mass-transfer-ownership
Use when re-assigning record OwnerId across many records — territory realignment, employee departure, region split, integration cleanup. Triggers: 'mass transfer accounts', 'reassign opportunities to new owner', 'transfer all records on user deactivation', 'OwnerId migration'. NOT for assignment rules, queue routing, or single-record manual transfer.
Best use case
mass-transfer-ownership is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when re-assigning record OwnerId across many records — territory realignment, employee departure, region split, integration cleanup. Triggers: 'mass transfer accounts', 'reassign opportunities to new owner', 'transfer all records on user deactivation', 'OwnerId migration'. NOT for assignment rules, queue routing, or single-record manual transfer.
Teams using mass-transfer-ownership should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/mass-transfer-ownership/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How mass-transfer-ownership Compares
| Feature / Agent | mass-transfer-ownership | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when re-assigning record OwnerId across many records — territory realignment, employee departure, region split, integration cleanup. Triggers: 'mass transfer accounts', 'reassign opportunities to new owner', 'transfer all records on user deactivation', 'OwnerId migration'. NOT for assignment rules, queue routing, or single-record manual transfer.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Mass Transfer Ownership Activate when an admin needs to move a non-trivial volume of records (typically >100, often tens of thousands) from one or more current owners to one or more new owners. The skill produces a transfer plan covering tool selection, child-record cascading rules, sharing recalculation timing, and a rollback path. --- ## Before Starting Gather this context before working on anything in this domain: - Volume per object (Accounts, Opportunities, Contacts, Cases, custom objects). Above ~250k records on a single object, sharing recalc dominates the timeline and a maintenance window is required. - Whether the transfer is a single-source-to-single-target swap, a many-to-many remap (e.g., a CSV mapping old owner → new owner), or a queue-to-user / user-to-queue move. Each uses different tooling. - Whether child records should follow. Account.OwnerId reassignment can optionally cascade to child Cases and Opportunities through the Mass Transfer tool's checkboxes; Data Loader does not cascade — every child object must be transferred explicitly. - Whether the org has Apex triggers, validation rules, or workflow rules that fire on Owner change. These can fail or send unwanted notifications during a 50,000-record transfer. --- ## Core Concepts ### Tool selection | Tool | Best for | Limit | |---|---|---| | Setup → Data Management → Mass Transfer Records | <50k records on standard objects (Accounts, Leads, Opportunities), simple one-to-one reassignment, with cascade-to-children checkboxes | UI-only, no CSV mapping; many-to-many requires repeated runs | | Data Loader Update | Any object, any volume, mapping CSV | No cascade — each child object is its own job; emits triggers and workflow | | Apex (`Database.update` with `AllOrNone=false`) | Many-to-many remap with conditional logic, suppression of email notifications, batched sharing recalc | Requires careful governor-limit-aware batching | | Anonymous Apex Batch (`Database.Batchable`) | >250k records where sharing recalc would otherwise lock the org | Asynchronous; needs progress monitoring | ### Sharing recalculation Owner changes trigger sharing recalculation for the record and its children if the org-wide default is not Public Read/Write. On large objects, recalc can extend the transaction by hours. For >100k records, Salesforce recommends using *Defer Sharing Calculations* (a feature you must request via Support) so the transfer completes first and recalc runs in a controlled window. ### Cascade behavior Account ownership change cascades to child Cases, Contacts, and Opportunities only when the Mass Transfer Records tool's "Transfer ... " checkboxes are ticked. API-driven updates (Data Loader, Apex) do **not** cascade. If you want child records to follow the parent through API, you must update each child object as a separate operation. --- ## Common Patterns ### Pattern: user departure cleanup **When to use:** A sales rep is terminated. Reassign all their open Accounts, Opportunities, and Cases to their manager before deactivating the user. **How it works:** Query `OwnerId = '005...'` per object. Use Data Loader Update with a single OwnerId column. Run before deactivation — Salesforce blocks deactivation if the user owns active records or is referenced as a default owner. **Why not the alternative:** Mass Transfer Records works for Accounts but won't transfer Cases or custom objects in one pass. ### Pattern: territory realignment via mapping CSV **When to use:** 30 territories collapsing to 18; each old owner maps to a new owner. **How it works:** Build CSV `OldOwnerId, NewOwnerId`. Per object, build a SOQL query joined to the mapping (in a spreadsheet or via Apex). Update OwnerId via Data Loader. Defer sharing recalculation in advance for large volumes. ### Pattern: queue ↔ user transfer **When to use:** Cases sitting in a queue need to be assigned to a specific user. **How it works:** OwnerId can be a Queue ID (starts with `00G`) or a User ID (starts with `005`). Update through Data Loader the same way, but verify the target object has Queue support enabled in Setup. --- ## Decision Guidance | Situation | Recommended Approach | Reason | |---|---|---| | <50k records, standard object, parent-with-children cascade desired | Mass Transfer Records | Built-in cascade, no scripting | | Any object, CSV-driven mapping, no cascade | Data Loader Update | Cleanest for one-table-at-a-time | | >250k records on one object | Apex Batch + deferred sharing recalc | Avoids row-lock and recalc timeouts | | Need to suppress notifications and trigger logic | Apex with custom-setting flag your triggers honor | Tool-based transfers fire triggers and workflows | --- ## Recommended Workflow 1. Inventory: per-object record counts under the source-owner criteria. Write to a planning doc. 2. Choose the tool from the decision table above. If mixed (e.g., Accounts via Mass Transfer + Cases via Data Loader), document each step with its order. 