Merge profiles on retrieve - POC and to discuss - NOT READY TO MERGE #1145
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Profiles suck - this PR attempts to make them suck a little bit less. It's a POC and my attempt to prompt a discussion - it's in no way ready to merge.
Background
I fully expect that anyone reading a PR against this repo will know this already but lets set the scene...
When profiles are retrieved from Salesforce they only contain basic profile information i.e. description, user permissions, etc. If the same retrieve contains metadata types that have profile permissions (e.g. objects, fields, apps, classes, etc), the profile metadata will also contain permissions for that metadata. However, it'll only contain the permissions for metadata contained in that retrieve and any existing profile metadata file will be completely overwritten.
This effectively means you can't use source commands and track profiles. You kind of can, if you maintain a manifest and retrieve all metadata with permissions alongside the profiles but this isn't ideal for so many reasons.
I can understand why this has never worked - profiles are a pain in the ass and are largely superseded by Permission Sets and Permission Set Groups. In the coming years, object and field permissions will be completely removed from profiles.
So why invest time in something that doesn't have a future?
Proposal
When converting from MD API to Source format, merge retrieved profile permissions into the existing profile file. If an existing file doesn't exist, fallback to the way it works at the moment.
There would need to be configuration to determine how to merge the files, I propose the following. Two merge strategies:
This is an example of the configuration used in the POC:
Note, I've also considered an attribute along the lines of 'deleteOnEmpty' (not implemented yet in the POC) to cover metadata that may genuinely have been removed from the org (opposed to just not retrieved) e.g. loginIpRanges.
This does mean there is additional configuration to be maintained. It's not ideal to maintain a list of the permission types in profiles and how to merge them. However, this is mitigated by having a default configuration of replace i.e. do what it does now. Also, the profile metadata type seldom changes.
I've tucked the functionality away behind an environment variable (
SF_ENABLE_EXPERIMENTAL_PROFILE_MERGE
) - having a flag to explicitly turn this feature on or off is probably a good idea. Though, since profile retrieving doesn't work at the moment, arguably a flag to turn off is probably the better way around.Limitations / Potential Issues
TODO
If the idea is a 'go'er', I'm willing to invest my time to finish off the PR.
That will involve:
Conclusion
Ultimately, (and I mean no offence to anyone) I don't think we can make the handling of profiles much worse than it already is - therefore, there is no downside to giving this a shot.
Before:
After: