---
id: gh-generating-permission-set
name: "generating-permission-set"
url: https://skills.yangsir.net/skill/gh-generating-permission-set
author: forcedotcom
domain: ai-app-building-integration
tags: ["salesforce", "permissions", "metadata", "deployment", "security"]
install_count: 1200
rating: 4.30 (120 reviews)
github: https://github.com/forcedotcom/afv-library/tree/main/skills/generating-permission-set
---

# generating-permission-set

> Generates correct, deployable Salesforce permission set metadata (PermissionSet XML) covering object, field, user and app permissions. Use it to create or edit permission set metadata, configure object permissions, field-level security or tab visibility, or deploy permission sets.

**Stats**: 1,200 installs · 4.3/5 (120 reviews)

## Before / After Comparison

### Time to configure a complex permission set

**Before**:

Configuring a complex Salesforce permission set by hand takes a lot of time checking XML syntax, object and field references and permission logic; it is error-prone and slow.

**After**:

The AI generates accurate Salesforce permission set XML, greatly shortening configuration time, reducing manual errors and ensuring fast, compliant deployment.

| Metric | Before | After | Change |
|---|---|---|---|
| Configuration time | 90 minutes | 5 minutes | -94% |

## Readme

## When to Use This Skill

Use when generating or editing permission set metadata, or when granting object, field, user, and app permissions.

## Step 1: Define Core Properties

Start by defining the required permission set properties:

```xml
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>YourPermissionSetName</fullName>
    <label>Display Name for Administrators</label>
    <description>Clear description of purpose and intended audience</description>
</PermissionSet>
```

**Naming conventions:**
- Use descriptive API names (e.g., `Sales_Manager_Access`)

## Step 2: Configure Object Permissions

Add CRUD permissions for standard and custom objects:

```xml
<objectPermissions>
    <allowCreate>true</allowCreate>
    <allowRead>true</allowRead>
    <allowEdit>true</allowEdit>
    <allowDelete>false</allowDelete>
    <modifyAllRecords>false</modifyAllRecords>
    <viewAllRecords>false</viewAllRecords>
    <viewAllFields>false</viewAllFields>
    <object>Account</object>
</objectPermissions>
```

## Step 3: Set Field-Level Security

Define field permissions for sensitive or custom fields:

```xml
<fieldPermissions>
    <editable>true</editable>
    <readable>true</readable>
    <field>Account.SSN__c</field>
</fieldPermissions>
```

**Important:**
- Required fields must NEVER appear in the list of field permissions. Granting field-level security on required fields is not allowed by the platform and will cause deployment failure.
- Before adding any field, confirm from the object metadata that the field exists and is not required.
- A field is required when its metadata contains `<required>true</required>`:

  ```xml
  <fields>
      <fullName>FieldName__c</fullName>
      <required>true</required>
  </fields>
  ```

- Formula fields cannot be editable
- Master-detail fields are required fields on the child (detail) object
- Use the format `ObjectName.FieldName` for field references
- Set both `readable` and `editable` to `true` when the user needs edit access; editable implies readable
- If every field should be visible, you can instead enable the `viewAllFields` object permission

## Step 4: Grant User Permissions

Add system-level permissions for features and capabilities:

```xml
<userPermissions>
    <enabled>true</enabled>
    <name>ApiEnabled</name>
</userPermissions>
<userPermissions>
    <enabled>true</enabled>
    <name>RunReports</name>
</userPermissions>
```

**Common permissions:**
- `ApiEnabled`: API access
- `ViewSetup`: View Setup menu
- `ManageUsers`: User management
- `RunReports`: Report execution

**Security review required for:**
- `ViewAllData`: Read all records
- `ModifyAllData`: Edit all records
- `ManageUsers`: User administration

## Step 5: Configure App and Tab Visibility

Make applications and tabs visible to users:

```xml
<applicationVisibilities>
    <application>Sales_Console</application>
    <visible>true</visible>
</applicationVisibilities>
<tabSettings>
    <tab>CustomTab__c</tab>
    <visibility>Visible</visibility>
</tabSettings>
```

**Application visibility options:**
- `<visible>` can be `true` or `false`

**Tab visibility options:**
- `Visible`: The tab is available on the All Tabs page and appears in the visible tabs for its associated app. Can be customized.
- `Available`: The tab is available on the All Tabs page. Individual users can customize their display to make the tab visible in any app.
- `None`: The tab is not visible.

**CRITICAL - Tab Naming:**
- Custom object tabs: MUST include the `__c` suffix (e.g., `MyCustomObject__c`)
- Standard object tabs: Use the object name with the `standard-` prefix (e.g., `standard-Account`, `standard-Contact`)
- The tab name matches the object's API name exactly

## Step 6: Add Apex and Visualforce Access (Optional)

Grant access to custom code:

```xml
<classAccesses>
    <apexClass>CustomController</apexClass>
    <enabled>true</enabled>
</classAccesses>
<pageAccesses>
    <apexPage>CustomPage</apexPage>
    <enabled>true</enabled>
</pageAccesses>
```

## Step 7: Set License and Record Type Settings (Optional)

Specify license requirements and record type visibility:

```xml
<license>Salesforce</license>
<hasActivationRequired>false</hasActivationRequired>
<recordTypeVisibilities>
    <recordType>Account.Business</recordType>
    <visible>true</visible>
    <default>true</default>
</recordTypeVisibilities>
```

## Step 8: Set Agent Access (Optional)

Enable access to Agentforce Employee Agents for users assigned to this permission set:

```xml
<agentAccesses>
    <agentName>Sales_Assistant_Agent</agentName>
    <enabled>true</enabled>
</agentAccesses>
```

**Field requirements:**
- `agentName` (required): The developer name of the employee agent
- `enabled` (required): Set to `true` to grant access, `false` to deny

**Important:**
- Agent names must match existing Agentforce Employee Agent developer names

## Validation Checklist

Before deploying, verify:
- [ ] fullName, label, description set
- [ ] Permissions follow least privilege
- [ ] No required fields in `<fieldPermissions>`
- [ ] No duplicate permissions
- [ ] No lengthy comments

## What Causes Deployment Failure

- **Field permissions on required fields:** Any required field in `<fieldPermissions>` fails deployment. Required fields cannot have FLS; omit them entirely. Always confirm from object/field metadata that a field exists and is not required—never assume.
- **Incorrect API names:** Using the wrong name or missing suffixes (e.g., a missing `__c` on custom objects, fields or tabs) causes failure.
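An added pre-deployment check (example code written for this page, not part of the skill or of forcedotcom's afv-library) that applies the rules from Steps 1, 3, 4 and 5 and the checklist above to a permission set: core properties present, no required field and no duplicate entry in `<fieldPermissions>`, editable implies readable, review-gated user permissions flagged, and tab names carrying the `__c` suffix or `standard-` prefix. The `OBJECT_FIELDS` dictionary and `SAMPLE_XML` are constructed for the example; in practice the required flag is read from the org's field metadata.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
REVIEW_PERMS = {"ViewAllData", "ModifyAllData", "ManageUsers"}  # Step 4 review list
# Constructed stand-in for the org's field metadata: API name -> <required> flag.
OBJECT_FIELDS = {"Account": {"Name": True, "SSN__c": False, "Region__c": False}}
# Constructed permission set carrying several of the defects the checklist names.
SAMPLE_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Sales_Manager_Access</fullName>
    <label>Sales Manager Access</label>
    <fieldPermissions><editable>true</editable><readable>true</readable>
        <field>Account.SSN__c</field></fieldPermissions>
    <fieldPermissions><editable>true</editable><readable>true</readable>
        <field>Account.Name</field></fieldPermissions>
    <fieldPermissions><editable>true</editable><readable>false</readable>
        <field>Account.Region__c</field></fieldPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <tabSettings><tab>MyCustomObject</tab><visibility>Visible</visibility></tabSettings>
</PermissionSet>"""

def validate_permission_set(xml_text, object_fields):  # returns a list of findings
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("fullName", "label", "description"):  # Step 1: core properties
        if not root.findtext(f"m:{tag}", "", NS).strip():
            findings.append(f"missing <{tag}>")
    seen = set()
    for fp in root.findall("m:fieldPermissions", NS):  # Step 3: field-level rules
        ref = fp.findtext("m:field", "", NS)
        if ref in seen:
            findings.append(f"duplicate fieldPermissions for {ref}")
        seen.add(ref)
        obj, _, fld = ref.partition(".")  # must be ObjectName.FieldName
        known = object_fields.get(obj, {})
        if fld not in known:
            findings.append(f"unknown or malformed field reference {ref!r}")
        elif known[fld]:  # required field: FLS on it is rejected at deploy time
            findings.append(f"required field {ref} must not appear in fieldPermissions")
        editable = fp.findtext("m:editable", "", NS) == "true"
        if editable and fp.findtext("m:readable", "", NS) != "true":
            findings.append(f"{ref}: editable implies readable; set readable to true")
    for up in root.findall("m:userPermissions", NS):  # Step 4: broad permissions
        name = up.findtext("m:name", "", NS)
        if name in REVIEW_PERMS and up.findtext("m:enabled", "", NS) == "true":
            findings.append(f"{name} grants broad access; security review required")
    for ts in root.findall("m:tabSettings", NS):  # Step 5: tab naming
        tab = ts.findtext("m:tab", "", NS)
        if not (tab.endswith("__c") or tab.startswith("standard-")):
            findings.append(f"tab {tab!r} needs the __c suffix or standard- prefix")
    return findings
```

Run it on the sample and an empty list means the file passes every check encoded here; anything else should be fixed before `sf` deploys it.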

## Deployment

Deploy using the Salesforce CLI.

---
*Source: https://skills.yangsir.net/skill/gh-generating-permission-set*
*Markdown mirror: https://skills.yangsir.net/api/skill/gh-generating-permission-set/markdown*