permission-set-deployment-ordering
Use when deploying permission sets, permission set groups, or profiles and encountering cross-reference errors, silent permission loss, or ordering failures. Triggers: 'permission set deployment fails', 'cross-reference id error during deploy', 'permissions disappear after deployment', 'permission set group deployment error'. NOT for permission set design or architecture decisions (use permission-set-architecture), NOT for creating permission sets from scratch (use admin/permission-set-architecture).
Best use case
permission-set-deployment-ordering is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when deploying permission sets, permission set groups, or profiles and encountering cross-reference errors, silent permission loss, or ordering failures. Triggers: 'permission set deployment fails', 'cross-reference id error during deploy', 'permissions disappear after deployment', 'permission set group deployment error'. NOT for permission set design or architecture decisions (use permission-set-architecture), NOT for creating permission sets from scratch (use admin/permission-set-architecture).
Teams using permission-set-deployment-ordering should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/permission-set-deployment-ordering/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How permission-set-deployment-ordering Compares
| Feature / Agent | permission-set-deployment-ordering | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when deploying permission sets, permission set groups, or profiles and encountering cross-reference errors, silent permission loss, or ordering failures. Triggers: 'permission set deployment fails', 'cross-reference id error during deploy', 'permissions disappear after deployment', 'permission set group deployment error'. NOT for permission set design or architecture decisions (use permission-set-architecture), NOT for creating permission sets from scratch (use admin/permission-set-architecture).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Permission Set Deployment Ordering Use this skill when deploying permission sets, permission set groups, or profiles and encountering cross-reference errors, silent permission wipeouts, or deployment ordering failures. It covers the full-replace behavior of the Metadata API for permission sets and the correct sequencing rules that prevent data loss in production deployments. --- ## Before Starting Gather this context before working on anything in this domain: - Know whether you are deploying permission sets, permission set groups, or both. PSGs require all constituent permission sets to already exist in the target org before the group can land. - Understand that the Metadata API performs a **full-replace** on permission sets (API v40+), not a merge. Any permission not in the deployed XML is silently removed from the target org. - Confirm whether your batch includes a ConnectedApp and a permission set or PSG referencing that ConnectedApp — this combination triggers a known cross-reference error when both land in the same deploy transaction. --- ## Core Concepts ### Full-Replace Semantics (API v40+) Since API version 40.0, deploying a PermissionSet metadata type completely overwrites the existing record in the target org. If you retrieve a permission set, remove three field permissions from the XML, and deploy it — those three permissions are gone in the target. There is no merge; the deployed XML is authoritative. This behavior means: **always retrieve the current state from the target org before building a deployment package**. Never deploy a permission set constructed from scratch unless you have confirmed the target org has no existing configuration to preserve. ### Referenced Objects Must Exist First Permission sets that grant access to custom objects, custom fields, Apex classes, or Visualforce pages require those components to already exist in the target org before the permission set deploys. If the deploy batch includes both the custom object and the permission set that grants access to it, order matters: the object must land before the permission set. In a Metadata API deployment, objects are processed before permission sets by default because the deployment engine uses a built-in ordering. However, in split deployments (object in one deploy, PS in another), ensure the first deploy completes successfully before starting the second. ### PSG Constituent Ordering Permission Set Groups require each constituent Permission Set to already exist in the target org (or be deployed in the same batch before the PSG is evaluated). If a PSG references `PS_A` and `PS_B`, both must be present before `PSG_1` is processed. **Safe pattern**: deploy constituent PSets first (separate deploy or earlier in the batch), then deploy the PSG in a subsequent deploy. Do not rely on implicit ordering within a single batch unless you have verified the Metadata API processes them in the correct order. ### ConnectedApp Cross-Reference Bug A known platform bug causes a cross-reference error when a ConnectedApp and a permission set or PSG that references that ConnectedApp are both included in the same deployment batch. The workaround is to deploy the ConnectedApp in a separate deploy from the permission set that grants access to it. --- ## Common Patterns ### Retrieve-Then-Deploy Pattern **When to use:** Any time you need to update a permission set without inadvertently removing existing permissions. **How it works:** 1. Retrieve the current permission set from the target org: `sf project retrieve start --metadata "PermissionSet:My_PS"` 2. Make only the needed changes in the local XML. 3. Deploy the modified file: `sf project deploy start --metadata "PermissionSet:My_PS"` **Why not construct from scratch:** A constructed-from-scratch XML only contains the permissions you explicitly added. All permissions already granted in the target org that are not in your XML will be silently removed on deploy. ### Sequential Batch Deployment Pattern **When to use:** Deploying permission set groups whose constituent sets may not already exist in the target. **How it works:** 1. Deploy 1: `PermissionSet:PS_A`, `PermissionSet:PS_B` — confirms both land and pass tests. 