Profiles and Permission Sets are essential to determining what different Users in your Salesforce Org can see and do. Balancing security with day-to-day operational needs is crucial, and poorly managed permissions can expose your Org to compliance risks and inefficiencies. Leveraging the right tools and strategies can greatly simplify this process and increase transparency, making it easier for Administrators to manage user capabilities.
Salesforce’s Spring 48.0 release introduces Permission Set Groups, a powerful technology that promises to help revolutionize how Admins organize and assign permissions. With Permission Set Groups, Admins can bundle multiple Permission Sets together and assign that bundle to Users. This will reduce dependence on Profiles and provide a more agile, targeted approach to permission assignments.
In this paper, we explore best practices for shifting away from traditional Profiles and adopting Permission Set Groups. We will also discuss recommended reporting strategies that allow Administrators to track user permission assignments for heightened security and compliance.
The Problem with Profiles
In the early days of Salesforce, Profiles were the only means of controlling user permissions. Essentially, a Profile is a large bundle of permissions. Every User in the Org must have one, and each User can have only one Profile at a time. Over the years, more and more permissions were packaged into Profiles, creating complexity and sometimes making it challenging to figure out how one Profile differs from another.
Profile permissions now include:
- Apex Class Access
- Apex Page Access
- Application Visibility
- External Data Sources
- Field Permissions
- Layout Assignments
- Object Permissions
- Record Type Visibility
- Tab Visibility
- User Permissions
- Custom Permissions
- Login Hours
Compliance-focused organizations find that extensive Profile metadata can bloat their documentation process. For example, an Org with hundreds of Profiles and thousands of Custom Objects might be forced to download gigabytes of XML data—a time-consuming and inefficient procedure. Consequently, many Orgs accumulate too many Profiles with overlapping functionality. In some extreme cases, Administrators grant far too much access simply to avoid user complaints.
One real-world scenario involves creating new cloned Profiles for small adjustments. If a single user requests additional permissions, an Admin can end up cloning a Profile just to meet that user’s need. Over time, this accumulation of Profiles becomes unwieldy, and the original security design is lost. Alternatively, giving extra permissions to all users through one Profile expands the attack surface of the Org, putting data integrity and security at further risk.
Permission Sets Ease the Pain
To address some of these issues, Salesforce introduced Permission Sets in 2012. A Permission Set is like a “mini Profile” that only contains permissions you grant, making it ideal for smaller, more targeted exceptions. Multiple users can share a single Permission Set assignment, which is more flexible than the one-Profile-per-User rule.
However, Permission Sets do not completely replace Profiles, as they do not manage certain details such as Page Layout assignments, default Application visibility, default Record Type visibility, or Login Hours. Also, when a large Org has hundreds or thousands of both Permission Sets and Users, the resulting web of assignments can become complicated: for 1000 Users each needing 1000 Permission Sets, you might have a million distinct assignments. This level of complexity can be burdensome to maintain without a structured approach.
Permission Set Groups to the Rescue
Permission Set Groups, arriving in the Spring 48.0 release, offer a powerful solution. They allow you to bundle multiple Permission Sets under a single descriptive name and assign that group to Users. In effect, Permission Set Groups bridge the gap between monolithic Profiles and highly granular Permission Sets.
This new feature can have a transformative impact on how you design user permissions. Instead of giving each User just one Profile—and then layering on countless Permission Set assignments—the Admin can create Permission Set Groups that correspond to logical roles or responsibilities within the organization. Salesforce may also introduce standard Permission Set Groups, similar to the original “Standard Profiles,” thus paving the way for quick starts in new Orgs.
The New Permission Architecture
With Permission Set Groups, Profiles can be scaled back to their most essential function: providing a base layer of access. Many Orgs will substantially reduce the total number of Profiles, simplifying both security and administration. Additional or more specialized permissions can be allocated via targeted Permission Set Groups. Finally, any outlier cases where a single individual needs something unique can still be managed with a single Permission Set assignment.
An example scenario might look like this: Bob is assigned the “Marketing” Profile, which gives him the essential marketing permissions. Then, he is granted the “Advertising” Permission Set Group to handle his team-specific needs. Additionally, Bob has a single “Einstein Analytics” Permission Set for his special reporting role. This layered approach means an Admin or Security Officer can easily review exactly what Bob has access to and understand why he has those permissions.
This clarity aligns with top-down security design principles. Human-readable labels and descriptions of Profiles, Permission Set Groups, and Permission Sets should mirror corporate job titles, departmental structures, or other relevant business logic. By designing for clarity, Orgs can ensure that the distribution of permissions is both transparent and justifiable.
The Transition to Better Permissions
Transitioning from Profile-centric permission structures to a model that fully leverages Permission Set Groups will likely be an incremental process. It often makes sense to roll out these changes in stages, as part of normal Change and Release Management cycles. Below are some approaches:
- Reduce the Overall Number of Profiles: If many of your Profiles differ only slightly, consider unifying them into a new base Profile and capturing the variations via Permission Sets. This consolidation minimizes confusion and cuts down on long-term maintenance.
- Create Permission Sets for Exceptions: Where you have subtle but important differences among users, isolate those differences into new Permission Sets so that your base Profiles remain lean.
- Bundle Common Permissions into Permission Set Groups: If you notice that multiple Permission Sets are often assigned together, convert them into a Permission Set Group. This not only lowers the number of assignments but also clarifies the conceptual category of permissions involved.
By methodically refining Profiles and grouping Permission Sets together with meaningful names, you can dramatically improve the permission architecture of your Org. In the process, you’ll achieve an ongoing security design that is flexible, transparent, and scalable.
The Sparse Profile Problem
One obstacle you might face while cleaning up Profiles is the sparse Profile issue. In certain cases, the Metadata API does not return “negative” values. Specifically:
- Object Permissions must have at least the Read permission enabled or these permissions are not retrieved.
- User and Custom Permissions must be Enabled to be returned.
- Tab Visibility is sometimes excluded from retrieval if a tab is set to Hidden.
This behavior complicates deployment because if you retrieve a Profile and then deploy it to Production, any unchecked (or “negative”) values that do not appear in the metadata will not be revoked. An Admin might attempt to remove a permission by editing it out of the source metadata, only to find that it remains enabled after deployment. Handling these negative values often requires manual editing or specialized tools that can accurately fill in or remove unselected permissions.
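The "fill in" approach mentioned above can be sketched as follows. This is an added example, not code from the original paper or from any vendor tool: it takes a sparsely retrieved Profile file and writes an explicit false entry for every object and user permission that the retrieve left out, so the revocation is visible in the source. The sample XML and the org inventory lists (including `Invoice__c`) are constructed, and Tab Visibility is not covered.

```python
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", NS)
OBJECT_FLAGS = ("allowCreate", "allowDelete", "allowEdit", "allowRead",
                "modifyAllRecords", "viewAllRecords")

# Constructed sample of a sparse retrieve: only granted permissions appear.
RETRIEVED = f"""<Profile xmlns="{NS}">
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>true</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><object>Account</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""


def _names(root, section, key):
    """Names already listed in the file for one permission section."""
    return {el.findtext(f"{{{NS}}}{key}") for el in root.findall(f"{{{NS}}}{section}")}


def _append(root, section, fields):
    """Append one permission element; children are written in tag order."""
    el = ET.SubElement(root, f"{{{NS}}}{section}")
    for tag, text in sorted(fields.items()):
        ET.SubElement(el, f"{{{NS}}}{tag}").text = text


def fill_negatives(profile_xml, org_objects, org_user_perms):
    """Return (xml, added): the profile plus an explicit 'false' entry for every
    object and user permission that the sparse retrieve left out."""
    root = ET.fromstring(profile_xml)
    added = []
    for obj in sorted(set(org_objects) - _names(root, "objectPermissions", "object")):
        _append(root, "objectPermissions",
                {**dict.fromkeys(OBJECT_FLAGS, "false"), "object": obj})
        added.append(f"objectPermissions:{obj}")
    for perm in sorted(set(org_user_perms) - _names(root, "userPermissions", "name")):
        _append(root, "userPermissions", {"enabled": "false", "name": perm})
        added.append(f"userPermissions:{perm}")
    return ET.tostring(root, encoding="unicode"), added


if __name__ == "__main__":
    # Hypothetical inventory: Invoice__c and ModifyAllData exist in the org but not in the file.
    _, added = fill_negatives(RETRIEVED, ["Account", "Invoice__c"], ["ApiEnabled", "ModifyAllData"])
    print(added)
```

The `added` list doubles as a review record: each entry is a permission whose state was previously invisible in source control.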
Assignments Become More Important
When shifting to Permission Sets and Permission Set Groups, the assignment layer becomes the critical area to manage. Previously, complexity was often buried within a single Profile. Now, Permission Sets connect to Permission Set Groups via the PermissionSetGroupComponent junction object, and both connect to Users through the PermissionSetAssignment junction object.
Large Orgs need to efficiently manage these assignments without resorting to endless manual clicking in Setup. Command-line tools or AppExchange packages can automate these tasks, allowing you to execute bulk assignments or changes rapidly. The result is more accurate and consistent permission structures, especially in fast-growing enterprises with frequent user turnover.
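To show how the two junction objects combine, the following added example (not code from the original paper) resolves exported rows into the Permission Sets each User actually holds and the reason for each, then flags direct assignments that an assigned group already grants. The rows are constructed and use readable names in place of record Ids; it assumes that a PermissionSetAssignment row with PermissionSetGroupId populated represents a group assignment.

```python
from collections import defaultdict

# Constructed rows shaped like PermissionSetGroupComponent records.
COMPONENTS = [
    {"PermissionSetGroupId": "Advertising", "PermissionSetId": "Campaign_Edit"},
    {"PermissionSetGroupId": "Advertising", "PermissionSetId": "Ad_Budget_View"},
]
# Constructed rows shaped like PermissionSetAssignment records.
ASSIGNMENTS = [
    {"AssigneeId": "bob", "PermissionSetGroupId": "Advertising", "PermissionSetId": None},
    {"AssigneeId": "bob", "PermissionSetGroupId": None, "PermissionSetId": "Einstein_Analytics"},
    {"AssigneeId": "bob", "PermissionSetGroupId": None, "PermissionSetId": "Campaign_Edit"},
    {"AssigneeId": "alice", "PermissionSetGroupId": None, "PermissionSetId": "Campaign_Edit"},
]


def resolve(assignments, components):
    """Map user -> permission set -> sorted list of reasons it is held."""
    members = defaultdict(set)
    for c in components:
        members[c["PermissionSetGroupId"]].add(c["PermissionSetId"])
    held = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        group = a.get("PermissionSetGroupId")
        if group:
            # Expand the group into its member permission sets.
            for ps in members[group]:
                held[a["AssigneeId"]][ps].add(f"group:{group}")
        else:
            held[a["AssigneeId"]][a["PermissionSetId"]].add("direct")
    return {u: {ps: sorted(why) for ps, why in sets.items()} for u, sets in held.items()}


def redundant_direct(resolved):
    """Direct assignments that an assigned group already grants."""
    return sorted((u, ps) for u, sets in resolved.items()
                  for ps, why in sets.items() if "direct" in why and len(why) > 1)


if __name__ == "__main__":
    resolved = resolve(ASSIGNMENTS, COMPONENTS)
    for user, sets in sorted(resolved.items()):
        print(user, sets)
    print("redundant:", redundant_direct(resolved))
```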
Reports for User Permissions
Reporting becomes a crucial aspect of your organizational intelligence around security. High-level matrix views, which show the relationships between Profiles, Permission Sets, and Users, are vital for spotting redundancy or over-permissioned structures. Likewise, generating combined reports that show all active permissions for selected Users—taking both Profiles and Permission Sets/Groups into account—can help in audits and compliance checks.
Free reports, such as those provided by the Metazoa Profiles & Permission Sets Report on the AppExchange, give Admins quick insights. Meanwhile, specialized tools like Metazoa Snapshot can offer:
- Bulk editing of Profiles and Permission Sets.
- Mass assignment of Permission Sets and Permission Set Groups.
- Comparison utilities to detect differences between Orgs.
- Workarounds for the sparse Profile problem.
Conclusion
Permission Sets and Permission Set Groups offer an advanced and more intuitive way to manage user access. Moving away from large, monolithic Profiles and adopting a system of layered, well-labeled bundles will strengthen security and simplify administration. As you renovate your Org’s permission structure, plan for gradual, methodical changes—ensuring that every new bundle, Profile, and assignment has clear justification and real business value.
While the new technology greatly improves agility, it requires thoughtful deployment and ongoing management. By utilizing reporting tools, addressing the sparse Profile issue, and carefully controlling assignments, you can build a modern, flexible, and secure environment. Begin exploring Permission Set Groups today and discover how much more effective your Org’s permission management can become!