vulkro-sf role-hierarchy
Renders the org's role hierarchy so you can see how record access cascades upward. In Salesforce, a user inherits read (and optionally edit) access to records owned by users below them in the role tree, so a role near the top of a deep hierarchy can see a large slice of the org's data without any explicit sharing rule. This command makes that inheritance visible in three output shapes.
Synopsis
vulkro-sf role-hierarchy --target-org <alias> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| `--target-org, -o <alias>` | string | (required) | The sf CLI org alias or username, as known to `sf org login`. |
| `--format <fmt>` | enum | `tree` | Output format: `tree` (an indented ASCII tree on the terminal), `json` (the hierarchy as nested objects, for tooling), or `mermaid` (a Mermaid graph definition you can paste into a Markdown doc or a diagram renderer). |
What it does
role-hierarchy reads every UserRole in the org and reconstructs the
parent-child tree. Each node shows the role name and the count of users
assigned to it, so a reviewer can spot the high-fan-in roles (the ones
whose position grants visibility over many subordinate-owned records).
- `--format tree` prints an indented hierarchy for a quick read on the terminal.
- `--format json` emits the nested structure for ingestion into a governance tool or for diffing two orgs.
- `--format mermaid` emits a Mermaid `graph` definition. Paste it into any Mermaid-capable renderer (a Markdown preview, a wiki, a diagram tool) to get a rendered org chart of the role tree, which is the form most reviewers and auditors find easiest to reason about.
The command is a governance baseline, not a findings command: it describes the inheritance surface that sharing rules and org-wide defaults operate against.
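To make the upward cascade concrete, the following is an added Python illustration of the reconstruction the command performs; it is not vulkro-sf's own code. It takes records shaped like a `SELECT Id, Name, ParentRoleId FROM UserRole` result (those three are real UserRole fields; the Ids, names and per-role user counts below are constructed), rebuilds the parent-child tree, and renders it as an indented tree, nested JSON and a Mermaid graph. It goes one step beyond the per-node count described above by also computing, for each role, how many subordinate users' records its holders can see through the hierarchy alone, which is the number a reviewer actually wants when judging a high-fan-in role. A role whose `ParentRoleId` points at a missing role is treated as a root rather than dropped, so a partial export still renders.

```python
"""Rebuild a Salesforce-style role tree from UserRole rows and render it as
indented text, nested JSON and Mermaid.  Added illustration, not vulkro-sf's
own code; all sample data below is constructed."""
import json
from collections import defaultdict

# Constructed sample in the shape of a UserRole query result.
SAMPLE_ROLES = [
    {"Id": "00E1", "Name": "CEO", "ParentRoleId": None},
    {"Id": "00E2", "Name": "VP Sales", "ParentRoleId": "00E1"},
    {"Id": "00E3", "Name": "VP Support", "ParentRoleId": "00E1"},
    {"Id": "00E4", "Name": "Sales Rep", "ParentRoleId": "00E2"},
    {"Id": "00E5", "Name": "Support Agent", "ParentRoleId": "00E3"},
]
# Constructed: active users assigned to each role (User.UserRoleId), keyed by role Id.
SAMPLE_USER_COUNTS = {"00E1": 1, "00E2": 2, "00E3": 1, "00E4": 25, "00E5": 40}


def build_tree(roles):
    """Return (by_id, roots, children): children maps a role Id to its
    child Ids, sorted by name so output is stable between runs and diffable."""
    by_id = {r["Id"]: r for r in roles}
    children = defaultdict(list)
    roots = []
    for r in roles:
        parent = r["ParentRoleId"]
        if parent is None or parent not in by_id:
            roots.append(r["Id"])  # true top-level role, or orphaned parent reference
        else:
            children[parent].append(r["Id"])
    for kids in children.values():
        kids.sort(key=lambda rid: by_id[rid]["Name"])
    roots.sort(key=lambda rid: by_id[rid]["Name"])
    return by_id, roots, dict(children)


def subtree_users(rid, children, user_counts):
    """Users whose records a holder of `rid` can reach via role inheritance:
    the role's own users plus everyone assigned to any role beneath it."""
    return user_counts.get(rid, 0) + sum(
        subtree_users(c, children, user_counts) for c in children.get(rid, ())
    )


def render_tree(roles, user_counts):
    """Indented text, one role per line, with own and inherited user counts."""
    by_id, roots, children = build_tree(roles)
    lines = []

    def walk(rid, depth):
        own = user_counts.get(rid, 0)
        below = subtree_users(rid, children, user_counts) - own
        lines.append(f"{'  ' * depth}{by_id[rid]['Name']} ({own} users, "
                     f"sees {below} subordinate users' records)")
        for c in children.get(rid, ()):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def render_json(roles, user_counts):
    """Nested objects, suitable for a governance tool or org-to-org diff."""
    by_id, roots, children = build_tree(roles)

    def node(rid):
        return {
            "name": by_id[rid]["Name"],
            "users": user_counts.get(rid, 0),
            "visibleUsers": subtree_users(rid, children, user_counts),
            "children": [node(c) for c in children.get(rid, ())],
        }

    return json.dumps([node(r) for r in roots], indent=2)


def render_mermaid(roles, user_counts):
    """Mermaid `graph TD` source: one node per role, one edge per parent link.
    Node ids are prefixed with 'R' so they never start with a digit."""
    by_id, _roots, children = build_tree(roles)
    out = ["graph TD"]
    for rid, r in sorted(by_id.items()):
        out.append(f'  R{rid}["{r["Name"]}<br/>{user_counts.get(rid, 0)} users"]')
    for parent, kids in sorted(children.items()):
        for c in kids:
            out.append(f"  R{parent} --> R{c}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_tree(SAMPLE_ROLES, SAMPLE_USER_COUNTS))
    print(render_json(SAMPLE_ROLES, SAMPLE_USER_COUNTS))
    print(render_mermaid(SAMPLE_ROLES, SAMPLE_USER_COUNTS))
```

Children are sorted by name at build time so that the JSON output of two orgs (or of one org on two dates) diffs cleanly; a reviewer comparing `visibleUsers` at the top of the tree against the org's total user count gets an immediate read on how much of the data a single senior role can reach without any explicit sharing rule.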
Example
# Indented tree on the terminal (default).
vulkro-sf role-hierarchy --target-org my-prod
# JSON for tooling or org-to-org diffing.
vulkro-sf role-hierarchy -o my-prod --format json > roles.json
# Mermaid diagram source, redirected into a Markdown doc.
vulkro-sf role-hierarchy -o my-prod --format mermaid > roles.mmd
Exit codes
- `0` - hierarchy rendered successfully.
- `1` - reserved (this subcommand does not produce findings).
- `2` - error: `sf` CLI not on PATH, alias not authenticated, network failure, or the org rejected the metadata / tooling API call. The error message names the cause and the next step.
Privacy
role-hierarchy reads the UserRole objects and the assignment counts
needed to label each node. No business-record SOQL is issued. The OAuth
token stays in the sf CLI credential store on your machine.
Where to go next
- `vulkro-sf org perms`: the over-privilege analysis that the role tree contextualizes.
- Sharing-rule field and record-type leakage: how explicit sharing rules layer on top of role inheritance.
- Mermaid live editor for rendering the diagram output: https://mermaid.live/