All Collections
Are profile permissions showing up as 'New' or 'Deleted' when you know it's not the case?
Are profile permissions showing up as 'New' or 'Deleted' when you know it's not the case?

An explanation of how profile permissions can show up differently for Git compared to orgs

Valerio Chang avatar
Written by Valerio Chang
Updated over a week ago

Are you comparing 

  • between a Git branch and a Salesforce org, and 

  • Profile permissions are showing up as New or Deleted (missing from the org) despite you being certain that the Custom field permission or Apex class permission etc. is in the org?

This article explains what is going on.

If you only use the Profile metadata type in the metadata comparison filter, how the results are retrieved and displayed differs depending on the environment type.

From a Salesforce org, this will only retrieve the Profile: User permission component, as to retrieve other parts of a profile you need to include the related metadata type - such as Custom application to retrieve Profile: Application visibility, and Layout to retrieve Profile: Layout assignment. See this article for which metadata type(s) you would need to include. (If you are using Named items, ensure you include the relevant items.)

In contrast, with just the Profile metadata type in the metadata comparison filter, Gearset pulls the whole profile from the Git branch, and that includes all the various profile subcomponent types.

The issue of false profile permissions can occur if you used a wider metadata filter to populate your Git repo than you use for running a CI job, so you deployed the whole profile from the org to your repo, but then only retrieve part of the profile on the org side when running the CI job. Ideally have consistency in filters to avoid this situation.

Managed package setting

Additionally, if you have the Include managed packages set to None this:

  • will retrieve no managed package metadata from an org

  • may or may not retrieve managed package metadata from Git*

*There is no concept of a managed package in Git, but Gearset can filter out and hide managed package metadata on the Git side if the relevant Installed package can be identified.

If the managed package metadata is retrieved on the Git side but not the org side, this can result in permissions showing up as New or Deleted. The easiest way is to identify managed package items is the namespace prefix in the item name; for example, dsfs__ in the following screenshot.


The comparison results may show something as New or Deleted, not because it doesn't exist in your org, but because the metadata filter that you are using does not retrieve that profile component.

All you need to do to correct this is to add in the additional metadata type (for example Custom object or Apex class) to make the comparison result show what you are looking for.

Did this answer your question?