[SalesForce] Permission Manage All X Depends On Permission Read All Y

Using Ant Deployment. As the title says, when I deploy I get errors on my custom profiles:

profiles/Some.profile -- Error Permission Manage All Custom_Object__c depends on permission(s): Read All Contact.

If I look at the permissions for this profile through the browser I can see that, under Standard Object Permissions, that Contact has all rows selected.

Where is this "Read All" parameter?

Under "Contact Field-Level Security for profile" there are some fields that aren't enabled. So do I need to enable them all?!

ETA:

The user license associated with this profile is "Force.com App Subscription"

In the sandbox org, Here's what I see from the Profile page:enter image description here

In the developer org, If I create a profile based on "Force.com App Subscription" I see this:
enter image description here

So in the sandbox View All is enabled, in the developer View All is disabled.

Best Answer

I just ran into a very similar issue with Opportunity and a custom object that had a Master-Detail relationship back to Opportunity.

I was attempting to insert an ObjectPermissions record against Opportunity for a particular ParentId PermissionSet and got the following error:

Id permissionSetId = //... Some existing Permission Set gets looked up. 

// Note the omission of PermissionsViewAllRecords = true
ObjectPermissions opportunityObjectReadPermission = new ObjectPermissions(SobjectType = 'Opportunity',
                                                        PermissionsCreate = false,
                                                        PermissionsDelete = false,
                                                        PermissionsEdit = false,
                                                        PermissionsRead = true
                                                    );
opportunityObjectReadPermission.ParentId = permissionSetId;
insert opportunityObjectReadPermission;

System.DmlException: Insert failed. First exception on row 0; first error: FIELD_INTEGRITY_EXCEPTION, Permission Read All ChildCustomObject__c depends on permission(s): Read All Opportunity: []

It turned out there was already an ObjectPermissions record for ChildCustomObject__c that had PermissionsViewAllRecords = true. For that to exist there was already a corresponding ObjectPermissions for Opportunity with the same view all records setting. That makes sense:

If you are going to allow the view all records permission on the detail object in a master-detail relationship you also need to grant it on the master object.

This is applicable to your deployment issue as well. You can't deploy permissions for the child/detail sObject without also deploying the required permissions to the master sObject.

Related Topic