Today on the Salesforce Admins Podcast, we talk to Cheryl Feldman, Director of Product Management at Salesforce covering all user access features. Join us as we chat about best practices for configuring user access and discuss the latest initiatives Cheryl is spearheading to assist you.
You should subscribe for the full episode, but here are a few takeaways from our conversation with Cheryl Feldman.
We’re so excited to have Cheryl back on the pod to talk permissions and more. As a product area lead, she oversees all of the features you use every day to define user access and user management—things like user records, profiles, permission sets, permission set groups, roles, org-wide defaults, and more.
As an admin and a manager of admin for 18 years, Cheryl recognizes just how much work goes into configuring user access. That’s why her team is hard at work to make everything easier for you and, in the meantime, she’s here to share best practices that might help you out.
Cheryl recommends thinking about user access from the eye of the principle of least privilege. “You want to think about the least amount of access somebody needs to do their job, you don’t want to give them any less or any more,” she says.
Think about if you have a bunch of personas that need object access to the account object. If you do that via profiles, you’d need to go through every profile and modify them if something changes. It’s simpler, instead, to create one wide permission set for all of your account access and then use permission set groups to mute what you don’t want.
It’s definitely a lot of work to set up, but it’ll save you so much time in the long run because your permission sets can be reused.
If you’re looking to evaluate user access in your org, you should know that Cheryl and her team have put out several tools to help you. They’ve created an app, User Access and Permissions Assistant, that helps you understand what a user has access to and how they are getting that access. And there’s more coming in the Winter ‘24 release, including user access reporting on standard reports and dashboards.
Looking forward, they’re releasing a new feature (currently in beta) called User Access Policies. It allows you to describe the type of users you want added to a specific group, or permission set, or profile, and automatically assign them to it when a user is created or updated.
Cheryl is on a mission to, as she puts it, “summary all of the things.” It shouldn’t be so hard to figure out what a user has access to and why. That’s why she needs your help. Check out the links below to the IdeaExchange to see if you might be able to join Cheryl on her quest to simplify user access in Salesforce.
Mike:
A permission set is a collection of settings and permissions that give users access to various tools and functions. Permission sets extend user’s functional access without changing their profiles and are the recommended way to manage user’s permissions. I bet you do that every day. So, of course, on today’s episode of the Salesforce Admins Podcast it only makes sense that I am talking with Cheryl Feldman who is the product manager covering all the user access features about best practices for user access, and the future of user access. Not to mention, Cheryl shares some really great resources for learning and understanding user permissions with us.
But before I get to all of that, I need to make sure you’re doing one thing, and that is that you’re following the Salesforce Admins Podcast on iTunes or Spotify, wherever you get your podcast. And the way that you do that is just click the follow button, subscribe. It’s a little different on each app. The reason I tell you is when you do that a new episode every Thursday morning will just magically appear on your phone and you don’t have to worry about … And then you wake up, you can get ready for work, you can go and ride the train, or take your dog for a walk, listen to the podcast. Boom, it’s right on your phone. With that, let’s get to this wonderful discussion with Cheryl. So Cheryl, welcome to the podcast.
Cheryl Feldman:
Thanks, Mike. I’m so excited to be here again. I feel like this may be the fourth or fifth time, I don’t even remember.
Mike:
Well, at seven times you get a robe. It’s like Saturday Night Live, we have a nice veloure robe made that says Salesforce Admins Podcast.
Cheryl Feldman:
I will make sure to ask you for that in two more times.
Mike:
Keep track. Exactly, right? I mean, I should be thanking you, you’re like the most popular presenter everywhere we go. From Trailblazer DX earlier this year to Dreamforce, your sessions on user management just blow the doors off everywhere. Let’s get started. For people that don’t know the amazing Cheryl Feldman, can you tell us what you do at Salesforce? And then let’s talk about profiles and permission sets.
Cheryl Feldman:
Sure. My name is Cheryl, I’m a product manager at Salesforce, and I cover all of the user access features. I’m the product area lead for user access. So what that means is I design the product direction for all the products that admins use every day to define user access and user management such as the user record, profiles, permission sets, permission set groups, delegated admin, set up audit trail, roles, or by default sharing roles. The list goes on. But essentially every way that you’re granting your user access to something likely sits within my purview from a product standpoint.
