jamesmelv

Metadata API does not include the objectPermissions tag in a profile without access to the object.

When retrieving profiles for custom objects in a project.xml manifest, the returned profiles do not contain the objectPermissions object for objects that they do not have access to (i.e., no CRUD permission).

 

Steps to reproduce:
Open a force.com developer edition instance
Create an object named Object__c.
Create a profile named Profile without any access to Object__c.
Retrieve from metadata API (v.28 / eclipse) using the following package.xml

<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
<types>
<members>Object__c</members>
<name>CustomObject</name>
</types>
<types>
<members>Profile</members>
<name>Profile</name>
</types>
<version>28.0</version>
</Package>

See that the profile received is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
<userLicense>Salesforce</userLicense>
</Profile>

Before the Winter 14 upgrade, the profile contained:
<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
<objectPermissions>
<allowCreate>false</allowCreate>
<allowDelete>false</allowDelete>
<allowEdit>false</allowEdit>
<allowRead>false</allowRead>
<modifyAllRecords>false</modifyAllRecords>
<object>Object__c</object>
<viewAllRecords>false</viewAllRecords>
</objectPermissions>
<userLicense>Salesforce</userLicense>
</Profile>


Enable read access to the Object__c object for Profile.

Refresh from server, and see that the profile now contains:
<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
<objectPermissions>
<allowCreate>false</allowCreate>
<allowDelete>false</allowDelete>
<allowEdit>false</allowEdit>
<allowRead>true</allowRead>
<modifyAllRecords>false</modifyAllRecords>
<object>Object__c</object>
<viewAllRecords>false</viewAllRecords>
</objectPermissions>
<userLicense>Salesforce</userLicense>
</Profile>

We can see that the objectPermissions tag for that object is not retrieved in this profile when the profile has no access to the object.

 

Has anyone else encountered this issue, and found a workaround? This is causing issues for us, because if we remove object access from a profile, it will not be available to commit to our source control, and will not be updated when we deploy metadata to another environment.

Chabir Ahamed Mouhamad 14
Yes, we have the same issue. It would be better if Salesforce can keep objects with no access in the metadata files.
Abhinav Gupta 13
@jamesmelv, I would assume that, as you want to deploy false permissions further, somewhere in your higher environments the permissions have been true and you want to modify them. So the next step would be to retrieve the true permissions of the required objects into the profile. After retrieving the profile metadata file, please segregate the objectPermissions tags into a new Notepad file and replace 'true' with 'false'. All the object permissions which you want to be false will then be false, and you can put the contents of this new Notepad file in place of the objectPermissions tags in your original file.

Note: Please check in the Salesforce org, under the profile's object settings, whether any of the objects contains the word 'true' in its name; otherwise it will also get overwritten. Then you can write the original name again for that object.
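
Added example (not part of the thread and not Salesforce code): the workaround from the last reply done by parsing the profile XML instead of a text find-and-replace, so only the permission flags are rewritten and an object name containing 'true' is untouched; it also recreates the all-false entry that the retrieve omitted. The names `deny_objects`, `permissions` and `SAMPLE` are hypothetical, and it assumes, as the reply does, that deploying an explicit false entry is what updates the target org.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
# Boolean children of <objectPermissions>, as listed in the retrieved files above.
FLAGS = ["allowCreate", "allowDelete", "allowEdit", "allowRead",
         "modifyAllRecords", "viewAllRecords"]

def q(tag):
    return "{%s}%s" % (NS, tag)

def deny_objects(profile_xml, objects):
    """Return the profile with an explicit all-false entry for each object."""
    ET.register_namespace("", NS)
    root = ET.fromstring(profile_xml)
    by_name = {op.findtext(q("object")): op for op in root.findall(q("objectPermissions"))}
    for name in objects:
        op = by_name.get(name)
        if op is None:  # entry omitted by the retrieve: recreate it
            op = ET.SubElement(root, q("objectPermissions"))
            ET.SubElement(op, q("object")).text = name
        for flag in FLAGS:
            el = op.find(q(flag))
            if el is None:
                el = ET.SubElement(op, q(flag))
            el.text = "false"  # only flags are written, never <object>
        op[:] = sorted(op, key=lambda e: e.tag)  # same child order as retrieved
    root[:] = sorted(root, key=lambda e: e.tag)  # objectPermissions before userLicense
    ET.indent(root)  # Python 3.9+
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def permissions(profile_xml):
    """Map object name -> {flag: text}, for checking a profile before commit."""
    root = ET.fromstring(profile_xml)
    return {op.findtext(q("object")):
            {c.tag.split("}")[1]: c.text for c in op if c.tag != q("object")}
            for op in root.findall(q("objectPermissions"))}

# Constructed sample: a granted object whose name contains "true"; no Object__c entry.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
<objectPermissions>
<allowRead>true</allowRead>
<object>Construed__c</object>
</objectPermissions>
<userLicense>Salesforce</userLicense>
</Profile>"""

if __name__ == "__main__":
    print(deny_objects(SAMPLE, ["Construed__c", "Object__c"]))
```

Running `permissions` on the file about to be committed gives a quick check that every object meant to be revoked has an explicit entry with all flags false.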