Sf Permissions

1---2name: sf-permissions3description: >4  Permission Set analysis, hierarchy viewer, and access auditing.5  TRIGGER when: user asks "who has access to X?", analyzes permission sets/groups,6  or touches .permissionset-meta.xml / .permissionsetgroup-meta.xml files.7  DO NOT TRIGGER when: creating new metadata (use sf-metadata), deploying8  permission sets (use sf-deploy), or Apex sharing logic (use sf-apex).9license: MIT10metadata:11  version: "1.1.0"12  author: "Jag Valaiyapathy"13  inspiration: "PSLab by Oumaima Arbani (github.com/OumArbani/PSLab)"14---15 16# sf-permissions17 18Use this skill when the user needs **permission analysis and access auditing**: Permission Set / Permission Set Group hierarchy views, “who has access to X?” investigations, user-permission analysis, or permission-set metadata review.19 20## When This Skill Owns the Task21 22Use `sf-permissions` when the work involves:23- permission set / permission set group analysis24- user access investigation25- finding which permission grants object / field / Apex / flow / tab / custom-permission access26- auditing or exporting permission configuration27- reviewing permission metadata impacts28 29Delegate elsewhere when the user is:30- creating new metadata definitions → [sf-metadata](../sf-metadata/SKILL.md)31- deploying permission sets → [sf-deploy](../sf-deploy/SKILL.md)32- analyzing Apex-managed sharing logic → [sf-apex](../sf-apex/SKILL.md)33 34---35 36## Required Context to Gather First37 38Ask for or infer:39- target org alias40- whether the question is about an object, field, Apex class, flow, tab, custom permission, or specific user41- whether the goal is hierarchy visualization, access detection, export, or metadata generation42- whether the output should be terminal-focused or documentation-friendly43 44---45 46## Recommended Workflow47 48### 1. Classify the request49| Request shape | Default capability |50|---|---|51| “who has access to X?” | permission detector |52| “what does this user have?” | user analyzer |53| “show me the hierarchy” | hierarchy viewer |54| “export this permset” | exporter |55| “generate metadata from analysis” | generator or handoff |56 57### 2. Connect to the correct org58Verify `sf` auth before running permission analysis.59 60### 3. Use the narrowest useful query61Prefer focused analysis over broad org-wide scans unless the user explicitly wants a full audit.62 63When choosing identifiers, prefer stable metadata names first:64- `PermissionSet.Name`65- `PermissionSetGroup.DeveloperName`66- `CustomPermission.DeveloperName`67- object and field API names such as `Account` or `Account.AnnualRevenue`68- `Assignee.Username` / email for user-centric checks69 70Use Salesforce record IDs only when:71- the underlying object model requires `ParentId` or `SetupEntityId`, or72- you are drilling into records returned by a prior read-only query in the same investigation73 74### 4. Render findings clearly75Use:76- ASCII tree or table output for terminal work77- Mermaid only when documentation benefit is clear78- concise summaries of which permission source grants access79 80### 5. Hand off creation or deployment work81Use:82- [sf-metadata](../sf-metadata/SKILL.md) for richer metadata generation83- [sf-deploy](../sf-deploy/SKILL.md) for deployment84 85---86 87## High-Signal Rules88 89- distinguish direct Permission Set grants from grants via Permission Set Groups90- prefer `Name` / `DeveloperName` / API names over org-specific record IDs for first-pass investigation queries91- be explicit about whether access is object-level, field-level, class-level, flow-level, or custom-permission-based92- use Tooling API where required for setup entities and advanced visibility questions93- for agent access questions, verify exact agent-name matching in permission metadata94- when a follow-up child query requires `ParentId` or `SetupEntityId`, resolve the ID from a prior result instead of starting with copied IDs95 96---97 98## Output Format99 100When finishing, report in this order:1011. **What was analyzed**1022. **Org / subject scope**1033. **Which permissions grant access**1044. **Whether access is direct or inherited**1055. **Recommended follow-up**106 107Suggested shape:108 109```text110Permission analysis: <hierarchy / detect / user / export>111Scope: <org, user, permission target>112Findings: <permsets / groups / access level>113Source: <direct assignment or via group>114Next step: <export, generate metadata, or deploy changes>115```116 117---118 119## Cross-Skill Integration120 121| Need | Delegate to | Reason |122|---|---|---|123| generate or modify permission metadata | [sf-metadata](../sf-metadata/SKILL.md) | metadata authoring |124| deploy permission changes | [sf-deploy](../sf-deploy/SKILL.md) | rollout |125| identify Apex classes needing grants | [sf-apex](../sf-apex/SKILL.md) | implementation context |126| bulk user assignment analysis | [sf-data](../sf-data/SKILL.md) | larger data operations |127 128---129 130## Reference Map131 132### Start here133- [references/permission-model.md](references/permission-model.md)134- [references/soql-reference.md](references/soql-reference.md)135- [references/workflow-examples.md](references/workflow-examples.md)136 137### Specialized analysis138- [references/agent-access-guide.md](references/agent-access-guide.md)139- [references/usage-examples.md](references/usage-examples.md)140 141---142 143## Score Guide144 145| Score | Meaning |146|---|---|147| 90+ | strong permission analysis with clear access sourcing |148| 75–89 | useful audit with minor gaps |149| 60–74 | partial visibility only |150| < 60 | insufficient evidence; expand analysis |