Grant Permissions

The JDBC driver can set profile permissions, although these currently cannot be embedded within the deployment script and must be run directly against the destination environment. It does save a lot of pointing and clicking.

But first, a disclaimer:

WARNING: DO NOT RUN THESE COMMANDS AGAINST A PRODUCTION INSTANCE OF SALESFORCE IF YOU HAVE MANY APEX UNIT TESTS.

This is because each GRANT or REVOKE command is currently an independent "deployment" from Salesforce's perspective, so if run against a Production instance then ALL TESTS will be run for EACH command. If you have a lot of Apex unit tests this may end up taking a very, very, long time. One day this functionality will be rolled into the Deployment Tool, if there is sufficient demand.

Permissions can be granted, or revoked at an object level:

1
2
3
4
5
GRANT OBJECT [create],[update],[delete],[read]
 ON <object> TO [<Profile Name> | * ]
 
 REVOKE OBJECT [create],[update],[delete],[read] 
 ON <object> FROM [<Profile Name> | * ]
or at field level:
1
2
3
4
GRANT FIELD [ VISIBLE], [EDITABLE]
 ON <object>.[<field>|*] TO [<Profile Name> | * ]

REVOKE FIELD VISIBLE ON <object>.[<field>|*] FROM [<Profile Name> | * ]

WARNING: The GRANT and REVOKE commands are likely to fail with a profile of "*" as it will probably attempt to modify a readonly profile, and so fail.