A goat in Salesforce attire and headphones, holding a sign for a podcast.

Reduce Salesforce Profiles for Greater Efficiency

By

Today on the Salesforce Admins Podcast, we talk to Douane James, Salesforce Application Product Manager. Join us as we chat about his Dreamforce presentation covering how reducing profiles in your org can enable faster deployments. You should subscribe for the full episode, but here are a few takeaways from our conversation with Douane James.

How permission sets can help you reduce Salesforce profiles in your org

Douane’s giving a talk at Dreamforce this year so I was excited to get him on the pod and hear more. He recently went through the process of reducing the number of profiles in his org from 11 down to only 2, so his talk is centered around why you can and should do the same.

I know I don’t need to tell you this, but Salesforce best practices change over time. Most Salesforce orgs are built to work right now, which is how you can wind up with technical debt. For example, permission sets have become a much more elegant solution to the problems we used to solve with profiles. Sounds like a big project, but Douane’s here to tell you that reducing the number of profiles in your org is not as hard as you might think.

Profile footprint reduction speeds up deployment

A few years ago, Douane’s organization started using a new dev ops process. And while this made it easier to identify what needed to be built and do it quickly, he couldn’t help but notice how long the deployments were taking. More often than not, the delays were related to configuring profiles. He realized they needed to do an overhaul and reduce the number of profiles in their org.

The first step was to get buy in. For Douane, the key was to emphasize how much quicker his team would be able to respond to requests if they spent time on cleaning up profiles. It also helped that they were committed to gradual improvements over time. Profile footprint reduction isn’t something that happens overnight, but it takes less time than you might think if you go step by step.

How to move from profiles to permission set groups

Douane and his team set out to move everything they could from profiles into permission set groups. They identified a representative for each user role they could interview to make sure everything was still working as intended throughout the process.

When you’re looking at your existing profiles, you need to find out:

  1. What are the permissions in the profiles?
  2. What permissions are common to each job function?
  3. Are there any special cases?

For users that need a lot of special access, Douane recommends creating a “heavy” permission set that allows you to give them exactly what they need.

If Douane has one message for you, it’s that the hardest part of reducing their Salesforce profiles was getting started. And the impact was felt immediately in terms of much quicker deployments and better security.

Make sure to catch Douane at Dreamforce and subscribe to the Salesforce Admins Podcast so you never miss an episode.

Podcast swag

Learn more

Admin Trailblazers Group

Social

Full show transcript

Mike Gerholdt:
This week on the Salesforce Admins Podcast, we’re talking to Douane James, who presented at Dreamforce this year on the reduction of profiles that he helped manage for his organization, he went from 11 down to two, so profile reduction footprint, that’s pretty cool, and his journey to Salesforce. He is an intentional admin. He wanted to become a Salesforce admin because he saw the potential and how it aligned with his critical thinking and his business problem solving skills.

So we’re going to talk through how he reduced profiles and also kept permission sets and permission set groups from being bloated. This is an awesome conversation. Now, before we get started, just a reminder, if you love what you’re listening to, hey, drop a review on your favorite app. Be sure to click that follow or subscribe button. A lot of apps have that now.

The reason I ask you to do that is then a new episode just shows up right on your phone. You don’t have to think about it. Every Thursday morning you get a brand new Salesforce Admins Podcast. So when you wake up and you’re walking the dog or commuting to work or going for a bike ride, you’ve got something you didn’t even have to download it. Phone took care of it for you. So with that, let’s get Douane on the podcast. So Douane, welcome to the podcast.

Douane James:
Oh, great. Thank you for having me. This is awesome.

Mike Gerholdt:
Absolutely. Well, it is the last day of Dreamforce, and your session was incredibly popular talking about reducing profiles and adopting permission sets. So that’s my teaser. But before we get into that, tell us a little bit about yourself. How did you get started as a Salesforce admin?

