Newer Version Available

This content describes an older version of this product. View Latest

Profile

Represents a user profile. A profile defines a user's permission to perform different functions within Salesforce. It extends the Metadata metadata type and inherits its fullName field.

In API version 29.0 and later, you can retrieve and deploy access settings for the following managed components in profiles and permission sets:

Apex classes
Apps
Custom field permissions
Custom object permissions
Custom tab settings
External data sources
Record types
Visualforce pages

For more information, see Managed Component Access in Sample package.xml Manifest Files.

Declarative Metadata File Suffix and Directory Location

The file suffix is .profile. There is one file for each profile, stored in the profiles folder in the corresponding package directory.

Version

Profiles are available in API version 10.0 and later.

Fields

The content of a profile returned by Metadata API depends on the content requested in the RetrieveRequest message. For example, profiles only include field-level security for fields included in custom objects returned in the same RetrieveRequest as the profiles. The profile definition contains the following fields:

Field Name	Field Type	Description
applicationVisibilities	ProfileApplicationVisibility[]	Indicates which apps are visible to users assigned to this profile. In API version 29.0 and earlier, this field supports custom apps only. In API version 30.0 and later, this field supports both standard and custom apps.
classAccesses	ProfileApexClassAccess[]	Indicates which top-level Apex classes have methods that users assigned to this profile can execute.
custom	boolean	Indicates whether the profile is a custom (`true`) or standard (`false`) profile. Available in API version 30.0 and later.
description	string	The profile description. Limit: 255 characters. Available in API version 30.0 and later.
externalDataSourceAccesses	ProfileExternalDataSourceAccess[]	Indicates which data sources with identity type of Per User are available to users assigned to this profile. Available in API version 27.0 and later. External Data Source is in Beta release.
fieldLevelSecurities	ProfileFieldLevelSecurity[]	Indicates which fields are visible to a user assigned to this profile, and the kind of access available (editable or hidden). This field is available in API version 22.0 and earlier.
fieldPermissions	ProfileFieldLevelSecurity[]	Indicates which fields are visible to a user assigned to this profile, and the kind of access available (editable or readable). This field is available in API version 23.0 and later.
fullName	string	The name can only contain characters, letters, and the underscore (_) character, must start with a letter, and cannot end with an underscore or contain two consecutive underscore characters. Inherited from the Metadata component, this field is not defined in the WSDL for this component. It must be specified when creating, updating, or deleting. See `create()` to see an example of this field specified for a call.
layoutAssignments	ProfileLayoutAssignments[]	Indicates which layout to use for this profile.
loginHours	ProfileLoginHours[]	Indicates the hours within which a user with this profile may log in. If not specified, the profile doesn’t restrict a user’s login hours. This field is available in API version 25.0 and later.
loginIpRanges	ProfileLoginIpRange[]	The list of IP address ranges from which users with a particular profile can log in. This field is available in API version 17.0 and later.
objectPermissions	ProfileObjectPermissions[]	Indicates which objects are accessible to a user assigned to this profile, and the kind of access available (create, read, edit, delete, and so on). In API version 28.0 and later, this field is only retrieved when allowRead is `true`.
pageAccesses	ProfileApexPageAccess[]	Indicates which Visualforce pages that users assigned to this profile can execute.
recordTypeVisibilities	ProfileRecordTypeVisibility[]	Indicates the visibility of record types for users assigned to this profile. In API version 29.0 and later, this field is not retrieved or deployed for inactive record types.
tabVisibilities	ProfileTabVisibility[]	Indicates which record types are visible to a user assigned to this profile, and therefore which tabs within an app are visible.
userLicense	string	The User License for the profile. A user license entitles a user to different functionality within Salesforce and determines which profiles and permission sets are available to the user. This field is available in API version 17.0 and later.
userPermissions	ProfileUserPermission[]	Specifies a user permission (such as “API Enabled”) and whether it’s enabled for this profile. This field retrieves only enabled user permissions. Available in API version 29.0 and later.

ProfileApplicationVisibility

ProfileApplicationVisibility determines whether an app is visible to a user assigned to this profile.

