Permissions Updates

Permissions Updates | Learn MOAR Spring ’23

By

Author’s note: You likely noticed that the official announcement about the End of Life (EOL) of permissions on profiles was never sent out. We’ve decided to no longer enforce the End of Life of permissions on profiles for Spring ’26. We realized, thanks to all the Awesome Admin feedback we’ve received, that we first have work more to do to improve the admin experience, and we’re focusing on these updates. However, we want to be clear that we won’t be making any improvements to profiles going forward. All of our efforts will be focused on permission sets, permission set groups, and related features.

You can still view our original post on EOL of permissions on profiles below. The most up-to-date user management best practices can be found here.

Follow and complete a Learn MOAR Spring ’23 trailmix for admins or developers by March 31, 2023, 11:59 p.m. PT to earn a special community badge and be automatically entered for a chance to win one of five $200 USD Salesforce Certification vouchers. Restrictions apply. Learn how to participate and review the Official Rules by visiting the Trailhead Quests page.

The future of user management

If you’ve been keeping up with new features for admins each release, you may have noticed we’ve been sharing updates on the future of user management in Salesforce. For the past 3 years, we’ve consistently told our customers and partners that permission sets are the future of user management.

It’s finally here! We’re announcing the end of life (EOL) of permissions on profiles that will be the Spring ’26 release. Over the next few weeks, you will see the official announcement come out.

Before we dive into what’s new with Spring ‘23, here’s a quick reminder of what will remain in a profile and what will eventually be available only in permission sets. I’ve also included some FAQs to help you understand where we’re going.

Profiles will still exist; however, permissions on profiles will EOL and permissions will be available only on permission sets.

What will remain on a profile

  • One-to-one relationships—login hours/IP ranges
  • Defaults—record types, apps
  • Page layout assignment—The future is App Builder/Dynamic Forms so we will not invest in bringing page layout assignment to permission sets.

What will be available only on permission sets after EOL

  • User permissions (system and app permissions)
  • Object permissions (object Create, Read, Update, and Delete [CRUD])
  • Field permissions (field-level security [FLS])
  • Tabs
  • Record types (not defaults)
  • Apps (not defaults)
  • Connected app access
  • Apex classes
  • Visualforce pages
  • Custom permissions

How can I migrate users profiles to permission sets and permission set groups?

  • User Access Policies is a feature we have in Closed Beta (as of Spring ‘23) that will allow you to specify criteria about your users—either user attribute or entitlement based—to help you migrate your users. If you would like to participate in the Closed Beta for user access policies please fill out this form.

Will I be able to turn off the ability to use permissions on profiles before the official EOL once I have completed the migration?

  • Yes! We are targeting the Spring ’24 release for this.

What about updates to the field creation wizard? It currently shows profiles instead of permission sets.

  • We have a feature in Open Beta that you can turn on in the user management settings to set FLS on permission sets instead of profiles. This also applies to the “Set FLS button” on fields. We plan to make this Generally Available (GA) in Summer ‘23.

Are there upcoming changes to package/AppExchange installs? This shows only profiles today.

  • We’re working on a solution for this that will likely include user access policies and some new features. More to come on this.

In Winter ’22, we released new features to make it easier to manage user access with permission sets, by making them available during field creation! Now, in Spring ’23, there are even MOAR enhancements that #AwesomeAdmins can use to manage user access.

Spring ’23 features to manage user access

User Access Policies will remain in Closed Beta for the Spring release; however, we’ve made many improvements including the ability to have 20 active user access policies. We’re accepting most customers into the Beta that have Unlimited Edition or Enterprise Edition orgs, so please fill out this form if you would like to try this feature. In addition to this, we’ve also made user access policies available via the Tooling API and the Metadata API, and they can be deployed with both first-generation and second-generation packaging. Since this is a high visibility feature with many customers starting to make the move off of profiles, we’ve made the documentation available early in Help & Training.

User Access Policies list view that shows three active user access policies

In the Winter ’22 release, we introduced the ability to set FLS on permission sets. Now in the Spring ’23 release, you can turn off the filter that shows only permission sets with at least read access to the object where you’re creating or editing the field. We also added more columns to help you identify the right permission set, and we made the columns sortable. In addition, if you’re in a new org with this setting on and don’t have any permission sets, we display a message with a link to create a permission set.

 Field creation wizard with the permission sets, with object permissions toggled off

Field creation wizard with the permission sets, with object permissions toggled off

Field creation wizard when there are no permission sets in the org

Last but not least, in the last Release Readiness Live (RRL) at Dreamforce, you heard me mention that we’re going to give Delegated Admin some much needed love over the next few releases. We’ve delivered on that promise by making Delegated Admin available in the Tooling API, not only for querying but also for inserting and updating through tools like Developer Console and the Data Loader!

Developer Console with query on Delegated Admin

See these new features in action!

Don’t forget to tune in to the Spring ’23 Release Readiness Live: Admin Preview on January 20, 2023, to see demos of a subset of these new, exciting features. Add the broadcast to your calendar today! And be sure to check out the Learn MOAR Spring ’23 for Admins Trailmix and follow along on the blog this week for more Learn MOAR!

More Learn MOAR

Release Highlights for Admins

Release Highlights for Admins | Learn MOAR Spring ’23

Join us and discover the new Spring ’23 release features for admins and developers. We know each release brings with it lots of amazing new functionality and there can be a lot to digest. With Learn MOAR, we’re packaging the release and bringing it to you in an easy-to-digest format with blogs, videos, and more. […]

READ MORE
Get Started with Einstein Copilot Custom Actions.

Get Started with Einstein Copilot Custom Actions

As Salesforce continues to revolutionize how users interact with the Einstein 1 Platform, Einstein Copilot is poised to provide a new and exciting layer of artificial intelligence (AI)-powered conversations for your users. Einstein Copilot is your trusted AI assistant for CRM — built into the flow of work for any application, employee, and department. With […]

READ MORE