Description
Summary
When sf org assign permset encounters multiple errors during a permission set assignment, it wraps them in a generic message and discards the actual error details. This makes it impossible to diagnose the root cause from either the human-readable or --json output.
Reproduction
Assign a permission set (or permission set group) to a user where the assignment triggers multiple Salesforce API errors — for example, assigning a PSG that includes a permission set license (PSL) when the org has exhausted its PSL allocation AND a licensed permission that requires the user have the PSL assigned.
sf org assign permset -n AFDX_Agent_Perms -b afdx-agent@testdrive.org
Human-readable output
Failures
┌──────────────────────────────────────────────────────────────┬────────────────────────────────────────────┐
│ Username │ Error Message │
├──────────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│ afdx-agent@testdrive.org │ Multiple errors returned. Check `error.… │
└──────────────────────────────────────────────────────────────┴────────────────────────────────────────────┘
The error message is truncated. The instruction to "Check error.data" is aimed at programmatic consumers of the CLI's Node.js library, not CLI users.
JSON output (--json)
{
  "status": 1,
  "result": {
    "successes": [],
    "failures": [
      {
        "name": "afdx-agent@testdrive.org",
        "message": "Multiple errors returned.\n Check `error.data` for the error details"
      }
    ]
  },
  "warnings": []
}
There is no data property in the JSON output. The actual error details are not serialized.
Actual errors (obtained via direct REST API call)
Running the equivalent REST API call reveals the real errors:
sf api request rest "/services/data/v66.0/sobjects/PermissionSetAssignment" \
  -X POST \
  -b '{"AssigneeId":"<user-id>","PermissionSetId":"<psg-id>"}'
[
  {
    "message": "All Einstein Prompt Templates permission set licenses are in use. For more licenses, contact your salesforce.com representative.",
    "errorCode": "LICENSE_LIMIT_EXCEEDED",
    "fields": ["PermissionSetId"]
  },
  {
    "message": "The user license doesn't allow the permission: Read GenAiPromptTemplate",
    "errorCode": "FIELD_INTEGRITY_EXCEPTION",
    "fields": []
  }
]
These are the error details that sf org assign permset receives from the API but does not surface to the user.
Expected behavior
Both the human-readable and --json output should include the full error details when multiple errors occur. For example:
Human-readable (expected)
The table should show each individual error, or at minimum display the full error messages without truncation.
JSON (expected)
The --json output should include the error details in a data property (as the message itself suggests) or inline the individual error messages in the failures array:
{
  "status": 1,
  "result": {
    "successes": [],
    "failures": [
      {
        "name": "afdx-agent@testdrive.org",
        "message": "Multiple errors returned.",
        "data": [
          {
            "message": "All Einstein Prompt Templates permission set licenses are in use.",
            "errorCode": "LICENSE_LIMIT_EXCEEDED",
            "fields": ["PermissionSetId"]
          },
          {
            "message": "The user license doesn't allow the permission: Read GenAiPromptTemplate",
            "errorCode": "FIELD_INTEGRITY_EXCEPTION",
            "fields": []
          }
        ]
      }
    ]
  },
  "warnings": []
}
Impact
- Users cannot diagnose assignment failures without resorting to direct REST API calls.
- Automated scripts (like setup scripts using --json) cannot inspect or react to specific error conditions because the error details are missing from the output.
- The --dev-debug flag also does not surface the underlying error details.
Environment
- sf CLI version: 2.123.1
- Command: sf org assign permset (provided by @salesforce/plugin-user)
System Information
CLI:
@salesforce/cli/2.124.7 darwin-arm64 node-v22.22.0
Plugin Version:
@oclif/plugin-autocomplete 3.2.40 (core)
@oclif/plugin-commands 4.1.40 (core)
@oclif/plugin-help 6.2.37 (core)
@oclif/plugin-not-found 3.2.74 (core)
@oclif/plugin-plugins 5.4.56 (core)
@oclif/plugin-search 1.2.38 (core)
@oclif/plugin-update 4.7.19 (core)
@oclif/plugin-version 2.2.36 (core)
@oclif/plugin-warn-if-update-available 3.1.55 (core)
@oclif/plugin-which 3.2.43 (core)
@salesforce/cli 2.124.7 (core)
agent 1.30.8 (user)
apex 3.9.9 (core)
api 1.3.10 (core)
auth 4.1.6 (core)
code-analyzer 5.10.0 (user)
data 4.0.73 (core)
deploy-retrieve 3.24.11 (core)
info 3.4.104 (core)
limits 3.3.77 (core)
marketplace 1.3.10 (core)
org 5.9.68 (core)
packaging 2.25.4 (core)
schema 3.3.93 (core)
settings 2.4.56 (core)
sobject 1.4.83 (core)
telemetry 3.8.0 (core)
templates 56.8.2 (core)
trust 3.7.114 (core)
user 3.6.51 (core)
SF ENV. VARS.
SF_DISABLE_TELEMETRY,true
SF_BINPATH,/Users/vchawla/.local/share/sf/client/bin/sf
SF_AUTOUPDATE_DISABLE,true
SF_UPDATE_INSTRUCTIONS,Use "npm update --global @salesforce/cli" to update npm-based installations.
Windows: false
Shell: zsh
Channel: stable
Diagnostics
✅ pass - salesforcedx plugin isn’t installed
✅ pass - you don't have any linked plugins
✅ pass - [@salesforce/plugin-trust] can ping: https://registry.npmjs.org
✅ pass - [@salesforce/plugin-trust] can ping: https://registry.yarnpkg.com
✅ pass - [@salesforce/plugin-trust] can ping: https://registry.npmjs.org/
✅ pass - using latest or latest-rc CLI version
✅ pass - [@salesforce/plugin-deploy-retrieve] sourceApiVersion matches apiVersion
✅ pass - [@salesforce/plugin-deploy-retrieve] sourceApiVersion matches default target org max apiVersion
✅ pass - [@salesforce/plugin-auth] CLI supports v2 crypto
✅ pass - can access: https://test.salesforce.com
✅ pass - can access: https://appexchange.salesforce.com/services/data
✅ pass - can access: https://developer.salesforce.com/media/salesforce-cli/sf/channels/stable/sf-win32-x64-buildmanifest
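For the automation case described under Impact, an added example (not part of the issue and not the CLI's or plugin's code): a Node.js helper a setup script could run over the --json output, handling both the current shape and the shape proposed under "JSON (expected)". The function names are hypothetical, and the `data` array is the issue's proposal, not existing CLI behavior.

```javascript
// Added example (not the CLI's code): normalize failures from
// `sf org assign permset --json` so a setup script can log and react to them.
const GENERIC = /^Multiple errors returned\./;

// Returns one record per failed assignee. `detailsMissing` is true when only
// the generic wrapper message is present and no `data` array was serialized.
function classifyFailures(cliJson) {
  const failures = cliJson?.result?.failures ?? [];
  return failures.map((f) => {
    const details = Array.isArray(f.data) ? f.data : [];
    return {
      name: f.name,
      errors: details.map((d) => ({
        code: d.errorCode ?? 'UNKNOWN',
        message: d.message ?? '',
        fields: d.fields ?? [],
      })),
      detailsMissing: details.length === 0 && GENERIC.test(f.message ?? ''),
      rawMessage: f.message ?? '',
    };
  });
}

// One untruncated line per underlying error, suitable for a CI log.
function formatFailures(cliJson) {
  return classifyFailures(cliJson).flatMap((f) => {
    if (f.detailsMissing) return [`${f.name}: details not in CLI output (generic multi-error message)`];
    if (f.errors.length === 0) return [`${f.name}: ${f.rawMessage}`];
    return f.errors.map((e) => `${f.name}: [${e.code}] ${e.message}`);
  });
}

// Sample inputs taken from the two JSON shapes shown in the issue.
const currentShape = { status: 1, result: { successes: [], failures: [
  { name: 'afdx-agent@testdrive.org',
    message: 'Multiple errors returned.\n Check `error.data` for the error details' },
] }, warnings: [] };

const proposedShape = { status: 1, result: { successes: [], failures: [
  { name: 'afdx-agent@testdrive.org', message: 'Multiple errors returned.', data: [
    { message: 'All Einstein Prompt Templates permission set licenses are in use.',
      errorCode: 'LICENSE_LIMIT_EXCEEDED', fields: ['PermissionSetId'] },
    { message: "The user license doesn't allow the permission: Read GenAiPromptTemplate",
      errorCode: 'FIELD_INTEGRITY_EXCEPTION', fields: [] },
  ] },
] }, warnings: [] };

console.log(formatFailures(currentShape).join('\n'));
console.log(formatFailures(proposedShape).join('\n'));
```

With the current output a script can only detect that details are missing and stop; per-error handling becomes possible only once the details are serialized.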