Skip to content

Appendix B: Metadata Type Risk Classification Matrix

This matrix classifies Salesforce metadata types into three risk tiers that govern automated PR workflow behavior as described in Section 6. The classification is based on the potential blast radius of an erroneous change - the breadth of impact, reversibility, and likelihood of cascading failures across dependent components or data.

How this matrix is used in the pipeline: The metadata type's file path in the repository maps to a path pattern in the CODEOWNERS file and the GitHub Actions PR workflow. When a PR contains changes to files matching a Tier 1 path pattern, the workflow automatically applies elevated governance: mandatory senior reviewer assignment, auto-merge block, and optional ITSM record requirement. Tier 2 applies the standard quality gate chain. Tier 3 is eligible for expedited review policies in mature teams.

This matrix should be maintained as a versioned artifact in the centralized configuration repository and reviewed periodically as the organization's risk posture and the Salesforce platform evolve. It is intentionally a starting point - organizations should adjust tier assignments to reflect their specific regulatory environment, data sensitivity, and operational history.

High-Risk Permission Elements Within Profiles and Permission Sets

Profiles and Permission Sets are already classified as Tier 1 metadata types. However, the pipeline should apply additional scrutiny specifically to changes that enable high-risk user permissions, regardless of which Profile or Permission Set contains them. The following should be treated as immediate blockers:

Permission Type Risk Implementation
ViewAllData User Permission Grants visibility to all records in the org regardless of sharing model PMD custom rule ModifyOrViewAllData (Priority 1)
ModifyAllData User Permission Grants full read/write access to all records in the org PMD custom rule ModifyOrViewAllData (Priority 1)
ViewSetup User Permission Grants access to Setup; should never appear in a Permission Set PMD rules ViewSetupProfile and ViewSetupPermissionSet (Priority 1)
ManageUsers (and Manage*Users patterns) User Permission Grants user management capabilities PMD custom rule ManageUsers (Priority 1)
ViewAllRecords / ModifyAllRecords on standard objects Object Permission Bypasses the sharing model for standard objects PMD custom rule ModifyOrViewAllRecordsStandard (Priority 1)
ViewAllRecords / ModifyAllRecords on custom objects Object Permission Bypasses the sharing model for custom objects PMD custom rule ModifyOrViewAllRecordsCustom (Priority 2)

These checks are implemented as PMD XPath rules operating on Profile and Permission Set XML metadata files - automatable as part of the standard PR quality gate chain. The full XPath rule definitions are provided in Appendix F. These rules apply a violationSuppressXPath that excludes standard (non-custom) Profiles where custom = false, since these are platform-managed.

Additional Metadata Governance Rules

Organizations may wish to add their own rules, and this list should grow as more rules and standards are developed.

Rule Metadata Type Priority Description
RequireExplicitSharing Apex 1 All Apex classes must declare explicit sharing
DoNotUseWithoutSharing Apex 3 Flags without sharing - requires justification comment
DeclareAccessOnMethods Apex 1 All non-test methods must have an explicit access modifier
RequireOuterClassAccess Apex 1 All outer classes must have an explicit access modifier
DoNotRunAsCurrentUser Apex 1 Tests must not use System.runAs(UserInfo.getUserId())
DoNotUseProcessBuilder Flow/XML 1 Process Builder automations must be migrated to Flow
NonPrivateCustomObjectSharing Object XML 1 Custom objects must default to Private OWD
NonPrivateStandardObjectSharing Object XML 1 Standard objects must not have ReadWrite OWD
MetadataDescriptionPermission Permission XML 2 All Permission Sets, Profiles, and Custom Permissions must have a description
MetadataDescriptionObjectField Object/Field XML 2 All custom objects and fields must have a description
MetadataDescriptionFlow Flow XML 2 All Flows must have a description
NoHardcodedWeblinkURLs Object XML 2 Weblink URLs must not contain hardcoded force.com domain URLs
BumpApiVersion Any XML 3 Metadata using API version below n should be updated
AltTextOnImages Visualforce 3 All <apex:image> and <img> tags must have an alt attribute

Tier 0 - Prohibited Metadata

These metadata types should not be stored in version control.

Metadata Type API Name Rationale
Flow Definition FlowDefinition Salesforce manages the active Flow version server-side; committing FlowDefinition creates merge conflicts and provides no governance benefit.
Certificate Certificates Should be managed manually in each org

