Managing users is a core Salesforce Admin skill. One element of this skill is ensuring that each user has access to the right data so they can do their job. As admins, we also need to protect data that may be confidential, preventing users who don’t need to access that data from viewing, editing, or deleting it. That means we need to approach user management by applying the principle of least privilege: Only grant access to data that each user needs to do their job. This is why we use permission sets and profiles to control what data users can access across Salesforce.
Permission sets > profiles
When setting up your app, you should always start by granting your users a minimum access profile and layering permission sets on top of that based on their job function. Why? Because you can apply permission sets to all the users based on what job they do versus their specific role. This also saves you from creating hundreds of different profiles for each specific user and job function.
Using permission sets is a best practice that helps save you time. We also strongly urge you to use permission sets because the product team is working on a future where there are no permissions for individual profiles. Using permission sets now will set you up for success in the future.
You might be thinking, “But what about all the customizations I have for specific profiles? Can a permission set replicate that?” Almost. The areas that you should include in permission sets are as follows.
![Slide titled, “What Should Be in a Perm Set vs. a Profile”; Left column titled, “What should be in your permission sets” with bullets listing system permissions, object & field permissions, connected app access, Apex classes & Visualforce pages, tab settings, and custom permissions. Right column titled, “What should be in your profiles” with bullets listing use the minimum access profile, defaults (record types, apps), page layout assignment, and login hours/IP ranges.](https://d3nqfz2gm66yqg.cloudfront.net/images/20220414161027/TDX-User-Management-Best-Practices.jpg)
Use permission sets for specific tasks
A permission set is the best way to make sure users have access to what they need in order to complete a specific task.
For example, let’s look at #AwesomeAdmin Brenda Glasser, Salesforce Architect at Ripple, who has done a great job with her permission and user access control setup:


Use permission set groups for personas
Once you have your permission sets configured, you can save time by creating permission set groups to apply to specific personas across your organization. This means you don’t have to assign each permission set to each user; you can group the permission sets together and assign them by persona or job function. Another advantage of using permission set groups is that, unlike profiles, your user can have more than one persona. So, if you have a user whose role is hybrid sales and support, they can be assigned the Sales Persona permission set group and the Support Persona permission set group.
Let’s look at Brenda’s org again. She’s done a great job with both naming and designing permission set groups for specific personas:

Best practices for using permission sets and permission set groups
Now that you have a framework for how to use permission sets and permission set groups, here are some tips for how to put this strategy into practice:
- Utilize muting in a permission set group to reuse permission sets across many personas. For example, your permission set may contain everything a user needs to manage opportunities, which may include something like the ability to Modify All opportunity records or Delete on the Opportunity object. You may want your Sales Management persona to have this type of access but not your Sales Rep. In your Sales Rep permission set group, you can mute the Modify All and Delete access from opportunities so you can reuse the permission set.
- Remember that naming is key. Think about creating a naming structure that makes it clear what each permission set contains.
- Timebox the access to specific permission sets and groups using Assignment Expiration to prevent over-permissioning. See this great blog post for more info.
- Report on permissions using Permission Helper. This allows you to analyze who has what type of access and report on user access control.
- Use custom permissions instead of referencing profiles in formulas and validation rules. See this great blog post for more info.
- If you’re comfortable using the dev console, you can query user access control through the dev console. Here’s an example of a query from Brenda:
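The query referenced in the last tip did not survive on this page. The anonymous Apex below is an added example, not Brenda's query and not Salesforce's own code: it audits the Opportunity access discussed in the muting tip by listing active users who hold Delete or Modify All, where the grant comes from, and whether the assignment expires. It assumes the org's API version exposes `ExpirationDate` on `PermissionSetAssignment`.

```apex
// Added example, not from the original post. Run it from the Developer Console
// (Debug > Open Execute Anonymous Window). It reads permission data only.

// Step 1: every profile or permission set that grants Delete or Modify All
// on Opportunity, keyed by the Id of the PermissionSet record that owns it.
Map<Id, ObjectPermissions> broadGrants = new Map<Id, ObjectPermissions>();
for (ObjectPermissions op : [
        SELECT ParentId, PermissionsDelete, PermissionsModifyAllRecords
        FROM ObjectPermissions
        WHERE SobjectType = 'Opportunity'
          AND (PermissionsDelete = true OR PermissionsModifyAllRecords = true)]) {
    broadGrants.put(op.ParentId, op);
}

// Step 2: active users who hold one of those grants, and how they got it.
List<String> report = new List<String>();
for (PermissionSetAssignment psa : [
        SELECT Assignee.Name, ExpirationDate, PermissionSetId, PermissionSetGroupId,
               PermissionSetGroup.DeveloperName, PermissionSet.Label,
               PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN :broadGrants.keySet()
          AND Assignee.IsActive = true
        ORDER BY Assignee.Name]) {
    ObjectPermissions op = broadGrants.get(psa.PermissionSetId);

    // Label the source: profile, permission set group, or single permission set.
    String source;
    if (psa.PermissionSet.IsOwnedByProfile) {
        source = 'profile ' + psa.PermissionSet.Profile.Name;
    } else if (psa.PermissionSetGroupId != null) {
        source = 'permission set group ' + psa.PermissionSetGroup.DeveloperName;
    } else {
        source = 'permission set ' + psa.PermissionSet.Label;
    }

    List<String> access = new List<String>();
    if (op.PermissionsDelete) { access.add('Delete'); }
    if (op.PermissionsModifyAllRecords) { access.add('Modify All'); }

    // Grants with no expiration are the ones to review first.
    String expires = psa.ExpirationDate == null
        ? 'no expiration' : 'expires ' + String.valueOf(psa.ExpirationDate);

    report.add(psa.Assignee.Name + ' | ' + String.join(access, ' + ')
        + ' | via ' + source + ' | ' + expires);
}
System.debug('\n' + String.join(report, '\n'));
```

Rows whose source is a profile show broad access that still lives outside permission sets, which makes them natural candidates for moving into a permission set on top of a minimum access profile.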

Now that you’ve read this post, you have the permission to be awesome! Our team continues to work on making it easier for you to manage users, and hopefully this strategy of using permission sets and permission set groups helps you be more successful. Let us know how you’re using permission set groups by sharing in the Trailblazer Community or on Twitter.
If you’re attending TrailblazerDX in San Francisco this year, be sure to join Brenda and me for our theater session, Admin Best Practices for User Management. Add this session to your agenda here.