Salesforce How to create a profile with minimum access
Creating a profile with minimum access in Salesforce using Apex code directly isn’t possible, because profiles are metadata, not runtime data — and Apex cannot create or modify metadata (like Profiles, Permission Sets, Objects, or Fields) directly.
However, you can achieve this using:
- Salesforce Metadata API (via tools like the Salesforce CLI, Workbench, or Apex + Metadata API wrapper), or
- Salesforce Setup (manually), or
- Using Apex + Tooling API / Metadata API programmatically.
Let’s go over all options — and provide sample code using Metadata API via Apex.
🧭 Objective
Create a Profile with minimum access (similar to a “Read Only” baseline).
⚙️ Option 1: Using Metadata API (Recommended via Salesforce CLI)
Step 1: Create a Profile XML
Create a file called MinimalAccess.profile-meta.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
<userLicense>Salesforce</userLicense>
<custom>false</custom>
<fieldPermissions>
<editable>false</editable>
<readable>false</readable>
<field>Account.Name</field>
</fieldPermissions>
<objectPermissions>
<allowCreate>false</allowCreate>
<allowDelete>false</allowDelete>
<allowEdit>false</allowEdit>
<allowRead>true</allowRead>
<modifyAllRecords>false</modifyAllRecords>
<viewAllRecords>false</viewAllRecords>
<object>Account</object>
</objectPermissions>
<tabVisibilities>
<tab>standard-Account</tab>
<visibility>Hidden</visibility>
</tabVisibilities>
<userPermissions>
<enabled>false</enabled>
<name>ViewSetup</name>
</userPermissions>
</Profile>
This example gives read-only access to the Account object, hides tabs, and removes extra permissions.
Step 2: Deploy it using Salesforce CLI
sfdx force:source:deploy -m Profile:MinimalAccess
This will create a profile named MinimalAccess in your Salesforce org.
🧩 Option 2: Using Apex + Metadata API Wrapper (Programmatic)
You can use Apex + MetadataService (a public Salesforce wrapper) to create metadata from Apex code.
Step 1: Install the Metadata API Wrapper
- Download from the official Salesforce repo:
👉 https://github.com/financialforcedev/apex-mdapi - Deploy the
MetadataServiceclasses to your org.
Step 2: Create the Profile via Apex
public class CreateMinimalAccessProfile {
public static void createProfile() {
MetadataService.MetadataPort service = MetadataServiceExamples.createService();
MetadataService.Profile profile = new MetadataService.Profile();
profile.fullName = 'Minimal_Access';
profile.userLicense = 'Salesforce';
// Example: give read-only access to Account
MetadataService.ProfileObjectPermissions accountPerm = new MetadataService.ProfileObjectPermissions();
accountPerm.object = 'Account';
accountPerm.allowRead = true;
accountPerm.allowCreate = false;
accountPerm.allowEdit = false;
accountPerm.allowDelete = false;
accountPerm.modifyAllRecords = false;
accountPerm.viewAllRecords = false;
profile.objectPermissions = new MetadataService.ProfileObjectPermissions[] { accountPerm };
// Save metadata
List<MetadataService.SaveResult> results = service.createMetadata(
new MetadataService.Metadata[] { profile }
);
if (results[0].success) {
System.debug('Profile created successfully: ' + results[0].fullName);
} else {
System.debug('Error: ' + results[0].errors[0].message);
}
}
}
✅ This code creates a new Profile named Minimal_Access with read-only access to the Account object.
🧰 Option 3: Using Tooling API (Partial Solution)
You can clone an existing profile using Tooling API (REST API or external script), then strip down permissions.
Example REST API payload (simplified):
{
"Name": "Minimal_Access",
"UserType": "Standard",
"Description": "Minimal access profile for restricted users"
}
But full permission setup (like object/field access) still needs the Metadata API.
🔒 Recommended Best Practice
Rather than relying on profiles, use Permission Sets to add access.
Salesforce is gradually moving away from profiles for fine-grained access control.
So, you can:
- Assign users a bare-minimum profile (like “Minimum Access - Salesforce”),
- Then grant extra access using Permission Sets.
Related Posts
How to Automatically create a follow-up Task when a Lead is converted
How You need to update a related child record whenever a parent record’s status changes, but only if the status is “Closed Won.” How would you design this in Apex?