Field Name	Field Type	Description
application	string	Required. The name of the app.
default	boolean	Required. Indicates whether the app is the default app (`true`) or not (`false`). Only one app per profile can be set to `true`.
visible	boolean	Required. Indicates whether this app is visible to users assigned to this profile (`true`) or not (`false`).

ProfileApexClassAccess

ProfileApexClassAccess determines which top-level Apex classes have methods that users assigned to this profile can execute.

Field Name	Field Type	Description
apexClass	string	Required. The Apex class name.
enabled	boolean	Required. Indicates whether users assigned to this profile can execute methods in the top-level class (`true`) or not (`false`).

ProfileExternalDataSourceAccess

ProfileExternalDataSourceAccess represents the data source access for users with identity type of Per User. Available in API version 27.0 and later. External Data Source is in Beta release.

Field Name	Field Type	Description
enabled	boolean	Required. Indicates whether the data source is enabled (`true`) or not (`false`).
externalDataSource	string	The name of the external data source.

ProfileFieldLevelSecurity

ProfileFieldLevelSecurity represents the field level security for users assigned to a profile. In API version 30.0 and later, permissions for required fields can’t be retrieved or deployed.

Field Name	Field Type	Description
editable	boolean	Required. Indicates whether this field is editable (`true`) or not (`false`). In API version 30.0 and later, when deploying a new custom field, this field is `false` by default.
field	string	Required. Indicates the name of the field.
hidden	boolean	Indicates whether this field is hidden (`true`) or not (`false`). This field is available in API version 22.0 and earlier. For portal profiles, this is set to `true` by default in API version 19.0 and later.
readable	boolean	Indicates whether this field is readable (`true`) or not (`false`). This field is available in API version 23.0 and later. It replaces the hidden field. In API version 30.0 and later, when deploying a new custom field, this field is `false` by default. For portal profiles, this is set to `false` by default.

ProfileLayoutAssignments

ProfileLayoutAssignments determines which layout to use for a profile and a given entity.

Field Name	Field Type	Description
layout	string	Required. Indicates the layout for this particular entity.
recordType	string	This field is optional. If the recordType of the record matches a layout assignment rule, it will use the specified layout.

ProfileLoginHours

ProfileLoginHours restricts the days and times within which users with a particular profile can log in.

Field Name	Field Type	Description
`weekday`Start	string	Specifies the earliest time on that day that a user with this profile may log in. If a start time for a particular day is specified, an end time for that day must be specified as well. Start can’t be greater than end for a particular day. Valid values for weekday: monday, tuesday, wednesday, thursday, friday, saturday, or sunday. For example, mondayStart indicates the beginning of the login period for Monday. Valid values for Start: the number of minutes since midnight. Must be evenly divisible by 60 (full hours). For example, `300` is 5:00 a.m.
`weekday`End	string	Specifies the time on that day by which a user with this profile must log out. Valid values for weekday: monday, tuesday, wednesday, thursday, friday, saturday, or sunday. For example, mondayEnd indicates the close of the login period for Monday. Valid values for End: the number of minutes since midnight. Must be evenly divisible by 60 (full hours). For example, `1020` is 5:00 p.m.

To delete login hour restrictions from a profile that previously had them, you must explicitly include an empty loginHours tag without any start or end times.

ProfileLoginIpRange

ProfileLoginIpRange IP defines an IP address ranges from which users with a particular profile can log in.

Field Name	Field Type	Description
endAddress	string	Required. The end IP address for the range.
startAddress	string	Required. The start IP address for the range.

ProfileObjectPermissions

ProfileObjectPermissions represents a user's access to objects.

In API version 18.0 and later, these permissions are disabled in new custom objects for any profiles in which “View All Data” or “Modify All Data” is disabled.

