You may come across a Salesforce validation/deployment error like this:

Cannot modify managed object: entity=CustomPermissionSet, component=<ID>, field=Description, state=installed

This is usually seen when you are not explicitly deploying the permission set(s) that have failed the Salesforce validation/deployment, but only selecting something like Custom field permissions, with the failing permission sets being brought in automatically.

We suspect you are seeing this because: 

  • in the new Salesforce API v48, Salesforce has added support for permission sets to be added into managed packages and/or unlocked packages, and

  • your managed package (or unlocked package) that contains the permission set is on different versions in the source and target¬†

What can I do?

Exclude all permission sets from the comparison and therefore the deployment

To work around the issue, if you do not need to deploy any permission sets, you can remove permission sets from your comparison, which means they then cannot be brought in automatically.

  1. Go back to your comparison results page

  2. Click Refresh comparison in the bottom left

  3. Remove the Permission set metadata type from your metadata comparison filter

  4. Click Refresh comparison in the bottom right of the modal to re-run the comparison

This is the comparison filter with Permission set selected:

Exclude specific permission sets from the comparison and therefore the deployment

If you do want to include some permission sets in your validation/deployment, just not the specific permission sets that are causing the error, you can modify the metadata filter (described/shown above) in a different way.

  • If you need to include permission sets but don't need to include managed package metadata, and it's managed package permission sets causing the error, you could set Include managed packages to None.

  • If you need to include permission sets from managed package A, and the permission sets giving the error are from managed packages B and C, you could set Include managed packages to Choose, and specify only managed package A to be included.

  • If you need to include permission sets from the same managed package(s) as the permission set(s) causing the error, in the metadata filter for the Permission set metadata type you could switch from All items to Named items, and then specify the particular permission set(s) you want to include or exclude.

Update the package

Check if the packages (managed or unlocked) are on the same version in the source and target, and synchronize them before deploying the permissions set.

Did this answer your question?