hardis:org:diagnose:minimalpermsets
Description
Analyzes permission set metadata files in the sfdx project to identify permission sets with very few permissions (configurable threshold, default: 5 or fewer).
These "minimal" permission sets may be candidates for consolidation to reduce org complexity and improve maintainability.
Key functionalities:
- Project-based analysis: Scans `.permissionset-meta.xml` files in the project (no org connection required for analysis).
- Permission counting: Uses structure to differentiate leaf elements (primitives) from nested elements (objects). Leaf elements are metadata-only; nested elements grant permissions. Future API additions are supported automatically.
- Configurable threshold: Set `MINIMAL_PERMSETS_THRESHOLD` env var or use `--threshold` (default: 5).
- Metadata directory: Uses `--metadata-dir` or scans `**/*.permissionset-meta.xml` in the project.
- CSV report: Generates a report listing minimal permission sets with their permission count.
- Notifications: Sends alerts to Grafana, Slack, MS Teams when minimal permission sets are found.
This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.
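The leaf-versus-nested counting rule described above, sketched in Python as an added illustration (this is not sfdx-hardis code). It assumes each nested top-level element counts as one permission; the sample permission set and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample permission set, not taken from a real org.
SAMPLE_PERMSET = """<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <description>Lets support agents read account phone numbers</description>
    <hasActivationRequired>false</hasActivationRequired>
    <label>Support Phone Read</label>
    <fieldPermissions>
        <editable>false</editable>
        <field>Account.Phone</field>
        <readable>true</readable>
    </fieldPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Account</object>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ViewSetup</name>
    </userPermissions>
</PermissionSet>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def count_permissions(xml_text):
    """Return {element name: count} for nested top-level elements only."""
    root = ET.fromstring(xml_text)
    if local_name(root.tag) != "PermissionSet":
        raise ValueError("not a PermissionSet metadata file")
    counts = {}
    for child in root:
        if len(child) == 0:  # leaf (primitive): metadata only, not counted
            continue
        name = local_name(child.tag)
        counts[name] = counts.get(name, 0) + 1
    return counts


def is_minimal(xml_text, threshold=5):
    """Minimal means the total count is at or below the threshold."""
    return sum(count_permissions(xml_text).values()) <= threshold
```

The per-type breakdown returned by `count_permissions` shows what a minimal permission set actually grants, which is the detail to check before merging it into a broader one.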
Parameters
| Name | Type | Description | Default | Required | Options |
|---|---|---|---|---|---|
| debug -d | boolean | Activate debug mode (more logs) | | | |
| flags-dir | option | undefined | | | |
| json | boolean | Format output as json. | | | |
| metadata-dir -m | option | Directory containing `.permissionset-meta.xml` files. If not set, scans entire project for `**/*.permissionset-meta.xml` | | | |
| outputfile -f | option | Force the path and name of output report file. Must end with .csv | | | |
| skipauth | boolean | Skip authentication check when a default username is required | | | |
| target-org -o | option | undefined | | | |
| threshold -t | option | Maximum number of permissions to be considered minimal. Overrides `MINIMAL_PERMSETS_THRESHOLD` env var. | | | |
| websocket | option | Websocket host:port for VsCode SFDX Hardis UI integration | | | |
Examples
$ sf hardis:org:diagnose:minimalpermsets
$ sf hardis:org:diagnose:minimalpermsets --threshold 5
$ sf hardis:org:diagnose:minimalpermsets --metadata-dir force-app/main/default/permissionsets