Note

Field Name	Field Type	Description
allowCreate	boolean	Indicates whether the object referenced by the object field can be created by the users assigned to this profile (`true`) or not (`false`). This field is named revokeCreate before version 14.0 and the logic is reversed. The field name change and the update from `true` to `false` and vice versa is automatically handled between versions and does not require any manual editing of existing XML component files. The field name change and the update from `true` to `false` and vice versa is automatically handled between versions and does not require any manual editing of existing XML component files.
allowDelete	boolean	Indicates whether the object referenced by the object field can be deleted by the users assigned to this profile (`true`) or not (`false`). This field is named revokeDelete before version 14.0 and the logic is reversed. The field name change and the update from `true` to `false` and vice versa is automatically handled between versions and does not require any manual editing of existing XML component files.
allowEdit	boolean	Indicates whether the object referenced by the object field can be edited by the users assigned to this profile (`true`) or not (`false`). This field is named revokeEdit before version 14.0 and the logic is reversed. The field name change and the update from `true` to `false` and vice versa is automatically handled between versions and does not require any manual editing of existing XML component files.
allowRead	boolean	Indicates whether the object referenced by the object field can be seen by the users assigned to this profile (`true`) or not (`false`). This field is named revokeRead before version 14.0 and the logic is reversed. The field name change and the update from `true` to `false` and vice versa is automatically handled between versions and does not require any manual editing of existing XML component files.
modifyAllRecords	boolean	Indicates whether the object referenced by the object field can be read, edited, or deleted by the users assigned to this profile (`true`) or not (`false`), regardless of the sharing settings for the object. This is equivalent to the “Modify All Data” user permission limited to the individual object level. This is a new field in API version 15.0. This field is not available for all objects. Refer to the profile in the user interface to determine which objects currently support these permissions. Profiles with "Modify All Data" ignore modifyAllRecords entries in Metadata API and don't return an error if "Modify All Data" is enabled on the profile. Note
object	string	Required. The name of the object whose permissions are altered by this profile, for example, `MyCustomObject__c`.
viewAllRecords	boolean	Indicates whether the object referenced by the object field can be read by the users assigned to this profile (`true`) or not (`false`), regardless of the sharing settings for the object. This includes private records (records with no parent object). This is equivalent to the “View All Data” user permission limited to the individual object level. This is a new field in API version 15.0. This field is not available for all objects. Refer to the profile in the user interface to determine which objects currently support these permissions. Profiles with "View All Data" ignore viewAllRecords entries in the Metadata API and don't return an error if "View All Data" is enabled on the profile. Note

ProfileApexPageAccess

ProfileApexPageAccess determines which Visualforce pages that users assigned to this profile can execute.

Field Name	Field Type	Description
apexPage	string	Required. The Visualforce page name.
enabled	boolean	Required. Indicates whether users assigned to this profile can execute the Visualforce page (`true`) or not (`false`).

ProfileRecordTypeVisibility

ProfileRecordTypeVisibility represents the visibility of record types for this profile. Record types allow you to offer different business processes, picklist values, and page layouts to different users.

Field Name	Field Type	Description
default	boolean	Required. Indicates whether the record type is the default for this pair of profile and object (`true`) or not (`false`). Only one default is allowed per object.
personAccountDefault	boolean	Indicates whether the record type is the default person account record type for this pair of profile and object (`true`) or not (`false`). Only one person account record type default is allowed per object. This field is only relevant for record types for account or contact objects. A person account is an individual consumer with whom you do business, such as a financial services client, an online shopper, or a vacation traveler. Person accounts are applicable to organizations that operate on a business-to-consumer model as opposed to a business-to-business model. For more information about person accounts, see “What is a Person Account?” in the Salesforce online help. Person accounts are not enabled by default in Salesforce. To request person accounts, contact salesforce.com.
recordType	string	Required. The record type name, for example `Account.MyRecordType`.
visible	boolean	Required. Indicates whether this record type is visible to users assigned to this profile (`true`) or not (`false`).

ProfileTabVisibility

ProfileTabVisibility represents the visibility of tabs for this profile. For version 17.0 and later, ProfileTabVisibility supports visibility of tabs for standard objects. The manifest file must include the standard object corresponding to a standard tab to retrieve the tab visibility in a profile.

Field Name	Field Type	Description
tab	string	Required. The name of the tab.
visibility	TabVisibility (enumeration of type string)	Required. Indicates the visibility of the tab. Valid values are: `DefaultOff`—The tab is available on the All Tabs page. Individual users can customize their display to make the tab visible in any app. `DefaultOn`—The tab is available on the All Tabs page and appears in the visible tabs for its associated app. Individual users can customize their display to hide the tab or make it visible in other apps. `Hidden`—The tab isn’t available on the All Tabs page or visible in any apps.

