User Permissions are not disabled in destination org when deploying profiles.

User permissions set to False are not retrieved by the Metadata API. This is the standard behaviour of the Salesforce Metadata API. If you retrieve a profile with Workbench or the ANT Migration Tool, you will get only the user permissions that are set to True on that profile.

When committing a profile in a user story, you will see that the user permissions set to True in the master branch are removed in the feature branch if they are set to False in the source org. This is because the user permissions set to False are not retrieved by the Metadata API.

The user permission will also be removed from the promotion branch and the target branch when deploying.
However, permissions that do not exist in the XML file being deployed (promotion branch) are not modified in the org you are deploying to, so they will not be set to False in the target org. A permission that was enabled there stays enabled.

Solution 1:

If you add the user permissions to the feature branch and the promotion branch set to False, the permissions will be deployed as disabled in the target org.

This is an example scenario: 

1. Disable "Manage Users" and "Manage Internal Users" in the source org. 
2. Commit the profile in a user story.
3. The user permissions are removed in the feature branch as expected. (See screenshot above)
4. Commit promote and deploy the user story. The permissions are removed in the target branch but they are not disabled in the target org.
5. Add the permissions in the feature branch in Git set as false.
6. Create a new deployment from the promotion record.
7. You will see now the permissions added in the new promotion branch as false.
8. Deploy the new deployment record which is taking the new promotion branch with the permissions set as false.
9. Permissions are deployed as false in the target org.
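
The check behind step 5, as an added example that is not part of the original article or of Copado's tooling: it compares the profile in master with the feature-branch copy, lists user permissions that were enabled and are now absent (so would stay enabled in the target org), and writes them back as explicit false entries. The XML samples are constructed, and ManageUsers, ManageInternalUsers and RunReports are assumed to be the API names of the permissions involved.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: the profile as committed in master (all three enabled).
MASTER_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userPermissions><enabled>true</enabled><name>ManageInternalUsers</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ManageUsers</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>RunReports</name></userPermissions>
</Profile>"""

# Constructed sample: the feature-branch retrieve after two permissions were
# disabled in the source org; the Metadata API omits them entirely.
FEATURE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userPermissions><enabled>true</enabled><name>RunReports</name></userPermissions>
</Profile>"""


def user_permissions(profile_xml):
    """Map each userPermissions name in a profile to its enabled flag."""
    perms = {}
    for node in ET.fromstring(profile_xml).findall("sf:userPermissions", NS):
        name = node.findtext("sf:name", namespaces=NS)
        flag = node.findtext("sf:enabled", default="false", namespaces=NS)
        if name:
            perms[name.strip()] = flag.strip().lower() == "true"
    return perms


def dropped_permissions(base_xml, feature_xml):
    """Permissions enabled in base but absent (not false) in the feature file.
    Deploying the feature file leaves these enabled in the target org."""
    base, feature = user_permissions(base_xml), user_permissions(feature_xml)
    return sorted(n for n, on in base.items() if on and n not in feature)


def with_explicit_false(feature_xml, names):
    """Return the feature profile with an enabled=false entry per name."""
    entries = "".join(
        "    <userPermissions>\n        <enabled>false</enabled>\n"
        f"        <name>{n}</name>\n    </userPermissions>\n"
        for n in names
    )
    head, sep, tail = feature_xml.rpartition("</Profile>")
    return head + entries + sep + tail


if __name__ == "__main__":
    missing = dropped_permissions(MASTER_XML, FEATURE_XML)
    print("Still enabled in target unless set to false:", missing)
    print(with_explicit_false(FEATURE_XML, missing))
```

Run as a pre-merge check, a non-empty result from dropped_permissions flags a profile change that would leave privileged permissions enabled in the destination org.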

Solution 2:

You can use the Commit Full Profiles and Permission Sets feature to commit and deploy a profile, including the permissions that are set to False. Note that this will commit and deploy the whole profile with all the OLS (object-level security), FLS (field-level security), User Permissions and any other relationship, even if you do not include any other component in the commit.