Douane James:
Yeah, it’s a story I always tell, and it’s that I got my start around the time when accidental admins was a thing. You would hear that a lot, “Oh, I’m an accidental admin,” and I would say I’m the opposite of an accidental admin. I got into Salesforce specifically to get into Salesforce. And it’s funny, because before I got into Salesforce, I used to work in the healthcare field, and I used to do different things in a community like recreational leagues. And I’d always have people…

You’d meet new people and would ask me, “Oh, what do you do?” And even before I could say anything, they would say, “Oh, you seem like you work in IT,” and I would say, “No, no, I don’t work in IT. I have nothing to do with IT.” But I kind of recognized, oh, I’m an analytical person and somebody keeps telling me this, maybe I should work in IT. I just happened to come across Salesforce.

This was about seven, eight years ago. And what appealed to me was I was able to get into it without having to go back into college. And I saw Trailhead, and I was actually able to follow those steps where I was a volunteer. After I got certified and I got my first contract, that led to a second contract, and then second contract position, and then that led to a full-time position.

And I’ve been able to really work my way up and now working in an organization as definitely a team lead Salesforce admin and just a mix of roles, business analyst, internal consultant, all these things where I’m just supporting the Salesforce platform and working with users on the regular.

Mike Gerholdt:
Yeah, no, that’s definitely one thing that in admin relations we’ve seen in all of our research, which is the combination of Salesforce’s focus on being a declarative platform, like a platform where you can visually configure a lot of not just the interface, but the automation, the connections, how it pulls and sends data on top of just people having really strong business analytical, critical thinking skills is kind of almost like… It’s like the perfect chili recipe.

Douane James:
What I say a lot is, I wish I would’ve paid attention to people before and gotten into Salesforce before because this just seems like such a great fit for me. I’m so happy I got into it when I did.

Mike Gerholdt:
I’ve often tried to narrow down what part of it is the most rewarding for me, and I think it’s the ability to sit. I’ve always loved mapping business processes and just understanding the flow of things and understanding procedure. And I think for me, it’s being able to take that and then immediately configure the tech and see its impact.

It’s not like a three or four month thing. I mean, sometimes it is, but sometimes you can implement little changes and do things that immediately have impact on the process. And it’s kind of that reward, that immediate burst of endorphins that you get.

Douane James:
Yeah, there’s that. Just being able to make something digitally, let’s say, and then actually see the impact and then have other people be amazed like, “Wow, you did that. Oh wow. How’d you do that?”

Mike Gerholdt:
I know.

Douane James:
Well, it’s a special recipe. I have these skills that I have over the years, that kind of a thing.

Mike Gerholdt:
I’m a very talented individual. You don’t understand.

Douane James:
Yes. Yes. Yes.

Mike Gerholdt:
I think probably most people were like me and we went a little nuts with profiles. I grew up in the era where there was just profiles, and you didn’t have such things as permission set. So anytime you had to create something that was a marketing manager, but not a marketing manager, you had to create another profile. And boy, did your org quickly have an unmanageable amount of little profiles.

It was almost like little mini-me’s running around. And I think that’s probably why people are gravitating towards the session because you’re talking about how you reduce profiles and really adopted permission sets, which is a best practice. So let’s start at the very beginning. Why did you sit back and say, “You know what, let’s do the hard work and make this reduction?”

Douane James:
Yeah, definitely. I think I really look at it like every… It’s like a house. It’s like every house has an eyesore that you know should work on, but you say, “Oh, let me procrastinate. I’ll deal with it later,” that kind of a thing. And that’s how we viewed profiles. Because at a certain point, we looked at it and we knew, okay, every time we have to make a change, we have to change 11 profiles.

It’s like we do not have 11 different types of users or 11 types of roles and functions. It’s much, much fewer than that. So what happened is it basically just reached a point where we saw, okay, there’s definitely too many to manage. As you mentioned, the issue was we started with too many at the original implementation, and we had some profiles with one or two people assigned and then others with way too many people assigned.

And certainly we noticed that users had more access then they needed. And this was something that really, like I said, this was just a known issue for a while, but what made us want to address it specifically is because we started… A few years ago at our organization, we went to using this DevOps process. And I just noticed over time, deployments just took longer.

It’s almost like we had to add 10% longer because we had, okay, wait, I got to change this profile. I’m making this change. I got to change the field level security here. And then, oh wait, I changed it in this sandbox and I didn’t change in another sandbox. Oh no, I meant to sync it, but then I forgot. Things get out of sync. It got to a point where we said, this is something that it really makes sense to carve out time.

