Appendix B: Metadata Type Risk Classification Matrix¶
This matrix classifies Salesforce metadata types into three risk tiers that govern automated PR workflow behavior as described in Section 6. The classification is based on the potential blast radius of an erroneous change - the breadth of impact, reversibility, and likelihood of cascading failures across dependent components or data.
How this matrix is used in the pipeline: The metadata type's file path in the repository maps to a path pattern in the CODEOWNERS file and the GitHub Actions PR workflow. When a PR contains changes to files matching a Tier 1 path pattern, the workflow automatically applies elevated governance: mandatory senior reviewer assignment, auto-merge block, and optional ITSM record requirement. Tier 2 applies the standard quality gate chain. Tier 3 is eligible for expedited review policies in mature teams.
This matrix should be maintained as a versioned artifact in the centralized configuration repository and reviewed periodically as the organization's risk posture and the Salesforce platform evolve. It is intentionally a starting point - organizations should adjust tier assignments to reflect their specific regulatory environment, data sensitivity, and operational history.
High-Risk Permission Elements Within Profiles and Permission Sets¶
Profiles and Permission Sets are already classified as Tier 1 metadata types. However, the pipeline should apply additional scrutiny specifically to changes that enable high-risk user permissions, regardless of which Profile or Permission Set contains them. The following should be treated as immediate blockers:
| Permission | Type | Risk | Implementation |
|---|---|---|---|
ViewAllData |
User Permission | Grants visibility to all records in the org regardless of sharing model | PMD custom rule ModifyOrViewAllData (Priority 1) |
ModifyAllData |
User Permission | Grants full read/write access to all records in the org | PMD custom rule ModifyOrViewAllData (Priority 1) |
ViewSetup |
User Permission | Grants access to Setup; should never appear in a Permission Set | PMD rules ViewSetupProfile and ViewSetupPermissionSet (Priority 1) |
ManageUsers (and Manage*Users patterns) |
User Permission | Grants user management capabilities | PMD custom rule ManageUsers (Priority 1) |
ViewAllRecords / ModifyAllRecords on standard objects |
Object Permission | Bypasses the sharing model for standard objects | PMD custom rule ModifyOrViewAllRecordsStandard (Priority 1) |
ViewAllRecords / ModifyAllRecords on custom objects |
Object Permission | Bypasses the sharing model for custom objects | PMD custom rule ModifyOrViewAllRecordsCustom (Priority 2) |
These checks are implemented as PMD XPath rules operating on Profile and Permission Set XML metadata files - automatable as part of the standard PR quality gate chain. The full XPath rule definitions are provided in Appendix F. These rules apply a violationSuppressXPath that excludes standard (non-custom) Profiles where custom = false, since these are platform-managed.
Additional Metadata Governance Rules¶
Organizations may wish to add their own rules, and this list should grow as more rules and standards are developed.
| Rule | Metadata Type | Priority | Description |
|---|---|---|---|
RequireExplicitSharing |
Apex | 1 | All Apex classes must declare explicit sharing |
DoNotUseWithoutSharing |
Apex | 3 | Flags without sharing - requires justification comment |
DeclareAccessOnMethods |
Apex | 1 | All non-test methods must have an explicit access modifier |
RequireOuterClassAccess |
Apex | 1 | All outer classes must have an explicit access modifier |
DoNotRunAsCurrentUser |
Apex | 1 | Tests must not use System.runAs(UserInfo.getUserId()) |
DoNotUseProcessBuilder |
Flow/XML | 1 | Process Builder automations must be migrated to Flow |
NonPrivateCustomObjectSharing |
Object XML | 1 | Custom objects must default to Private OWD |
NonPrivateStandardObjectSharing |
Object XML | 1 | Standard objects must not have ReadWrite OWD |
MetadataDescriptionPermission |
Permission XML | 2 | All Permission Sets, Profiles, and Custom Permissions must have a description |
MetadataDescriptionObjectField |
Object/Field XML | 2 | All custom objects and fields must have a description |
MetadataDescriptionFlow |
Flow XML | 2 | All Flows must have a description |
NoHardcodedWeblinkURLs |
Object XML | 2 | Weblink URLs must not contain hardcoded force.com domain URLs |
BumpApiVersion |
Any XML | 3 | Metadata using API version below n should be updated |
AltTextOnImages |
Visualforce | 3 | All <apex:image> and <img> tags must have an alt attribute |
Tier 0 - Prohibited Metadata¶
These metadata types should not be stored in version control.
