Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
All errors
Deployment

Profile permissions cannot be granted because the user license doesn't include them

You're deploying a profile that grants permissions the target org's license doesn't allow — typically a Customer Community profile granting an Enterprise-only feature, or a Sales Cloud profile asking for Service Cloud entitlements. The deploy fails until you remove the unsupported permissions from the profile XML.

Also seen asuser license doesn't include·Profile permissions cannot be granted·license permission deploy

Profiles in Salesforce are tied to a User License (Enterprise, Customer Community, Partner Community, etc.). Each license includes a specific set of permissions; the profile can only grant permissions on its license's allow-list.

What triggers it

Common scenarios:

  • A profile XML in your repo grants ManageRoles (Enterprise license) but the deploy targets a Community license profile
  • A profile asks for ServiceCloudUser access in a Sales Cloud-only org
  • A package upgrade includes a new permission that requires a higher license tier than the customer org has

The fix

Edit the profile XML and remove the offending permission. The error message names which permission and which license:

profileName: 'Customer Community Login Plus User'
unsupported permission: 'ManageRoles'

In your profiles/Customer Community Login Plus User.profile-meta.xml, find:

<userPermissions>
    <enabled>true</enabled>
    <name>ManageRoles</name>
</userPermissions>

Delete that block, redeploy.

A common cause: copying profiles between orgs

Profile XML retrieved from one org and deployed to another may include permissions the target org's license doesn't support. Don't copy profiles wholesale; use Permission Sets for license-portable permissions.

The right architecture

The platform's recommended pattern:

  1. Profiles are minimal — license-required permissions only
  2. Permission Sets add specific feature access
  3. Permission Set Groups bundle related permission sets

This keeps profiles license-portable and gives you fine-grained per-user access.

If your codebase has fat profiles with many granted permissions, refactor to permission sets in chunks — pick a feature, move its permissions out of the profile and into a permission set, redeploy. Over a few sprints, the profiles shrink to license-essentials only.

When the deploy is from one sandbox to another

Sandbox profiles can drift from production over time. If your sandbox has been receiving deploys piecemeal, a profile in the sandbox may reflect old grants that the production license doesn't support anymore. Before deploying from sandbox to prod, retrieve the prod profile and reconcile.

A diagnostic

sf data query --query "SELECT Id, Name, UserLicense.Name FROM Profile WHERE Name = 'Standard User'" --target-org production

The UserLicense.Name tells you which license the target org's profile is tied to. Check the Salesforce documentation for that license to see which permissions are allowed.

Related dictionary terms