ProfileUserPermission

ProfileUserPermission represents an app or system permission for a profile. Use one of these elements for each permission.

Field	Field Type	Description
enabled	boolean	Required. Indicates whether the permission is enabled (`true`) or disabled (`false`).
name	string	Required. The permission name.

Java Sample

The following sample uses picklists, profiles, record types, and a custom app:

1swfobject.registerObject("clippy.codeblock-0", "9");public void profileSample() {
2  try {
3    // Create an expense report record, tab and app...
4    CustomObject expenseRecord = new CustomObject();
5    expenseRecord.setFullName("ExpenseReport__c");
6    expenseRecord.setLabel("Expense Report");
7    expenseRecord.setPluralLabel("Expense Reports");
8    
9    expenseRecord.setDeploymentStatus(DeploymentStatus.Deployed);
10    expenseRecord.setSharingModel(SharingModel.ReadWrite);
11    
12    CustomField nameField = new CustomField();
13    nameField.setType(FieldType.AutoNumber);
14    nameField.setLabel("Expense Report Number");
15    nameField.setDisplayFormat("ER-{0000}");
16    expenseRecord.setNameField(nameField);
17    
18    AsyncResult[] arsExpenseRecord =
19        metadataConnection.create(new Metadata[] {expenseRecord});
20    
21    Picklist expenseStatus = new Picklist();
22    PicklistValue unsubmitted = new PicklistValue();
23    unsubmitted.setFullName("Unsubmitted");
24    PicklistValue submitted = new PicklistValue();
25    submitted.setFullName("Submitted");
26    PicklistValue approved = new PicklistValue();
27    approved.setFullName("Approved");
28    PicklistValue rejected = new PicklistValue();
29    rejected.setFullName("Rejected");
30    expenseStatus.setPicklistValues(new PicklistValue[] {
31        unsubmitted, submitted, approved, rejected}
32    );
33    
34    CustomField expenseStatusField = new CustomField();
35    expenseStatusField.setFullName(
36        "ExpenseReport__c.ExpenseStatus__c"
37    );
38    expenseStatusField.setLabel("Expense Report Status");
39    expenseStatusField.setType(FieldType.Picklist);
40    expenseStatusField.setPicklist(expenseStatus);
41    AsyncResult[] arsStatusField =
42        metadataConnection.create(new Metadata[] 
43            {expenseStatusField});
44    
45    CustomTab expenseTab = new CustomTab();
46    expenseTab.setFullName("ExpenseReport__c");
47    expenseTab.setMotif("Custom70: Handsaw");
48    expenseTab.setCustomObject(true);
49    AsyncResult[] arsTab =
50        metadataConnection.create(new Metadata[] {expenseTab});
51    
52    CustomApplication application = new CustomApplication();
53    application.setFullName("ExpenseForce");
54    application.setTab(new String[] {expenseTab.getFullName()});
55    AsyncResult[] arsApp =
56        metadataConnection.create(new Metadata[] {application});
57    
58    // Employees and managers have the same app visibility...
59    ProfileApplicationVisibility appVisibility =
60        new ProfileApplicationVisibility();
61    appVisibility.setApplication("ExpenseForce");
62    appVisibility.setVisible(true);
63    
64    Profile employee = new Profile(); 
65    employee.setFullName("Employee");
66    employee.setApplicationVisibilities(
67        new ProfileApplicationVisibility[] {appVisibility}
68    );
69    AsyncResult[] arsProfileEmp =
70    metadataConnection.create(new Metadata[] {employee});
71    
72    Profile manager = new Profile();
73    manager.setFullName("Manager");
74    manager.setApplicationVisibilities(
75        new ProfileApplicationVisibility[] {appVisibility}
76    );
77    AsyncResult[] arsProfileMgr =
78        metadataConnection.create(new Metadata[] {manager});
79    
80    // But employees and managers have different access
81    // to the state of the expense sheet
82    RecordType edit = new RecordType();
83    edit.setFullName("ExpenseReport__c.Edit");
84    RecordTypePicklistValue editStatuses =
85        new RecordTypePicklistValue();
86    editStatuses.setPicklist("ExpenseStatus__c");
87    editStatuses.setValues(new PicklistValue[] 
88        {unsubmitted, submitted});
89    edit.setPicklistValues(new RecordTypePicklistValue[] 
90        {editStatuses});
91    AsyncResult[] arsRecTypeEdit =
92        metadataConnection.create(new Metadata[] {edit});
93    
94    RecordType approve = new RecordType();
95    approve.setFullName("ExpenseReport__c.Approve");
96    RecordTypePicklistValue approveStatuses =
97        new RecordTypePicklistValue();
98    approveStatuses.setPicklist("ExpenseStatus__c");
99    approveStatuses.setValues(new PicklistValue[] 
100        {approved, rejected});
101    approve.setPicklistValues(new RecordTypePicklistValue[]
102        {approveStatuses});
103    AsyncResult[] arsRecTypeApp =
104        metadataConnection.create(new Metadata[] {approve});
105  } catch (ConnectionException ce) {
106    ce.printStackTrace();
107  }
108}

