Change Sets and Profile Permissions

Did you know your change sets may be including more permission changes than you thought? I recently deployed a new field in a change set along with the “profile settings for for included components”. I selected all the profiles in my org because I wanted to make sure all my profiles could see the new field. After deploying, I discovered that the change set deploy had removed one of the login IP ranges for a profile. Turns out that is expected behavior as described in the help.

This behavior was unexpected to me and didn’t seem right, so I started asking around and was able to talk to the PM for Change Sets, Andrew Smith. We had a great talk about change sets and I learned a thing or two that I thought would be nice to share with others.

First, change sets will modify many profile settings when you include them in the “profile settings for for included components” section. Not only will it give appropriate permissions for things such as fields, but it will also overwrite login IP ranges among other things. (Take a look at this help doc for the entire list.) In Winter 14 this list gets expanded and will also include user permissions such as “Manage Users”. I tested this in a couple of Winter ’14 sandboxes and was alarmed to see that the audit trail did not record any of the user permissions changes. The moral of this story is that you need to be sure your profiles in your sandboxes are exactly what you want as the changes will move with the change set.

Second, we discussed that change sets are not typically destructive, but there are certain cases where change sets will remove items:

For instance, we delete picklist values in a field that you migrate.  Same goes for adding/removing workflow actions associated with a rule when you move the rule (the link to the actions – not the actions themselves).  Our general rule is we don’t delete things you can add to a change set directly (think field, object, report), but we will update (including removal) sub aspects of a component as part of migrating that component.

Change sets are a great feature and I’m looking forward to future clarification on what can and can’t get deployed as well as improvements to the UI for selecting items to add to the change set.