Managing users is a core Salesforce Admin skill. One element of this skill is ensuring that each user has access to the right data so they can do their job. As admins, we also need to protect data that may be confidential, preventing users who don’t need to access that data from viewing, editing, or deleting it. That means we need to approach user management by applying the principle of least privilege: Only grant access to data that each user needs to do their job. This is why we use permission sets and profiles to control what data users can access across Salesforce.
When setting up your app, you should always start by granting your users a minimum access profile and layering permission sets on top of that based on their job function. Why? Because you can apply permission sets to all the users based on what job they do versus their specific role. This also saves you from creating hundreds of different profiles for each specific user and job function.
Using permission sets is a best practice that helps save you time. We also strongly urge you to use permission sets because the product team is working on a future where there are no permissions for individual profiles. Using permission sets now will set you up for success in the future.
You might be thinking, “But what about all the customizations I have for specific profiles? Can a permission set replicate that?” Almost. The areas that you should include in permission sets are as follows.
![lide titled, “What Should Be in a Perm Set vs. a Profile”; Left column titled, “What should be in your permission sets” with bullets listing system permissions, object & field permissions, connected app access, Apex classes & Visualforce pages, tab settings, and custom permissions. Right column titled, “What should be in your profiles” with bullets listing use the minimum access profile, defaults (record types, apps), page layout assignment, and login hours/IP ranges.]](https://d3nqfz2gm66yqg.cloudfront.net/images/20220414161027/TDX-User-Management-Best-Practices.jpg)
A permission set is the best way to make sure users have access to what they need in order to complete a specific task.
For example, let’s look at #AwesomeAdmin Brenda Glasser, Salesforce Architect at Ripple, who has done a great job with her permission and user access control setup:
Once you have your permission sets configured, you can save time by creating permission set groups to apply to specific personas across your organization. This means you don’t have to assign each permission set to each user; you can group the permission sets together and assign them by persona or job function. Another advantage of using permission set groups is that, unlike profiles, your user can have more than one persona. So, if you have a user who’s role is hybrid sales and support, they can be assigned the Sales Persona permission set group and the Support Persona permission set group.
Let’s look at Brenda’s org again. She’s done a great job with both naming and designing permission set groups for specific personas:
Now that you have a framework for how to use permission sets and permission set groups, here are some tips for how to put this strategy into practice:
Now that you’ve read this post, you have the permission to be awesome! Our team continues to work on making it easier for you to manage users, and hopefully this strategy of using permission sets and permission set groups helps you be more successful. Let us know how you’re using permission set groups by sharing in the Trailblazer Community or on Twitter.
If you’re attending TrailblazerDX in San Francisco this year, be sure to join Brenda and me for our theater session, Admin Best Practices for User Management. Add this session to your agenda here.
As a security-minded admin, you should follow the principle of least privilege. What is the principle of least privilege, you ask? It’s the concept of limiting users’ access rights to only what is required to do their jobs. That’s always been my guiding principle as an admin, and even when I was a customer. Following […]
You asked; we listened. We’re proud to announce the new Who Sees What Lightning Experience series, updated with the latest best practices on data visibility and access. Follow along with this video series to ensure you’re adhering to the best practice of least privilege access: giving your users the data access they need—and only what […]
As an admin, you play a major role in how customers and colleagues experience Salesforce. Choices you make can connect your organization’s mission/purpose to the power of cutting-edge technology. When it comes to your org’s values, this is especially important, because customers care about what businesses believe in, and it’s often admins who translate those […]
We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?
