+ Start a Discussion
Thomas FrielingThomas Frieling 

sfdx: Error on deployment to Sandbox: "Unknown user permission: "

When trying to deploy from our sfdx environment to a Sandbox via sfdx force:mdapi:deploy we get lots of errors concerning the Admin-profile and custom profiles:
Error  mdapi_output_dir/profiles/Admin.profile             Admin             Unknown user permission: AllowUniversalSearch

After manually removing each user permission step by step it turns out that we get the same error for at least the following user permissions:
  • AllowUniversalSearch
  • AllowViewKnowledge
  • ChangeDashboardColors
  • EditKnowledge
  • EditPublicReports
  • EditReports
  • EnableCommunityAppLauncher
  • ManageCssUsers
  • ManageDashboards
  • ManageEntitlements
  • ManageKnowledge
  • ManageKnowledgeImportExport
  • ManageSearchPromotionRules
  • ShareInternalArticles
The problem is that those user permissions are added to the Admin.profile-meta.xml again when pulling changes from our scratches. Needless to say that we would not like to manually remove the permissions every few days :)

Thanks for your ideas,
Hi Thomas  
you need to deploy the profiles separately in this case, are you using ANT migration tool?
Thomas FrielingThomas Frieling
Hey! Right now we are testing with the sfdx cli only - happy to introduce ANT migration though. Is that the recommended tool for deployments?
Would we deploy the profiles first or last?
You should deploy them last, deploy the components except profiles and then you need fetch all the components again with profiles included n while deploying you need deploy only profiles 
If you are deploying using Ant , include everything except profiles in the XML. File do a retrieve and deploy components and in the next iteration use the same package.xml file and include profiles this time and do a retrieve and then from the retrieved folders delete everything but profiles folder and in the package.xml delete everything but profile components and then deploy, this should work for you 
Thomas FrielingThomas Frieling
As I am on sfdx I think I have to adjust slightly, so what I did was:
  1. create the MD output using 
    mdapi_output_dir/ --packagename release-pkgsfdx force:source:convert -d
  2. remove the profiles from mdapi_output_dir/package.xml
  3. sfdx force:mdapi:deploy -d mdapi_output_dir/ -u DxTest
    • works
  4. remove everything but the profiles from mdapi_output_dir/package.xml
  5. sfdx force:mdapi:deploy -d mdapi_output_dir/ -u DxTest
    • ERROR: Error  mdapi_output_dir/profiles/Admin.profile             Admin             Unknown user permission: AllowUniversalSearch
​Ergo I can deploy everything without the profiles, but not the profiles themselves (even separately).

Any other ideas? Or is sfdx just not usable yet?
ok then I can think of this option, comment all the permissions from the profiles for example AllowUniversalSearch and then deploy and you can manually grant those permission in the target org, after the deployment
Thomas FrielingThomas Frieling
yes, that should work I guess. Leaves a bad taste since that rather feels like a creepy workaround than a solution. 
yes thats a  lot of manual work , please mark this as solved if it helps you
Good luck !
Mark this as solved if this helps you, you too will fetch some points if the question is marked as solved :)
Brandon H. BarrBrandon H. Barr
What I have found is that some of these are due to features being enabled in scratch orgs by default that arent enabled in production orgs like communities and knowledge. Have yet to find a solution for this issue.