Negative Permissions Remover

[TedHusted]

On the readme page, it says "given you have a Salesforce.com metadata git repository in which you only store positive permissions"

Is storing only the positive permissions something you've been managing up by hand? Or is there a technique that you use to remove the negatives?

We've been storing profiles and permission sets with both in Git, and then removing the negative permissions before deployment, using a Python script, so as to not overwrite any local changes.

Do you have a good technique for removing negative permissions? Would a "Negative Permissions Remover" task make sense?

-Ted.

[amguerrero]

Hi Ted,

Yes, you're right, it would make sense to have a task :)

I don't remove the negative permissions by hand, as a part of the solution I use to implement for Continuous Integration for Salesforce.com projects I use a groovy script that strips the negatives permissions in the profiles and permission sets. This script can be called either from ant after you have retrieved them or before committing. The approach I use is to call it in an ant target after the call to the retrieve.

In this script I have a config file that specifies what is a negative for the different nodes on the profiles and permission sets, and using this information the script removes the nodes that match the negative description.

So far it's just a dirty script, that's why I didn't publish it.

You wrote: "We've been storing profiles and permission sets with both in Git, and then removing the negative permissions before deployment". In this case scenario you are missing the fact that you may want to remove some permissions in a profile or permission set, and you would have to do it manually in the salesforce org. That's the reason I created the "Add Negative Permissions Tasks", which compares the previous deployed version of the profiles or permission sets and adds the missing ones as negatives. This is just executed before deployment in the delta directory, which is the source to be deployed and does not belong to the git repository itself.

When I wrote this tasks, my client wasn't so interested in that functionality because the developers use to make sure they only deploy positive cases, so I didn't write it, but I see it could be interesting.

[amguerrero]

Hi Ted,

Happy New Year!

I have modified the Metadata Clean Task (metadataCleanup) so by default now it removes:

• ListViews in the objects
• All the fields added by managed packages in the objects
• All the permissions added by the managed packages in profiles and permission sets
• All the negatives permissions in the profiles and permission sets

But in the case you just need the negative permissions to be removed from the profiles and permission sets on the src/ directory, you can call the new ant task by passing the following config file: metadataCleanupConfig_just_removeNegatives.json, like this:

<metadataCleanup srcFolder="src"
            configFile="path/to/config/metadataCleanupConfig_just_removeNegatives.json" />

[TedHusted]

Many thanks, Manuel.

I will review the changes against our use cases.

Much of our work involves extending a managed package that we distribute, which might be a different perspective.

I'll also see if the removeNegatives option can replace the Python scripts we use.

I'll be posting a version of our ant build scripts in a GitHub repository later this week, and I'll will point them out to you, so that you can see what we have to do for our projects.

[amguerrero]

Hi Ted,

I'll be happy to see what you have to do in your for your projects.

Regarding the remove negatives, I wrote this post as a little guide to configure it: http://sfdc.ws/2017/01/salesforce-com-ant-tasks/

I will update the Readme file later this week, but as per now, the post is more updated.