Minimum access to create/delete Salesforce scratch orgs

Working with scratch orgs in Salesforce requires that the DevHub feature is enabled in a non-sandbox (i.e. Production, Developer or Trial) org and that you’ve authenticated to the org. Normally from your Salesforce CLI or CI/CD pipeline.

Since the DevHub is required to be enabled in Production this has led to some concern from some customers I’ve spoken to. Following up on this with a customer who now really needed the scratch org capability I set out to figure out the least amount of access required to the DevHub Salesforce org.

It’s important to remember that license is one thing another is object access. If you are out of licenses Salesforce

Well one thing is license another is access. License seems well described but not so access. Played a bit around with access and was able to get it working with minimum access to an org. I started with a no-access profile and added API access and then figured out object access required. Minimum access required to create a scratch org is:
Read, Create on ScratchOrgInfos
Read on ActiveScratchOrgsTo delete a scratch org you need:
Read, Create, Edit on ScratchOrgInfos
Read, Create, Edit, Delete on ActiveScratchOrgs

One thought on “Minimum access to create/delete Salesforce scratch orgs”

  1. Hi!
    Great Article!
    In my case, I has also to add “API Enabled” on the profile to be able to create scratch orgs from SF CLI.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s