Gorav Seth

How do I deploy permission sets referencing fields in a managed package?

We are rolling out a HRIS built on force.com and I am trying to do things "properly" i.e. in a sandbox, and deploy to production.

So, we have a few custom permission sets that we need to migrate over.  When I migrate them solo, nothing really comes over, just the permission set name (tried via Eclipse and Workbench as well to confirm).

Per this help article (http://help.salesforce.com/HTViewHelpDoc?id=changesets_perm_sets_profiles.htm&language=en_US), in order to get the object settings to come over, I have to include all the fields in these objects, but as they are part of a managed package, I can't do so!

Am I missing something?  Looks like I can get this via Workbench / metadata API via manually including the custom object names in the package.xml file, but that's probably more painful than just re-creating the permission set in production, though I guess could be used in the future.

Anyways, looking for any insight on how to stay on the up-and-up.

Thanks
Best Answer chosen by Gorav Seth
Gorav Seth
Finally figured this out - was very close before, but there is a checkbox in workbench when you deploy metadata for "allow missing files".  Checking that checkbox allowed me to deploy field, object, and tab permissions on a managed object to a permission set.

I wrote up some details on my blog, here: 
http://goravseth.com/deploying-a-permission-set-for-a-managed-package-from-sandbox

Thanks for the help!

All Answers

Jeff May
You don't.  Since you can't include the managed fields in your Change Set, the Permission Set will deploy with those fields 'unchecked'.
Gorav Seth
Thanks Jeff.  Will try cross posting to developer boards to see if anyone can enlighten me on metadata api / ant options.  I can't imagine that the only way to work w/ an app is to do it in production or manually migrate permissions.  Till then, I'm going to be this guy:

[image: don't be this guy]
Gorav Seth
Finally figured this out.  You can extract and upload permission set data from Sandbox to Production for any objects including managed objects, using data loader / workbench in 3 rounds.

1. Create the permission set in production (can do this via a change set).

2a. Query the ObjectPermissions object for all fields, where ParentId = the ID of the permission set.
2b. Insert the ObjectPermissions, setting ParentId to the ID of the permission set in production.

3a. Query the FieldPermissions object for all fields where ParentId = the ID of the permission set.
3b. Insert the FieldPermissions, setting ParentId to the ID of the permission set in production.

Not sure about deploying apex and visualforce security in this manner - I did not see any object that stores these permissions, but perhaps one exists.
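The remapping in steps 2b and 3b above, as an added example that is not part of the original post: it takes a CSV export of ObjectPermissions (or FieldPermissions) from the sandbox, drops the sandbox record Ids, and points ParentId at the production permission set. The record IDs, the `hris__` namespace and the extra check that lists rows granting View All / Modify All for review before insert are assumptions of this example.

```python
import csv
import io

# Constructed sample export of ObjectPermissions from the sandbox; IDs and the
# "hris__" namespace are placeholders, not values from the thread.
SANDBOX_OBJECT_PERMS = """Id,ParentId,SobjectType,PermissionsCreate,PermissionsRead,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
110000000000001AAA,0PS000000000001AAA,hris__Employee__c,true,true,true,false,false,false
110000000000002AAA,0PS000000000001AAA,hris__Salary__c,false,true,false,false,true,true
110000000000003AAA,0PS000000000009AAA,hris__Salary__c,true,true,true,true,true,true
"""

BROAD = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


def remap_permissions(export_csv, sandbox_ps_id, prod_ps_id):
    """Return (rows_to_insert, rows_needing_review) for one permission set."""
    rows, review = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["ParentId"] != sandbox_ps_id:
            continue  # belongs to another permission set or profile
        row.pop("Id", None)  # sandbox record Ids are meaningless in production
        row["ParentId"] = prod_ps_id
        rows.append(row)
        # FieldPermissions rows have no BROAD columns, so .get() keeps this generic
        if any(row.get(col, "").lower() == "true" for col in BROAD):
            review.append(row)
    return rows, review


def to_csv(rows):
    """Serialize remapped rows for a data loader / Workbench insert."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, review = remap_permissions(
        SANDBOX_OBJECT_PERMS, "0PS000000000001AAA", "0PS0000000000P1AAA")
    print(to_csv(rows))
    for r in review:
        print("review before insert:", r["SobjectType"])
```

The same function handles a FieldPermissions export, since only `Id` and `ParentId` are touched and the broad-access columns are looked up optionally.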
Gorav Seth
Another update...so close...yet so far.  

Have not been able to find any way so far to deploy Tab permissions.

I've started trying to use the metadata API from workbench.developerforce.com and if I specify the API object name w/ the namespace of the managed object, I can pull a package w/ all permissions for that object.  However, I have not been able to successfully deploy that package.

Some folks pointed me at the Snapshot app by Dreamfactory, and they say they can indeed pull this off.  They say they do it all using the metadata API, so I feel like if they can do it so can I, but so far that has not proven to be the case.

Will post another update if / when any progress is made.  