
Sf Permissions
Look up complete Salesforce Permission Set metadata elements while modeling object, field, tab, Apex, and custom permission access for a solo builder’s CRM org.
Overview
sf-permissions is an agent skill most often used in Build (also Ship security, Operate infra) that documents complete Salesforce Permission Set metadata elements for correct access XML.
Install
npx skills add https://github.com/clientell-ai/salesforce-skills --skill sf-permissions
What is this skill?
- Complete Permission Set XML reference with objectPermissions, fieldPermissions, tabSettings, classAccesses, pageAccesses
- Documents tab visibility options: DefaultOn, DefaultOff, Hidden, Visible
- Shows CRUD and view/modify-all flags per object for least-privilege design
- Covers Apex class, Visualforce page, custom metadata type, and named custom permission toggles
- Pairs with Salesforce implementation workflows where access must be deployable as metadata
Adoption & trust: 1 install on skills.sh; 7 GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You need to grant the right Salesforce object, field, and Apex access but are unsure which Permission Set XML elements and flags are valid.
Who is it for?
Indie builders or one-person teams implementing Salesforce CRM, CPQ, or custom objects who deploy permission sets via metadata API or source control.
Skip if: Teams that only need high-level role descriptions without deployable XML, or non-Salesforce auth (OAuth to your own API only).
When should I use this skill?
Modeling or reviewing Salesforce Permission Set XML for object, field, tab, Apex, page, or custom permission access.
What do I get? / Deliverables
You get a schema-accurate permission set structure your agent can paste into metadata or compare against an existing org export.
- Permission Set XML skeleton aligned to Salesforce metadata schema
- Checklist of access elements to enable per object or feature
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Permission sets are defined and iterated while wiring Salesforce objects and apps into your product, which is the canonical Build → integrations shelf even though you revisit them in Operate. Integrations subphase covers platform-specific access models (Salesforce metadata) that gate how your app and users touch standard and custom objects.
Where it fits
Draft permission sets before connecting a new custom object to your customer portal.
Verify modifyAllRecords and viewAllRecords flags before promoting metadata to production.
Add fieldPermissions for a new revenue field without reopening the whole profile model.
How it compares
Reference for Permission Set XML fields—not a full org security audit runner or a generic RBAC policy engine.
Common Questions / FAQ
Who is sf-permissions for?
Solo and indie builders wiring Salesforce into a SaaS or services workflow who need correct permission set metadata while coding with an agent.
When should I use sf-permissions?
During Build integrations when drafting permission sets; in Ship security when reviewing least privilege before go-live; in Operate when adjusting field or tab access after feedback.
Is sf-permissions safe to install?
Treat it as documentation-only guidance; review the Security Audits panel on this Prism page and your own org change process before applying generated XML in production.
SKILL.md
# Permissions Reference

## Complete Permission Set XML

All possible elements in a Permission Set metadata file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Complete Example</label>
    <description>Shows all available permission set elements</description>
    <hasActivationRequired>false</hasActivationRequired>
    <license>Salesforce</license>

    <objectPermissions>
        <object>Account</object>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>

    <fieldPermissions>
        <field>Account.AnnualRevenue</field>
        <editable>true</editable>
        <readable>true</readable>
    </fieldPermissions>

    <tabSettings>
        <tab>standard-Account</tab>
        <visibility>Visible</visibility>
        <!-- Options: DefaultOn, DefaultOff, Hidden, Visible -->
    </tabSettings>

    <classAccesses>
        <apexClass>AccountService</apexClass>
        <enabled>true</enabled>
    </classAccesses>

    <pageAccesses>
        <apexPage>AccountOverview</apexPage>
        <enabled>true</enabled>
    </pageAccesses>

    <customPermissions>
        <name>Can_Export_Data</name>
        <enabled>true</enabled>
    </customPermissions>

    <customMetadataTypeAccesses>
        <name>App_Config__mdt</name>
        <enabled>true</enabled>
    </customMetadataTypeAccesses>

    <customSettingAccesses>
        <name>Feature_Flags__c</name>
        <enabled>true</enabled>
    </customSettingAccesses>

    <externalDataSourceAccesses>
        <externalDataSource>ERP_System</externalDataSource>
        <enabled>true</enabled>
    </externalDataSourceAccesses>

    <flowAccesses>
        <flow>Order_Approval_Process</flow>
        <enabled>true</enabled>
    </flowAccesses>

    <recordTypeVisibilities>
        <recordType>Account.Enterprise</recordType>
        <visible>true</visible>
    </recordTypeVisibilities>

    <userPermissions>
        <name>RunReports</name>
        <enabled>true</enabled>
    </userPermissions>

    <applicationVisibilities>
        <application>Sales_Console</application>
        <visible>true</visible>
    </applicationVisibilities>
</PermissionSet>
```

## Permission Set Group with Muting

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSetGroup xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Support Agent</label>
    <description>Permissions for tier-1 support agents</description>
    <status>Updated</status>
    <permissionSets>
        <permissionSet>Case_Manager</permissionSet>
        <permissionSet>Knowledge_Reader</permissionSet>
        <permissionSet>Account_Reader</permissionSet>
    </permissionSets>
    <mutingPermissionSet>Support_Agent_Muting</mutingPermissionSet>
</PermissionSetGroup>
```

Muting permission set (revokes Case delete granted by Case_Manager):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Support Agent Muting</label>
    <objectPermissions>
        <object>Case</object>
        <allowDelete>true</allowDelete>
        <!-- true = MUTED in the group context -->
    </objectPermissions>
</PermissionSet>
```

## Access Audit SOQL Queries

### User Permission Summary

```sql
-- Permission sets assigned to a user (excluding profile-based)
SELECT PermissionSet.Label, PermissionSet.Name, PermissionSetGroup.MasterLabel
FROM PermissionSetAssignment
WHERE AssigneeId = '005xx000001234AAA'
AND PermissionSet.IsOwnedByProfile = false

-- Users with Modify All Data
SELECT Assignee.Name, Assignee.Username
FROM PermissionSetAssignment
WHERE PermissionSetId IN (
    SELECT Id FROM PermissionSet WHERE PermissionsModifyAllData = true
)
AND Assignee.IsActive = true

-- Permission set count per user
SELECT Assignee.N
```
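As an added example (not part of the skill's own SKILL.md), the muting rule from the "Permission Set Group with Muting" section can be checked offline before metadata is promoted: union the member sets' `objectPermissions`, drop every flag the muting set marks `true`, then list any `viewAllRecords` / `modifyAllRecords` grants that remain. The function names and the contents of `Case_Manager` and `Account_Reader` are assumptions made for the demo; dependencies between flags are not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
FLAGS = ("allowCreate", "allowRead", "allowEdit", "allowDelete",
         "viewAllRecords", "modifyAllRecords")
BROAD = ("viewAllRecords", "modifyAllRecords")  # flags that bypass record sharing

def object_permissions(xml_text):
    """Return {object: set of flags set to true} for one PermissionSet file."""
    perms = {}
    for op in ET.fromstring(xml_text).findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        granted = {f for f in FLAGS
                   if op.findtext(f"m:{f}", "false", NS).strip() == "true"}
        perms.setdefault(obj, set()).update(granted)
    return perms

def effective_group_permissions(member_sets, muting_set=None):
    """Union the members' grants, then drop every flag the muting set marks true."""
    effective = {}
    for xml_text in member_sets:
        for obj, flags in object_permissions(xml_text).items():
            effective.setdefault(obj, set()).update(flags)
    if muting_set:
        for obj, muted in object_permissions(muting_set).items():
            if obj in effective:
                effective[obj] -= muted
    return effective

def broad_grants(effective):
    """(object, flag) pairs still granting view-all or modify-all after muting."""
    return sorted((o, f) for o, fl in effective.items() for f in fl if f in BROAD)

def sample_permission_set(obj, *flags):
    """Build a constructed one-object PermissionSet document for the demo."""
    body = "".join(f"<{f}>true</{f}>" for f in flags)
    return (f'<PermissionSet xmlns="{NS["m"]}"><objectPermissions>'
            f"<object>{obj}</object>{body}</objectPermissions></PermissionSet>")

# Constructed inputs: the contents of Case_Manager and Account_Reader are assumed.
CASE_MANAGER = sample_permission_set(
    "Case", "allowCreate", "allowRead", "allowEdit", "allowDelete", "viewAllRecords")
ACCOUNT_READER = sample_permission_set("Account", "allowRead")
MUTING = sample_permission_set("Case", "allowDelete")  # true = muted in the group

if __name__ == "__main__":
    eff = effective_group_permissions([CASE_MANAGER, ACCOUNT_READER], MUTING)
    for obj in sorted(eff):
        print(obj, sorted(eff[obj]))
    print("review before promotion:", broad_grants(eff))
```

Muting only applies inside the group: a user who receives the same permission from a profile or a directly assigned permission set keeps it, so the result describes the group, not the user.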