
generating-permission-set

by @forcedotcomv
4.3(120)

Generates correct, deployable Salesforce permission set metadata (PermissionSet XML) covering object, field, user and app permissions. Use it to create or edit permission set metadata, configure object permissions, field-level security or tab visibility, or deploy permission sets.

Tags: salesforce, permissions, metadata, deployment, security

Installation (GitHub)

git clone https://github.com/forcedotcom/afv-library.git

Before / After comparison (case 1)

Before

Configuring complex Salesforce permission sets by hand takes a lot of time spent checking XML syntax, object and field references and permission logic; it is error-prone and inefficient.

After

The AI generates accurate Salesforce permission set XML, greatly shortening configuration time, reducing manual errors and ensuring fast, compliant deployment.

SKILL.md

When to Use This Skill

Use when generating or editing permission set metadata, or when granting object, field, user, and app permissions.

Step 1: Define Core Properties

Start by defining the required permission set properties:

<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>YourPermissionSetName</fullName>
    <label>Display Name for Administrators</label>
    <description>Clear description of purpose and intended audience</description>
</PermissionSet>

Naming conventions:

  • Use descriptive API names (e.g., Sales_Manager_Access)

Step 2: Configure Object Permissions

Add CRUD permissions for standard and custom objects:

<objectPermissions>
    <allowCreate>true</allowCreate>
    <allowRead>true</allowRead>
    <allowEdit>true</allowEdit>
    <allowDelete>false</allowDelete>
    <modifyAllRecords>false</modifyAllRecords>
    <viewAllRecords>false</viewAllRecords>
    <viewAllFields>false</viewAllFields>
    <object>Account</object>
</objectPermissions>

Step 3: Set Field-Level Security

Define field permissions for sensitive or custom fields:

<fieldPermissions>
    <editable>true</editable>
    <readable>true</readable>
    <field>Account.SSN__c</field>
</fieldPermissions>

Important:

  • Required fields must NEVER appear in the list of field permissions. Granting field-level security on required fields is not allowed by the platform and will cause deployment failure.
  • Before adding any field, confirm from the object metadata that the field exists and is not required.
  • A field is required when its metadata contains <required>true</required>:

<fields>
    <fullName>FieldName__c</fullName>
    <required>true</required>
</fields>

  • Formula fields cannot be editable.
  • Master-detail fields are required fields on the child (detail) object.
  • Use the format ObjectName.FieldName for field references.
  • Set both readable and editable to true when the user needs edit access; editable implies readable.
  • If all fields should be visible, you can alternatively enable the viewAllFields object permission.

Step 4: Grant User Permissions

Add system-level permissions for features and capabilities:

<userPermissions>
    <enabled>true</enabled>
    <name>ApiEnabled</name>
</userPermissions>
<userPermissions>
    <enabled>true</enabled>
    <name>RunReports</name>
</userPermissions>

Common permissions:

  • ApiEnabled: API access
  • ViewSetup: View Setup menu
  • ManageUsers: User management
  • RunReports: Report execution

Security review required for:

  • ViewAllData: Read all records
  • ModifyAllData: Edit all records
  • ManageUsers: User administration

Step 5: Configure App and Tab Visibility

Make applications and tabs visible to users:

<applicationVisibilities>
    <application>Sales_Console</application>
    <visible>true</visible>
</applicationVisibilities>
<tabSettings>
    <tab>CustomTab__c</tab>
    <visibility>Visible</visibility>
</tabSettings>

Application visibility options:

  • visible can be true or false

Tab visibility options:

  • Visible: The tab is available on the All Tabs page and appears in the visible tabs for its associated app. Can be customized.
  • Available: The tab is available on the All Tabs page. Individual users can customize their display to make the tab visible in any app.
  • None: Not visible.

CRITICAL - Tab Naming:

  • Custom object tabs: MUST include the __c suffix (e.g., MyCustomObject__c)
  • Standard object tabs: Use the object name with "standard-" prefix (e.g., standard-Account, standard-Contact)
  • The tab name matches the object's API name exactly

Step 6: Add Apex and Visualforce Access (Optional)

Grant access to custom code:

<classAccesses>
    <apexClass>CustomController</apexClass>
    <enabled>true</enabled>
</classAccesses>
<pageAccesses>
    <apexPage>CustomPage</apexPage>
    <enabled>true</enabled>
</pageAccesses>

Step 7: Set License and Record Type Settings (Optional)

Specify license requirements and record type visibility:

<license>Salesforce</license>
<hasActivationRequired>false</hasActivationRequired>
<recordTypeVisibilities>
    <recordType>Account.Business</recordType>
    <visible>true</visible>
    <default>true</default>
</recordTypeVisibilities>

Step 8: Set Agent Access (Optional)

Enable access to Agentforce Employee Agents for users assigned to this permission set:

Field requirements:

  • agentName (Required): The developer name of the employee agent
  • enabled (Required): Set to true to grant access, false to deny

Important:

  • Agent names must match existing Agentforce Employee Agent developer names

Validation Checklist

Before deploying, verify:

  • fullName, label and description are set
  • Permissions follow least privilege
  • No required fields in <fieldPermissions>
  • No duplicate permissions
  • No lengthy comments

What Causes Deployment Failure

  • Field permissions on required fields: Any required field in <fieldPermissions> fails deployment. Required fields cannot have FLS; omit them entirely. Always confirm from object/field metadata that a field exists and is not required—never assume.
  • Incorrect API names: Using the wrong name or missing suffixes (e.g. a missing __c on custom objects, fields or tabs) causes failure.
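The validation checklist and the failure causes above can be enforced before `sf` is ever run. The following linter is an added example, not code from the afv-library skill: it cross-checks a PermissionSet against CustomObject metadata for required-field FLS, formula fields marked editable, editable-without-readable, duplicate entries, tab names lacking the __c suffix or standard- prefix, and user permissions on the page's security-review list. Both XML documents are constructed samples and the field map is keyed by field API name for a single object.

```python
import xml.etree.ElementTree as ET
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
REVIEW = {"ViewAllData", "ModifyAllData", "ManageUsers"}  # the page's "security review" list
# Constructed samples (not real org metadata); the permission set deliberately breaks several rules.
OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <fields><fullName>SSN__c</fullName><required>false</required></fields>
  <fields><fullName>Region__c</fullName><required>true</required></fields>
  <fields><fullName>Score__c</fullName><formula>1 + 1</formula></fields>
</CustomObject>"""
PERMSET_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <fullName>Sales_Manager_Access</fullName><label>Sales Manager Access</label><description>Sales managers</description>
  <fieldPermissions><editable>true</editable><readable>true</readable><field>Account.SSN__c</field></fieldPermissions>
  <fieldPermissions><editable>false</editable><readable>true</readable><field>Account.Region__c</field></fieldPermissions>
  <fieldPermissions><editable>true</editable><readable>false</readable><field>Account.Score__c</field></fieldPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <tabSettings><tab>Invoice</tab><visibility>Visible</visibility></tabSettings>
</PermissionSet>"""

def load_fields(object_xml):
    """Map field API name -> (is_required, is_formula) from CustomObject metadata."""
    return {f.findtext("m:fullName", namespaces=NS):
            (f.findtext("m:required", "false", NS) == "true", f.find("m:formula", NS) is not None)
            for f in ET.fromstring(object_xml).findall("m:fields", NS)}

def lint(permset_xml, fields):
    """Apply the checklist; an empty result means nothing blocks deployment or needs review."""
    root, found = ET.fromstring(permset_xml), []
    for fp in root.findall("m:fieldPermissions", NS):
        field = fp.findtext("m:field", namespaces=NS)
        editable, readable = (fp.findtext(f"m:{t}", namespaces=NS) == "true" for t in ("editable", "readable"))
        if field.partition(".")[2] not in fields:  # never assume a field exists
            found.append(f"unknown field {field}: confirm it in object metadata"); continue
        required, formula = fields[field.partition(".")[2]]
        if required: found.append(f"required field {field} has FLS (deployment fails)")
        if formula and editable: found.append(f"formula field {field} cannot be editable")
        if editable and not readable: found.append(f"{field} is editable but not readable")
    for up in root.findall("m:userPermissions", NS):
        perm = up.findtext("m:name", namespaces=NS)
        if perm in REVIEW and up.findtext("m:enabled", namespaces=NS) == "true":
            found.append(f"{perm} grants org-wide access: security review required")
    for ts in root.findall("m:tabSettings", NS):
        tab = ts.findtext("m:tab", namespaces=NS)
        if not (tab.endswith("__c") or tab.startswith("standard-")):
            found.append(f"tab {tab} lacks the __c suffix or standard- prefix")
    keys = [e.findtext("m:field", namespaces=NS) or e.findtext("m:name", namespaces=NS)
            for e in root.findall("m:fieldPermissions", NS) + root.findall("m:userPermissions", NS)]
    found += [f"duplicate entry {k}" for k in sorted(set(keys)) if keys.count(k) > 1]
    return found
```

Running `lint(PERMSET_XML, load_fields(OBJECT_XML))` on the samples reports six findings; a permission set that only grants Account.SSN__c and the standard-Account tab returns an empty list.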

Deployment

Deploy using Salesforce CLI


Statistics

Installs: 1.2K
Rating: 4.3 / 5.0
Version
Updated: 23 May 2026
Comparison cases: 1


Compatible platforms

claude-code

Timeline

Created: 19 May 2026
Last updated: 23 May 2026