| Metadata Type | API Name | Rationale |
|---|---|---|
| Flow Definition | FlowDefinition |
Salesforce manages the active Flow version server-side; committing FlowDefinition creates merge conflicts and provides no governance benefit. |
| Certificate | Certificates |
Should be managed manually in each org |
Tier 1 - High Risk Metadata¶
| Metadata Type | API Name | Rationale |
|---|---|---|
| Sharing Rules | SharingRules |
Controls record visibility; misconfiguration can expose sensitive data org-wide |
| Territory Management | Territory2, Territory2Model |
Affects record access for large user populations |
| Named Credentials | NamedCredential |
Governs authentication to external systems |
| Connected Apps | ConnectedApp |
Controls OAuth flows and external system access |
| Auth Providers | AuthProvider |
Governs SSO and identity federation |
| Custom Permissions | CustomPermission |
Used in permission set and flow-based access control |
| Permission Sets | PermissionSet |
Grants object, field, and system permissions |
| Permission Set Groups | PermissionSetGroup |
Aggregates permission sets |
| Profiles | Profile |
Broad access control surface |
| Muting Permission Sets | MutingPermissionSet |
Removes permissions from permission set groups |
| Security Settings | SecuritySettings |
Org-wide security configuration |
| Sharing Settings | SharingSettings |
OWD and sharing model configuration |
| Certificate and Key Management | Certificate |
Governs SSL/TLS and signing certificates |
| Custom Metadata Types | CustomObject (__mdt) |
Often used for configuration-as-data patterns |
| Platform Events | PlatformEventChannel |
Changes can break event-driven integrations |
| Org-Wide Email Addresses | OrgWideEmailAddress |
Changes affect sender identity for all outbound email |
| Remote Site Settings | RemoteSiteSetting |
Controls which endpoints Apex callouts can reach - some orgs may prohibit committing these to VCS |
| CSP Trusted Sites | CspTrustedSite |
Controls which domains LWC components can load from |
| CORS Allowlist Origins | CorsWhitelistOrigin |
CORS allowlist entries apply to REST API and Lightning Out requests. |
| Destructive Changes | destructiveChanges.xml |
Any destructive change manifest |
Tier 2 - Standard Risk Metadata¶
| Metadata Type | API Name | Notes |
|---|---|---|
| Apex Classes | ApexClass |
Standard gate chain; test coverage enforced |
| Lightning Web Components | LightningComponentBundle |
Jest tests required; Code Analyzer gates apply |
| Aura Components | AuraDefinitionBundle |
Code Analyzer ESLint gate applies |
| Visualforce Pages | ApexPage |
Standard gate chain |
| Custom Objects | CustomObject |
Review for downstream impact |
| Custom Fields | CustomField |
Field type changes and deletions are higher risk |
| Validation Rules | ValidationRule |
Can block record saves |
| Apex Triggers | ApexTrigger |
Execute on DML operations; poorly tested triggers can cause data corruption |
| Flows (Active) | Flow |
Active Flows execute in user and system contexts |
| Process Builder | Flow (Process type) |
Legacy automation; same risk profile as Flows |
| Workflow Rules | WorkflowRule |
Legacy automation that executes on record save |
| Agentforce Agent Bundle | AiAuthoringBundle |
Top-level SFDX bundle packaging agent definitions, planners, and versioning artifacts (API v65.0+) |
| Agentforce Agent / Bot | Bot, BotVersion |
Core agent definition; governs agent behavior, topics, and data access scope |
| Agent Dialog Block | BotBlock |
Reusable conversational dialog blocks referenced by agents |
| Agent Template | BotTemplate |
Reusable agent templates for rapid agent creation |
| AI Planner | GenAiPlanner |
Controls agent reasoning strategy and action selection |
| AI Planner Bundle | GenAiPlannerBundle |
Packages planner configuration for deployment with an agent |
| AI Plugin / Action | GenAiPlugin |
Defines actions an agent can invoke; overpermissioned agents can exfiltrate data |
| AI Function | GenAiFunction |
Custom callable functions exposed to AI agents |
| AI Prompt Template | GenAiPromptTemplate, GenAiPromptTemplateActv |
Agent instructions and prompt configurations; manipulated templates can alter agent behavior |
| AI Application | AIApplication, AIApplicationConfig |
Einstein AI application definition and configuration (API v50.0+) |
| AI Scoring Model | AIScoringModelDefinition |
Einstein Prediction Builder scoring model definition (API v58.0+) |
| AI Usecase Definition | AIUsecaseDefinition |
Einstein AI use case configuration (API v56.0+) |
| AI Evaluation Definition | AiEvaluationDefinition |
Agentforce testing and evaluation framework definitions (API v65.0+) |
| Custom Labels | CustomLabel |
Deletion can break dependent code and LWC |
| Custom Settings | CustomSetting |
Data-driven configuration |
| Lightning Pages | FlexiPage |
UI layout changes |
| Page Layouts | Layout |
Affects field visibility |
| Record Types | RecordType |
Affects picklist values and page layout assignments |
| Queues | Queue |
Affects record assignment |
| Assignment Rules | AssignmentRule |
Governs automated record assignment |
| Duplicate Rules | DuplicateRule |
Controls duplicate detection |
| Matching Rules | MatchingRule |
Underlies duplicate detection |
| Global Value Sets | GlobalValueSet |
Deletions affect all dependent fields |
Tier 3 - Low Risk¶
| Metadata Type | API Name | Notes |
|---|---|---|
| Static Resources | StaticResource |
File assets; changes are isolated |
| Translations | Translations |
Localization strings; no functional impact |
| In-App Guidance | Prompt |
User guidance overlays |
| Path Assistant | PathAssistant |
Sales path UI configuration |
| Email Templates | EmailTemplate |
Content templates; minimal code risk |
| Reports | Report |
Reporting configuration |
| Dashboards | Dashboard |
Reporting visualization |
| Documents | Document |
Legacy documents |
Depending on permissions given to users, Reports, Dashboards, Email Templates, and Documents may be pulled from Production to the pipeline branches regularly, which does raise the risk of merge conflicts.
Notes on Matrix Maintenance¶
Tier promotion: Individual metadata types may warrant promotion to a higher tier based on organizational context. A Custom Label read by Apex code controlling feature flags behaves more like Tier 1 than Tier 2.
New metadata types: Salesforce introduces new metadata types with each major release. New types should be assessed against the Tier 1 criteria and added to this matrix before they appear in the codebase.
Destructive changes override: Any PR containing destructiveChanges.xml or destructiveChangesPre.xml is treated as Tier 1 regardless of which metadata types are listed in the manifest.