# sf-permissions

Salesforce Permission Set analysis, visualization, and auditing tool
## When to Use This Skill
Use when the user needs to:

- Visualize Permission Set and Permission Set Group hierarchies
- Find out "who has access to X?" (objects, fields, Apex classes, custom permissions)
- Analyze what permissions a specific user has
- Export Permission Set configurations for auditing
- Generate Permission Set XML metadata
- Understand permission inheritance through PSG membership
## Capabilities
| Capability | Description |
|---|---|
| Hierarchy Viewer | Visualize all PS/PSG in an org as ASCII trees |
| Permission Detector | Find which PS/PSG grant a specific permission |
| User Analyzer | Show all permissions assigned to a user |
| CSV Exporter | Export PS configuration for documentation |
| Metadata Generator | Generate Permission Set XML (delegates to sf-metadata) |
| Tooling API | Query tab settings, system permissions via Tooling API |
## Prerequisites
```bash
# Python dependencies
pip install simple-salesforce rich

# Salesforce CLI (for authentication)
sf --version  # Must be installed and authenticated
```
## Authentication

This skill reuses existing `sf` CLI authentication. Ensure you're authenticated:

```bash
# Check current org
sf org display

# Authenticate if needed
sf org login web --alias myorg
```
---

## Phase 1: Understanding the Request
When a user asks about permissions, identify which capability they need:
| User Says | Capability | Function |
|---|---|---|
| "Show permission hierarchy" | Hierarchy Viewer | |
| "Who has access to Account?" | Permission Detector | |
| "What permissions does John have?" | User Analyzer | |
| "Export Sales_Manager PS to CSV" | CSV Exporter | |
| "Generate PS XML with these permissions" | Metadata Generator | |
## Phase 2: Connecting to the Org
### Step 1: Determine Target Org
```bash
# List available orgs
sf org list

# Default to current target org, or ask user to specify
sf org display --target-org <alias>
```
### Step 2: Get Connection via Python
```bash
# Run from sf-permissions/scripts/
python -c "
from auth import get_sf_connection
sf = get_sf_connection('myorg')  # or None for default
print(f'Connected to: {sf.sf_instance}')
"
```
---

## Phase 3: Executing Queries
### 3.1 Permission Hierarchy Viewer
**Purpose**: Show all Permission Sets and Permission Set Groups in the org

```bash
cd ~/.claude/plugins/marketplaces/sf-skills/sf-permissions/scripts
python cli.py hierarchy [--target-org ALIAS] [--format ascii|mermaid]
```

**Output Example**:

```
📦 ORG PERMISSION HIERARCHY
════════════════════════════════════════

📁 Permission Set Groups (3)
├── 🔒 Sales_Cloud_User (Active)
│   ├── View_All_Accounts
│   ├── Edit_Opportunities
│   └── Run_Reports
├── 🔒 Service_Cloud_User (Active)
│   └── Case_Management
└── 🔒 Marketing_User (Outdated)
    └── Campaign_Access

📁 Standalone Permission Sets (12)
├── Admin_Tools
├── API_Access
└── ... (10 more)
```
### 3.2 Permission Detector ("Who has access to X?")
**Purpose**: Find which PS/PSG grant a specific permission
### 3.3 Agent Access Permissions

**Purpose**: Grant users access to Agentforce Employee Agents

Employee Agents require explicit access via the `<agentAccesses>` element in Permission Sets. Without this, users won't see the agent in the Lightning Experience Copilot panel.

**Permission Set XML Structure**:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <agentAccesses>
        <agentName>Case_Assist</agentName>
        <enabled>true</enabled>
    </agentAccesses>
    <hasActivationRequired>false</hasActivationRequired>
    <label>Case Assist Agent Access</label>
</PermissionSet>
```

**Key Points**:
- `<agentName>` must exactly match the `developer_name` in the agent's config block
- Multiple `<agentAccesses>` elements can be included for multiple agents
- `<enabled>true</enabled>` grants access; `false` or omission denies access

**Deploy and Assign**:
```bash
# Deploy permission set
sf project deploy start --source-dir force-app/main/default/permissionsets/Agent_Access.permissionset-meta.xml -o TARGET_ORG

# Assign via Setup > Permission Sets > Manage Assignments
```
---
### Agent Visibility Troubleshooting
When an Agentforce Employee Agent is deployed but not visible to users:
#### Step 1: Verify Agent Status
```bash
sf org open -p "/lightning/setup/EinsteinAgentforce/home" -o TARGET_ORG
# Agent should show Status: Active
```

#### Step 2: Check for Agent Access Permission
```bash
# Retrieve permission sets to check for agentAccesses
sf project retrieve start -m "PermissionSet:*" -o TARGET_ORG

# Search for agentAccesses element
grep -r "agentAccesses" force-app/main/default/permissionsets/
```

#### Step 3: Create Permission Set (if needed)
Create `force-app/main/default/permissionsets/MyAgent_Access.permissionset-meta.xml`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <agentAccesses>
        <agentName>MyAgent</agentName>
        <enabled>true</enabled>
    </agentAccesses>
    <hasActivationRequired>false</hasActivationRequired>
    <label>MyAgent Access</label>
</PermissionSet>
```
#### Common Issues
| Symptom | Cause | Solution |
|---|---|---|
| No Agentforce icon | CopilotSalesforceUser PS not assigned | Assign CopilotSalesforceUser permission set |
| Icon visible, agent not in list | Missing agentAccesses | Add `<agentAccesses>` to the Permission Set |
| Agent visible, errors on open | Agent not fully published | Check agent logs in Setup |
| "Agent not found" error | Name mismatch | Ensure `<agentName>` matches the agent's `developer_name` |
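Added example, not part of the sf-permissions scripts: a checker that classifies a retrieved Permission Set XML file against the rows above, telling a granted agent apart from an explicit `false`, a missing `<agentAccesses>` element, and a case-only `<agentName>` mismatch that `grep` would not catch. The sample XML and the agent name `Case_Assist` are constructed.

```python
"""Classify Permission Set XML against the Common Issues rows above (added example)."""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}


def agent_access_status(permset_xml: str, agent_name: str) -> str:
    """Return 'granted', 'denied', 'missing' or 'name-mismatch:<name found>'.

    Follows the Key Points: <enabled>true</enabled> grants, false or a missing
    element denies, and <agentName> must match the agent's developer_name exactly,
    so a case-only difference is reported on its own rather than as 'missing'.
    """
    root = ET.fromstring(permset_xml)
    enabled_by_name = {}
    for acc in root.findall("md:agentAccesses", NS):
        name = acc.findtext("md:agentName", default="", namespaces=NS).strip()
        flag = acc.findtext("md:enabled", default="false", namespaces=NS).strip().lower()
        enabled_by_name[name] = flag == "true"
    if agent_name in enabled_by_name:
        return "granted" if enabled_by_name[agent_name] else "denied"
    for name in enabled_by_name:
        if name.lower() == agent_name.lower():
            return f"name-mismatch:{name}"
    return "missing"


def permission_sets_granting(permsets: dict, agent_name: str) -> list:
    """Names of the permission sets (name -> XML text) that actually grant the agent."""
    return sorted(name for name, text in permsets.items()
                  if agent_access_status(text, agent_name) == "granted")


def _permset(label, *accesses):
    """Build constructed sample XML in the structure shown in Step 3."""
    body = "".join(f"<agentAccesses><agentName>{n}</agentName><enabled>{e}</enabled></agentAccesses>"
                   for n, e in accesses)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<PermissionSet xmlns="{NS["md"]}">{body}'
            f'<hasActivationRequired>false</hasActivationRequired><label>{label}</label></PermissionSet>')


# Constructed sample of what `sf project retrieve start -m "PermissionSet:*"` might return;
# "Case_Assist" stands in for the agent's developer_name (assumed name).
SAMPLE_PERMSETS = {
    "Agent_Access": _permset("Agent Access", ("Case_Assist", "true")),
    "Legacy_Agent": _permset("Legacy Agent", ("Case_Assist", "false")),  # explicit deny
    "Typo_Access": _permset("Typo Access", ("case_assist", "true")),     # name mismatch
    "API_Access": _permset("API Access"),                                # no agentAccesses at all
}


if __name__ == "__main__":
    for ps_name, text in SAMPLE_PERMSETS.items():
        print(f"{ps_name:<14} {agent_access_status(text, 'Case_Assist')}")
    print("granting:", permission_sets_granting(SAMPLE_PERMSETS, "Case_Assist"))
```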
**Supported Permission Types** (Permission Detector):
- `object` - Object CRUD (Create, Read, Update, Delete, ViewAll, ModifyAll)
- `field` - Field-Level Security (Read, Edit)
- `apex` - Apex Class access
- `vf` - Visualforce Page access
- `flow` - Flow access
- `custom` - Custom Permission
- `tab` - Tab visibility
```bash
cd ~/.claude/plugins/marketplaces/sf-skills/sf-permissions/scripts

# Object permissions
python cli.py detect object Account --access delete
python cli.py detect object Opportunity --access create,read,edit

# Field permissions
python cli.py detect field Account.AnnualRevenue --access edit

# Apex class access
python cli.py detect apex MyApexClass

# Custom permission
python cli.py detect custom Can_Approve_Expenses

# Tab visibility
python cli.py detect tab Account
```

**Output Example**:

```
🔍 PERMISSION DETECTION RESULTS
════════════════════════════════════════
Query: Delete access to Account

Found in 3 Permission Sets:

📋 Permission Set          │ Group Membership       │ Users
───────────────────────────┼────────────────────────┼───────
System_Administrator       │ ✗ Standalone           │ 2
Sales_Operations_Manager   │ ✓ Sales_Cloud_PSG      │ 5
Data_Steward               │ ✓ Data_Management_PSG  │ 1

Total users with this access: 8
```
### 3.4 User Permission Analyzer
**Purpose**: Show all permissions assigned to a specific user

```bash
cd ~/.claude/plugins/marketplaces/sf-skills/sf-permissions/scripts
python cli.py user "john.smith@company.com"
python cli.py user 005xx000001234AAA  # User ID also works
```

**Output Example**:

```
👤 USER PERMISSION ANALYSIS
════════════════════════════════════════
User: John Smith (john.smith@company.com)
Profile: Standard User

📁 Via Permission Set Groups (2)
├── 🔒 Sales_Cloud_User
│   ├── View_All_Accounts ✓
│   ├── Edit_Opportunities ✓
│   └── Run_Reports ✓
└── 🔒 Service_Cloud_User
    └── Case_Management ✓

📁 Direct Permission Sets (3)
├── API_Access
├── Custom_App_Access
└── Einstein_Analytics_User
```
### 3.5 Permission Set Exporter
**Purpose**: Export PS configuration to CSV for documentation/auditing

```bash
cd ~/.claude/plugins/marketplaces/sf-skills/sf-permissions/scripts
python cli.py export Sales_Manager --output /tmp/sales_manager.csv
```

**CSV Output Columns**:
- Category (Object, Field, Apex, Tab, System)
- Name (Object/Field/Class name)
- Permission (Create, Read, Edit, Delete, etc.)
- Value (true/false)
### 3.6 Metadata Fetcher (Helper)
**Purpose**: Get available objects, fields, Apex classes for autocomplete/validation

```python
from auth import get_sf_connection
from metadata_fetcher import (
    get_available_objects,
    get_object_fields,
    get_apex_classes,
    get_custom_permissions
)

sf = get_sf_connection()
objects = get_available_objects(sf)
fields = get_object_fields(sf, 'Account')
```
## Phase 4: Rendering Output
### ASCII Tree (Terminal)
Uses the `rich` library for professional terminal output:
- Trees for hierarchy visualization
- Tables for tabular data
- Panels for summaries
- Progress bars for long-running queries
### Mermaid Diagrams (Documentation)
For embedding in Markdown/documentation:

```bash
python cli.py hierarchy --format mermaid > hierarchy.md
```

```mermaid
graph TD
    subgraph Permission Set Groups
        PSG1[Sales_Cloud_User]
        PSG2[Service_Cloud_User]
    end
    subgraph Permission Sets
        PS1[View_All_Accounts]
        PS2[Edit_Opportunities]
        PS3[Case_Management]
    end
    PSG1 --> PS1
    PSG1 --> PS2
    PSG2 --> PS3
```
## Phase 5: Generating Metadata (Optional)
If the user wants to create a new Permission Set based on analysis:

```bash
# Generate Permission Set XML
python cli.py generate \
  --name "New_Sales_PS" \
  --label "New Sales Permission Set" \
  --objects Account:crud,Opportunity:cru \
  --fields Account.AnnualRevenue:rw \
  --apex MyApexClass,AnotherClass \
  --output /tmp/New_Sales_PS.permissionset-meta.xml
```

**Or delegate to sf-metadata skill** for more complex generation.
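Added example, not the project's own `permission_generator.py`: one way to turn the `--objects`, `--fields` and `--apex` arguments above into PermissionSet XML. The spec grammar (`Account:crud`, `Account.AnnualRevenue:rw`) is inferred from the command; the `u` and `d` letters are an assumption, and unknown letters are rejected rather than ignored so a typo cannot silently change what the generated set grants.

```python
"""Build Permission Set XML from a cli.py-style --objects/--fields/--apex spec (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "http://soap.sforce.com/2006/04/metadata"
# letter -> objectPermissions child (assumed mapping; ViewAll/ModifyAll are deliberately not spellable)
OBJECT_FLAGS = {"c": "allowCreate", "r": "allowRead", "u": "allowEdit", "d": "allowDelete"}
FIELD_FLAGS = {"r": "readable", "w": "editable"}


def parse_spec(spec: str, allowed: dict) -> dict:
    """'Account:crud,Opportunity:cru' -> {'Account': {'c','r','u','d'}, 'Opportunity': {'c','r','u'}}.

    Unknown letters raise instead of being dropped: a silently narrower or broader
    permission set is worse than a failed generation.
    """
    parsed = {}
    for item in filter(None, spec.split(",")):
        name, _, flags = item.partition(":")
        unknown = set(flags) - set(allowed)
        if not name or not flags or unknown:
            raise ValueError(f"bad spec item {item!r}; allowed flags: {''.join(allowed)}")
        parsed[name] = set(flags)
    return parsed


def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, f"{{{MD_NS}}}{tag}")
    if text is not None:
        el.text = text
    return el


def build_permission_set(label: str, objects: str = "", fields: str = "", apex: str = "") -> str:
    """Return PermissionSet XML; children are emitted in the alphabetical order Metadata API files use."""
    ET.register_namespace("", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}PermissionSet")
    for cls in filter(None, apex.split(",")):
        ca = _sub(root, "classAccesses")
        _sub(ca, "apexClass", cls)
        _sub(ca, "enabled", "true")
    for field, flags in parse_spec(fields, FIELD_FLAGS).items():
        fp = _sub(root, "fieldPermissions")
        _sub(fp, "editable", str("w" in flags).lower())
        _sub(fp, "field", field)
        _sub(fp, "readable", str("r" in flags or "w" in flags).lower())  # edit implies read
    _sub(root, "hasActivationRequired", "false")
    _sub(root, "label", label)
    for obj, flags in parse_spec(objects, OBJECT_FLAGS).items():
        op = _sub(root, "objectPermissions")
        _sub(op, "allowCreate", str("c" in flags).lower())
        _sub(op, "allowDelete", str("d" in flags).lower())
        _sub(op, "allowEdit", str("u" in flags).lower())
        _sub(op, "allowRead", str("r" in flags).lower())
        _sub(op, "modifyAllRecords", "false")
        _sub(op, "object", obj)
        _sub(op, "viewAllRecords", "false")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def granted_object_flags(permset_xml: str) -> dict:
    """Read back {object: set(letters)} from generated XML, for round-trip checks and audits."""
    ns = {"md": MD_NS}
    out = {}
    for op in ET.fromstring(permset_xml).findall("md:objectPermissions", ns):
        obj = op.findtext("md:object", namespaces=ns)
        out[obj] = {letter for letter, tag in OBJECT_FLAGS.items()
                    if op.findtext(f"md:{tag}", namespaces=ns) == "true"}
    return out


if __name__ == "__main__":
    print(build_permission_set("New Sales Permission Set", objects="Account:crud,Opportunity:cru",
                               fields="Account.AnnualRevenue:rw", apex="MyApexClass,AnotherClass"))
```

The read-back helper doubles as a quick audit of an existing `.permissionset-meta.xml` file, for example to confirm a contractor set really is read-only on Account.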
---

## SOQL Reference
### Permission Set Queries
```sql
-- All Permission Sets (excluding PSGs)
SELECT Id, Name, Label, Description, IsOwnedByProfile
FROM PermissionSet
WHERE IsOwnedByProfile = false AND Type != 'Group'

-- All Permission Set Groups
SELECT Id, DeveloperName, MasterLabel, Status, Description
FROM PermissionSetGroup

-- PSG Components (which PS are in which PSG)
SELECT PermissionSetGroupId, PermissionSetGroup.DeveloperName,
       PermissionSetId, PermissionSet.Name
FROM PermissionSetGroupComponent

-- User's PS Assignments
SELECT AssigneeId, PermissionSetId, PermissionSet.Name,
       PermissionSetGroupId, PermissionSetGroup.DeveloperName
FROM PermissionSetAssignment
WHERE AssigneeId = '005...'
```
### Object Permissions
```sql
-- Object permissions for a specific PS
SELECT SobjectType, PermissionsCreate, PermissionsRead,
       PermissionsEdit, PermissionsDelete,
       PermissionsViewAllRecords, PermissionsModifyAllRecords
FROM ObjectPermissions
WHERE ParentId = '0PS...'

-- Find PS with specific object access
SELECT Parent.Name, Parent.Label, SobjectType,
       PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete
FROM ObjectPermissions
WHERE SobjectType = 'Account' AND PermissionsDelete = true
```
### Field Permissions
```sql
-- Field permissions for a specific PS
SELECT Field, PermissionsRead, PermissionsEdit
FROM FieldPermissions
WHERE ParentId = '0PS...'

-- Find PS with specific field access
SELECT Parent.Name, Field, PermissionsRead, PermissionsEdit
FROM FieldPermissions
WHERE Field = 'Account.AnnualRevenue' AND PermissionsEdit = true
```
### Setup Entity Access (Apex, VF, Flows, Custom Permissions)
```sql
-- Setup entity access for a PS
SELECT SetupEntityType, SetupEntityId
FROM SetupEntityAccess
WHERE ParentId = '0PS...'

-- Find PS with access to specific Apex class
SELECT Parent.Name, Parent.Label
FROM SetupEntityAccess
WHERE SetupEntityType = 'ApexClass'
  AND SetupEntityId IN (SELECT Id FROM ApexClass WHERE Name = 'MyClass')

-- Custom permissions
SELECT Parent.Name
FROM SetupEntityAccess
WHERE SetupEntityType = 'CustomPermission'
  AND SetupEntityId IN (SELECT Id FROM CustomPermission WHERE DeveloperName = 'Can_Approve')
```
## Common Workflows
### Workflow 1: Audit "Who can delete Accounts?"
User: "Who has delete access to the Account object?"

1. Run permission detector for object:Account with delete access
2. For each PS found, get PSG membership
3. For each PS/PSG, count assigned users
4. Display results in table format
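Added example, not code from the sf-permissions scripts: Workflow 1 carried out over constructed records shaped like simple-salesforce results for the ObjectPermissions, PermissionSetGroupComponent and PermissionSetAssignment queries in the SOQL Reference. It also shows why the final total should count distinct AssigneeIds rather than sum the per-PS counts: a user assigned both directly and through a PSG would otherwise be counted twice.

```python
"""Resolve "who can delete Accounts?" from query rows, following PSG membership (added example)."""
from collections import defaultdict

# Constructed ObjectPermissions rows for Account (Sales_Rep has no delete and must be filtered out)
OBJECT_PERMS = [
    {"ParentId": "0PS1", "Parent": {"Name": "System_Administrator"}, "SobjectType": "Account", "PermissionsDelete": True},
    {"ParentId": "0PS2", "Parent": {"Name": "Sales_Operations_Manager"}, "SobjectType": "Account", "PermissionsDelete": True},
    {"ParentId": "0PS3", "Parent": {"Name": "Data_Steward"}, "SobjectType": "Account", "PermissionsDelete": True},
    {"ParentId": "0PS4", "Parent": {"Name": "Sales_Rep"}, "SobjectType": "Account", "PermissionsDelete": False},
]
# Constructed PermissionSetGroupComponent rows: which PS is a member of which PSG
PSG_COMPONENTS = [
    {"PermissionSetGroupId": "0PG1", "PermissionSetGroup": {"DeveloperName": "Sales_Cloud_PSG"}, "PermissionSetId": "0PS2"},
    {"PermissionSetGroupId": "0PG1", "PermissionSetGroup": {"DeveloperName": "Sales_Cloud_PSG"}, "PermissionSetId": "0PS4"},
    {"PermissionSetGroupId": "0PG2", "PermissionSetGroup": {"DeveloperName": "Data_Management_PSG"}, "PermissionSetId": "0PS3"},
]
# Constructed PermissionSetAssignment rows; PermissionSetGroupId is None for a direct PS assignment.
# 005C holds Sales_Cloud_PSG *and* Data_Steward directly, so it shows up under two permission sets.
ASSIGNMENTS = (
    [{"AssigneeId": u, "PermissionSetId": "0PS1", "PermissionSetGroupId": None} for u in ("005A", "005B")]
    + [{"AssigneeId": u, "PermissionSetId": "0PSG1", "PermissionSetGroupId": "0PG1"}
       for u in ("005C", "005D", "005E", "005F", "005G")]
    + [{"AssigneeId": "005H", "PermissionSetId": "0PSG2", "PermissionSetGroupId": "0PG2"},
       {"AssigneeId": "005C", "PermissionSetId": "0PS3", "PermissionSetGroupId": None}]
)


def who_has_access(object_perms, psg_components, assignments, sobject, perm_field):
    """Return ({ps_name: {"groups": [psg names], "users": {assignee ids}}}, set of all distinct users).

    A user holds the permission if the granting PS is assigned directly, or if any PSG
    containing that PS is assigned to them (Workflow 1 steps 1 to 3).
    """
    granting = {r["ParentId"]: r["Parent"]["Name"] for r in object_perms
                if r["SobjectType"] == sobject and r.get(perm_field)}
    groups_of = defaultdict(list)  # ps_id -> [(psg_id, psg_name)]
    for c in psg_components:
        groups_of[c["PermissionSetId"]].append(
            (c["PermissionSetGroupId"], c["PermissionSetGroup"]["DeveloperName"]))
    direct, via_group = defaultdict(set), defaultdict(set)
    for a in assignments:
        if a["PermissionSetGroupId"]:
            via_group[a["PermissionSetGroupId"]].add(a["AssigneeId"])
        else:
            direct[a["PermissionSetId"]].add(a["AssigneeId"])
    report, everyone = {}, set()
    for ps_id, ps_name in granting.items():
        users = set(direct[ps_id])
        for psg_id, _ in groups_of[ps_id]:
            users |= via_group[psg_id]
        report[ps_name] = {"groups": sorted(n for _, n in groups_of[ps_id]), "users": users}
        everyone |= users
    return report, everyone


def render_table(report, everyone):
    """Step 4: the detector's table layout, with the total taken over distinct users."""
    lines = [f"{'Permission Set':<26}│ {'Group Membership':<22}│ Users"]
    for ps_name, row in report.items():
        membership = ("✓ " + ", ".join(row["groups"])) if row["groups"] else "✗ Standalone"
        lines.append(f"{ps_name:<26}│ {membership:<22}│ {len(row['users'])}")
    lines.append(f"Total users with this access: {len(everyone)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(*who_has_access(OBJECT_PERMS, PSG_COMPONENTS, ASSIGNMENTS, "Account", "PermissionsDelete")))
```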
### Workflow 2: Troubleshoot User Access
User: "Why can't John edit Opportunities?"

1. Run user analyzer for john@company.com
2. Check if any PS grants Opportunity edit
3. If not, suggest which PS/PSG to assign
4. Check for conflicting profile restrictions
### Workflow 3: Document Permission Set
User: "Export the Sales_Manager PS for documentation"

1. Run exporter for Sales_Manager
2. Generate CSV with all permissions
3. Optionally generate Mermaid diagram showing PSG membership
## Troubleshooting

### "INVALID_SESSION_ID" Error
Re-authenticate with the `sf` CLI:

```bash
sf org login web --alias myorg
```

### Slow Queries
Large orgs may have thousands of PS. Use filters:
```python
# Filter by name pattern
sf.query("SELECT Id, Name FROM PermissionSet WHERE Name LIKE 'Sales%'")
```

### Tooling API Limitations
Some metadata (like tab settings) requires Tooling API:
```python
from tooling_api import tooling_query
results = tooling_query(sf, "SELECT Name, Visibility FROM PermissionSetTabSetting")
```

## Integration with Other Skills
| Skill | Integration |
|---|---|
| sf-metadata | Generate Permission Set XML from analysis results |
| | Identify Apex classes to grant access to |
| | Deploy generated Permission Sets |
| | Query user assignments in bulk |
## Examples
### Example 1: Full Org Audit
User: "Give me a complete picture of permissions in my org"

Claude:
1. Runs hierarchy viewer to show all PS/PSG
2. Identifies PSGs with "Outdated" status
3. Counts users per PS
4. Generates Mermaid diagram for documentation
### Example 2: Security Review
User: "Find all PS that grant ModifyAllData"

Claude:
1. Queries PermissionSet for PermissionsModifyAllData = true
2. Lists PS names and assigned user counts
3. Flags any non-admin PS with this powerful permission
### Example 3: Permission Set Creation
User: "Create a PS for contractors with read-only Account access"

Claude:
1. Uses permission_generator.py to create XML
2. Sets Account object to Read-only (no Create/Edit/Delete)
3. Outputs .permissionset-meta.xml file