And definitely we had no fear of saying, well, all right, normally when we’re presenting to users things that we’re doing, there’s all this ROI, all these things, oh, look at what we did, we added this new feature, or we implemented this, and that’s not the case so much with profiles and permissions. That’s something that users definitely don’t see. So one thing that we had to do, and I think we were successful at doing this, is get buy-in.

And the way we got buy-in was just really being honest. If we take the time to move from profiles to permission sets, we believe that we will see the benefit of being able to respond to your request quicker. Our users will typically have change requests or different things that we’re building. It might oftentimes requires profile changes because it’s relating to permissions.

And we were just able to connect the two and to say that this is something that we want to work on and not necessarily carve out a lot of time, but just a little time and just work on it in phases incrementally over a period of time.

Mike Gerholdt:
Well, that was going to be my next question because I feel like… This is the joke I always make. It’s like the cobbler’s shoes. Every time you want to sit and carve time out to make a thing better for yourself, it’s always at the sometimes detriment of other features coming out. So my question was how did you phase this into what you already had to do in terms of change management and product management?

Douane James:
Yeah, certainly. It was just the matter of saying, okay, in a given sprint, if there’s 40 hours, let’s at least take five and let’s at least look at it. And actually, the reason it was easier to do is because, like I said, we had 11 profiles. So our approach was what can we do to knock off this profile? What can we do to knock off this other profile? And that’s the stage.

We’ll go into more on the specific stages, but just at the starting level, that’s the way we said we’re going to do it. It just like one profile down, then another profile, then another profile, in the sense of changing it into a permission set or basically not necessarily changing it, but moving the permissions over to a permission set.

Mike Gerholdt:
I mean, thinking about your users, it’s always the joke I make with my friends, which is we go on these long driving trips, the best long driving trip is the most boring because nothing happened. No flat tire, no engine problems, no accidents. And it’s almost the same for users. Going from how many profiles down to a few, essentially for them, they should log in and not feel a change.

Douane James:
Exactly. Exactly.

Mike Gerholdt:
It should be a boring day. Oh, congratulations. You just logged in. You didn’t even know we switched everything on you.

Douane James:
Yes, exactly.

Mike Gerholdt:
So it was two year goal when you started out, or what was your goal?

Douane James:
Well, yeah, definitely, for sure. You could look at two as a little bit of a failure because we wanted to go down to one. And really that one is it’s just a minimum access profile that we assign to everybody because everything is going to be on the permission sets. But definitely we knew 11 was too many and we ended up going down to two mainly because we’re considering the new purpose of profiles where they’re minimum access. They don’t have any permissions on them.

The permissions are now going to be moved to our role-based permission sets. But one thing that we found is just because of the nature of our organization, we have certain issues with page layouts and then default assignments for apps and also record types, it’s like in the future we will be able to go down to one minimum access, but for right now, 11 to two, we thought that’s pretty successful.

Mike Gerholdt:
Yeah, hugely successful. I think one of the things I’m thinking of is you started and you worked it into your sprints. So how long did it take realistically for you to get down to two?

Douane James:
I will say that’s one where we had to be flexible. I think if you were to add up the time, it would probably be maybe three or four months or so. But we had a break in there and then we ran into… Basically the first one that we started with, we had some pushback because we didn’t get everything right. And what we did in order to get the full idea of what the permissions are that needed to be moved over to a role-based permission set, what we’re doing is we’re looking at a persona, a job function and we’re capturing that.

And in order to do that, what we did was we had a good idea because we’re able to look at the permissions that are already there, but what was really helpful was we did a interview, just a brief interview, and we picked a representative user for each role. And what happened in the issue I was just mentioning is for the first one, it turns out we didn’t pick the right representative.

Mike Gerholdt:
Oh no!

Douane James:
They didn’t actually know everything that their colleagues in that particular role, this was marketing, everything that marketing users should do. So the first change that we heard, “Wait, I’m not seeing this. Why am I seeing this?” That kind of a thing. And this was after we’d gone through doing testing. And the representative user that we picked said, “Oh, yeah, everything is fine,” but then someone else said it so we had to roll back.

