`org refresh sandbox` results in INSUFFICIENT_ACCESS error
Summary
While using the command `org refresh sandbox` to refresh a sandbox, the command finishes with the following error:
```
INSUFFICIENT_ACCESS: use of the Metadata API requires a user with the ModifyAllData or ModifyMetadata permissions.
```
However, the sandbox was refreshed and I was able to log in to the org after this error.
I noticed the same error occurred with `org resume sandbox` when I refreshed a sandbox but the wait timed out.
Steps To Reproduce
- Refresh an existing sandbox: `sf org refresh sandbox -n alandev01 -f sandbox-def.json -o PROD -w 99`
- Wait for the command to finish
Expected result
Sandbox should be refreshed without producing an error
Actual result
Command returns after sandbox has finished refreshing but ends with an error
Output:
```
=== Config Sandbox Refresh
Field                 Value
───────────────────── ────────────────────────────
Id                    0GQ1O000000L07iWAC
SandboxName           alandev01
LicenseType           DEVELOPER
TemplateId            null
HistoryDays           0
CopyChatter           false
AutoActivate          true
ApexClassId           01pOO000001IyrZYAS
Description           null
SourceId              null
IsDeleted             false
CreatedDate           2019-09-05T16:39:08.000+0000
CreatedById           00530000003ZbzsAAC
LastModifiedDate      2024-08-28T21:08:37.000+0000
LastModifiedById      00530000003ZbzsAAC
ActivationUserGroupId 00G30000002HUShEAO
? Is the configuration correct? yes
Sandbox Refresh... done
Error (sf:INSUFFICIENT_ACCESS): INSUFFICIENT_ACCESS: use of the Metadata API requires a user with the ModifyAllData or ModifyMetadata permissions.
```
Additional information
sandbox-def.json:
```json
{
  "ActivationUserGroupId": "00G30000002HUShEAO",
  "ApexClassId": "01pOO000001IyrZYAS",
  "autoActivate": true
}
```
My PROD Permissions:
- Includes:
  - Manage Sandboxes
  - Manage Dev Sandboxes
- Excludes:
  - ModifyAllData
  - ModifyMetadata
When I refresh a sandbox via the UI, I do not encounter any such errors.
System Information
```json
{
  "architecture": "linux-x64",
  "cliVersion": "@salesforce/cli/2.60.13",
  "nodeVersion": "node-v18.20.3",
  "osVersion": "Linux 6.8.0-45-generic",
  "rootPath": "/home/alan.morey/.volta/tools/image/packages/@salesforce/cli/lib/node_modules/@salesforce/cli",
  "shell": "zsh",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.2.4 (core)",
    "@oclif/plugin-commands 4.0.15 (core)",
    "@oclif/plugin-help 6.2.12 (core)",
    "@oclif/plugin-not-found 3.2.21 (core)",
    "@oclif/plugin-plugins 5.4.9 (core)",
    "@oclif/plugin-search 1.2.9 (core)",
    "@oclif/plugin-update 4.5.9 (core)",
    "@oclif/plugin-version 2.2.13 (core)",
    "@oclif/plugin-warn-if-update-available 3.1.17 (core)",
    "@oclif/plugin-which 3.2.14 (core)",
    "@salesforce/cli 2.60.13 (core)",
    "apex 3.4.10 (core)",
    "api 1.2.2 (core)",
    "auth 3.6.62 (core)",
    "community 3.2.32 (user) published 25 days ago (Sat Sep 14 2024) (latest is 3.2.33)",
    "data 3.6.7 (core)",
    "deploy-retrieve 3.12.11 (core)",
    "dev 2.4.2 (user) published 43 days ago (Mon Aug 26 2024)",
    "info 3.4.9 (core)",
    "limits 3.3.32 (core)",
    "marketplace 1.2.26 (core)",
    "org 4.5.10 (core)",
    "packaging 2.8.7 (core)",
    "schema 3.3.32 (core)",
    "settings 2.3.21 (core)",
    "sobject 1.4.38 (core)",
    "source 3.5.21 (core)",
    "telemetry 3.6.15 (core)",
    "templates 56.3.21 (core)",
    "trust 3.7.31 (core)",
    "user 3.5.31 (core)",
    "cli-plugin 1.0.0 (link) /home/alan.morey/repos/salesforce/cli-plugin",
    "gr-sfdx-plugin 0.0.0 (link) /home/alan.morey/repos/salesforce/gr-sfdx-plugin"
  ]
}
```
Hello @alan-morey :wave: None of the versions of sf you shared match the latest release.
Shared: 2.60.13
Latest: 2.61.8
Update to the latest version of Salesforce CLI (docs) and confirm that you're still seeing your issue.
You can also try the rc and nightly releases! (docs)
After updating, share the full output of `sf version --verbose --json`
Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.
Updated to Latest: 2.61.8, issue still present.
```json
{
  "architecture": "linux-x64",
  "cliVersion": "@salesforce/cli/2.61.8",
  "nodeVersion": "node-v18.20.3",
  "osVersion": "Linux 6.8.0-45-generic",
  "rootPath": "/home/alan.morey/.volta/tools/image/packages/@salesforce/cli/lib/node_modules/@salesforce/cli",
  "shell": "zsh",
  "pluginVersions": [
    "@oclif/plugin-autocomplete 3.2.5 (core)",
    "@oclif/plugin-commands 4.0.16 (core)",
    "@oclif/plugin-help 6.2.13 (core)",
    "@oclif/plugin-not-found 3.2.22 (core)",
    "@oclif/plugin-plugins 5.4.10 (core)",
    "@oclif/plugin-search 1.2.10 (core)",
    "@oclif/plugin-update 4.5.10 (core)",
    "@oclif/plugin-version 2.2.14 (core)",
    "@oclif/plugin-warn-if-update-available 3.1.18 (core)",
    "@oclif/plugin-which 3.2.15 (core)",
    "@salesforce/cli 2.61.8 (core)",
    "apex 3.5.0 (core)",
    "api 1.2.2 (core)",
    "auth 3.6.65 (core)",
    "community 3.2.32 (user) published 25 days ago (Sat Sep 14 2024) (latest is 3.2.33)",
    "data 3.6.8 (core)",
    "deploy-retrieve 3.12.15 (core)",
    "dev 2.4.2 (user) published 43 days ago (Mon Aug 26 2024)",
    "info 3.4.9 (core)",
    "limits 3.3.32 (core)",
    "marketplace 1.2.26 (core)",
    "org 4.6.0 (core)",
    "packaging 2.8.10 (core)",
    "schema 3.3.34 (core)",
    "settings 2.3.23 (core)",
    "sobject 1.4.40 (core)",
    "source 3.5.21 (core)",
    "telemetry 3.6.15 (core)",
    "templates 56.3.21 (core)",
    "trust 3.7.32 (core)",
    "user 3.5.32 (core)",
    "cli-plugin 1.0.0 (link) /home/alan.morey/repos/salesforce/cli-plugin",
    "gr-sfdx-plugin 0.0.0 (link) /home/alan.morey/repos/salesforce/gr-sfdx-plugin"
  ]
}
```
Are you sure that you have the perms to access the metadata api? This might be a helpful thread from the trailblazer community: https://trailhead.salesforce.com/trailblazer-community/feed/0D54V00007T4L7RSAV
@mdonnalley I do not have those permissions:
My PROD Permissions:
- Includes:
  - Manage Sandboxes
  - Manage Dev Sandboxes
- Excludes:
  - ModifyAllData
  - ModifyMetadata
Are those permissions required for this command to function correctly? Are those permissions required in the new sandbox, or are they required in the PROD org?
In my situation, the ApexClassId specified in the sandbox definition I mentioned above, when executed during sandbox post copy, actually changes my profile from a minimum access user in Production to a System Administrator in the sandbox. So eventually my user would have the Metadata API access permissions, but it might be too late by the time the command finishes executing?
The refresh command makes a request to the SandboxInfo endpoint, which presumably requires those perms. I'll confirm with the sandbox team that that's the case
If you provide debug output we should be able to track down the exact request that's failing. Use both the `--dev-debug` flag and `JSFORCE_LOG_LEVEL=DEBUG` environment variable
Ran as follows for debug output
```
JSFORCE_LOG_LEVEL=DEBUG sf org refresh sandbox -n alandev03 -f config/dev-sandbox-def.json -o PROD -w 99 --dev-debug --no-prompt &> refresh-debug-output.txt
```
Output attached: refresh-debug-output.txt.gz
Note: In the output file, I replaced my domain with "EXAMPLE" and replaced the access token values with "**REMOVED**".
Thanks for that. Here you can see the http request that's failing
```
DEBUG [http-api] <request> method=POST, url=https://EXAMPLE.my.salesforce.com/services/Soap/m/61.0
DEBUG [http-api] elapsed time: 214 msec
DEBUG [http-api] <response> status=500, url=https://EXAMPLE.my.salesforce.com/services/Soap/m/61.0
Error (sf:INSUFFICIENT_ACCESS): INSUFFICIENT_ACCESS: use of the Metadata API requires a user with the ModifyAllData or ModifyMetadata permissions
```
I'm not 100% sure where that's coming from but, regardless, I think the solution here is to ensure that you have the correct perms
After discussing this with a coworker, there might be a couple of things that we can do to improve the experience here including that particular API call. I'll mark this as a feature request since it's currently working as designed
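To locate the failing call in a debug capture like `refresh-debug-output.txt`, the following added example (not part of the original thread or of the CLI's code) pairs each `[http-api]` `<response>` line with its `<request>` and reports every status of 400 or higher. The function names and the second request/response pair in the sample are constructed; the `metadata-soap` label assumes the `/services/Soap/m/` path seen in the thread is the Metadata API SOAP endpoint.

```shell
#!/bin/sh
# Added example: list failed HTTP calls in a JSforce debug log.
# Output per failure: STATUS METHOD API URL

failed_requests() {
  # Reads the file given as $1, or stdin when no file is given.
  awk '
    /\[http-api\] <request>/ {
      m = $0; sub(/.*method=/, "", m); sub(/,.*/, "", m)
      u = $0; sub(/.*url=/, "", u); sub(/[ \r]+$/, "", u)
      method[u] = m            # remember the latest method used for this URL
      next
    }
    /\[http-api\] <response>/ {
      s = $0; sub(/.*status=/, "", s); sub(/,.*/, "", s)
      u = $0; sub(/.*url=/, "", u); sub(/[ \r]+$/, "", u)
      if (s + 0 >= 400) {
        # Assumption: /services/Soap/m/ is the Metadata API SOAP endpoint.
        api = (u ~ /\/services\/Soap\/m\//) ? "metadata-soap" : "other"
        print s, ((u in method) ? method[u] : "?"), api, u
      }
    }
  ' "${1:--}"
}

sample_log() {
  # The first request/response pair is constructed for contrast; the rest
  # is the excerpt quoted in the thread.
  cat <<'EOF'
DEBUG [http-api] <request> method=GET, url=https://EXAMPLE.my.salesforce.com/services/data/v61.0/tooling/query
DEBUG [http-api] elapsed time: 180 msec
DEBUG [http-api] <response> status=200, url=https://EXAMPLE.my.salesforce.com/services/data/v61.0/tooling/query
DEBUG [http-api] <request> method=POST, url=https://EXAMPLE.my.salesforce.com/services/Soap/m/61.0
DEBUG [http-api] elapsed time: 214 msec
DEBUG [http-api] <response> status=500, url=https://EXAMPLE.my.salesforce.com/services/Soap/m/61.0
Error (sf:INSUFFICIENT_ACCESS): INSUFFICIENT_ACCESS: use of the Metadata API requires a user with the ModifyAllData or ModifyMetadata permissions
EOF
}

sample_log | failed_requests
```

Run against a real capture with `failed_requests refresh-debug-output.txt` after sourcing the functions; a `metadata-soap` hit for a user who holds only the sandbox permissions matches the behaviour reported in this issue.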
This issue has been linked to a new work item: W-16961973
Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.
This issue has been addressed in version 2.70.7 (December 18, 2024). Thx!