Best of Dreamforce: Embrace a Permission Set Led Security Model with Louise Lockie

By

Today on the Salesforce Admins Podcast, we talk to Louise Lockie, Salesforce Consultant and Trainer, and 6x Salesforce MVP. Join us as we chat about her amazing presentation from Dreamforce which covered how to embrace a permission set led security model in your org.

You should subscribe for the full episode, but here are a few takeaways from our conversation with Louise Lockie.

Everything you need to know about permission sets

We last heard from Louise back in 2016, after she gave a presentation for Dreamforce ‘16. We’ve brought her back on the pod to give us an overview of her killer presentation this year: “Embracing a Permission Set Led Security Model.” 

As Louise points out, Salesforce recently made a very important announcement—that they are going to be sunsetting permissions on profiles sometime in the near future. “Whenever a change like that comes out, we know we need to help the community and the community needs to help each other to get through this change,” she says. Louise is a big fan of permissions for helping to manage security in her org, so she put together her talk to share how she’s approaching the upcoming changes.

An easier approach to permissions

In her talk, Louise covered what has to stay on a profile at the moment, what she thinks will definitely stay on a profile even after the change, and what she recommends for a baseline standard profile in terms of managing security.

When you’ve got it properly deployed, permissions will make it so much easier to standardize things like your password policies, login hours, IP ranges, and more. From there, it’s simple to take advantage of permission set groups to build out what you need for each persona at your org.

Why it’s worth it to overhaul your permissions

Since 2019, Louise has been a big advocate for permission set groups purely to save time and clicks—but it has always been something that was nice to have and not necessarily something that was absolutely essential. This new approach affords you more flexibility than building out one big permission set, allowing you to more easily share capabilities across roles and also adjust things quickly when the need arises.

If you have hundreds of profiles on your org, you now have the opportunity to really look at where the commonalities are and simplify things a great deal. “Map it all out, capture what permissions you’re giving out, and then see how you want to break those out,” Louise says, “with permission set groups being where you want to commonly give out those permissions together, knowing you can still give them out separately.”

Listen to the whole episode to learn more and, if you lead a user group and want to bring this content to your people, Louise would be happy to get in touch about sharing her deck or even doing a virtual presentation, so don’t hesitate to reach out!

Podcast swag

Learn more

Social

Full show transcript

Gillian Bruce:
Welcome to the Salesforce Admins Podcast, where we talk about product, community, and careers to help you be an awesome admin. I’m your host today, Gillian Bruce, and we are coming at you with a Best of Dreamforce episode. I know that many listeners may not have been able to make it to Dreamforce, or even if you did, you didn’t get to go to all the sessions that you wanted. So we’ve pulled some of the best sessions, in my opinion, to share with you on the podcast. So today joining us is Louise Lockie, who has put together an amazing presentation about how to embrace a permission set led security model. Now, Louise is a longtime rockstar in the Salesforce community. She was last on the podcast I think in 2016 as we were preparing for that Dreamforce, because she had another great presentation that she had put together for that. So Louise is joining us from across the pond. And so without further ado, let’s welcome Louis back to the podcast.

Gillian Bruce:
Louise, welcome back to the podcast.

Louise Lockie:
Thanks, Gillian. It has been a long time, so I’m thrilled to be back.

Gillian Bruce:
Every six years we’ll just keep having you back on the podcast. How about that?

Louise Lockie:
I’ll hold you to that one. It’s a date.

Gillian Bruce:
There we go. Well, I wanted to have you on the podcast today, Louise, because you have put together a great session for Dreamforce this year and I wanted to bring that to our listeners. So can you talk to us a little bit about an overview of your session?

Louise Lockie:
Sure, yeah, absolutely. And I’m really pleased to got selected for Dreamforce. It is called Embrace a Permission Set Led Security Model. How’s that for a nice, long name? But it’s actually one that I delivered at Midwest Streaming and it went down so well and I got so much great interaction with the audience there and the questions, and I know it’s such a hot topic, so I am really pleased to be presenting it at Dreamforce this year in a breakout, which gives me lots of time to get into the detail.

Gillian Bruce:
So many details to get into, right? We’re talking about security model and hey, permission sets are the future. So talk to us a little bit about some of the top things that you’re going to be getting into in the session.

