Profiles & Permission Sets deployment 📦 in Salesforce

3 min readNov 20, 2018

Profiles & Permission Sets are the trickiest metadata types to deploy in Salesforce, we’ll describe how to deploy them using the Metadata API & Change Sets

Metadata API

We’ll use the retrieve method of the metadata API with a package.xml using the Salesforce CLI

Profiles 🎭

Profiles define how users access objects and data, and what they can do within the application

Let’s build the package.xml for retrieving all the profiles

1- Only Profile’s metadata type in Package.xml

Authorize a Sandbox (drop the -r param in order to authorize a production org)

sfdx force:auth:web:login -a sourceOrg -r https://test.salesforce.com

Retrieve profiles

sfdx force:mdapi:retrieve -r ./package -u sourceOrg -k ./package.xml

Result

The profiles include only :

IP Ranges & Login hours
User Permissions

2- Add relevant metadata types to the package.xml

As stated in the documentation

When you use the retrieve() call to get information about profiles in your organization, the returned .profile files only include security settings for the other metadata types referenced in the retrieve request (except for user permissions, IP address ranges, and login hours, which are always retrieved).

So in order to extract the access to all the items, we will need to include the corresponding metadata types in the package.xml

Here is a table that recap which metadata type to include for each item

We will not use wildcard (*) operator, because that is not always fully supported for each metadata type (please refer to the Metadata API Developer Guide)

Let’s connect your sandbox/production to workbench

Select : info → Metadata Types & Components