Agent skill
sf-permissions
Permission Set analysis, hierarchy viewer, and access auditing. TRIGGER when: user asks "who has access to X?", analyzes permission sets/groups, or touches .permissionset-meta.xml / .permissionsetgroup-meta.xml files. DO NOT TRIGGER when: creating new metadata (use sf-metadata), deploying permission sets (use sf-deploy), or Apex sharing logic (use sf-apex).
Install this agent skill to your Project
npx add-skill https://github.com/Jaganpro/sf-skills/tree/main/skills/sf-permissions
Metadata
Additional technical details for this skill
- author: Jag Valaiyapathy
- version: 1.1.0
- inspiration: PSLab by Oumaima Arbani (github.com/OumArbani/PSLab)
SKILL.md
sf-permissions
Use this skill when the user needs permission analysis and access auditing: Permission Set / Permission Set Group hierarchy views, “who has access to X?” investigations, user-permission analysis, or permission-set metadata review.
When This Skill Owns the Task
Use sf-permissions when the work involves:
- permission set / permission set group analysis
- user access investigation
- finding which permission grants object / field / Apex / flow / tab / custom-permission access
- auditing or exporting permission configuration
- reviewing permission metadata impacts
Delegate elsewhere when the user is:
- creating new metadata definitions → sf-metadata
- deploying permission sets → sf-deploy
- analyzing Apex-managed sharing logic → sf-apex
Required Context to Gather First
Ask for or infer:
- target org alias
- whether the question is about an object, field, Apex class, flow, tab, custom permission, or specific user
- whether the goal is hierarchy visualization, access detection, export, or metadata generation
- whether the output should be terminal-focused or documentation-friendly
Recommended Workflow
1. Classify the request
| Request shape | Default capability |
|---|---|
| “who has access to X?” | permission detector |
| “what does this user have?” | user analyzer |
| “show me the hierarchy” | hierarchy viewer |
| “export this permset” | exporter |
| “generate metadata from analysis” | generator or handoff |
2. Connect to the correct org
Verify sf auth before running permission analysis.
3. Use the narrowest useful query
Prefer focused analysis over broad org-wide scans unless the user explicitly wants a full audit.
4. Render findings clearly
Use:
- ASCII tree or table output for terminal work
- Mermaid only when documentation benefit is clear
- concise summaries of which permission source grants access
5. Hand off creation or deployment work
Use:
- sf-metadata for richer metadata generation
- sf-deploy for deployment
High-Signal Rules
- distinguish direct Permission Set grants from grants via Permission Set Groups
- be explicit about whether access is object-level, field-level, class-level, flow-level, or custom-permission-based
- use Tooling API where required for setup entities and advanced visibility questions
- for agent access questions, verify exact agent-name matching in permission metadata
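An added example (not part of the skill or its reference files) of the first two rules applied to local metadata: it parses constructed .permissionset-meta.xml and .permissionsetgroup-meta.xml content and reports, for one object-level right, which permission set grants it and whether the grant is direct or via a group. All permission set, group, object and user names are hypothetical, the assignment table is a constructed stand-in for org data, and muting permission sets are not modelled.

```python
import xml.etree.ElementTree as ET

URI = "http://soap.sforce.com/2006/04/metadata"  # Salesforce metadata namespace
NS = {"md": URI}

def permset_xml(read, edit):
    # Constructed .permissionset-meta.xml body for a hypothetical Invoice__c object.
    return (f'<PermissionSet xmlns="{URI}"><objectPermissions>'
            f"<allowRead>{read}</allowRead><allowEdit>{edit}</allowEdit>"
            "<object>Invoice__c</object></objectPermissions></PermissionSet>")

# Constructed sample metadata, keyed by API name (all names hypothetical).
PERMSETS = {"Sales_Read": permset_xml("true", "false"),
            "Finance_Edit": permset_xml("true", "true")}
GROUPS = {"Finance_Bundle": f'<PermissionSetGroup xmlns="{URI}">'
          "<permissionSets>Finance_Edit</permissionSets>"
          "<permissionSets>Sales_Read</permissionSets></PermissionSetGroup>"}
# Constructed assignments: user -> (direct permission sets, permission set groups).
ASSIGNMENTS = {"alice": (["Sales_Read"], []), "bob": ([], ["Finance_Bundle"])}

def object_rights(xml_text, sobject):
    """Return the object-level rights (allowRead, allowEdit, ...) set to true."""
    rights = set()
    for op in ET.fromstring(xml_text).findall("md:objectPermissions", NS):
        if op.findtext("md:object", namespaces=NS) == sobject:
            rights |= {c.tag.split("}")[-1] for c in op
                       if (c.text or "").strip() == "true"}
    return rights

def group_members(xml_text):
    """Return the permission set names bundled by a permission set group."""
    return [e.text for e in ET.fromstring(xml_text).findall("md:permissionSets", NS)]

def who_has_access(sobject, right):
    """Return sorted (user, permission set, source) rows granting `right`."""
    rows = []
    for user, (direct, groups) in ASSIGNMENTS.items():
        for ps in direct:
            if right in object_rights(PERMSETS[ps], sobject):
                rows.append((user, ps, "direct"))
        for grp in groups:
            for ps in group_members(GROUPS[grp]):
                if right in object_rights(PERMSETS[ps], sobject):
                    rows.append((user, ps, f"via group {grp}"))
    return sorted(rows)

if __name__ == "__main__":
    for row in who_has_access("Invoice__c", "allowEdit"):
        print(*row, sep=" | ")
```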
Output Format
When finishing, report in this order:
- What was analyzed
- Org / subject scope
- Which permissions grant access
- Whether access is direct or inherited
- Recommended follow-up
Suggested shape:
Permission analysis: <hierarchy / detect / user / export>
Scope: <org, user, permission target>
Findings: <permsets / groups / access level>
Source: <direct assignment or via group>
Next step: <export, generate metadata, or deploy changes>
Cross-Skill Integration
| Need | Delegate to | Reason |
|---|---|---|
| generate or modify permission metadata | sf-metadata | metadata authoring |
| deploy permission changes | sf-deploy | rollout |
| identify Apex classes needing grants | sf-apex | implementation context |
| bulk user assignment analysis | sf-data | larger data operations |
Reference Map
Start here
- references/permission-model.md
- references/soql-reference.md
- references/workflow-examples.md
Specialized analysis
- references/agent-access-guide.md
- references/usage-examples.md
Score Guide
| Score | Meaning |
|---|---|
| 90+ | strong permission analysis with clear access sourcing |
| 75–89 | useful audit with minor gaps |
| 60–74 | partial visibility only |
| < 60 | insufficient evidence; expand analysis |