Enable Access to Metadata Without Enabling Access to Data, Too (Beta)

Users with the Modify Metadata permission can update metadata (including Apex) through Metadata API even if they don’t also have the Modify All Data permission. Metadata API is used for deployments using change sets, the Ant Migration Tool, or the Salesforce CLI. Users must have the permission that enables use of the feature supported by the metadata they’re trying to modify. They must also have the permission that enables their deployment tool.

The Modify Metadata permission doesn’t impact direct customization of metadata using Setup UI pages, because those pages don’t use Metadata API for updates.

Where: This change applies to Lightning Experience, Salesforce Classic, and all versions of the mobile app in Professional, Performance, and Unlimited editions.

Some metadata, such as Apex, executes in system context, so be careful how you delegate the Modify Metadata permission. Modify Metadata allows deployment of Apex metadata, but it doesn’t allow some Apex development and debugging features that still require the Modify All Data permission.

Modify Metadata is enabled automatically when either the Deploy Change Sets or the Author Apex permission is selected. The Modify Metadata permission is beta when enabled without also enabling the Modify All Data permission.
Note

Note

As a beta feature, the Modify Metadata permission is a preview and isn’t part of the “Services” under your master subscription agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only on the basis of generally available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame or at all, and we can discontinue it at any time. This feature is for evaluation purposes only, not for production use. It’s offered as is and isn’t supported, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions, Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content apply equally to your use of this feature. You can provide feedback and suggestions for the Modify Metadata permission by posting in Collaboration or Ideas in the Trailblazer Community.

Why: Previously, users needed the Modify All Data permission to deploy metadata using change sets, the Ant Migration Tool, or the Salesforce CLI. Some users don’t need the data access conferred by the Modify All Data permission, only the metadata access. Now users can deploy metadata if they have the Modify Metadata permission in addition to permissions enabling access to their chosen deployment tool and the feature the metadata supports. For example, to deploy a change set, users previously had to have permissions enabling the feature the change set customized and both the Deploy Change Sets permission and the Modify All Data permission. Users now need only the feature permission, the Deploy Change Sets permission, and the Modify Metadata permission to deploy the change set.