An Easier Way to Deploy Profiles and Permissions Sets


Profiles and Permission Sets have always been a pain to deploy, but the recent Salesforce outage known as #permissiongeddon on Twitter makes it even more of a pressing issue for teams.

For many Salesforce admins and developers, Profiles and Permission Sets have always been somewhat of a pain to manage. Yes, they can be deployed via Change sets or Ant scripts, but neither option works all that well. Accordingly, many teams manage their Profiles and Permission Sets manually.

There also appears to be a correlation between the size of a Salesforce org and its reliance on manual steps to manage Profiles and Permission Sets. This probably has a lot to do with how important these metadata types are to organizations. As we saw with the recent massive Salesforce outage known on Twitter as #permissiongeddon, relying on a script to manage permissions can be nerve-wracking for many organizations.


Still, manual steps come with their own challenges and dangers. Manual steps performed by human beings are prone to error. Anyone who has had to manually deploy a large group of Profile or Permission Set changes can be forgiven for making mistakes, as each item looks perilously close to the last after a while.

Free Profiles & Permissions Deployer

Blue Canvas, a source control and CI tool for the Salesforce ecosystem, has recently released a free tool for the community that can help take some of the manual steps out of deploying Profiles and Permission Sets while still giving you the oversight you want for such a critical part of your Salesforce org. (Disclosure, I’m the CTO of Blue Canvas).

You can access the free Profiles and Permission Sets deployment tool here. We have developed it for our customers but are now proud to offer it for free to the entire Salesforce community.

It’s a relatively simple tool, but in its simplicity lies its power. The tool allows you to connect to and compare any two Salesforce orgs, whether they are sandboxes or production orgs. Once connected, you’ll see a complete diff of all Profiles and Permission Sets between the orgs. The tool allows you to filter by Profiles, Permission Sets, Apex Classes, Objects and Fields (Field Level Security), and Visualforce Pages.
You can then use these diffs to create a custom changeset with a few clicks. And when you are ready to deploy you can do it with a single click.

The filters allow you to be very granular about which types and which permissions changes you want to include. You can deploy entire Profiles or Permission Sets. You can update existing permissions at the Field, VF Page or Object level (we’ll be continuing to add more types and filters in the coming weeks).

Recovering From #Permissiongeddon

Unfortunately, a full recovery from the recent Salesforce incident has not been possible for all orgs. As of May 20, 2019, over 10% of Salesforce orgs still did not have their permissions fully restored, and Salesforce began informing customers that they would have to restore their orgs on their own. (A recovery script had mixed results and was not as successful as hoped over the weekend.)

If you are affected by this and want to restore your org on your own, unfortunately, there is no magic solution. However, the Profiles & Permissions Deployer can help. It’s especially helpful if you have an unaffected Sandbox with previous permissions still intact. We’ve helped dozens of organizations recover so far and more are still coming.

If you have an unaffected Sandbox with all of your permissions in place, you can use it as the source for the restore. You can confirm this by logging into the Sandbox, opening Setup, checking a non-Salesforce Administrator profile and looking at Standard Object Permissions. If Read, Create, Edit and Delete are unchecked for all objects, the sandbox was reset and it cannot be used to restore.

Connect this sandbox as the Source Org, then connect your Target Org. Click Compare and, in the left sidebar, you should see all of your Profiles listed. You can add them to a “change set” and deploy them.
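
The sandbox check and the source/target comparison described above can also be run against retrieved Profile metadata files. This is an added example, not Blue Canvas's code; it assumes the Metadata API Profile format (`objectPermissions` entries with `allowRead`, `allowCreate`, `allowEdit` and `allowDelete`), and the sample profiles and the `Invoice__c` object are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
CRUD = ("allowRead", "allowCreate", "allowEdit", "allowDelete")

def object_permissions(profile_xml):
    """Map object name -> {flag: bool} from a Profile metadata document."""
    perms = {}
    for node in ET.fromstring(profile_xml).findall("sf:objectPermissions", NS):
        name = node.findtext("sf:object", namespaces=NS)
        perms[name] = {f: node.findtext(f"sf:{f}", "false", NS) == "true"
                       for f in CRUD}
    return perms

def looks_reset(perms):
    """True when Read, Create, Edit and Delete are unchecked for all objects.
    A profile with no objectPermissions entries also counts: nothing is granted."""
    return not any(any(flags.values()) for flags in perms.values())

def diff_permissions(source, target):
    """List (object, flag, source_value, target_value) where the orgs differ."""
    changes = []
    for obj in sorted(set(source) | set(target)):
        for flag in CRUD:
            s = source.get(obj, {}).get(flag, False)
            t = target.get(obj, {}).get(flag, False)
            if s != t:
                changes.append((obj, flag, s, t))
    return changes

def sample_profile(grants):
    """Build a constructed Profile document; grants maps object -> granted flags."""
    body = ""
    for obj, granted in grants.items():
        flags = "".join(f"<{f}>{str(f in granted).lower()}</{f}>" for f in CRUD)
        body += f"<objectPermissions>{flags}<object>{obj}</object></objectPermissions>"
    return f'<Profile xmlns="{NS["sf"]}">{body}</Profile>'

# Constructed sample data: an intact sandbox profile and a wiped production one.
SANDBOX = object_permissions(sample_profile(
    {"Account": CRUD[:3], "Invoice__c": CRUD[:1]}))
PRODUCTION = object_permissions(sample_profile({"Account": (), "Invoice__c": ()}))

if __name__ == "__main__":
    if looks_reset(SANDBOX):
        raise SystemExit("sandbox profile is wiped; do not use it as the source")
    for obj, flag, src, tgt in diff_permissions(SANDBOX, PRODUCTION):
        print(f"{obj}.{flag}: sandbox={src} production={tgt}")
```

Running the reset check on the source before deploying guards against pushing an already-wiped profile over a target org.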

It’s not a perfect solution, but it beats manually reconfiguring your orgs. You can also find out more about the outage by following this unofficial Google doc which logs notes from all of Salesforce’s support webinars.

12 thoughts on “An Easier Way to Deploy Profiles and Permissions Sets”

  1. I tried connecting with the sandbox. It gives me this error: {“error”:”Invalid `state.csrf_token`.”} I have verified my credentials, which are valid.

  2. Salesforce Solutions


    Hi Alex, the product looks good, but can it happen that in future it becomes a paid product (currently free), and any org using it has to either pay or uninstall?

  3. Hi Alex, this seems to be a good tool to migrate the permissions. But considering that the recent Salesforce incident impacted all the sandboxes along with production, we could not have used this tool.

    What would be helpful from my perspective is a tool which backs up all the Profile and Permission Set access settings. The backup can be used in the event of any adverse change, either from Salesforce or the customer itself.

    Please let us know if there is any such tool available.

    1. Hello Saket, we should talk! OwnBackup offers daily, automated backups of data, metadata, Chatter and attachments across all environments: PROD and Sandboxes. We were able to assist about 60 customers from the service disruption on May 17. Check us out! Thank you. Ellen

  4. I just want to know if all the changes actually track in the audit log… I know they don’t with Ant. So I often want to tear out my eyes.

    1. Hey Becca! You should check out – their tool integrates right into the Salesforce platform and monitors and tracks any specified change you want. It’s a lot more comprehensive than the audit log.
