Profiles are one of the most complex metadata types in Salesforce, and are notoriously hard to migrate with change sets or the command line.
(In the context of permissions, the
Profile metadata type in this article can also be substituted by
Custom permission and
Permission set metadata types, as they work on the same principle as
Gearset makes managing profile changes much easier by breaking them down into small components and intelligently stitching the files together as part of your deployment. This article explains how profiles work in Gearset and how to deploy the changes you're after.
Splitting profiles into individually deployable components
Profiles are large objects in Salesforce. To help make managing them easier, Gearset breaks down the profile metadata API object into its individual subcomponents. Each component is individually deployable without affecting the other parts of the profile.
This gives fine-grained control over what changes you migrate. For example, you can migrate just a single
field level security setting without affecting the rest of the profile.
Because Gearset separates profiles into these individual subcomponents, the parent profile will show up in comparisons as
No difference even if the subcomponents, such as tab visibility, have been changed. You can find the changed subcomponents by expanding out the components of the parent object in the comparison table, or by searching up their names in the filter.
In Gearset, profiles are split into the following subcomponent types:
Apex class permissions
Apex page permissions
Custom field permissions
Custom object permissions
Profile Password Policy
Profile Session Setting
Profile: Apex class access
Profile: Apex page access
Profile: Application visibility
Profile: Custom permissions
Profile: External data source access
Profile: Field level security
Profile: Flow access
Profile: Layout assignment
Profile: Object permission
Profile: Record type visibility
Profile: Set of user permissions for a new profile
Profile: Tab visibility
Profile: User permission
Want to know how to retrieve Profiles and their components using Gearset's metadata filter? See here
Sometimes, you may run into order-dependency issues when trying to deploy changes to Profiles. Here’s one example for Profile
CRUD on Case (objectPermission)
R - C - E -
R - C - E - D -
Manage Cases (userPermission)
When you try to deploy this, Salesforce first removes the Delete (D) and Modify All permission from the Profile in the target org and then immediately throws up a Validation Error: “Manage Cases requires delete permission”.
There are two options for working around this:
Option 1: Do two deployments - one to remove
Manage Cases permission first, then a second deployment to remove D and
Modify All from Case.
Option 2: Go into the target org and manually remove
Manage Cases user permission. Then deploy the object permissions via Gearset.