Introducing The Next Generation of User Management: Permission Set Groups


Introducing Permission Set Groups

Permission Set Groups is a new feature that allows Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can truly apply role-based access control for managing user entitlements in Salesforce orgs.

Forward Looking Statement: This blog was created to share our product roadmap and contents in this doc contain forward-looking statements about services that are not currently available and may not be delivered. Any decisions, including purchase decisions, of our service should be made based upon features that are generally available.

In the context of permission set groups, a role is intended to reflect a job function within a business organization, for example Customer Support or Marketing. Historically, the term role has been used in reference to the built-in “role-based” record access hierarchy. Here, the role is reflected in the naming of the permission set group rather than in an object that represents the role. Naming groups after job functions in this way is strongly encouraged as a best practice.

Why Is Role-Based Access Control the Best Practice

The essence of role-based access control is to grant permissions based on the roles of individual users. It gives users access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to their job function. As mentioned above, the role concept in this context does not refer to the Salesforce Role Hierarchy. By roles, we mean the job roles or job functions that a user performs in the organization. For the purpose of this discussion, “role” and “permission set group” are equivalent. The permissions to perform certain jobs are put into specific roles, and through role assignments, users acquire the permissions needed to perform particular system functions for their daily jobs. Since users are not assigned permissions directly, but only acquire them through their membership in a role, managing individual user rights becomes a matter of simply assigning users to the appropriate roles.

How Do Permission Set Groups Represent Roles

Admins are encouraged to create permission sets based on tasks that users regularly perform and to combine those task-based permission sets into groups that represent users’ job roles. You can include the same permission set in multiple groups. Updates to a permission set propagate to every permission set group that includes it, giving users assigned to those groups the aggregated permissions. ISV partners can package permission sets in groups and allow subscribers to extend the groups with their own local permission sets.

  • Spend two minutes on this walkthrough video (from 2:00 to 3:45) to better understand roles and permission set groups with an example.
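The grouping, aggregation and propagation behaviour described above can be modelled in a few lines. This is an added illustration, not Salesforce code or the Salesforce API: the permission set, group, user and permission names are constructed, and the model only covers users who receive permissions through groups.

```python
# Simplified model of permission set groups (constructed names; not Salesforce API code).

# Task-based permission sets: name -> permissions granted (constructed sample data).
permission_sets = {
    "Manage_Cases":   {"Case.Read", "Case.Edit"},
    "View_Knowledge": {"Knowledge.Read"},
    "Run_Campaigns":  {"Campaign.Read", "Campaign.Edit"},
}
# Groups named after job roles; the same set may appear in several groups.
groups = {
    "Customer_Support": ["Manage_Cases", "View_Knowledge"],
    "Marketing":        ["Run_Campaigns", "View_Knowledge"],
}
# Users are assigned to groups only, never to individual permissions.
assignments = {"alice": ["Customer_Support"], "bob": ["Marketing"]}


def group_permissions(group):
    """Aggregate (union) the permissions of every set in the group."""
    perms = set()
    for ps in groups[group]:
        perms |= permission_sets[ps]
    return perms


def effective_permissions(user):
    """Everything the user holds through group membership."""
    perms = set()
    for g in assignments.get(user, []):
        perms |= group_permissions(g)
    return perms


def trace(user, permission):
    """List the (group, permission set) paths that grant a permission to a user."""
    return sorted((g, ps) for g in assignments.get(user, [])
                  for ps in groups[g] if permission in permission_sets[ps])


def excess(user, needed):
    """Permissions held beyond what the job function needs (least-privilege gap)."""
    return effective_permissions(user) - set(needed)


def affected_users(permission_set):
    """Users whose access changes when this permission set is edited."""
    return sorted(u for u, gs in assignments.items()
                  if any(permission_set in groups[g] for g in gs))
```

Because a shared set such as `View_Knowledge` sits in both groups, editing it changes access for every user returned by `affected_users`, which is worth checking before widening a task-based permission set.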

We are looking to invest in standard permission set groups (not available yet today) as the out-of-the-box roles that Salesforce defines for typical application use, which will be the counterpart of standard profiles in your org today. For example, an Invoice Manager role for Sales Cloud users, or a Support Center role for Service Cloud users.

Moving Away from Profile

In the model envisioned above, permission management is handled entirely by permission sets and permission set groups. We are discouraging admins from relying on profiles for permission management going forward and encouraging them to adopt these best practices, which provide more scalable and secure configurations and let admins give end users least-privilege access rights (and no more).

Profiles today have many constraints due to their one-to-one relationship with the user object and therefore do not provide an appropriate mechanism for scalable permission assignment. Eventually, we want to get to a point where a profile contains only settings that require the one-to-one relationship to users, such as the default page layout assignment.

Migrating Profiles to Permission Sets


Feel free to use this cheat sheet to determine what you can move off profiles to permission sets. Remember that the principal question is “Is this permission/setting restricted to a one-to-one mapping to my user?”

We also offer tools to help you with the migration. Check out the Permission Set Helper App on the AppExchange. The app contains a profile converter and a permission analyzer.

Profile Converter

  • Create assignable Permission Sets based on the Profile you selected with one click
  • Reduce administrative overhead in profile and permissions management when switching user licenses
  • Support both standard Profiles and Custom Profiles

Permission Analyzer

  • View a summation of all permissions assigned to a user in one screen
  • View which specific profiles or permission sets contain a permission
  • Keep all data transactions securely within your org and respect data access control

Is It True That Profile Will Be Deprecated?

We have shared the idea of sunsetting permissions on profiles as part of the product roadmap preview. We are certainly moving in that direction, and releasing Permission Set Groups is a concrete start. However, until we publicly send out the end-of-life announcement, there is no expected timeframe associated with the path. It’s also worth noting that the plan is to get rid of permission management on profiles, since permission sets and groups can better deliver it. The concept of a profile with those 1:1 settings will likely remain.

There are certainly product gaps we, as Salesforce, need to fill to make this change as pain-free for our customers as we can. It will take a long runway to get to the optimal access control model. We will continue to engage with customers to get the requirements around what tools and features they want us to build, incorporating feedback into our future product iterations. Listed below are some significant gaps that have been identified. If your concerns are not yet covered, please feel free to post to the Idea Exchange or discuss with us in the permission set group pilot community group.

  • Allow assignment of FLS to perm set when creating a field
  • Tools to identify where profile is referenced, locating profile names in code and configurations
  • Migration path for profile reference in custom settings
  • Allow permission sets or permission set groups mapping when installing managed package
