Using Salesforce CLI to Update Tab Permissions

I attended TrailheaDX last week and one of the big announcements was DX in open beta. I’m excited to start trying out DX, but I think I was even more excited to learn that the Salesforce CLI also supports the metadata API, querying and loading data and more.

This tool is quickly becoming my goto for various tasks. I needed to make a tab that came in a managed package hidden to all profiles and I really didn’t want to edit each profile individually. (Go vote for this idea to do it through setup:

If you don’t have the latest version of the Salesforce CLI yet, go download it from (Note that as of this writing the top link that comes up in Google is an older version. You don’t want the CLI, you want the Salesforce CLI.)

Once you have it installed, we need to authenticate to our org. You can authenticate to production, sandbox, etc using a web login. There’s a little bit of magic going on.

sfdx force:auth:web:login -a prod -r

What’s going on in the above command? We are telling it to auth using a web login and giving the new connection an alias with -a (in this case prod). We can also specify a custom domain with -r if you use my domain or need to connect to a sandbox. Once you authorize the connected app, you can close your browser. This only needs to be done once and you can keep using the connection for multiple commands.

Now that we have a connection, switch to a text editor and create your package.xml file. This is used to say what you need to retrieve from the org. In this case, I want to retrieve all profiles and a specific tab.

Now we can use this file to retrieve our metadata:

sfdx force:mdapi:retrieve -u prod -r .  -k package.xml

This will retrieve the metadata into a zip file called Unzip it and you’ll see all the profiles. Now you just need to edit each profile to make the tab hidden. This is easily done with a text editor doing a search and replace across files. Save all your changes and zip the folder back into one zip file. Now you can deploy it back to your org.

sfdx force:mdapi:deploy -u prod -f

Check the deployment status and audit log in the target org and you’ll hopefully see your changes. You should to all of this in a sandbox before deploying to production to make sure there aren’t any unintended consequences.