Testing Permission Set Deployment Changes
The Summer17 release made a rather significant change to permission set deployment.
In API 40.0 and later, when you deploy the output of a retrieval to another org, the target org metadata is now replaced by the metadata in the deployment. In API 39.0 and earlier, when you deploy your retrieved permission set output to another org, the deployment contents are merged with your current org data.
So the new permission set blows away the old one. This left me w/ some weedy questions I wanted to test, and this is what I found:
- Does deploying permission set really overwrite ALL permission in target org (CRED, Tab, Record Type, FLS, System Perms, VF, Apex, etc)
answer : yes for CRED, Record Type, VF, Apex, FLS. I still need to test system perms but there is no trace left of the old permission set so i’m going to say yes to all
- does this apply to profiles as well as permission sets?
it appears to only apply to permission sets, which is good since the release notes specifically call this a change to permission set deployment. Given that profiles and permission sets are basically the same under the hood, this is sorta interesting i suppose.
profiles behave just like they did before - the deployment only updated FLS for fields that are included in the change set. Tab permissions require object to be included, etc. this is good, because I typically include the system admin profile on deployments b/c i set all other perms via permission sets, but admins get it all. always.
- what about managed components (FLS on managed fields, Apex / VF page access)
This is a huge improvement - Tab, CRED, FLS and apex/vf for managed fields / objects move easily w/ permission sets now (only permission sets, not profiles as you cant include managed fields / objects in a change set).
Dealing with this used to be a huge PITA and I have some old blog post about it. Now only if Financial Force wasnt tossing their HCM product under the bus… and then stomping on its head for good measure.
One thing I didnt test - I’m not sure how missing components are handled, ie if you try to include something that doesnt exist in the target environment, but life is short, i’m sure i’ll run into this someday.
If you find out anything similar, different, or otherwise interesting, please let me know! For anyone who lives in sandboxes, this is a huge change that I think many people may not know about and might be a bit surprised by.