Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Package installed for AdminsOnly installs for AllUsers #3536

Closed
georgeslater opened this issue Feb 16, 2023 · 5 comments
Closed

Package installed for AdminsOnly installs for AllUsers #3536

georgeslater opened this issue Feb 16, 2023 · 5 comments
Labels
bug

Comments

@georgeslater
Copy link

Describe the bug

We have a build process that generates a 2GP Feature Test Package, installs it in a scratch org and runs tests.

If I install the package version via the Salesforce UI (package installation link), and select install for Admins Only, other profiles such as the Minimum Access - Salesforce profile do not get any package permissions.

However if I install the package version via the install_managed command, even when I specify security_type NONE it gives all the package permissions to the Minimum Access - Salesforce profile. This includes FLS, Custom Permissions, Custom Metadata access etc.

In our case, this causes two tests to fail in our CI build (which were passing with the same codebase late Nov 2022). In the build process we are using the install_2gp_commit flow but I have narrowed it down specifically to the install_managed task.

Reproduction steps

Run the install_managed task to install any package version (it is not clear whether this just affects 2GP or also 1GP)

cci task run install_managed --security_type NONE --version 04txxxxxxxxxxxx --org perms-bug --password xxxxxxx

Your CumulusCI and Python versions

CumulusCI: 3.70
Python: 3.9.1

Operating System

MacOS 12.5.1

Windows environment

No response

CumulusCI installation method

None

Error Gist

No response

Additional information

Unfortunately adding --debug does not show me how the package install request is constructed
@georgeslater
Copy link
Author

georgeslater commented Feb 16, 2023
edited
Loading

I should also note that the equivalent sfdx command,

sfdx force:package:install --package 04txxxxxxxxx -k xxxxxxxx -s AdminsOnly -u [email protected] -w 120
also does not assign package permissions to the Minimum Access profile, leading me to believe that this is a CumulusCI issue.

@davidmreed
Copy link
Contributor

Thanks for the detailed report, George.

SecurityType NONE should in theory work the same way with 1GP and 2GP. (The key difference is that SecurityType PUSH does not work with 2GP, as it's not exposed in the Tooling API).

We'll have to compare with how SFDX runs the install to confirm what is happening here. Our code is doing very little over and above the API call, but the semantics of the SecurityType parameter are not well documented.

@georgeslater
Copy link
Author

georgeslater commented Feb 16, 2023
edited
Loading

Thank you @davidmreed . I notice that the NPSP MetaDeploy Installer (which I believe runs on CumulusCI) also installs the NPSP for AllUsers. Not sure if that's related to this issue or by design, but thought I'd mention it.

@georgeslater
Copy link
Author

@davidmreed Closing as I believe it's an SFDX issue: forcedotcom/cli#2059

@yippie
Copy link
Contributor

yippie commented Sep 12, 2023

@georgeslater @davidmreed API documentation (https://developer.salesforce.com/docs/atlas.en-us.api_tooling.meta/api_tooling/tooling_api_objects_packageinstallrequest.htm) says the security type is None not NONE . Could this be the issue?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@georgeslater @yippie @davidmreed