Introducing The Next Generation of User Management: Permission Set Groups


Introducing Permission Set Groups

Permission Set Groups is a new feature that allows Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can truly apply role-based access control for managing user entitlements in Salesforce orgs.

Forward Looking Statement: This blog was created to share our product roadmap and contents in this doc contain forward-looking statements about services that are not currently available and may not be delivered. Any decisions, including purchase decisions, of our service should be made based upon features that are generally available.

In the context of permission set groups, role is intended to reflect some job function within a business organization. Historically, the term role has been used in reference to the built in “role-based” record access hierarchy. An example might be Customer Support or Marketing. As such, the role is reflected in the naming of the Permission Set Group rather than an object that represents the role. This should be strongly encouraged as a best practice.

Why is Role-Based Access Control the Best Practice

The essence of role-based access control is to grant permissions based on the roles of individual users. It allows users to have access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to their job function. As mentioned above, the role concept in the context is not referring to Salesforce Role Hierarchy. By roles, we are referring to job roles or job functions that a user plays in the organization. For the purpose of this discussion, “role” and “permission set group” are equivalent. The permissions to perform certain jobs are put into specific roles, and through role assignments, users acquire the permissions needed to perform particular system functions for their daily jobs. Since users are not assigned with permissions directly, but only acquire them through their membership within a role, management of individual user rights becomes a matter of simply assigning users to the appropriate roles.

How DO Permission Set Groups Represent Roles

Admins are encouraged to create permission sets based on tasks that users regularly perform and group those task-based permission sets into groups that represent user’s job role. You can include the same permission sets in multiple groups. Updates in the permission set will propagate to all permission set groups that the permission set is part of, giving users assigned to the groups the aggregated permissions. ISV partners can package permission sets in groups and allow subscribers to extend the groups with their own local permission sets.

  • Spend two minutes on this walkthrough video (from 2:00 to 3:45) to better understand roles and permission set groups with an example.

We are looking to invest in standard permission set groups (not available yet today) as the out-of-the-box roles that Salesforce defines for typical application use, which will be the counterpart of standard profiles in your org today. For example, an Invoice Manager role for Sales Cloud users, or a Support Center role for Service Cloud users.

Moving Away from Profile

In the above visionary model, the labor of permission management is completely delivered by permission sets and permission set groups. We are discouraging admins from relying on profile for permissions management going forward and encouraging admins to adopt these best practices to provide more scalable and secure configurations while also enabling admins to deliver least privilege (and no more) access rights to end-users.

Profiles today have many constraints due to their one-to-one relationship with the user object and therefore does not provide the appropriate mechanism for scalable permission assignment. Eventually, we want to get a point where profile only contains settings that require the one-to-one relationship to users, such as the default page layout assignment.

Migrating Profiles to Permission Sets

Feel free to use this cheat sheet to determine what you can move off profiles to permission sets. Remember the principle question is “Is this permission/setting restricted to a one-to-one mapping to my user?”

We also offer tools to help you with the migration. Check out the Permission Set Helper App on the Appexchange. The app contains a profile converter and a permission analyzer.

Profile Converter

  • Create assignable Permission Sets based on the Profile you selected with one click
  • Reduce administrative overhead in profile and permissions management when switching user licenses
  • Support both standard Profiles and Custom Profiles

Permission Analyzer

  • View a summation of all permissions assigned to a user in one screen
  • View which specific profiles or permission sets contain a permission
  • Keep all data transactions securely within your org and respect data access control

Is It True That Profile Will Be Deprecated?

We have shared the idea of sunsetting permissions on profiles as part of product roadmap preview. We are certainly moving towards that direction. Releasing Permission Set Groups is indeed a concrete start. However, until we publicly send out the the end of life announcement, there is no expected timeframe associated with the path. It’s also worth noting that the plan is to get rid of permission management on profile since permission sets and groups can better deliver it. The concept of profile with those 1:1 settings will likely remain.

There are certainly product gaps we, as Salesforce, need to fill to make this change as pain-free for our customers as we can. It will take a long runway to get to the optimal access control model. We will continue to engage with customers to get the requirements around what tools and features they want us to build, incorporating feedback into our future product iterations. Listed below are some significant gaps that have been identified. If your concerns are not yet covered, please feel free to post to the Idea Exchange or discuss with us in the permission set group pilot community group.

  • Allow assignment of FLS to perm set when creating a field
  • Tools to identify where profile is referenced, locating profile names in code and configurations
  • Migration path for profile reference in custom settings
  • Allow permission sets or permission set groups mapping when installing managed package


How to Use UX Principles to Shape Your Security Model

How to Use UX Principles to Shape Your Security Model

Congratulations! Your organization, Awesome Admin Automotive, made the investment in Salesforce. You’ve absorbed so much great content and can’t wait to dive right in and try out all the new bells and whistles! While it’s a very exciting journey ahead, as Simon Sinek’s book “Start With Why” suggests, it’s important to first take some time […]