[Salesforce] “Metadata Through Metadata API Functions” permission Not Working

I want to make a permission set such that a user only has Metadata Access and preferably only Read-Only Metadata access through Ant. The idea is I want to make a "Backup Metadata" user. I do not want to give this user "View All Data" or "Modify All Data" access. Per Salesforce Documentation here:

If a user requires access only to metadata for deployments, you can enable the Modify Metadata Through Metadata API Functions permission. This permission gives such users the access they need for deployments without providing access to org data. For details, see “Modify Metadata Through Metadata API Functions Permission” in Salesforce Help.

And on the Salesforce Help doc here:

Users with the Modify Metadata Through Metadata API Functions permission can update metadata (including Apex) through Metadata API even if they don’t also have the Modify All Data permission. Metadata API is used for deployments using change sets, the Ant Migration Tool, or the Salesforce CLI. Users must have the permission that enables use of the feature supported by the metadata they’re trying to modify. They must also have the permission that enables their deployment tool. Modify Metadata Through Metadata API Functions is enabled automatically when either the Deploy Change Sets or the Author Apex permission is selected.

Problem is: I can't get this to work without granting the "Modify All Data" permission. I also granted "Deploy Change Sets" and "Author Apex".

The error I receive is this after running an Ant "retrieve" from the command line:

 Failed to process the request successfully. Cause(UNKNOWN_EXCEPTION): INSUFFICIENT_ACCESS: Admin only setting

However, it processes successfully after I grant "Modify All Data". I realize there is an "Idea" here that says in order to use the Metadata API, you must have "Modify All Data", but by the docs, it looks like Salesforce delivered on this with the "Modify Metadata Through Metadata API Functions permission", but I can't find the right combo of perms minus "Modify All Data" to get it to work.

Best Answer

Per Salesforce Support... The Ant Migration Tool is a "third party tool" and not supported by Salesforce. (News to me.) Second, "Modify All Data" is required. Didn't specify if the permission would work with just deploy. So, there you go.