Tier 1 - High Risk Metadata

Metadata Type API Name Rationale
Sharing Rules SharingRules Controls record visibility; misconfiguration can expose sensitive data org-wide
Territory Management Territory2, Territory2Model Affects record access for large user populations
Named Credentials NamedCredential Governs authentication to external systems
Connected Apps ConnectedApp Controls OAuth flows and external system access
Auth Providers AuthProvider Governs SSO and identity federation
Custom Permissions CustomPermission Used in permission set and flow-based access control
Permission Sets PermissionSet Grants object, field, and system permissions
Permission Set Groups PermissionSetGroup Aggregates permission sets
Profiles Profile Broad access control surface
Muting Permission Sets MutingPermissionSet Removes permissions from permission set groups
Security Settings SecuritySettings Org-wide security configuration
Sharing Settings SharingSettings OWD and sharing model configuration
Certificate and Key Management Certificate Governs SSL/TLS and signing certificates
Custom Metadata Types CustomObject (__mdt) Often used for configuration-as-data patterns
Platform Events PlatformEventChannel Changes can break event-driven integrations
Org-Wide Email Addresses OrgWideEmailAddress Changes affect sender identity for all outbound email
Remote Site Settings RemoteSiteSetting Controls which endpoints Apex callouts can reach - some orgs may prohibit committing these to VCS
CSP Trusted Sites CspTrustedSite Controls which domains LWC components can load from
CORS Allowlist Origins CorsWhitelistOrigin CORS allowlist entries apply to REST API and Lightning Out requests.
Destructive Changes destructiveChanges.xml Any destructive change manifest

Tier 2 - Standard Risk Metadata

Metadata Type API Name Notes
Apex Classes ApexClass Standard gate chain; test coverage enforced
Lightning Web Components LightningComponentBundle Jest tests required; Code Analyzer gates apply
Aura Components AuraDefinitionBundle Code Analyzer ESLint gate applies
Visualforce Pages ApexPage Standard gate chain
Custom Objects CustomObject Review for downstream impact
Custom Fields CustomField Field type changes and deletions are higher risk
Validation Rules ValidationRule Can block record saves
Apex Triggers ApexTrigger Execute on DML operations; poorly tested triggers can cause data corruption
Flows (Active) Flow Active Flows execute in user and system contexts
Process Builder Flow (Process type) Legacy automation; same risk profile as Flows
Workflow Rules WorkflowRule Legacy automation that executes on record save
Agentforce Agent Bundle AiAuthoringBundle Top-level SFDX bundle packaging agent definitions, planners, and versioning artifacts (API v65.0+)
Agentforce Agent / Bot Bot, BotVersion Core agent definition; governs agent behavior, topics, and data access scope
Agent Dialog Block BotBlock Reusable conversational dialog blocks referenced by agents
Agent Template BotTemplate Reusable agent templates for rapid agent creation
AI Planner GenAiPlanner Controls agent reasoning strategy and action selection
AI Planner Bundle GenAiPlannerBundle Packages planner configuration for deployment with an agent
AI Plugin / Action GenAiPlugin Defines actions an agent can invoke; overpermissioned agents can exfiltrate data
AI Function GenAiFunction Custom callable functions exposed to AI agents
AI Prompt Template GenAiPromptTemplate, GenAiPromptTemplateActv Agent instructions and prompt configurations; manipulated templates can alter agent behavior
AI Application AIApplication, AIApplicationConfig Einstein AI application definition and configuration (API v50.0+)
AI Scoring Model AIScoringModelDefinition Einstein Prediction Builder scoring model definition (API v58.0+)
AI Usecase Definition AIUsecaseDefinition Einstein AI use case configuration (API v56.0+)
AI Evaluation Definition AiEvaluationDefinition Agentforce testing and evaluation framework definitions (API v65.0+)
Custom Labels CustomLabel Deletion can break dependent code and LWC
Custom Settings CustomSetting Data-driven configuration
Lightning Pages FlexiPage UI layout changes
Page Layouts Layout Affects field visibility
Record Types RecordType Affects picklist values and page layout assignments
Queues Queue Affects record assignment
Assignment Rules AssignmentRule Governs automated record assignment
Duplicate Rules DuplicateRule Controls duplicate detection
Matching Rules MatchingRule Underlies duplicate detection
Global Value Sets GlobalValueSet Deletions affect all dependent fields

Tier 3 - Low Risk

Metadata Type API Name Notes
Static Resources StaticResource File assets; changes are isolated
Translations Translations Localization strings; no functional impact
In-App Guidance Prompt User guidance overlays
Path Assistant PathAssistant Sales path UI configuration
Email Templates EmailTemplate Content templates; minimal code risk
Reports Report Reporting configuration
Dashboards Dashboard Reporting visualization
Documents Document Legacy documents

Depending on permissions given to users, Reports, Dashboards, Email Templates, and Documents may be pulled from Production to the pipeline branches regularly, which does raise the risk of merge conflicts.

Notes on Matrix Maintenance

Tier promotion: Individual metadata types may warrant promotion to a higher tier based on organizational context. A Custom Label read by Apex code controlling feature flags behaves more like Tier 1 than Tier 2.

New metadata types: Salesforce introduces new metadata types with each major release. New types should be assessed against the Tier 1 criteria and added to this matrix before they appear in the codebase.

Destructive changes override: Any PR containing destructiveChanges.xml or destructiveChangesPre.xml is treated as Tier 1 regardless of which metadata types are listed in the manifest.