So that can happen. That can happen. But actually, just to answer your question, I think it ended up definitely a few months and we were okay with that. We were okay with that because we weren’t looking at it as something that we had to do. It’s like we had to get done by a certain time. It’s like it just works well that, okay, we have this goal, and if it takes us a few months, that’s fine.

Mike Gerholdt:
No. I mean, it’s definitely not a precipice that you’re heading towards. You mentioned earlier in one of your answers the stages, and I’d be curious because I think that part, as a fellow Salesforce admin, I always love to know how people work through the problem so that I can either copy it because they’ve already done the hard work for me, or I can understand how I can use it and maybe modify it from my situation.

So you mentioned the stages. I’d be curious, can you give us a little bit of an overview of what those stages were and how you worked through?

Douane James:
Yeah, absolutely, absolutely. So we had what we call or what we’re not calling legacy profiles. So we had all of these, but what we needed to do really was just to find what are those permissions in the profiles, what permissions are common to each job function? And we might have four, three, four, five or so different roles or personas that we could clearly identify.

And it just made sense, like I said, to analyze those permissions, identify what’s common, and then we also had to identify what’s not so common, what’s unique, so like which is unique to this persona, to this role? In order to do that, we were able to… We did the interview, like I mentioned. Hopefully, we’re able to pick a representative user for each function.

And really what we did was we made sure that we captured every profile. So actually now that I recall it, I think we actually did it was maybe some more interviews because we wanted to see, okay, well, there’s only this one person in this profile. Is there a reason that they need this, a unique profile? So we were able to do that. And once we had that, then we were able to get, like I said, the permissions in the permission set.

And obviously these are everything relating to I guess you would call it user permissions, object permissions, the field permissions, custom permissions, anything that’s related. What we did, we sought to make what I call or what I’ve heard called, so I won’t say I coined this term, but a heavy permission set that was based on a persona. So it has a lot in it, but it captures what that role needs to do in Salesforce. And it doesn’t give them more than they need, and it doesn’t give them less than they need.

Mike Gerholdt:
I like that term, heavy permission.

Douane James:
Yeah, I’ve heard that before. I did not coin it.

Mike Gerholdt:
No, it’s okay. But you said it here and it’s on the podcast. It’s on the internet forever now.

Douane James:
Yes. The reason it came up is because I was so used or we were so used to at the beginning of this process thinking of permission sets as this lighter thing. Because before this, we had plenty of permission sets in the org, but typically it was just a permission set for one specific thing or one thing that a person needed to do on an object. Maybe they needed to edit and it would just be that.

It would just be you have this permission set gives you edit permission for the accounts object, or it gives you delete permission. That’s something that we had to get over to understand that, yeah, we can still have those light permission sets, but for this setup, it just didn’t make sense. That’s one thing I think that may have steered us off for a while is because we were thinking, oh man, this is going to be such a long thing.

If I have to do a permission set for this object and a permission set for this object, that’s going to take too long. But no, no, you actually don’t have to do that. You can just look at it like I want one permission set to capture my sales manager users or another one for my marketing users or another one to represent my event manager users, with the understanding that there could be some overlap with somebody having two roles, and that’s fine. That’s fine.

Mike Gerholdt:
Well, that’s where, to play devil’s advocate a little bit, I was thinking, are we just kicking the can farther down the road? So you had 11 profiles, how many permission sets do you have? It’s also, yay, I got down to two profiles, but now I have 400 permission sets to manage.

When you are creating those permission sets, I have to believe you were actively thinking through how we’re going to create groups, keep these things grouped together so that you’re not just moving the problem farther out of profiles into permissions, right?

Douane James:
Yeah, yeah, absolutely, absolutely, because the idea is profiles are one to one. And for us, it just didn’t make any sense to have everything bundled into one profile and to say that this person is just this when they may be more than this. And it just so happens for us, the one thing that we did not, we did not, we did not want to do is to have tons and tons of permission sets and then not know… It’s like, well, what does this person need to do?

So that’s definitely, I think, we did that more at the end where we were able to say, okay, for our permission set groups, typically the way we set it up is we have this one heavy permission set based on persona where it captures that person’s role, and then the permission set group, that would also have some smaller permission sets maybe for more granular access that is going to be specific to that role or to that function in our organization.

