This is a companion piece covering the tool I used to validate the build. The main article covers what to practice and why.

← Read the main article first

This walkthrough follows Salesforce's own setup documentation for the Tooling API authentication step.

View Salesforce's official docs →

The User Access and Permissions Assistant is a free, Salesforce Labs-published AppExchange app that auto-generates a Permission Set from an existing Profile — genuinely useful for validating a Profile-to-Permission-Set migration independently of your own manual build. But installing it is not a two-click AppExchange affair. It requires a real chunk of OAuth plumbing, and one specific error stalls most people at the first authentication attempt with no obvious next move.

This is the full sequence, in order, including the error and its actual fix — which has nothing to do with the values you typed.


1

What you're installing

What This Tool Actually Does

Once installed, the app gives you four native tabs:

TabWhat it does
AnalyzeInspect effective access for a User, Permission Set, or Permission Set Group
ConverterAuto-generate a Permission Set from an existing Profile
ReportBroader visibility into permission assignments across your org
ManageOngoing administration of the tool itself

💡 Worth knowing before you start

Analyze does not accept a Profile as a target — only Users, Permission Sets, and Permission Set Groups. If you're trying to audit a Profile directly, you want Converter, not Analyze. Easy to assume otherwise going in.

UAPA Application from App launcher

User Access and Permission Assistant from App launcher

It's also not in Setup. Searching Setup Quick Find for "User Access and Permissions Assistant" comes up empty — it's an installed package, and once installed, it lives in the App Launcher, not Setup.


2

The part before the install

Before You Install: Enable the Tooling API

This is the part that catches people off guard. The app needs to call Salesforce's Tooling API on your behalf, which means before installing anything from AppExchange, you have to build a small OAuth chain yourself: a Connected App, an Authentication Provider, a Named Credential, and a couple of Permission Sets. Every field value below is taken directly from Salesforce's own official documentation.

1
Create a Connected App for the Tooling API
Setup → Quick Find → External Client AppsSettings → New Connected App.
  • Name: UAPA Tooling API (or your own descriptive naming)
  • Enable OAuth Settings; Callback URL (placeholder): https://login.salesforce.com
  • OAuth Scopes: Full access (full) + Perform requests at any time (refresh_token, offline_access)
  • Save → Manage Consumer Details → copy the Consumer Key and Consumer Secret
Create a Connected App for the Tooling API

Create a Connected App for the Tooling API

Create a Connected App for the Tooling API

Create a Connected App for the Tooling API

Create a Connected App for the Tooling API

Create a Connected App for the Tooling API

2
Create an Authentication Provider for the Tooling API
Setup → Quick Find → Auth. Providers → New.
  • Name: UAPA Tooling API Auth · Provider Type: Salesforce
  • Paste the Consumer Key / Consumer Secret from Step 1
  • Default Scopes: refresh_token full
  • Save → copy the generated Callback URL — needed for Steps 3 and 4
Create an Authentication Provider for the Tooling API

Create an Authentication Provider for the Tooling API

Create an Authentication Provider for the Tooling API

Create an Authentication Provider for the Tooling API

Create an Authentication Provider for the Tooling API

Create an Authentication Provider for the Tooling API

3
Update the Callback URL in the Connected App
Setup → App Manager → find your Connected App → dropdown → View → Edit → replace the placeholder Callback URL with the real one from Step 2 → Save.
4
Create a Named Credential for the Tooling API
Setup → Quick Find → Named Credentials → dropdown next to New → New Legacy.
  • Label: Tooling API Credential — Name auto-fills as Tooling_API_Credential, required exactly as-is
  • URL: the domain-only portion of the Step 2 callback URL (e.g. https://yourdomain.my.salesforce.com)
  • Identity Type: Per User · Authentication Protocol: OAuth 2.0
  • Authentication Provider: the one from Step 2 · Scope: refresh_token full
  • Callout Options: check Generate Authorization Header and Allow Merge Fields in HTTP Body only
  • Save → log in → click Allow → confirm Authentication Status shows "Authenticated as [you]"
Create a Named Credential for the Tooling API

Create a Named Credential for the Tooling API

Create a Named Credential for the Tooling API

Create a Named Credential for the Tooling API

5
Create a Permission Set to use the Named Credential
Setup → Permission Sets → New → Label: UAPA Tooling API Access → Save.
  • Open it → Named Credential Access → Edit → enable Tooling_API_Credential → Save
  • Same Permission Set → Assigned Connected Apps → Edit → enable the Connected App from Step 1 → Save
  • Assign this Permission Set to yourself
Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

Create a Permission Set to use the Named Credential

💡 On the deprecation notice

Salesforce's Spring '26 release restricts new Connected App creation in favour of External Client Apps. This flow — via External Client Apps → Settings → New Connected App — is still Salesforce's own documented path for this specific tool, so proceed as instructed even if you see the deprecation notice.


3

The part that stops most people

The Error You'll Probably Hit: redirect_uri_mismatch

If Step 4's login/Allow flow throws this:

error=redirect_uri_mismatch&error_description=redirect_uri must match configuration

don't assume you've mistyped something. In practice, this is most often a propagation delay, not a mismatched value.

