User Permissions Are Not Disabled in the Destination Org When Deploying Profiles
User Permissions set to false are not retrieved by the Metadata API. This is the standard behavior of Salesforce’s Metadata API. If you do a retrieve of a profile with Workbench or ANT Migration Tool, you will get only the user permissions that are set to true on that profile.
When committing a profile in a user story, you will see that the user permissions set to true in the master branch are removed in the feature branch if they are set to false in the source org. This is because user permissions set to false are not retrieved by the Metadata API.
The user permission will be removed also from the promotion branch and the destination branch when deploying.
Permissions that don't exist in the xml file that is being deployed (promotion branch) are not modified in the org you are deploying to, and therefore, they will not be set to false in the destination org.
If you add the user permissions in the feature branch and the promotion branch as false, the permissions will be deployed with status disabled in the destination org.
Let’s take a look at the example scenario below:
- Disable Manage Users and Manage Internal Users in the source org.
- Commit the profile in a user story.
- The user permissions are removed in the feature branch as expected. (See screenshot above).
- Commit, promote and deploy the user story. The permissions are removed in the destination branch but they are not disabled in the destination org.
- Add the permissions in the feature branch in Git set to false.
- Create a new deployment from the promotion.
- You will see now the permissions added in the new promotion branch as false.
- Deploy the new deployment which is taking the new promotion branch with the permissions set to false.
- The permissions are deployed as false in the destination org.
You can use the Commit Full Profiles and Permission Sets feature to commit and deploy a profile including also the permissions that are set to false. Note that this will commit and deploy the whole profile with all the OLS, FLS, user permissions and any other relationships, even if you do not include any other component in the commit.