Louise Lockie:
Yeah, well I am going to be a reminding people that if they don’t know, that Salesforce is going to be sun setting permissions on profiles. And that’s a bit of a big announcement. Whenever a change that comes out, we know we need to help the community and the community need to help each other to get through this change. And I really did shout from the rooftops when this one was officially best practice, because I’ve been a massive fan of using permission sets instead of profiles. Let me correct that because we can’t lose profiles, we can’t get away from them completely, but I use them as the principle driving and the principle means of granting access in my org.

Louise Lockie:
So with that announcement coming from Salesforce that this is somewhere in the future, we don’t know exactly when yet, I wanted to talk to fellow admins about how I approach making this change and preparing for this change so that they can do the same. So I talk about what, at the moment, has to stay on a profile because there are some things that aren’t yet available on permission sets. What I envisage will stay on a profile, and as I’m a community member, I don’t work for Salesforce, I can make those statements because I’m just saying, “This is what I think.” Rather than, “This is what I know.” And of course, it’s a Dreamforce presentation. There’ll be forward looking statements, safe harbors mentioned there.

Louise Lockie:
And what I then will talk about is that, once you’ve got your baseline profiles, and I talk about my recommendation of having, of course, the system admin profile because we need those keys to our org, we need to have all that access, and then having a standard profile for our users. And that is just to give those permissions, things like the password policies, like the maybe login hours that are going to stay on profiles, IP ranges.

Louise Lockie:
So that super, super basic level on a profile that all of your users get. And then you really utilize the permission sets and permission set groups to build out the persona-based access. And I talk about doing that sort of role persona-based for permission set and permission set groups. And then additionally features, because we all know that you can be almost the same persona, you can have two colleagues in one team, but one of them needs slightly different access because they’ve been given a special task or they are also managing an extra area, or maybe they wear more than one hat, like admins do, in that they need to actually have the permissions of both sets of personas or roles. So I work it through and talk about what I put on a profile and then some examples of how permission sets and permission set groups could be grouped together.

Gillian Bruce:
Wow. Okay. So this is great. I love… What I really like, Louise, about this, your approach, is that you’re like, “Oh, I went through this and this is how I thought about it, so I’m going to share it with everyone.” And you mentioned permission set groups, so can you just take a second and kind of break down when you would use a permission set group versus just a permission set?

Louise Lockie:
Well, when permission set groups first came out, of course I didn’t have the knowledge at that time that this is what we were working to, basically profiles essentially being sidelined to almost go away. And so I used to say permission set groups have been saving admins clicks since 2019. Because at that time I was like, “Yeah, that saves us some time. But really?” It’s a bit like the confetti. We all thought it was a bit fun, but was it the best use of time to create this feature? But now I’ve totally rethought it, because what you can do with your permission set groups is something like a persona. So a role based permission set group. But instead of building out one big permission set, which of course could end up looking almost like a profile, which feels like it defeats the object of this change, you can break it down into the different permission sets and use those for different parts of that role, that persona, that department, if you will.

Louise Lockie:
But of course the joy of that means each of those individual permission sets can be in multiple permission set groups. We can have A, B, and C together, and D, E and A together and so forth. Which is again, something I show in my presentation, use some real case examples of different departments and how different roles and how they can be added together. And knowing that the permission sets can be in more than one permission set group, users can have a permission set group and permissions. So you can still assign them individually. And I think that building block approach means that you’ve got complete flexibility, which is important because with that flexibility, you can actually give that granular access and you’re not tempted to just give, “Oh, I’ll give the whole department that access because that’ll be easier.” Which I do think happens with profiles.

Gillian Bruce:
Oh, absolutely. I remember, gosh, in my early days of learning our security model back 10, 12 years ago, I was always like, “Oh, so then why wouldn’t you just give everybody this profile? Then you’re covered?” And then it’s like, “Oh no, no, wait, hold on. You’re going to make a mess for yourself if you do that because then you’re not going to be able to understand and kind of troubleshoot when you need to that easily.” And from a Salesforce perspective, the product team has been talking about this kind of different change and different approach for a while. And I know that there’s so many exciting announcements coming kind of in the roadmap about user access and permissions and how that’s all modeling. Big shout out to Cheryl Feldman, who’s now a product manager who manages a lot of these. She came in from the other side, right?

Louise Lockie:
Absolutely. She has done wonders, and I’ve been on a few sessions and calls with her about this and she knows I’m a massive fan of what she’s doing, her and her team are doing. So she definitely will be getting shout outs at Dreamforce as well from me. And I’ll be attending her sessions as well.