2. Deploy 2: `PermissionSetGroup:PSG_1` — PSG references PS_A and PS_B, which now exist. **Why not a single batch:** While the Metadata API often processes PSets before PSGs in a single batch, this is not guaranteed and there is no documented specification. The sequential pattern is explicit and repeatable. ### ConnectedApp Isolation Pattern **When to use:** Deploying a ConnectedApp and a PermissionSet or PSG that references it. **How it works:** 1. Deploy 1: `ConnectedApp:My_App` 2. Deploy 2: `PermissionSet:My_PS` (which grants access to My_App) **Why not together:** The cross-reference resolution order in the same batch causes a platform error even though both components are present. Separation into sequential deploys resolves it. --- ## Decision Guidance | Situation | Recommended Approach | Reason | |---|---|---| | Updating an existing permission set | Retrieve from target first, edit XML, deploy | Prevents silent permission wipeout | | Deploying new PSG to org that doesn't have constituent PSets | Two-step: PSets first, then PSG | PSG validation requires constituent PSets to exist | | Deploying ConnectedApp + PS that references it | Two separate deploys | Known platform bug — same batch causes cross-reference error | | Deploying permission set to scratch org (fresh) | Single deploy fine | No existing permissions to preserve | | CI pipeline deploys entire org metadata | Ensure object metadata deploys before PS in same batch | Referenced objects must exist for PS to validate | --- ## Recommended Workflow Step-by-step instructions for an AI agent or practitioner deploying permission sets: 1. **Identify all permission sets and PSGs in the deployment package.** List their dependencies: which custom objects, fields, Apex classes, or ConnectedApps they reference. 2. **Retrieve the current state from the target org** for any permission set that already exists there. Use `sf project retrieve start --metadata "PermissionSet:<name>"` to get the authoritative current XML. 3. **Merge your changes** into the retrieved XML rather than replacing it. Only modify the specific permissions you intend to add, remove, or change. 4. **Check for ConnectedApp references.** If any PS or PSG in the batch references a ConnectedApp also in the batch, split into two sequential deploys: ConnectedApp first, then the PS/PSG. 5. **Sequence the deployment batches.** Deploy constituent PSets before PSGs. Deploy custom objects/fields before the PSets that reference them. 6. **Validate deploy first** (`sf project deploy validate`) before running the actual deploy in production. Review any cross-reference errors in the validation output and resolve them. 7. **Confirm post-deploy** that key permission grants are still intact in the target org. Use `sf project retrieve start` to pull the deployed PS and diff against expectations. --- ## Review Checklist Run through these before marking work in this area complete: - [ ] Retrieved current state of all existing permission sets from the target org before building deploy package - [ ] Verified no ConnectedApp and permission set referencing it are in the same deploy batch - [ ] Confirmed all constituent PSets deploy before any PSG that references them - [ ] Confirmed all referenced custom objects, fields, and Apex classes exist in target before PS deploys - [ ] Ran `sf project deploy validate` and resolved all errors before actual deploy - [ ] Post-deploy verification: retrieved deployed PS and confirmed expected permissions are present --- ## Salesforce-Specific Gotchas Non-obvious platform behaviors that cause real production problems: 1. **Silent permission wipeout on full-replace** — Deploying a PermissionSet that is missing permissions which exist in the target org silently removes those permissions. There is no warning or error. Always retrieve from the target first and perform a diff before deploying. 2. **ConnectedApp cross-reference error in same batch** — Including a ConnectedApp and a PermissionSet or PSG referencing it in the same deployment batch causes a CANNOT_INSERT_UPDATE_ACTIVATE_ENTITY or cross-reference error. The fix is always a sequential deploy: ConnectedApp first, permission set second. 3. **PSG validation failure when PSets are missing** — A Permission Set Group deployed to an org where one of its constituent PSets does not yet exist will fail with a validation error referencing the missing set. PSets must be deployed before PSGs that reference them. --- ## Output Artifacts | Artifact | Description | |---|---| | Ordered deployment plan | A numbered list of deployment batches in sequence, each listing the metadata types included | | Pre-deploy PS diff | Side-by-side comparison of current target org PS vs the PS about to be deployed, highlighting permissions that will be removed | --- ## Related Skills - permission-set-architecture — when to design PSets vs PSGs vs Profiles for user access strategy - change-set-deployment — for change-set-based deployment workflows where metadata ordering is also relevant - deployment-error-troubleshooting — for diagnosing the specific error messages that arise from PS deployment failures
Related Skills
salesforce-shield-deployment
Roll out Shield (Platform Encryption + Event Monitoring + Field Audit Trail) end-to-end, sequencing feature enablement to avoid data lockout. NOT for Classic Encryption or general PE design.
permission-set-groups-and-muting
Use when designing or reviewing permission-set-group architecture, especially profile minimization, group composition, muting strategy, and migration away from profile-heavy security models. Triggers: 'permission set group', 'muting permission set', 'profiles to permission sets', 'PSG architecture', 'muted permissions'. NOT for record-sharing design or CRUD/FLS review in Apex code.
