---
name: generating-permission-set
description: "Generates correct, deployable Salesforce permission set metadata (PermissionSet XML) with object, field, user, and app permissions. Use this skill when creating or editing permission set metadata, object permissions, field-level security (FLS), tab visibility, or deploying permission sets."
compatibility: Salesforce Metadata API v60.0+
metadata:
  author: sf-skills
  version: "1.0"
---
## When to Use This Skill
Use when generating or editing permission set metadata, or when granting object, field, user, and app permissions.
## Step 1: Define Core Properties
Start by defining the required permission set properties:
```xml
YourPermissionSetNameClear description of purpose and intended audience
```
**Naming conventions:**
- Use descriptive API names (e.g., `Sales_Manager_Access`)
## Step 2: Configure Object Permissions
Add CRUD permissions for standard and custom objects:
```xml
truetruetruefalsefalsefalsefalse
```
## Step 3: Set Field-Level Security
Define field permissions for sensitive or custom fields:
```xml
<fieldPermissions>
    <editable>true</editable>
    <field>Account.SSN__c</field>
    <readable>true</readable>
</fieldPermissions>
```
**Important:**
- Required fields must NEVER appear in the list of field permissions. Granting field-level security on required fields is not allowed by the platform and will cause deployment failure.
- Before adding any field, confirm from the object metadata that the field exists and is not required
- Formula fields cannot be editable
- Master-detail fields are required fields on the child (detail) object
- A field is required when its metadata contains `<required>true</required>`:
```xml
<fullName>FieldName__c</fullName>
<required>true</required>
```
- Use format `ObjectName.FieldName` for field references
- Set both readable and editable to true when the user needs edit access; editable implies readable
- If all fields should be visible, you can alternatively enable the `viewAllFields` object permission
## Step 4: Grant User Permissions
Add system-level permissions for features and capabilities:
```xml
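<userPermissions>
    <enabled>true</enabled>
    <name>ApiEnabled</name>
</userPermissions>
<userPermissions>
    <enabled>true</enabled>
    <name>RunReports</name>
</userPermissions>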
```
**Common permissions:**
- `ApiEnabled`: API access
- `ViewSetup`: View Setup menu
- `ManageUsers`: User management
- `RunReports`: Report execution
**Security review required for:**
- `ViewAllData`: Read all records
- `ModifyAllData`: Edit all records
- `ManageUsers`: User administration
## Step 5: Configure App and Tab Visibility
Make applications and tabs visible to users:
```xml
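<applicationVisibilities>
    <application>Sales_Console</application>
    <visible>true</visible>
</applicationVisibilities>
<tabSettings>
    <tab>CustomTab__c</tab>
    <visibility>Visible</visibility>
</tabSettings>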
```
**Application visibility options:**
- `visible` can be `true` or `false`
**Tab visibility options:**
- `Visible`: The tab is available on the All Tabs page and appears in the visible tabs for its associated app. Can be customized.
- `Available`: The tab is available on the All Tabs page. Individual users can customize their display to make the tab visible in any app
- `None`: Not visible
**CRITICAL - Tab Naming:**
- Custom object tabs: MUST include the `__c` suffix (e.g., `MyCustomObject__c`)
- Standard object tabs: Use the object name with the `standard-` prefix (e.g., `standard-Account`, `standard-Contact`)
- The tab name matches the object's API name exactly
## Step 6: Add Apex and Visualforce Access (Optional)
Grant access to custom code:
```xml
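<classAccesses>
    <apexClass>CustomController</apexClass>
    <enabled>true</enabled>
</classAccesses>
<pageAccesses>
    <apexPage>CustomPage</apexPage>
    <enabled>true</enabled>
</pageAccesses>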
```
## Step 7: Set License and Record Type Settings (Optional)
Specify license requirements and record type visibility:
```xml
SalesforcefalseAccount.Businesstruetrue
```
## Step 8: Set Agent Access (Optional)
Enable access to Agentforce Employee Agents for users assigned to this permission set:
```xml
<agentAccesses>
    <agentName>Sales_Assistant_Agent</agentName>
    <enabled>true</enabled>
</agentAccesses>
```
**Field requirements:**
- `agentName` (Required): The developer name of the employee agent
- `enabled` (Required): Set to `true` to grant access, `false` to deny

**Important:**
- Agent names must match existing Agentforce Employee Agent developer names
## Validation Checklist
Before deploying, verify:
- [ ] fullName, label, description set
- [ ] Permissions follow least privilege
- [ ] No required fields in `<fieldPermissions>`
- [ ] No duplicate permissions
- [ ] No lengthy comments
## What Causes Deployment Failure
- **Field permissions on required fields:** Any required field in `<fieldPermissions>` fails deployment. Required fields cannot have FLS; omit them entirely. Always confirm from object/field metadata that a field exists and is not required; never assume.
- **Incorrect API names:** Using the wrong name or missing suffixes (e.g. missing `__c` for custom objects, fields, tabs) causes deployment failure.
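
A pre-deployment lint covering the checklist and the failure causes above, as an added example (not part of this skill or of any Salesforce tooling). The rule names, the `required_fields` argument and the sample XML are assumptions made for illustration; the caller builds `required_fields` from the object metadata.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
REVIEW_REQUIRED = {"ViewAllData", "ModifyAllData", "ManageUsers"}  # Step 4 list

# Constructed sample permission set (Invoice__c.Account__c is a hypothetical
# master-detail field, so it counts as required on the detail object).
SAMPLE = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sales Manager Access</label>
  <fieldPermissions><editable>true</editable><field>Account.SSN__c</field><readable>true</readable></fieldPermissions>
  <fieldPermissions><editable>true</editable><field>Invoice__c.Account__c</field><readable>false</readable></fieldPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</PermissionSet>"""

def lint_permission_set(xml_text, required_fields):
    """Return sorted (rule, item) findings. required_fields is the set of
    Object.Field names the caller confirmed as required from object metadata."""
    root = ET.fromstring(xml_text)
    findings = set()
    fields = []
    for fp in root.findall("md:fieldPermissions", NS):
        name = fp.findtext("md:field", "", NS).strip()
        fields.append(name)
        if name.count(".") != 1:  # must be ObjectName.FieldName
            findings.add(("bad-field-reference", name))
        if name in required_fields:  # FLS on a required field fails deployment
            findings.add(("fls-on-required-field", name))
        editable = fp.findtext("md:editable", "false", NS).strip() == "true"
        readable = fp.findtext("md:readable", "false", NS).strip() == "true"
        if editable and not readable:  # edit access needs both set to true
            findings.add(("editable-without-readable", name))
    perms = []
    for up in root.findall("md:userPermissions", NS):
        name = up.findtext("md:name", "", NS).strip()
        perms.append(name)
        enabled = up.findtext("md:enabled", "false", NS).strip() == "true"
        if enabled and name in REVIEW_REQUIRED:
            findings.add(("needs-security-review", name))
    for item, count in Counter(fields + perms).items():
        if count > 1:
            findings.add(("duplicate-entry", item))
    return sorted(findings)

if __name__ == "__main__":
    for rule, item in lint_permission_set(SAMPLE, {"Invoice__c.Account__c"}):
        print(f"{rule}: {item}")
```
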
## Deployment
Deploy using Salesforce CLI.