Gillian Bruce:
She’s going to be a popular person again. So Louise, I would also like to know, what are some of the things that helped you understand these concepts as you were… You mentioned like, “Oh, I wasn’t so sure about permission set groups when they first came out.” You’ve been working in the ecosystem for a while, at least six years, right?

Louise Lockie:
True. And that’s it.

Gillian Bruce:
So talk to us a little bit about what helped you understand these concepts. Because I would imagine for some new admins, it’s not the most intuitive thing to grasp. So help us understand what helped you really get these concepts and put them to work for you in a really good ease… A way that helps.

Louise Lockie:
Yeah, no, you’re absolutely right. They aren’t the easiest. And I think the overall security model and data access model of Salesforce takes some understanding. And one of the hats I wear is actually, I teach the admin course, the five day admin course for Salesforce. And as you’d imagine, there’s a big focus on this because it’s a toughie, but once you know it, once you know the rules then it’s so important. You’ve got the fundamentals of Salesforce down. And so you have to look at what’s on a profile, what’s on a permission set, have some examples. So what I’ve done in the presentation, and I do similar things when I’m teaching this as well because it helped me, is map it out. Do an audit of what permissions you are granting which users now, and then think about, well, where are the commonalities? What are the permissions or the org settings or the field level security that you need to give everyone?

Louise Lockie:
And then work for it in a granular way that way, because it is… The combinations can be almost endless. So the businesses that have got hundreds of profiles at the moment, now have got that opportunity to really compare them all and use some of the tools that are out there to compare the different profiles and work out, well, am I giving the right level of access? And use that as an opportunity to audit, use this process as an opportunity to audit what you’re doing at the moment. And I think once you see the differences that you’ve got in your org, in your permissioning model, you can then work out, well, where do they sit? And where you’ve got the permission sets, go ahead, create those at a really granular level, because what that means is, it’s so much more transparent because the name of the permission set is what it’s doing.

Louise Lockie:
The description filled on profiles and permission sets is tiny. And I think that breaking it down like this, if though you may have to set it up, it will take a little bit of time working through the permissions, grouping them together and deciding that they’re going on these permission sets, and then grouping those permission sets together into the groups. And for me, I’m a real data person. So that’s what I would recommend because what would work for me is map it all out, capture what permissions you’re giving out, and then see how you want to break those out. Thinking about permission sets being a small subset of permissions, permission set groups being where you want to commonly give out those permissions together, knowing you can still give them out separately. And I do mention muting permissions in the session. And again, it’s one of those things that when it came out, I was like, “Oh, blimey, Salesforce. All the time we’ve been… Permissions is always granted.”

Louise Lockie:
So I do a bit of work in Marketing Cloud as well, and they actually have it that has a deny permission, normal, core Salesforce doesn’t. It’s all about granting permissions. And then muting came along and I was like, “Oh, there we go. That’s just set the cat amongst the pigeons, that’s something different.” But with permission set groups, again, it’s one of those features, once you see it as part of the bigger picture, you can understand, okay, now that really adds value. That really adds value to my setup because I can create a permission set group, maybe have five different permissions, permission sets in it, and then just clone it and add a mute for a new version. And that can really give you that flexibility that is going to encourage you to use the principle of least privilege rather than the, I’ll just give them all the same access, which is obviously… Well, every good admin should avoid at all costs.

Gillian Bruce:
Well, yeah, and it saves you time. Because, to your point, you don’t have to recreate a perm set group every single time, if you got one that you know works and you just want to mute that one little part of it. So that’s really helpful to think about that as part of the strategy. So Louise, do you have any idea how many Dreamforces this is going to be for you?

Louise Lockie:
I need to work… Remember this. So I think this… And do I count virtual or not? Because I went every year since 2015, and then obviously missed the hybrid one last year. So let’s do the math, shall we? ’15, ’16, ’17, ’18, ’19. So this will be my sixth in person, but obviously I did attend the virtual versions the last two years. So six or eight, depending on which [inaudible 00:14:32].

Gillian Bruce:
We’ll count it as eight, we’ll count it as eight. But that’s awesome. Yeah. Okay. So as a veteran Dreamforce attendee, if anyone listening to the podcast has… Well, when they listen to this, they would’ve already been to Dreamforce. What are some of your tips for Dreamforce recovery?

Louise Lockie:
Oh, stay hydrated, for sure. So I’m hearing we’re not getting a water bottle this year, so make sure you bring your own. I obviously travel across the Atlantic, so I definitely have at least a one water bottle, if not several.