3. Decide the cascade policy: do child Cases/Opportunities/Contacts follow the parent Account? Tick the Mass Transfer checkboxes accordingly, or queue follow-up Data Loader jobs for each child object. 4. Decide the trigger/workflow policy: turn off email notifications via the "Send Email" checkbox (Mass Transfer Records UI), or set a custom-setting flag your triggers honor to short-circuit during the migration. 5. For >100k on a single object, request Defer Sharing Calculations from Support before starting; resume recalc in a maintenance window. 6. Execute in a sandbox first; capture timing and any trigger errors. 7. Run in production with `AllOrNone=false` (Apex) or "Continue on error" (Data Loader) so a single bad record doesn't stop the batch. Capture the success+error CSVs as the audit trail. 8. Validate: rerun the source-owner query — should return zero. Verify a sample of child-record ownership matches expectation. --- ## Review Checklist - [ ] Per-object volumes inventoried; tool chosen against the decision table - [ ] Cascade policy explicit (children follow or stay) - [ ] Notification policy explicit (suppress workflow emails during transfer) - [ ] Triggers reviewed for OwnerId-change side effects (assignment rule re-fire, ownership-based sharing rule, etc.) - [ ] Defer sharing recalc requested if volume warrants - [ ] Rollback CSV captured (Old + New OwnerId by record ID) so a reverse update is one click - [ ] Audit log saved (Data Loader success/error CSVs, or Apex DML log) --- ## Salesforce-Specific Gotchas 1. **User deactivation blocks if records remain** — Salesforce refuses to deactivate users who own active records or are listed as default queue/owner. Always transfer before deactivating. 2. **Sharing recalc can lock other writes** — On a 500k-record transfer, downstream sharing recalc can extend the lock; concurrent integrations may time out. Use deferred sharing recalc. 3. **Data Loader does not cascade ownership** — Updating Account.OwnerId leaves child Case.OwnerId untouched. Plan child object updates explicitly. 4. **OwnerId on a Queue is a `00G` prefix** — Some custom objects don't allow Queue ownership; check the object's "Allow Queues" before targeting `00G` IDs. 5. **AssignmentRuleHeader on the update toggles routing** — If you don't want assignment rules to fire during the migration, omit the header (Apex) or uncheck the Data Loader option. --- ## Output Artifacts | Artifact | Description | |---|---| | Per-object volume inventory | Counts and source criteria for each object in scope | | Transfer execution plan | Ordered list of tool runs with cascade and notification settings | | Rollback CSV | record-id, old-owner-id, new-owner-id — re-runnable in reverse | | Validation queries | SOQL that should return zero rows post-transfer | --- ## Related Skills - admin/user-management — context on user deactivation pre-conditions and transfer-before-deactivate sequencing - data/data-loader-batch-window-sizing — sizing the Data Loader batch parameter to keep sharing recalc tractable - security/record-access-troubleshooting — when post-transfer users report missing records (sharing recalc not yet completed)
Related Skills
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
sso-saml-troubleshooting
Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).
shield-kms-byok-setup
Configure Shield Platform Encryption with customer-supplied (BYOK) or customer-held (Cache-Only Key Service) tenant secrets, rotate them, and recover. NOT for Classic Encryption or field masking.
shield-event-log-retention-strategy
Use when designing Salesforce Shield Event Monitoring retention, SIEM routing, and storage-tier strategy — which event types to keep, for how long, where, and how to answer audit queries across hot/warm/cold tiers. Triggers: 'shield event log retention', 'route event monitoring to splunk', 'how long to keep login history', 'siem salesforce integration', 'event monitoring storage tier'. NOT for enabling Shield (see salesforce-shield-deployment).
session-management-and-timeout
Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.
session-high-assurance-policies
Enforce step-up authentication for sensitive pages/objects using High Assurance session level and login flow policies. NOT for initial MFA enrollment UX.
service-account-credential-rotation
Use when designing credential rotation for integration users, connected apps, named credentials, and OAuth client secrets in Salesforce. Covers rotation cadence, zero-downtime handover, secret storage, and detection of stale credentials. Triggers: 'rotate integration user password', 'connected app secret rotation', 'named credential rotation', 'stale service account', 'zero downtime secret rotation'. NOT for end-user password policies.
security-incident-response
When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.
security-health-check
Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.
secure-coding-review-checklist
Use this skill to audit Apex, Visualforce, LWC, and Aura code for Salesforce security review readiness — covering CRUD/FLS enforcement, SOQL injection, XSS, CSRF, and open redirects. NOT for network-level penetration testing, Shield Platform Encryption key management, or general org permission set design.