function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Krzysztof_WKrzysztof_W 

how to deploy App Permissions

Can anyone tell me how to deploy App Permissions section of the profile (checkboxes like Edit Self-Service Users, Edit Case Comments etc) with Migration Tool?

Best Answer chosen by Admin (Salesforce Developers) 
AdrianCCAdrianCC

Okay... I think we should also ask ourselves if the App Permissions can be retrieved/deployed through the Metadata API. Maybe they're not... You could ask SFDC tech support to see if it's doable.

 

Also, is the Data Loader also based on the implemetation of the Metadata API in java as are the ide and ant tool? Maybe you could use the data loader to bulk modify your profiles.

All Answers

AdrianCCAdrianCC

I don't know exactly the necessary code for the each permission but you could extract the profile that needs modifying using the ant tool to see their exact names. You'll have to modify the package.xml to include: 

<types>
    <members>ProfileName</members>
    <name>Profile</name>
</types>

 Open the file afterwards in a text editor and search for the permissions. In case they are not shown when they have false values go to another instance(a dev one for example) and set up in the browser a test profile with all the permissions. Extract the profile with ant and you should have all the permissions names that you need. Or you could use the profile file directly to overwrite the one from the initial instance.

Krzysztof_WKrzysztof_W

The profile xml that you are retrieving is dependant on what other objects you select (like object, apex classes etc). That means that only permissions of elements that are also listed in package.xml will be also retrieved.

 

The problem is that App Permissions are not listed there, no matter the combination of items I put to package.xml.

 

So still looking for an answer...

AdrianCCAdrianCC

Yeap, you are right http://www.salesforce.com/us/developer/docs/daas/Content/commondeploymentissues.htm

Profiles or permission sets and field-level security — The contents of a retrieved profile or permission set depend on the other contents of the retrieve request. For example, field-level security for fields included in custom objects are returned at the same time as profiles or permission sets. For more information, see Profile and PermissionSet in the Force.com Metadata API Developer's Guide.

 

Hmmm, let's try another approach. Let's try using Force.com Ide. There are 2 metadata components: permissionsets and profiles, that you can select from the Add/Remove Metadata Components... menu. Have you tried this, W?

Abhay AroraAbhay Arora

Hi

 

You need to select the profiles with the components at the time of deployment if both are deployed together at the time of deployment the permissions willl be moved.

 

Use Changeset preferably for this case.

Krzysztof_WKrzysztof_W

@AdrianCC
Both Force.com IDE and Migration Tool are based on implementation of Metadata API in java. So I see no difference between using Force IDE and Migration Tool except the one that Migration Tool is command line so it's preferred by me.

 

@Abhay Arora
I'd rather use ant based deployment as ChangeSets require configuration on both sides. Moreover I would like to find a way of accessing those App Permissions "in bulk" as I have lots of profiles to be modified and don't want to set this up by clicking in the UI (only if it's impossible from Metadata API I'll have to).

 

I'll try to explain my problem once again.

I DON'T want to move regular permissions (dependant on content of package.xml) like:
classAccesses
fieldLevelSecurities
pageAccesses
applicationVisibilities
etc..

 

I WANT to deploy specific App Permissions - when you open profile in the browser then it is available in the Apps section > App Permissions
Settings like: Edit Case Comments, Edit Self-Service Users, Import Solutions...

If I retrieve Permission Set then I see similar settings like:

 

<userPermissions>
<enabled>false</enabled>
<name>EditCaseComments</name>
</userPermissions>

 

But this is NOT available for profile. And my question is - what to do to make it available and possible to retrieve/deploy via ant tool for profile (not permission set).

 

Thanks,
Krzysztof

AdrianCCAdrianCC

Okay... I think we should also ask ourselves if the App Permissions can be retrieved/deployed through the Metadata API. Maybe they're not... You could ask SFDC tech support to see if it's doable.

 

Also, is the Data Loader also based on the implemetation of the Metadata API in java as are the ide and ant tool? Maybe you could use the data loader to bulk modify your profiles.

This was selected as the best answer
Krzysztof_WKrzysztof_W

Thanks! DataLoader solves my problem - I can prepare CSV update script for each environment with changes I need. From what I see those userPermissions are available via MetadataAPI only for Permission Sets, not for Profiles.

 

But using DataLoader is a good workaround.

gitguygitguy

Why is that a good workaround?  What if I need to deploy to 10 orgs?  How will it work with packages?

 

Is there a /reason/ permission sets without a designated user license can't be deployed?

AdrianCCAdrianCC

What kind of instances are those orgs? 

Care that you can create permission sets only in Dev, Enterprise and Unlimited. 

You can deploy using an package but you'll only be able to edit them in Group and Professional.

In Group and Professional Editions, permission sets may be included in installed packages, where they can be viewed and assigned to users but not edited.

 

Starting Winter '13 the user license is not mandatory anymore. You can select -None-. What error do you have?

If this is a new permission set, select a user license option. If you plan to assign this permission set to multiple users with different licenses, select --None--. If only users with one type of license will use this permission set, select the user license that’s associated with them. For more information, see About User Licenses in Permission Sets.

 Links: http://na13.salesforce.com/help/doc/en/perm_sets_create.htm

http://na13.salesforce.com/help/doc/en/perm_sets_overview.htm

 

Thanks,

Adrian

 

 

gitguygitguy

I'm getting an error on deploy to dev and enterprise orgs that the permission set fails because a license type isn't specified.

J PaulJ Paul
You can retrieve and deploy App AND System Permissions by including ProfileUserPermission along with your Profile in the package.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>Profile Full</members>
        <name>Profile</name>
    </types>
    <types>
       	<members>*</members>
        <name>ProfileUserPermission</name>
    </types>
    <version>44.0</version>
</Package>
This will retrieve both App Permissions (e.g., Manage Call Centers) and System Permissions (API Enabled). In my experience it only retrieves a given permission if the value is already set to true in the target org you are retrieving from. Similarly it only overwrites a value if you include a line for it in the xml. In other words if you run the above package.xml  hoping to retrieve permissions that are turned off in the org you are retrieving from, in an attempt to turn them off in another org, you'd need to manually add lines for those permissions and set <enabled> to false in your profile xml.
Melissa Rainboldt 10Melissa Rainboldt 10
For Run Flow permission it is the following metadata in the profile
<userPermissions>
<enabled>true</enabled>
<name>RunFlow</name>
</userPermissions>