[SalesForce] How to create scratch orgs with permissions that match production

How does one maintain consistent user profiles between scratch orgs and production? For example, I create a scratch org with the following config:

{
    "orgName": "mycompany",
    "edition": "Enterprise",
    "features": ["AuthorApex"],
    "orgPreferences": {
        "enabled": ["S1DesktopEnabled"]
    }
}

Then I clone the System Administrator to create My System Administrator profile. I give that profile access to a custom field on the opportunity object. When I try to install a package in my partial copy or production, I encounter various Unknown user permission: xxx errors.

I can remove the permissions causing these errors, but then end up in a state where I get the error: Permission ViewAllData depends on permission(s): ViewAllForecasts, ViewPublicDashboards, ViewPublicReports

I am aware of the Org Shape Pilot and have attempted to sign up. Would creating a scratch org from a shape address the issue I'm having?

Best Answer

I think that the emerging best practice for DX and permissions is to use permission sets instead of modifying profiles. It adds the extra step of assigning permission sets in production, but makes sure that all the dependencies run in one direction, i.e. the scratch org doesn't need to know about production permissions.

I foresee us ending up in permission set hell one day where we have hundreds of permission sets to manage, but this is the best anyone has come up with so far.
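As an added illustration of the approach in this answer (not code from the question or the answer), the custom field access from the question expressed as a permission set kept in source, plus the push and assign steps. The field Opportunity.Region__c, the permission set name My_Opportunity_Access and the org alias are assumed placeholders.

```shell
#!/bin/sh
# Added example: one permission set granting access to a custom Opportunity
# field. It lives in the project, is pushed to every scratch org, and is later
# deployed and assigned in production. Opportunity.Region__c, the name
# My_Opportunity_Access and the org alias are constructed placeholders.

PERMSET_NAME="My_Opportunity_Access"
PERMSET_DIR="force-app/main/default/permissionsets"
PERMSET_FILE="$PERMSET_DIR/$PERMSET_NAME.permissionset-meta.xml"

# Write the permission set metadata. It carries only a field permission and no
# <userPermissions>, so it never references a user permission that exists in
# production but not in the scratch org (the cause of "Unknown user permission").
write_permset() {
  mkdir -p "$PERMSET_DIR"
  cat > "$PERMSET_FILE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>My Opportunity Access</label>
    <hasActivationRequired>false</hasActivationRequired>
    <fieldPermissions>
        <editable>true</editable>
        <field>Opportunity.Region__c</field>
        <readable>true</readable>
    </fieldPermissions>
</PermissionSet>
EOF
}

# Push the source to the org and assign the set to its default user. Running
# the same assign against the production alias is the one extra step.
deploy_and_assign() {
  org_alias="$1"
  sfdx force:source:push -u "$org_alias"
  sfdx force:user:permset:assign -n "$PERMSET_NAME" -u "$org_alias"
}

# Usage (assumed alias): write_permset && deploy_and_assign my-scratch-org
```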