Mike:
And the cool thing is, if I say, “I was a Salesforce admin,” you understand what that is, right?
Cheryl Feldman:
I do. Prior to joining Salesforce I was actually an admin and led teams of admins for almost 18 years.
Mike:
That’s why you’re such the perfect product manager. Okay. So I mean, it’s pretty straightforward, right? Profiles, permission sets. We get permission set groups. What do we need to know?
Cheryl Feldman:
I would say straightforward is probably not the words I would use to describe it. I would say it’s actually very complicated.
Mike:
Okay.
Cheryl Feldman:
It’s one of the most complicated areas within setup. I recognize that, and I recognize how much work admins have to do in the user management space every day which is why we always are revising our roadmap and always revising our plans, from a product standpoint, to support that. I just want to recognize, for all the admins out there, the amount of work that you have to do every day to maintain and manage your user access. I know it is an astronomical amount of work, and I just want to recognize that for a second and let you know that I hear you.
Mike:
Because you were there, appreciate that.
Cheryl Feldman:
Yes.
Mike:
Okay. Let’s just start present tense before we get into the future and all the really cool stuff that you’re working on. Present tense, Cheryl Feldman gets hired because the company pays you a billion dollars to be a Salesforce admin, and they want to make sure that all of their users are set up. What is some best practices on setting up users presently?
Cheryl Feldman:
Sure. I would say your best practices are to think about everything from the eye of the least privileged. So what that means is you want to think about the least amount of access somebody needs to do their job, you don’t want to give them any less or any more. With that, what you want to do is form your user access control around that methodology. Meaning, you should be using permission sets and permission set groups over profiles to permission because that allows you to create a level of granular permissioning that you weren’t able to have at the profile level. Think about a permission set that is very reusable but you can still get your fine-grain level of access through permission set groups. If you think about profiles, they’re just this big monolith of stuff. And if you have a number of personas that, let’s say, need some sort of object access to the account object, something that’s very common, you need to go through every single profile and modify that if something changes.
With permission sets, you can create one very wide permission set for all of your account access and reduce that across multiple permission set groups. And then for those personas who need a slightly different level of access, you can mute out what you don’t want. So it ends up creating a lot of reusability. And ends up being, in the long run, less maintenance. But I do want to recognize it takes a lot of work to get there.
Mike:
Well, anything worth doing is a lot of work, right?
Cheryl Feldman:
That’s true.
Mike:
What you’re telling me is the thought of thinking about permission sets is how can I reuse this as opposed to how do I make individual permission sets for every single person?
Cheryl Feldman:
Correct, yes.
Mike:
Got it.
Cheryl Feldman:
Really what permission sets allow our customers to do is to have reusability which is what we’re all looking for in technology. That’s why lightning components are so popular is because of the reusability. It’s why a lot of the features in lightning are so popular is because of the reusability. And that’s what permission sets and permission set groups give us.
Mike:
Now, let’s say I’m an admin in an established org and I’ve got just pages of permission sets because somebody didn’t set it up that way. What would Cheryl’s approach be for that?
Cheryl Feldman:
My approach would be to figure out first before you start looking at every single permission set, is figure out your personas and what each persona needs to do. And then figure out what the permission sets you need and the permission set groups to match those personas. That’s how I would start. Now, I do want to recognize that is not a small effort. And I do want to build tools to help admins do those type of things because there aren’t a ton of great tools out there yet to really help admins optimize and refactor their user access.
Mike:
I always like to get to the soft side of being a Salesforce admin outside of the clicks. What are some of the questions that you asked, Cheryl, as an admin to understand if people needed permissions?