Louise Lockie:
And I would say there’s going to be lots of standing around, there’s going to be some queuing, so use those opportunities to talk to the people in line. Make some new friends because you immediately have got something in common with them because you’re going to the same session, you’ve got that interest. So when I go to Dreamforce, I don’t tend to know a huge amount of people because it’s mostly people more local. There’s not that many of us Europeans that come over, so it’s a great opportunity for me to meet new people. So I bet there’ll be people out there that don’t know everyone in the queue. It’ll definitely be people that don’t know anyone in the queue. So use that as an opportunity to make some new friends.

Gillian Bruce:
All right. So for listeners who maybe just attended Dreamforce, what are your tips for carrying the learnings and everything they got from Dreamforce? The connections forward.

Louise Lockie:
Oh yeah, because every day is a school day. We work in this space where there’s so much to learn and we are encouraged to learn and we are all in that mindset, I believe. So there’ll be some sessions that are available afterwards. It’s not going to be all of them, I understand it. So that you have sometimes that cloning machine, you’re going to be regretting not having it. So catch up on that content. There’ll be new Trailhead modules coming out. Speakers will make their presentations available, I know that’s a thing. And reach out to them. So if you are hearing this and you didn’t go to my session at Dreamforce, get in touch with me on LinkedIn, Twitter, the Trailblazer community, and I’ll send you my deck. If you lead a user group, I could always come and virtually deliver to you, deliver to your users as well. So I’d say do that for me, but do that for other presenters as well.

Gillian Bruce:
That’s a great tip because I think a lot of folks be like, “Oh, I wasn’t at Dreamforce,” or “I missed that session and it’s gone.” No, I love that, Louise. It’s great. Yeah, reach out to the speakers because you’re right, you already did all this work to prepare this great presentation.

Louise Lockie:
Happy to share it with a wider audience, always. Everyone will be.

Gillian Bruce:
Exactly. Might as well amplify it. Well, Louise, thank you for all your hard work in preparing for this year’s Dreamforce and sharing your knowledge with the community. It’s amazing. It’s one of the best things about the Salesforce community at large, is just the generosity and people like you who want to take what you learn and give back and help enable others. So thank you for all you do. And I look… Well, we’re recording this before Dreamforce, so I look forward to seeing you at Dreamforce.

Louise Lockie:
Yes.

Gillian Bruce:
And we’ll have you back on in another six years. How about that?

Louise Lockie:
As I say, it’s a date. Get it in the diary.

Gillian Bruce:
Thank you so much, Louise.

Louise Lockie:
Thank you. Cheerio.

Gillian Bruce:
Well, always lovely to chat with Louise. Great to hear about how she thinks about that permission set model and how to use permission set groups, lots of good strategies and best practices there.

Gillian Bruce:
Now, if you want her session or any of her content, or you want her to come present at your user group, reach out to her. You can find her on Twitter, @louiselockie. You can also find her on the Trailblazer community on LinkedIn, put all those links in the show notes. And as always, if you want any information on how you can be an awesome admin, check out my favorite website, admin.salesforce.com. That’s where you can find more blog, content, videos. You can find the admin skills kit, which I’m super passionate about. And stay tuned because we probably are going to turn some of these great Dreamforce sessions into content for our site as well.

Gillian Bruce:
So if you want to follow all of the awesome admin goodness on Twitter, as always, you can find us @salesforceadmns, no ‘I’. Or #awesomeadmin. You can find myself @gilliankbruce. And you can find Mike Gerholt, my co-host with the most, @mikegerholt. I hope you have a great rest of your day. Thank you for listening, and I’ll catch you next time in the cloud.

Love our podcasts?

Subscribe today on iTunes, Google Play, Sound Cloud and Spotify!

Solving Business Problems with Composer and Flow with Jennifer Cole

Today on the Salesforce Admins Podcast, we talk to Jennifer Cole, Manager of the CRM & Analytics Team at 908 Devices. Join us as we chat about business processes, Jennifer’s latest presentation at Dreamforce, and why it’s so important to understand everything about a problem process before you try to implement a solution. You should […]

READ MORE

A Brief History of Salesforce Characters with Domenique Buxton

Today on the Salesforce Admins Podcast, we talk to Domenique Buxton, VP, Executive Creative Director for the Trailblazer Ecosystem and Trailhead Brand at Salesforce. Join us as we talk about the history of the colorful cast of Salesforce characters and where you can find some “Hidden SaaSys.” You should subscribe for the full episode, but […]

READ MORE