Permissions in Salesforce, regardless of the mechanism of granting them, are sure to always be a hot topic. At the end of the day, Salesforce does a great job of offering various options to control access following the principle of least privilege.
In this post, we will go through the use of Salesforce permission sets, why they are a great asset in an admin’s toolbox, and a few tips to best make use of related permission set features in Salesforce and beyond.
It is all about granular control. While every user needs to have one profile, permissions are where the mix and match starts happening. The need to extend access based on roles and responsibilities in Salesforce, as well as exceptions where only a subset of users need additional permissions, is where permission sets shine.
A simple example would be the marketing team. The baseline access can be represented by a marketing user profile (for now), but different divisions have different responsibilities. This means there could be a Marketing Operations permission set providing greater access for troubleshooting purposes, which colleagues from the product marketing team wouldn’t have a use for.
Additionally, at the beginning of this year, Salesforce announced the retirement of permissions on profiles in the Spring ‘26 release. Only a few things, such as page layout assignments, will remain to be controlled on profiles. Make sure to plan ahead for the transition!
As the name hints, permission set groups bundle together multiple permission sets in a way that (for example) can represent everything that a persona or job function needs.
If we revisit the marketing scenario above, we could have a permission set group that would define the general marketing team access, couldn’t we?
Now that we’ve done a short recap of the ‘why’, let’s jump into how to leverage the available resources to your advantage to ensure the process of analyzing, updating, and assigning permission sets is fast and smooth.
Similar to any other Salesforce feature, updates to permission sets, permission set groups, and related functionality will be mentioned in the release notes. While it may seem overwhelming to read through so many changes across different clouds, this ensures that you stay up-to-date with future changes and how they can impact your or your users’ day-to-day operations when the release gets to production environments.
The Winter ‘24 Salesforce Release Notes were packed with permissions updates – all of which are sure to increase your productivity when using them. You can look over all of them in the release notes.
How long did it take to analyze the permissions within a permission set until now? Depending on how much the permission set actually included, it could have been quite a bit. Following the Winter ‘24 release, this analysis just became much, much easier.
With a click of the View Summary button, currently in beta, you will have a complete overview of the permission set you’re interested in. This includes any permission set groups it’s added to, app and system permissions, as well as individual field permissions grouped by the object.
Before this feature, you might have encountered situations where you had to set a reminder to remove a certain permission set from a user. Ever since this feature was in beta a couple of years ago, there was no way I wasn’t making use of it when needed.
By default, permission sets don’t have an expiry date. However, going through the Manage Assignment page from a permission set will allow you to choose an expiry date when assigning the permission set – be it one of the predefined options or a custom date for one or multiple users. Additionally, the expiry date can be quite precise, as you can even select the timezone to be the users’.
Over the fairly recent releases, the User Management Settings page in Setup got a few more options to enable if desired, which are once again related to permission sets – you should certainly try them out if you haven’t already.
Assuming that creating new fields directly in production is long gone, field-level security for permission sets (during field creation in a sandbox or field-level security update, for that matter) will considerably decrease the time it takes to navigate to multiple permission sets and add the new or existing field, especially when you have to create and deploy multiple fields across various objects. Imagine having to go back to every permission set and every object’s settings to check a box, then repeat – not anymore.
Available in Enterprise and Unlimited editions, user access policies are criteria-based automation, which any admin can easily set up to ensure users will receive exactly the permissions they need in no time. This feature allows permission sets, permission set licenses, permission set groups, and queue or group membership to be granted or revoked when a user is created, updated, or both.
With so many updates to choose from in Winter ‘24, it is no wonder quite a few will become crowd favorites. The out-of-the-box possibility to select and unselect all fields when editing the field-level security in a permission set was long overdue.
Until now, you might have used a Chrome extension to do this, but you heard right, it’s no longer the case. In the event of a clean-up, not having to go and uncheck every single field will save quite a bit of time.
As mentioned at the beginning of this post, permission set groups are meant to bundle permission sets, usually those that a certain persona might need. There are situations, though, when multiple personas need similar access to the same object but with a few key differences.
In this kind of situation, you can go ahead and mute the permissions directly within the group without duplicating the permission set just because of them. This means that you can actually reuse permission sets with broader access and limit them within one of the groups they were added to – all this can be achieved through the use of a muting permission set.
Especially in an organization with multiple admins making changes, tracking which permissions were enabled, disabled, or assigned sure comes in handy. Additionally, if and when users report that, for some reason, they lost a permission, this should be one of the first places to check.
Within the Setup Audit Trail page in Setup, you can download the changes from the last six months. As far as permission sets and permission set groups go, you can see when they were assigned to or removed from certain users, as well as when individual permissions were enabled or disabled, and more.
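As an added example (not from the original post), here is one way to triage a downloaded Setup Audit Trail export when a user reports a lost permission. The column names, the wording of the Action text, and every sample row are constructed assumptions; adjust them to match your own export.

```python
import csv
import io
import re

# Constructed sample shaped like a Setup Audit Trail CSV download. The column
# names and the wording of the Action text are assumptions; compare with your export.
SAMPLE_EXPORT = '''"Date","User","Source Namespace Prefix","Action","Section","Delegate User"
"11/02/2023, 9:14 AM","admin.a@example.com","","Permission set Marketing Operations: assigned to user Dana Reyes","Manage Users",""
"11/03/2023, 2:40 PM","admin.a@example.com","","Changed permission set Marketing Operations: View Setup and Configuration was changed from disabled to enabled","Manage Users",""
"11/09/2023, 8:05 AM","admin.b@example.com","","Changed password policies","Security Controls",""
"11/15/2023, 4:22 PM","admin.b@example.com","","Changed permission set Campaign Editor: Delete Campaigns was changed from enabled to disabled","Manage Users",""
"11/16/2023, 10:01 AM","admin.b@example.com","","Removed permission set Campaign Editor from permission set group Marketing Team","Manage Users",""
"11/20/2023, 1:30 PM","admin.a@example.com","","Permission set Marketing Operations: unassigned from user Dana Reyes","Manage Users",""
'''

REVOKE = re.compile(r"\bunassigned\b|\bremoved\b|\bto disabled\b", re.I)
GRANT = re.compile(r"\bassigned\b|\badded\b|\bto enabled\b", re.I)

def direction(action):
    """Classify an Action string; revocations are tested first."""
    if REVOKE.search(action):
        return "revoke"
    return "grant" if GRANT.search(action) else "other"

def permission_events(export_text):
    """Keep only rows about permission sets or permission set groups."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [dict(r, Direction=direction(r["Action"]))
            for r in rows if "permission set" in r["Action"].lower()]

def lost_access_candidates(events, user_name, held_sets):
    """Revocations that name the user, or touch a permission set the user relies on."""
    names = [user_name.lower()] + [s.lower() for s in held_sets]
    return [e for e in events if e["Direction"] == "revoke"
            and any(n in e["Action"].lower() for n in names)]

def changes_per_admin(events):
    """Count permission changes by the admin who made them."""
    counts = {}
    for e in events:
        counts[e["User"]] = counts.get(e["User"], 0) + 1
    return counts

if __name__ == "__main__":
    events = permission_events(SAMPLE_EXPORT)
    for e in lost_access_candidates(events, "Dana Reyes", ["Campaign Editor"]):
        print(e["Date"], e["User"], e["Action"])
    print(changes_per_admin(events))
```

Searching only for the user's name would miss the two Campaign Editor rows: changes made to a permission set or to a group's membership affect every assignee without naming any of them.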
When editing permission sets, or permission set groups for that matter, you might have noticed a little search bar on the top left corner of the page. Have you used it already? If not, this is sure to be an absolute game-changer.
You can search by keywords or objects, but note that if your org has more than 500 custom objects, you will have to manually navigate to object settings and to the standard or custom object that you would like to edit the permissions for.
Even if this is not a Salesforce functionality per se, the Salesforce Inspector Reloaded browser extension couldn’t have been skipped when thinking about permission assignment and navigation. The particular reason behind this mention (as you can do lots with this extension) is the two buttons that appear when searching for a user’s name, email, username, or alias within the side panel. Clicking either of them will redirect you to that user’s permission set or permission set group assignment page.
While the list could go on and on, these are a few tips and functionalities to consider when working with Salesforce permission sets – regardless of the number of users or company size.
Which others do you believe deserve a shout-out? Share your favorites in the comments below!