Cheryl Feldman:
Sure. I think it’s asking, so what do you actually need to do on the platform and what are you going to be doing day to day? And sometimes you don’t even need to ask it in context of the platform you could just say, “Tell me about your job, tell me what you’re going to be doing.” I took a job, this was … Oh my God, it’s probably 10 years ago now actually. I took a job as a lead admin where I was coming into a company that had Salesforce for about eight or nine years at that point. They had never had a dedicated team internally, they had been using a hodgepodge of consulting firms and independent consultants, and they realized they really needed a dedicated team to manage it and I was going to be managing it.
They basically had everybody in the system admin profile, they had … Everything you should not do they had. It was such a daunting task to figure out the user access. And I said, “Well, let me just figure out what people actually need to do and then back out from there,” and that’s what I did. I think also an important thing to think about is when you are making large changes to user access is do some form of UAT either with some power users or in a sandbox. Well, I think you should always be doing things in a sandbox, but make sure you’re having-
Mike:
Please.
Cheryl Feldman:
Yes. And make sure you’re having somebody, from the actual who’s going to be actually doing the job, test for you because you’re going to … They’re never going to tell you everything, you’re never going to think of everything, and there’s probably going to be something that gets missed so that’s why it’s really important. I would really just start asking the questions, “So tell me about what you do every day.” And you can map what they’re doing, what we consider in product management. And I think this also starts to help admins think about product management is what is somebody’s job to be done? What are they trying to do? And you can map that to different features and different access levels within Salesforce.
Mike:
I mean, Cheryl, you grew up in the days when you would log in and everybody had an admin profile because it was just easier to make sure they have access to everything. But that actually causes visual clutter and just anxiety for people because they’re … Am I supposed to put something in this field? This isn’t my job. Or, I put something in that field but somebody overwrote it.
Cheryl Feldman:
There’s just so much stuff here where do I start? The screens aren’t catered, they’re seeing so many fields because … They don’t necessarily need to see. And so I think it also gets to what is this person actually need to do. So it’s very focused on their personalized experience. I actually never really grew up from an admin perspective in a world where I could live that way because I spent most of my career working in financial services which is very, very regulated. Which is essentially how I became an expert in this area because I had to figure it out. I had no way to not do this because it was required by law.
Mike:
Jeepers. Let’s stay current day. What are some of the tools that admins have to evaluate profiles and permission sets, and permission set groups, right?
Cheryl Feldman:
Sure. One is an app that my team puts out called User Access and Permissions Assistant which you can find on the AppExchange. What this tool allows you to do is to report … Do some light reporting on user access as well as it also allows you to do some troubleshooting against the user to select a specific user and understand what they have access to, how they’re getting that access, and where they’re getting that access. That’s one tool. Some things that we’re actually putting out now within platform are … In the winter release, we are starting to bring some of the reporting into standard reports and dashboards, and we release the ability to report on permission set and permission set group assignments. So you can do that right from your reports and dashboards by creating a customer report type. That will also help you analyze to understand who is actually assigned to what rather than having to click into every single permission set and try to figure that out. That I think will really start to help. We’re going to build on that even further.
Mike:
That’s so great. I mean, back in my day I would just be like “Give me login as” and then I’d poke around as them. Oh, okay, I see where it’s gone wrong, where it’s gone awry, my bad. I hid the field on the page layout, what was I thinking? Okay. That’s present day. And I feel like that’s like okay, we’re caught up. What is some of the cool stuff that you’re working on that’s going to come out that would be the future of profiles and permission sets?
Cheryl Feldman:
We are very focused on what I’m calling the future of user management, and just general the future of the admin experience in a lot of ways because the user management features are the most used features within setup. What we’re very focused on is reducing the number of clicks admins have to make. I know when you started this podcast it was called ButtonClick Admin, and I think a lot of admins got started with clicking. But now if you think about how many objects, fields, settings, areas in set up an admin has to click, it almost becomes somewhat of just an overwhelming process. When you set up a new user you have to remember, especially if you have a lot of Salesforce products that have different licenses, and come with different permission sets, and permission set groups. You have maybe a sharing model you need to assign groups and queues. And then maybe you use a lot of AppExchange packages where you have all sorts of other package licenses, and permission sets, and things you need to assign.
