Ask Search:
Prathibha SPrathibha S 

Update to Permission Set Metadata Deployment in API 40.0 with Summer ‘17

Hi Geeks,

I have came across an update from Salesforce products ATTENTION: Update to Permission Set Metadata Deployment in API 40.0 with Summer ‘17.

Even after going through the mail, I couldn't figure out what steps has to be taken for this. Is it applicable only when we deploy permission set using metadata (or) changeset as well?

Pasting here the details I got in email :

What is Permission Set Metadata?
A permission set is a collection of settings and permissions that give users access to various tools and functions. The Metadata API is used to manage customizations and build tools that can manage the metadata model, including permission sets.

What is changing?
With the Summer '17* release in API version 40.0 and greater, when you retrieve permission set metadata, all metadata API exposed contents for the permission set(s) are retrieved. Retrieval includes Apex associated with the permission set, CRUD, and so forth.

In API version 39.0 and earlier, retrieving permission set metadata returns only app and system permissions that are assigned to the permission set. Junction metadata (such as Apex, CRUD) are only included if the metadata for the related component is also included in the package definition.

*Currently targeted June 2017, but subject to change

What does this mean for you?
In API 39.0 and earlier, when you deploy your retrieved permission set output to another org, the contents of deployment are merged with your current org data. However, in API version 40.0, when you deploy the output of the retrieval to another org, the target org data is replaced by the metadata in the deployment.

For example, in API version 39.0, if your permission set contains the "Manage Roles" user permission and you deploy a metadata file without this user permission, "Manage Roles" remains enabled. However, in API version 40.0, if you deploy a metadata file without this user permission, "Manage Roles" is disabled.

What action do I need to take?
Understand this behavioral change in API version 40.0 before you deploy permission set data using the metadata API to avoid unintended data overwrites. If an overwrite occurs, use the audit trail as a basis for manually recreating data in your org.

Why is Salesforce making this change?
This change simplifies the metadata packaging definition needed to produce consistent permission set outputs. The consistent output allows changes to be trackable in standard version control systems and aligns with the new Salesforce DX features. This change also allows transfers of permission set content between production, sandbox, and other related orgs to be easier and more predictable.

 
Prathibha SPrathibha S
Hi James,

Thanks for the note. I am expecting that this will be applicable only if we use package.xml and metadata not changeset. Is that so? 
Daniel BallingerDaniel Ballinger
My interpretation of the email does indicate a change for deploy.

If you were using v39.0 or earlier then a deploy of Permisison Set metadata then "the contents of deployment are merged with your current org data". I.e. if you included something in the metadata then it would be merged into the target org. If it was omitted then no change would occur in the target.

With v40.0 and later omitting the Permission Set metadata would disable that permission.

See also How is Permission Set Metadata Deployment changing in Summer '17 (API 40.0)? (http://salesforce.stackexchange.com/q/169048/102)
James SullivanJames Sullivan
Daniel is right, I'm deleting my previous responses:
> API version 40.0, if you deploy a metadata file without this user permission, "Manage Roles" is disabled.