generating-permission-set


When to Use This Skill


Use when generating or editing permission set metadata, or when granting object, field, user, and app permissions.

Step 1: Define Core Properties


Start by defining the required permission set properties:
xml
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>YourPermissionSetName</fullName>
    <label>Display Name for Administrators</label>
    <description>Clear description of purpose and intended audience</description>
</PermissionSet>
Naming conventions:
  • Use descriptive API names (e.g., Sales_Manager_Access)
  • In SFDX source format the API name comes from the file name (permissionsets/YourPermissionSetName.permissionset-meta.xml); keep <fullName> consistent with it

Step 2: Configure Object Permissions


Add CRUD permissions for standard and custom objects:
xml
<objectPermissions>
    <allowCreate>true</allowCreate>
    <allowRead>true</allowRead>
    <allowEdit>true</allowEdit>
    <allowDelete>false</allowDelete>
    <modifyAllRecords>false</modifyAllRecords>
    <viewAllRecords>false</viewAllRecords>
    <viewAllFields>false</viewAllFields>
    <object>Account</object>
</objectPermissions>

Step 3: Set Field-Level Security


Define field permissions for sensitive or custom fields:
xml
<fieldPermissions>
    <editable>true</editable>
    <readable>true</readable>
    <field>Account.SSN__c</field>
</fieldPermissions>
Important:
  • Required fields must NEVER appear in <fieldPermissions>. The platform does not allow field-level security on required fields, and including one fails the whole deployment.
  • Before adding any field, confirm from the object metadata that the field exists and is not required. A field is required when its metadata contains <required>true</required>:
xml
<fields>
    <fullName>FieldName__c</fullName>
    <required>true</required>
</fields>
  • Master-detail fields are required fields on the child (detail) object, so they are excluded as well
  • Formula fields cannot be editable; grant them readable only
  • Reference fields in the format ObjectName.FieldName
  • Set both readable and editable to true when the user needs edit access; editable requires readable, and editable without readable is rejected
  • If every field on the object should be visible, the viewAllFields object permission is an alternative to listing each field

Step 4: Grant User Permissions


Add system-level permissions for features and capabilities:
xml
<userPermissions>
    <enabled>true</enabled>
    <name>ApiEnabled</name>
</userPermissions>
<userPermissions>
    <enabled>true</enabled>
    <name>RunReports</name>
</userPermissions>
Common permissions:
  • ApiEnabled: API access
  • ViewSetup: View Setup menu
  • RunReports: Report execution
Security review required for:
  • ViewAllData: Read all records, bypassing sharing rules
  • ModifyAllData: Edit all records, bypassing sharing rules
  • ManageUsers: User administration

Step 5: Configure App and Tab Visibility


Make applications and tabs visible to users:
xml
<applicationVisibilities>
    <application>Sales_Console</application>
    <visible>true</visible>
</applicationVisibilities>
<tabSettings>
    <tab>CustomTab__c</tab>
    <visibility>Visible</visibility>
</tabSettings>
Application visibility options:
  • <visible> can be true or false
Tab visibility options:
  • Visible: The tab is available on the All Tabs page and appears in the visible tabs for its associated app. Users can customize it.
  • Available: The tab is available on the All Tabs page. Individual users can customize their display to make the tab visible in any app.
  • None: Not visible
CRITICAL - Tab Naming:
  • Custom object tabs: the tab name is the object's API name and MUST include the __c suffix (e.g., MyCustomObject__c)
  • Standard object tabs: Use the object name with the "standard-" prefix (e.g., standard-Account, standard-Contact)

Step 6: Add Apex and Visualforce Access (Optional)


Grant access to custom code:
xml
<classAccesses>
    <apexClass>CustomController</apexClass>
    <enabled>true</enabled>
</classAccesses>
<pageAccesses>
    <apexPage>CustomPage</apexPage>
    <enabled>true</enabled>
</pageAccesses>

Step 7: Set License and Record Type Settings (Optional)


Specify license requirements and record type visibility:
xml
<license>Salesforce</license>
<hasActivationRequired>false</hasActivationRequired>
<recordTypeVisibilities>
    <recordType>Account.Business</recordType>
    <visible>true</visible>
</recordTypeVisibilities>
Note: a permission set's recordTypeVisibilities element carries only recordType and visible. The default record type is set on the profile; <default> is a Profile metadata element, not a PermissionSet one.

Step 8: Set Agent Access (Optional)


Enable access to Agentforce Employee Agents for users assigned to this permission set:
xml
<agentAccesses>
    <agentName>Sales_Assistant_Agent</agentName>
    <enabled>true</enabled>
</agentAccesses>
Field requirements:
  • agentName (Required): The developer name of the employee agent
  • enabled (Required): Set to true to grant access, false to deny
Important:
  • Agent names must match existing Agentforce Employee Agent developer names

Validation Checklist


Before deploying, verify:
  • fullName, label, and description are set
  • Permissions follow least privilege: viewAllRecords, modifyAllRecords, ViewAllData, ModifyAllData, and ManageUsers are absent unless the security review in Step 4 approved them
  • No required fields in <fieldPermissions>
  • Every editable field is also readable
  • No duplicate permissions (the same object, field, tab, or user permission listed twice)
  • No lengthy comments

What Causes Deployment Failure


  • Field permissions on required fields: Any required field in <fieldPermissions> fails deployment. Required fields cannot have FLS; omit them entirely. Always confirm from object/field metadata that a field exists and is not required; never assume.
  • Incorrect API names: Using the wrong name or missing suffixes (e.g. a missing __c on custom objects, fields, or tabs) causes failure.
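The checks in Step 3, the validation checklist, and the failure causes above can be mechanized. The following is an added example written for this page, not code from the skill or from Salesforce: it generates a least-privilege permission set from a spec and then pre-checks a permission set file against object metadata. The OBJECT_META table, the spec shape accepted by build_permission_set, and the field flags are constructed assumptions; in a real project the required/formula flags would be read from the <fields> entries under force-app/main/default/objects/.

```python
"""Generate a least-privilege PermissionSet and pre-check it against object metadata."""
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", NS)  # serialize with a default namespace, as Salesforce expects

# Constructed sample of object/field metadata (assumed, not read from a real org):
# object -> field -> flags, as found in <Object>/fields/<Field>.field-meta.xml.
OBJECT_META = {
    "Account": {
        "Name": {"required": True, "formula": False},     # standard required field
        "SSN__c": {"required": False, "formula": False},
        "Age__c": {"required": False, "formula": True},   # formula: never editable
        "Region__c": {"required": False, "formula": False},
    },
}

# User permissions the page flags for security review.
HIGH_RISK_USER_PERMS = {"ViewAllData", "ModifyAllData", "ManageUsers"}


def _sub(parent, tag, text=None):
    """Append a namespaced child; booleans are rendered as Salesforce's true/false."""
    el = ET.SubElement(parent, f"{{{NS}}}{tag}")
    if text is not None:
        el.text = "true" if text is True else "false" if text is False else str(text)
    return el


def build_permission_set(spec, object_meta=OBJECT_META):
    """Return (xml_text, warnings). `spec` is a hypothetical input shape:
    {"label", "description", "objects": {obj: {"create","read","edit","delete"}},
     "fields": {"Obj.Field": "read"|"edit"}, "user_perms": [...], "tabs": [...]}
    Required fields are dropped, formula fields are downgraded to read-only, and the
    view-all/modify-all object flags are always false (least privilege by default)."""
    warnings = []
    root = ET.Element(f"{{{NS}}}PermissionSet")
    _sub(root, "label", spec["label"])
    _sub(root, "description", spec["description"])
    for obj, p in sorted(spec.get("objects", {}).items()):
        op = _sub(root, "objectPermissions")
        _sub(op, "allowCreate", p.get("create", False))
        _sub(op, "allowRead", p.get("read", True))
        _sub(op, "allowEdit", p.get("edit", False))
        _sub(op, "allowDelete", p.get("delete", False))
        _sub(op, "modifyAllRecords", False)
        _sub(op, "viewAllRecords", False)
        _sub(op, "viewAllFields", False)
        _sub(op, "object", obj)
    for ref, level in sorted(spec.get("fields", {}).items()):
        obj, _, fld = ref.partition(".")
        meta = object_meta.get(obj, {}).get(fld)
        if meta is None:
            warnings.append(f"{ref}: not found in object metadata, skipped")
            continue
        if meta["required"]:
            warnings.append(f"{ref}: required field, FLS omitted")
            continue
        if level == "edit" and meta["formula"]:
            warnings.append(f"{ref}: formula field, downgraded to read-only")
        fp = _sub(root, "fieldPermissions")
        _sub(fp, "editable", level == "edit" and not meta["formula"])
        _sub(fp, "readable", True)  # editable requires readable, so read is always granted
        _sub(fp, "field", ref)
    for name in sorted(set(spec.get("user_perms", []))):  # set() drops duplicates
        if name in HIGH_RISK_USER_PERMS:
            warnings.append(f"{name}: high-risk user permission, needs security review")
        up = _sub(root, "userPermissions")
        _sub(up, "enabled", True)
        _sub(up, "name", name)
    for tab in sorted(set(spec.get("tabs", []))):
        ts = _sub(root, "tabSettings")
        _sub(ts, "tab", tab)
        _sub(ts, "visibility", "Visible")
    return ET.tostring(root, encoding="unicode"), warnings


def validate_permission_set(xml_text, object_meta=OBJECT_META):
    """Pre-deploy check for an existing file; returns the list of problems found."""
    root = ET.fromstring(xml_text)
    problems, seen = [], set()
    for fp in root.findall(f"{{{NS}}}fieldPermissions"):
        ref = fp.findtext(f"{{{NS}}}field")
        editable = fp.findtext(f"{{{NS}}}editable") == "true"
        readable = fp.findtext(f"{{{NS}}}readable") == "true"
        if ref in seen:
            problems.append(f"{ref}: duplicate fieldPermissions entry")
        seen.add(ref)
        obj, _, fld = ref.partition(".")
        meta = object_meta.get(obj, {}).get(fld)
        if meta is None:
            problems.append(f"{ref}: field not found in object metadata")
        elif meta["required"]:
            problems.append(f"{ref}: required field cannot have FLS")
        elif meta["formula"] and editable:
            problems.append(f"{ref}: formula field cannot be editable")
        if editable and not readable:
            problems.append(f"{ref}: editable without readable")
    for ts in root.findall(f"{{{NS}}}tabSettings"):
        tab = ts.findtext(f"{{{NS}}}tab")
        if not (tab.endswith("__c") or tab.startswith("standard-")):
            problems.append(f"tab {tab}: expected a __c suffix or standard- prefix")
    return problems
```

Run validate_permission_set over the file contents before every deploy; an empty list means none of the failure causes listed above apply to the field and tab entries, while the warnings from build_permission_set are the items a reviewer should sign off on before the permission set is assigned.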

Deployment


Deploy using Salesforce CLI, for example sf project deploy start --metadata PermissionSet:YourPermissionSetName (or --source-dir pointing at the permissionsets folder). Run the validation checklist first: a failed deployment leaves the org unchanged, but a successful one grants the permissions immediately to every user already assigned the permission set.