What we’re very focused on is reducing the clicks there and helping admins not to have to maintain these massive spreadsheets about user access. We have a feature that’s an open beta, that any admin can go in into their user management settings and turn on called user access policies. And what this feature allows an admin to do is describe their users in … That’s either attribute-based fields on the user record or entitlement-based users are assigned to a specific group or a specific permission set or a specific profile. And when a user is created or updated, and you can define the trigger, you can automatically assign access. And that access can be permission sets, permission set groups, package licenses, permission set licenses, groups, and queues. And we have more coming. This has been a very popular beta product. That’s one thing that we’re working on that admins can try out now.
In order to figure out what’s in a permission set you have to click into every single section until the last release. In the winter release we put out a button on permission sets that says, “View summary,” and it says “Beta” in parentheses. And this very quickly summarizes what’s in a permission set, and it’s also in a permission set group. And so I’m on a mission to what I call summary all of the things. Where admins get stuck a lot of times, especially with troubleshooting and understanding user accesses, there’s just so many things. If you look at a user, what does that user have access to? That should be a relatively simple question to answer but sometimes it could take hours to figure that out. What my vision is is that we start to bring summaries to the user record and to object manager to summarize the access that’s being granted to that object or what that user has access to.
I’ve actually, a shameless plug, created two ideas on the IdeaExchange with some mocks that I would love all the listeners to vote on and give me feedback on, that I hope we can link, that I would like to bring to … Hopefully, I’m hoping to bring these to life by next Dreamforce. And that’s what I’m really working on is how can we reduce the number of clicks, and how can we still allow the flexibility of the platform but simplifying this to admins, especially newer admins? I can’t even imagine what it’s like to become a new admin in 2023. And with all these different clouds, and options, and trying to figure this all out in a four-day admin training, my little admin brain would’ve exploded. What I’m trying to do is make this easier to use and also address some of the longstanding issues we’ve had within user management just in that setup experience.
Mike:
Moving forward, can you spill anything you got planned for next year?
Cheryl Feldman:
Yes. Here’s what we’re planning. Like I talked about is to deliver summaries. And we’re going to GA, that makes something generally available. We’re going to make user access policies generally available. We are going to make the permission set summary and permission set group summary generally available. We’re going to start addressing the fact that you … It’s so hard to tell what’s on a user record and what that user actually has access to by delivering a summary on user. As well as we’re also starting to ideate on how we centralize things around an object. For user management specifically, our setup node reflects my team’s org chart rather than how customers work. What we’re trying to do is look at this and say, “Well, how can we unify this experience a little bit?” And that unification is either from the user perspective or from an object perspective.
And so what we’re looking at doing is creating some new sections with an object manager to look at the record access, which is your sharing, as well as your permissions right from Object Manager instead of having to be your on the account object. And then you’re trying to troubleshoot something and oh, it might be a permissions issue, let me look through every single permission set. Or, it might be a sharing issue, let me go to some other setup node and look at my org-wide defaults, and then let me go to some other setup node and look at my group membership. What we’re trying to do is centralize things a little bit.
Mike:
That’ll help.
Cheryl Feldman:
Yes.
Mike:
I mean, the goal of ButtonClick Admin wasn’t to wear your mouse out, it was to just say you can do things with a few clicks. And then it just ended up being you need to buy a new mouse every time you have to set up a user. Make sure you have your Amazon subscription up-to-date on batteries. As we finish things out, if you were to have admins really focus in on paying attention to doing a Trailhead module or understanding a piece of content as they get ready for next year, what would that be?
Cheryl Feldman:
So one of my favorite pieces of content … And this actually brings me to something else I wanted to make sure admins were aware of that-
Mike:
Good.
Cheryl Feldman:
Is the Who Sees What When video series. The doc writers I work with we released this maybe about two or three months ago, and it’s a really good bite-sized video series for you to understand user access. And I think that is honestly the best place to go. But I do want to recognize that we have a lot of areas for improvement in our documentation and we absolutely recognize that. And so we’re also going to be working on a considered effort to update our Trailhead modules. Some of our Trailhead modules don’t reflect what we are telling customers our best practices are, and so that’s something that we’ve prioritized to fix over the next year. As well as looking at our documentation in totality and making sure it’s organized in a way that would help an admin. Look and thinking about some other tools for admins to help them understand and learn user access.
