Add field level security management functionality and update documentation

- Introduced salesforce_manage_field_permissions tool for managing field level security, including granting, revoking, and viewing permissions for specific profiles.
- Updated README.md to include new features and examples related to field permissions management.
- Enhanced manageField tool to automatically grant field access to specified profiles or default to System Administrator.
- Added helper functions for handling field permissions in manageField and manageFieldPermissions modules.

Author: tsmztech

README.md

@@ -74,8 +74,18 @@ Manage object fields:
 * Add new custom fields
 * Modify field properties
 * Create relationships
+* Automatically grants Field Level Security to System Administrator by default
+* Use `grantAccessTo` parameter to specify different profiles
 * Example: "Add a Rating picklist field to Account"
 
+### salesforce_manage_field_permissions
+Manage Field Level Security (Field Permissions):
+* Grant or revoke read/edit access to fields for specific profiles
+* View current field permissions
+* Bulk update permissions for multiple profiles
+* Useful for managing permissions after field creation or for existing fields
+* Example: "Grant System Administrator access to Custom_Field__c on Account"
+
 ### salesforce_search_all
 Search across multiple objects:
 * SOSL-based search
@@ -225,6 +235,22 @@ Add to your `claude_desktop_config.json`:
 "Add a Rating field to the Feedback object"
 "Update sharing settings for the Service Request object"
 ```
+Examples with Field Level Security:
+```
+# Default - grants access to System Administrator automatically
+"Create a Status picklist field on Custom_Object__c"
+
+# Custom profiles - grants access to specified profiles
+"Create a Revenue currency field on Account and grant access to Sales User and Marketing User profiles"
+```
+
+### Managing Field Permissions
+```
+"Grant System Administrator access to Custom_Field__c on Account"
+"Give read-only access to Rating__c field for Sales User profile"
+"View which profiles have access to the Custom_Field__c"
+"Revoke field access for specific profiles"
+```
 
 ### Searching Across Objects
 ```

src/index.ts

@@ -16,6 +16,7 @@ import { AGGREGATE_QUERY, handleAggregateQuery, AggregateQueryArgs } from "./too
 import { DML_RECORDS, handleDMLRecords, DMLArgs } from "./tools/dml.js";
 import { MANAGE_OBJECT, handleManageObject, ManageObjectArgs } from "./tools/manageObject.js";
 import { MANAGE_FIELD, handleManageField, ManageFieldArgs } from "./tools/manageField.js";
+import { MANAGE_FIELD_PERMISSIONS, handleManageFieldPermissions, ManageFieldPermissionsArgs } from "./tools/manageFieldPermissions.js";
 import { SEARCH_ALL, handleSearchAll, SearchAllArgs, WithClause } from "./tools/searchAll.js";
 import { READ_APEX, handleReadApex, ReadApexArgs } from "./tools/readApex.js";
 import { WRITE_APEX, handleWriteApex, WriteApexArgs } from "./tools/writeApex.js";
@@ -48,6 +49,7 @@ server.setRequestHandler(ListToolsRequestSchema, async () => ({
     DML_RECORDS,
     MANAGE_OBJECT,
     MANAGE_FIELD,
+    MANAGE_FIELD_PERMISSIONS,
     SEARCH_ALL,
     READ_APEX,
     WRITE_APEX,
@@ -167,11 +169,28 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           relationshipName: fieldArgs.relationshipName as string | undefined,
           deleteConstraint: fieldArgs.deleteConstraint as 'Cascade' | 'Restrict' | 'SetNull' | undefined,
           picklistValues: fieldArgs.picklistValues as Array<{ label: string; isDefault?: boolean }> | undefined,
-          description: fieldArgs.description as string | undefined
+          description: fieldArgs.description as string | undefined,
+          grantAccessTo: fieldArgs.grantAccessTo as string[] | undefined
         };
         return await handleManageField(conn, validatedArgs);
       }
 
+      case "salesforce_manage_field_permissions": {
+        const permArgs = args as Record<string, unknown>;
+        if (!permArgs.operation || !permArgs.objectName || !permArgs.fieldName) {
+          throw new Error('operation, objectName, and fieldName are required for field permissions management');
+        }
+        const validatedArgs: ManageFieldPermissionsArgs = {
+          operation: permArgs.operation as 'grant' | 'revoke' | 'view',
+          objectName: permArgs.objectName as string,
+          fieldName: permArgs.fieldName as string,
+          profileNames: permArgs.profileNames as string[] | undefined,
+          readable: permArgs.readable as boolean | undefined,
+          editable: permArgs.editable as boolean | undefined
+        };
+        return await handleManageFieldPermissions(conn, validatedArgs);
+      }
+
       case "salesforce_search_all": {
         const searchArgs = args as Record<string, unknown>;
         if (!searchArgs.searchTerm || !Array.isArray(searchArgs.objects)) {