omnistudio-deployment-datapacks
Use when exporting, importing, or version-controlling OmniStudio components using DataPacks via the OmniStudio DataPacks tool or vlocity CLI. Covers DataPack export/import, Git version control integration, CI/CD for OmniStudio. NOT for SFDX-based metadata deployment of non-OmniStudio components.
flow-deployment-and-packaging
Move a Flow from sandbox to production reliably — source format, version-on-deploy semantics, deploy vs activate, dependency bundling, Change Set vs SFDX vs Unlocked vs Managed, validate-then-quick-deploy, and rollback by activating a prior version. NOT for source-driven setup or branching strategy — see devops/salesforce-dx-project-structure and devops/source-tracking-and-conflict-resolution.
pre-deployment-checklist
Use when preparing a Salesforce metadata deployment for production and need a structured gate-check before releasing. Trigger keywords: 'pre-deploy checklist', 'what to check before deploying', 'validation deploy', 'deploy readiness', 'quick deploy window', 'checkOnly deploy', 'pre-release backup'. NOT for post-deployment smoke tests (use post-deployment-validation), full cutover sequencing (use go-live-cutover-planning), or change set UI workflow (use change-set-deployment).
post-deployment-validation
Verifying Salesforce deployments succeeded end-to-end after metadata lands in the target org. Covers validation deploys (checkOnly), quick deploy from validated IDs, Apex test result interpretation, Deployment Status page drill-down, and rollback strategies. NOT for writing Apex tests (use apex test patterns). NOT for CI/CD pipeline setup (use github-actions-for-salesforce or gitlab-ci-for-salesforce).
health-cloud-deployment-patterns
Use when planning or executing a Health Cloud deployment to production or a full sandbox, including managed package installation sequencing, Permission Set License assignment, care plan template setup, HIPAA compliance controls, and post-deploy manual steps not captured in metadata. Triggers: 'how do I deploy Health Cloud', 'HealthCloudGA package install order', 'care plan template not working after deployment', 'Health Cloud HIPAA Shield Encryption setup', 'CarePlanProcessorCallback registration post-deploy'. NOT for Health Cloud data model design (use health-cloud-data-model), NOT for Apex extensions in Health Cloud (use health-cloud-apex-extensions), NOT for API usage patterns (use health-cloud-apis).
experience-cloud-deployment-dev
Use this skill when scripting or automating the deployment of Experience Cloud sites between Salesforce orgs using the Metadata API, Salesforce CLI, or CI/CD pipelines. Covers ExperienceBundle (Aura-based sites), DigitalExperienceBundle (enhanced LWR sites), the ExperienceBundleSettings prerequisite, CMS content exclusion gaps, and required post-deployment manual steps for domain configuration, SSO, and CDN bindings. NOT for general Experience Cloud site building in Experience Builder, OmniStudio-based sites, CMS content authoring, or Salesforce Sites (Force.com Sites) deployments.
experience-cloud-deployment-admin
Use this skill when deploying an Experience Cloud site (formerly Community) between Salesforce orgs or sandboxes — including metadata ordering, ExperienceBundle enablement, post-deployment publishing, and change-set or SFDX-based migration. NOT for: LWC component development within Experience Builder, CMS content migration via Managed Content REST API, or Aura/LWC code authoring.
destructive-changes-deployment
Managing destructiveChanges.xml manifests for safe metadata deletion in Salesforce deployments. Use when deleting metadata components via Metadata API or sf CLI. Covers pre vs post destructive manifests, safe deletion sequencing, dependency handling. NOT for package.xml basics (use metadata-api-and-package-xml). NOT for basic deployment setup (use change-set-deployment).
deployment-monitoring
Tracking the real-time and historical status of Salesforce metadata deployments via Metadata API checkDeployStatus, REST deployRequest polling, and the Deployment Status Setup page. Covers DeployResult field interpretation, component error triage, concurrent deployment queue behavior, and 30-day history limits. NOT for post-deployment functional smoke testing (use post-deployment-validation). NOT for CI/CD pipeline setup (use github-actions-for-salesforce). NOT for rollback execution.
deployment-error-troubleshooting
Use when a Salesforce metadata deployment fails and you need to diagnose and fix the error. Trigger keywords: 'deployment failed', 'component failure', 'dependent class is invalid', 'code coverage failed', 'UNSUPPORTED_API_VERSION', 'deploy error', 'test failure blocking deploy', 'rollbackOnError', 'missing dependency deploy'. NOT for authoring destructive changes manifests (use destructive-changes-deployment). NOT for CI/CD pipeline setup (use github-actions-for-salesforce or gitlab-ci-for-salesforce). NOT for change set mechanics (use change-set-deployment).