Mike:
Wow. I would 100% agree. Thanks so much for coming on. I mean, your sessions again at TrailblazerDX and Dreamforce we’re just super, super packed. Anytime you go to a World Tour you’re super packed. I think it’s so cool. I remember working with you and being with you in the community, and then seeing you stand up and answer questions at True to The Core for Parker I just think is … It’s just wonderful. And other admins know this too, you’re in the same seat as us. And now you’re back there with the wizards behind the curtain fixing all the levers and it’s just so appreciative.
Cheryl Feldman:
Well, thank you, I appreciate that. It truly is my dream job so I’m super excited that I get to answer those, even if they’re tough questions, at True to the Core, I absolutely love it. That also leads me to something else I wanted to mention is … It should still be live by the time this podcast goes live. I’m actually opening a role on my team for a product manager to help me with some of this vision that I talked about. We’ll post a link if it’s still open. If you are listening to this you don’t see the link, it means we’ve filled it by the time this role goes open. The role will be based in India but it will be for product management. And I am looking for somebody who has a deep understanding of the user access features. Somebody who’s really passionate about the things I’m passionate about and that is improving the quality of life of admins.
Mike:
Yes, I would agree. Boy, get ready for tough interview questions. Somebody will not me. I don’t want to sit across the table from you and answer interview questions about files and permission sets. Somebody can that’s smarter than me, that’s for sure. I’ll put the link down in the show notes. Thanks so much, Cheryl, this was great. I can’t wait to see some of this stuff coming out in the releases and just … I know it’s always been ruckus applause at release readiness and on social whenever you show this stuff. That base level of just making sure the user has the right access feels like table stakes, but when you get it right and you nail it it’s just like you want the town … You want your company to throw a parade for you.
Cheryl Feldman:
Yes, that is 100% true. And definitely, I feel like sometimes it feels like a thankless job on the admin side of all the work that they do. I just want to recognize again how much work I know the admins put in every day into making sure their orgs are secure and people have the right access. It is a ton of work but it is work worth doing.
Mike:
Well, I enjoyed having Cheryl back on the podcast. I remember working with her in the community. And I’m so glad, as a former Salesforce admin, that she is also a product manager, and she understands exactly where we sit, and all of the things that we have in our daily life that challenge us. Now, if you enjoyed this episode I want you to do one thing, I need you to share it with somebody. If you’re listening on iTunes you just tap the three dots and click share episode. And you can post it social, you can text it to a friend, you can maybe send it to somebody that’s also struggling with user management access or learning it as well.
And, of course, if you’re looking for more great resources there’s all the links that Cheryl mentioned in the show notes to her IdeaExchange article to the Who Sees What video series. Everything that she mentioned is in the show notes. And, of course, everything for you is at admin.salesforce.com including a transcript of this show. You can be sure to join our conversation over in the Admin Trailblazer group in the Trailblazer Community. Don’t worry, again, link is in the show notes. So until next week enjoy setting up all of your user access management and I will see you in the cloud.
Today on the Salesforce Admins Podcast, we talk to Douane James, Salesforce Application Product Manager. Join us as we chat about his Dreamforce presentation covering how reducing profiles in your org can enable faster deployments. You should subscribe for the full episode, but here are a few takeaways from our conversation with Douane James. How […]
This week on the Salesforce Admins Podcast, we catch up with Vin Addala, a Product Manager, Senior Director at Salesforce. He gives us a sneak peek at the upcoming Dreamforce episode, Design and Build Apps Fast for #AwesomeAdmins, and fills us in on all the latest developments in board gaming, too. Join us as we […]
Today on the Salesforce Admins Podcast, we talk to Andrew Russo, Salesforce Architect at BACA Systems. Join us as we chat about Salesforce Foundations and why it’s a game changer for solo admins and small orgs. You should subscribe for the full episode, but here are a few takeaways from our conversation with Andrew Russo. […]