src/tools/manageField.ts

@@ -7,8 +7,9 @@ export const MANAGE_FIELD: Tool = {
   - Field Types: Text, Number, Date, Lookup, Master-Detail, Picklist etc.
   - Properties: Required, Unique, External ID, Length, Scale etc.
   - Relationships: Create lookups and master-detail relationships
+  - Automatically grants Field Level Security to System Administrator (or specified profiles)
   Examples: Add Rating__c picklist to Account, Create Account lookup on Custom Object
-  Note: Changes affect metadata and require proper permissions`,
+  Note: Use grantAccessTo parameter to specify profiles, defaults to System Administrator`,
   inputSchema: {
     type: "object",
     properties: {
@@ -105,6 +106,12 @@ export const MANAGE_FIELD: Tool = {
         type: "string",
         description: "Description of the field",
         optional: true
+      },
+      grantAccessTo: {
+        type: "array",
+        items: { type: "string" },
+        description: "Profile names to grant field access to (defaults to ['System Administrator'])",
+        optional: true
       }
     },
     required: ["operation", "objectName", "fieldName"]
@@ -129,10 +136,104 @@ export interface ManageFieldArgs {
   deleteConstraint?: 'Cascade' | 'Restrict' | 'SetNull';
   picklistValues?: Array<{ label: string; isDefault?: boolean }>;
   description?: string;
+  grantAccessTo?: string[];
+}
+
+// Helper function to set field permissions (simplified version of the one in manageFieldPermissions.ts)
+async function grantFieldPermissions(conn: any, objectName: string, fieldName: string, profileNames: string[]): Promise<{success: boolean; message: string}> {
+  try {
+    const fieldApiName = fieldName.endsWith('__c') || fieldName.includes('.') ? fieldName : `${fieldName}__c`;
+    const fullFieldName = `${objectName}.${fieldApiName}`;
+    
+    // Get profile IDs
+    const profileQuery = await conn.query(`
+      SELECT Id, Name 
+      FROM Profile 
+      WHERE Name IN (${profileNames.map(name => `'${name}'`).join(', ')})
+    `);
+
+    if (profileQuery.records.length === 0) {
+      return { success: false, message: `No profiles found matching: ${profileNames.join(', ')}` };
+    }
+
+    const results: any[] = [];
+    const errors: string[] = [];
+
+    for (const profile of profileQuery.records) {
+      try {
+        // Check if permission already exists
+        const existingPerm = await conn.query(`
+          SELECT Id, PermissionsRead, PermissionsEdit
+          FROM FieldPermissions
+          WHERE ParentId IN (
+            SELECT Id FROM PermissionSet 
+            WHERE IsOwnedByProfile = true 
+            AND ProfileId = '${profile.Id}'
+          )
+          AND Field = '${fullFieldName}'
+          AND SobjectType = '${objectName}'
+          LIMIT 1
+        `);
+
+        if (existingPerm.records.length > 0) {
+          // Update existing permission
+          await conn.sobject('FieldPermissions').update({
+            Id: existingPerm.records[0].Id,
+            PermissionsRead: true,
+            PermissionsEdit: true
+          });
+          results.push(profile.Name);
+        } else {
+          // Get the PermissionSet ID for this profile
+          const permSetQuery = await conn.query(`
+            SELECT Id FROM PermissionSet 
+            WHERE IsOwnedByProfile = true 
+            AND ProfileId = '${profile.Id}'
+            LIMIT 1
+          `);
+
+          if (permSetQuery.records.length > 0) {
+            // Create new permission
+            await conn.sobject('FieldPermissions').create({
+              ParentId: permSetQuery.records[0].Id,
+              SobjectType: objectName,
+              Field: fullFieldName,
+              PermissionsRead: true,
+              PermissionsEdit: true
+            });
+            results.push(profile.Name);
+          } else {
+            errors.push(profile.Name);
+          }
+        }
+      } catch (error) {
+        errors.push(profile.Name);
+        console.error(`Error granting permission to ${profile.Name}:`, error);
+      }
+    }
+
+    if (results.length > 0) {
+      return {
+        success: true,
+        message: `Field Level Security granted to: ${results.join(', ')}${errors.length > 0 ? `. Failed for: ${errors.join(', ')}` : ''}`
+      };
+    } else {
+      return {
+        success: false,
+        message: `Could not grant Field Level Security to any profiles.`
+      };
+    }
+  } catch (error) {
+    console.error('Error granting field permissions:', error);
+    return {
+      success: false,
+      message: `Field Level Security configuration failed.`
+    };
+  }
 }
 
 export async function handleManageField(conn: any, args: ManageFieldArgs) {
-  const { operation, objectName, fieldName, type, ...fieldProps } = args;
+  const { operation, objectName, fieldName, type, grantAccessTo, ...fieldProps } = args;
 
   try {
     if (operation === 'create') {
@@ -205,10 +306,21 @@ export async function handleManageField(conn: any, args: ManageFieldArgs) {
       const result = await conn.metadata.create('CustomField', metadata);
 
       if (result && (Array.isArray(result) ? result[0].success : result.success)) {
+        let permissionMessage = '';
+        
+        // Grant Field Level Security (default to System Administrator if not specified)
+        const profilesToGrant = grantAccessTo && grantAccessTo.length > 0 ? grantAccessTo : ['System Administrator'];
+        
+        // Wait a moment for field to be fully created
+        await new Promise(resolve => setTimeout(resolve, 2000));
+        
+        const permissionResult = await grantFieldPermissions(conn, objectName, fieldName, profilesToGrant);
+        permissionMessage = `\n${permissionResult.message}`;
+        
         return {
           content: [{
             type: "text",
-            text: `Successfully created custom field ${fieldName}__c on ${objectName}`
+            text: `Successfully created custom field ${fieldName}__c on ${objectName}.${permissionMessage}`
           }],
           isError: false,
         };