Declarative Metadata Sample Definition

The following is the definition of a profile in an organization with a custom app, custom object, record type, tab, and user permission:

1<?xml version="1.0" encoding="UTF-8"?>
2<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
3    <applicationVisibilities>
4        <application>PubApps__Myriad_Publishing</application>
5        <default>false</default>
6        <visible>true</visible>
7    </applicationVisibilities>
8    <custom>true</custom>
9    <objectPermissions>
10        <object>TestWeblinks__c</object>
11    </objectPermissions>
12    <recordTypeVisibilities>
13        <default>true</default>
14        <recordType>TestWeblinks__c.My First Recordtype</recordType>
15        <visible>true</visible>
16    </recordTypeVisibilities>
17    <tabVisibilities>
18        <tab>Myriad Publications</tab>
19        <visibility>DefaultOn</visibility>
20    </tabVisibilities>
21    <userPermissions>
22        <enabled>true</enabled>
23        <name>APIEnabled</name>
24    </userpermissions>
25</Profile>

Usage

When you use the retrieve() call to get information about profiles in your organization, the returned .profile files only include security settings for the other metadata types referenced in the retrieve request (with the exception of user permissions, IP address ranges, and login hours, which are always retrieved). For example, the package.xml file below contains a types element that matches all custom objects, so the returned profiles contain object and field permissions for all custom objects in your organization, but do not include permissions for standard objects, such as Account, and standard fields.

1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>*</members>
5        <name>CustomObject</name>
6    </types>
7   <types>
8        <members>*</members>
9        <name>Profile</name>
10    </types>
11    <version>30.0</version>
12</Package>

The wildcard “*” on CustomObject does not match standard objects and this helps to avoid making unintended, high-impact profile changes. If you create a few custom objects in a Developer Edition organization, retrieve() the information, and subsequently deploy() the custom objects to your production organization, the profile and field-level security for all your standard objects, such as Account, and standard fields are not overwritten unless you explicitly create separate types elements for the standard objects or fields.

Metadata API intentionally makes it somewhat difficult to include standard fields in retrieve() calls in order to prevent unexpected profile changes. However, you can still retrieve and deploy profile permissions for custom and standard fields in standard objects, such as Account.

The next package.xml file allows you to return profile permissions for Account standard and custom fields. Note how the standard Account object is defined in a types element by specifying it as a member of a CustomObject type.

1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3    <types>
4        <members>Account</members>
5        <name>CustomObject</name>
6    </types>
7   <types>
8        <members>*</members>
9        <name>Profile</name>
10    </types>
11    <version>30.0</version>
12</Package>

The final package.xml file allows you to return profile permissions for the MyCustomField__c custom field in the Account object.

1<?xml version="1.0" encoding="UTF-8"?>
2<Package xmlns="http://soap.sforce.com/2006/04/metadata">
3   <types>
4        <members>Account.MyCustomField__c</members>
5        <name>CustomField</name>
6   </types>
7   <types>
8        <members>*</members>
9        <name>Profile</name>
10   </types>
11   <version>30.0</version>
12</Package>

Metadata API Developer’s Guide

No Results