Managing users is a core Salesforce Admin skill. One element of this skill is ensuring that each user has access to the right data so they can do their job. As admins, we also need to protect data that may be confidential, preventing users who don’t need to access that data from viewing, editing, or deleting it. That means we need to approach user management by applying the principle of least privilege: Only grant access to data that each user needs to do their job. This is why we use permission sets and profiles to control what data users can access across Salesforce.
When setting up your app, you should always start by granting your users a minimum access profile and layering permission sets on top of that based on their job function. Why? Because you can apply permission sets to all the users based on what job they do versus their specific role. This also saves you from creating hundreds of different profiles for each specific user and job function.
Using permission sets is a best practice that helps save you time. We also strongly urge you to use permission sets because the product team is working on a future where there are no permissions for individual profiles. Using permission sets now will set you up for success in the future.
You might be thinking, “But what about all the customizations I have for specific profiles? Can a permission set replicate that?” Almost. The areas that you should include in permission sets are as follows.
![lide titled, “What Should Be in a Perm Set vs. a Profile”; Left column titled, “What should be in your permission sets” with bullets listing system permissions, object & field permissions, connected app access, Apex classes & Visualforce pages, tab settings, and custom permissions. Right column titled, “What should be in your profiles” with bullets listing use the minimum access profile, defaults (record types, apps), page layout assignment, and login hours/IP ranges.]](https://d3nqfz2gm66yqg.cloudfront.net/images/20220414161027/TDX-User-Management-Best-Practices.jpg)
A permission set is the best way to make sure users have access to what they need in order to complete a specific task.
For example, let’s look at #AwesomeAdmin Brenda Glasser, Salesforce Architect at Ripple, who has done a great job with her permission and user access control setup:
Once you have your permission sets configured, you can save time by creating permission set groups to apply to specific personas across your organization. This means you don’t have to assign each permission set to each user; you can group the permission sets together and assign them by persona or job function. Another advantage of using permission set groups is that, unlike profiles, your user can have more than one persona. So, if you have a user who’s role is hybrid sales and support, they can be assigned the Sales Persona permission set group and the Support Persona permission set group.
Let’s look at Brenda’s org again. She’s done a great job with both naming and designing permission set groups for specific personas:
Now that you have a framework for how to use permission sets and permission set groups, here are some tips for how to put this strategy into practice:
Now that you’ve read this post, you have the permission to be awesome! Our team continues to work on making it easier for you to manage users, and hopefully this strategy of using permission sets and permission set groups helps you be more successful. Let us know how you’re using permission set groups by sharing in the Trailblazer Community or on Twitter.
If you’re attending TrailblazerDX in San Francisco this year, be sure to join Brenda and me for our theater session, Admin Best Practices for User Management. Add this session to your agenda here.
This post describes new and planned features, so we want to remind you of our forward-looking statement, which states you should only make purchasing decisions based on existing features and functionality. In a world where the internet is woven into the fabric of our daily lives, accessibility is a human right. If we don’t make […]
Salesforce is a great tool for building out custom solutions to meet your organization’s unique needs. You have tremendous flexibility in building out a data model and user interface (UI) that captures all of the complexity of your specific user workflows using our low-code tools. This flexibility can sometimes come at a cost, however. Over […]
No matter the size of your organization, or how many admins you have on your team (if you have a team!), one of the last things you probably enjoy doing is writing documentation. I hear you—it’s hard to start writing documentation, know what to capture, and figure out where to put it so you’ll actually […]