⚠️ What's actually happening

Connected App Callback URL changes (Step 3) can take roughly 10 minutes to fully apply across Salesforce's auth infrastructure. If you complete Step 3 and immediately move to Step 4's authentication flow, the Named Credential is still trying to authenticate against the old callback configuration — which throws this exact error, even though the values you entered are entirely correct.

How to resolve it:

1
Double-check the values first, just to rule out an actual typo — confirm the Connected App's Callback URL (Setup → App Manager → your Connected App → View) matches the Authentication Provider's Callback URL character-for-character, full path included.
2
If they match exactly, stop and wait roughly 10 minutes — don't keep retrying immediately, since that doesn't speed anything up.
3
Come back to Step 4's Named Credential, save it again, and let it prompt the login/Allow flow again.
4
It should complete cleanly once the propagation window has passed.

💡 The genuinely useful part of this whole article

This is worth knowing before you hit it — the error message itself gives no indication that "wait" is the actual fix, and it's easy to assume you've broken a configuration value when really you just need patience.


4

Now the actual install

Installing the App

6
Download the package from AppExchange
Go to the AppExchange listing → Get It Now → select your org → agree to terms → log in when redirected → choose which profiles get access (Admins Only is the sensible default for a dev org).
Download the package from AppExchange

Download the package from AppExchange

Download the package from AppExchange

Download the package from AppExchange

Download the package from AppExchange

Download the package from AppExchange

7
Assign the Helper App Access Permission Set
Setup → Users → your user → Permission Set Assignments → Edit Assignments → add User Access & Permissions Assistant Access (packaged with the app) → Save.
Assign the Helper App Access Permission Set

Assign the Helper App Access Permission Set

8
Verify required System Permissions
Salesforce's docs state these are already included on System Administrator, so admins can skip this — but it's worth verifying rather than assuming. Check Setup → Profiles → System Administrator → System Permissions for:
  • API Enabled · Assign Permission Sets · Customize Application
  • Manage Custom Permissions · Manage Profiles and Permission Sets
  • Manage Session Permission Set Activations · View Roles and Role Hierarchy · View Setup and Configuration
Verify required System Permissions

Verify required System Permissions

⚠️ Confirmed by testing, not documentation

In testing this myself, Manage Session Permission Set Activations was not checked on System Administrator by default — a genuinely useful reminder that even the most privileged standard profile in Salesforce isn't automatically complete for every newer permission. If you find gaps, build a Permission Set (UAPA System Permissions) with the missing ones enabled and assign it to yourself.

9
Set User Authentication for the Tooling API Credential
Click your profile image → Quick Find → Authentication Settings for External Systems → New. External System Definition: Named Credential → Named Credential: Tooling API Credential → User: your username → Authentication Protocol: OAuth 2.0 → check Start Authentication Flow on Save → Save. By this point the Step 3 callback URL change should be fully propagated, so it should complete cleanly.
Set User Authentication for the Tooling API Credential

Set User Authentication for the Tooling API Credential


5

Putting it to work

Finding and Using the App

App Launcher → search "User Access and Permissions Assistant" — not Setup. This is an easy first stumble; the app is a Lightning app accessed like any other app, not a Setup configuration page.

Running the Converter

What to check in the output

Using the App

From Converter Tab select the desired Profile

Using the App

Click on the 'Convert to Permission Set' from the selected profile

Using the App

'Convert' the Profile into Permission Set

Final Output

Tab settings and record type access is passed when converted but not the default settings

💡 Ties back to the main finding

The Converter independently confirms exactly what I found building the migration by hand: Tab Settings and Record Type access come through, but the things that never had a Permission Set home — Page Layout Assignment, Record Type defaults — simply don't appear in the output. Two different methods, same conclusion.


Quick Reference: Everything You'll Name

ComponentSuggested Name
Connected AppUAPA Tooling API
Authentication ProviderUAPA Tooling API Auth
Named CredentialTooling API Credential (API name auto-fills: Tooling_API_Credential)
Permission Set (Named Credential access)UAPA Tooling API Access
Permission Set (System Permissions, if needed)UAPA System Permissions
The full install, distilled

Closing

None of this setup is difficult in isolation — it's a standard OAuth Connected App / Auth Provider / Named Credential pattern that shows up elsewhere in Salesforce too. What makes it worth documenting is that the official steps are scattered across nine separate help articles with no single unified walkthrough, and one wrong callback URL paste is enough to stall the whole thing at Step 4 with a cryptic error and no obvious next move — except now you know it isn't actually a wrong value at all.

If you're doing the hands-on Profile-to-Permission-Set exercise, this tool is a genuinely useful second validation pass once you're set up — just budget 20–30 minutes for the OAuth plumbing before you get to the part that actually matters.

Read the main article

What to practice, why it's still worth doing without a forced deadline, and the two things that always need a Profile — confirmed both by manual testing and by this tool's own output.