An example of that might be export reports, because that’s a specific permission that some need to have and others don’t, or merging contacts and accounts because we have duplicates. And when you merge contacts and accounts, you need to have a delete permission. So that’s a specific permission set that’s assigned separately. We don’t want to have those unique permissions to be bundled in with the role-based permission sets. We can leave those. We’ll leave those that we can assign as needed.

Mike Gerholdt:
In seeing your presentation, having you say heavier permission set really makes sense because one of the things that you talk about is layering. And can you just expand on that? Because I really think with the principle of least privilege and then your approach to personas and layering permission sets, it actually made it a lot easier for you to think through. And I bet somebody probably made a really cool graphic. I don’t know. It is graphic in my head. I’m thinking of layers of permission sets.

Douane James:
Yes, yes. There probably is a graphic out there. And definitely I think in our organization, we have these different roles and we have noticed it where… I would say this is a benefit of knowing our work and knowing our users. So it was maybe easier for me to approach this because I’ve been there a while.

And I was able to say, okay, at certain point of the year, there will be an area where our recruiters, our advisors, which each of those would be a role, a recruiter, an advisor, marketing would be a different role, event manager. But in some cases, our recruiter can also be an event manager. We will have certain event managers where that’s all they do. That’s all they do.

Their focus is on managing events, and that’s all they really use Salesforce for. But then we have recruiters that sometimes they’ll come in and they’ll need to manage events. So we were able to approach it in that way where if somebody says, okay, someone’s on maternity leave, let’s say, this happens a lot, I’ll be handling this. So we’re able to just add that permission set and it’s no big deal. It covers all the things that they would need to do.

Mike Gerholdt:
I so remember when I was a Salesforce admin before permission sets, I had a couple people in my office that had to go on leave, and one of them was a marketing use case, just exactly that, where another marketing individual had to take over while a person went on leave.

And I had to create this hybrid profile that was what they did in their day job plus the event management stuff. And I remember thinking, I wish I could just… It should be just like a thing I could plug in and then unplug a permission set, if only.

Douane James:
Yes. Yeah, yeah, absolutely. And what’s good, another thing that relates to that, because usually when you say the first thing that people would think of is like, well, aren’t you going to give them too much permission? Well, if you design these permission sets really according to principle of least privilege, you’re not putting in things that don’t need to be there, and you don’t have to worry about somebody being able to delete everything by accident.

Because our permission sets, it’s like typically everything that you would need to do in your role, then it would be standard, read, create, edit permissions. I don’t think any of our users have by standard delete permissions. So when we’re layering, we’re doing it without fear, without fear that that’s going to happen.

And that’s something that under our previous setup, it just so happened that, however it happened with profiles, some of our users had these delete permissions. And sometimes users just think of deleting as no big deal, and they don’t realize that on the backend you can’t just delete one thing, this is connected and it’s related, and then you have orphan records. We don’t want that, that kind of a thing.

Mike Gerholdt:
Yep. The cascade delete.

Douane James:
Yes.

Mike Gerholdt:
As we wrap up here, if you had to go back and do it all again, is there something you’d do different? Or for admins looking to get into this endeavor, what piece of advice would you give them?

Douane James:
Well, you know what? There’s two different levels of that. I mean, the biggest thing I would say is you don’t have to be like us where we were procrastinating until it really bit us and was taking so much time. You don’t have to run away from it. You can run toward it. And that’s the reason why I wanted to do the presentation at Dreamforce is because I thought, wow, I was so afraid of doing this because I thought, oh, it’s going to take so much time.

And in reality, it didn’t take that much time. Definitely if you add up the amount of time, we were able to do it pretty easily. Granted nothing ever goes smooth as you expected, but yeah, we were able to do it. It’s just like, don’t run from it. You can absolutely do this. And I think the benefits and definitely is something that’s worth it, it’s just quicker deployments.

It’s like we just had something the other day where we had this new integration and the new integration was basically a whole new custom object, and there were fields bringing in and people needed access. And the question that a developer was asking is like, okay, what about the profiles? How are we going to change all the profiles? I was like, wait, remember, we’re not on profiles anymore.

All you have to do, is it in a permission set? And he says, “Well, yeah, I can put in a permission set.” Then yeah, that’s it. That’s all you have to do. Just assign it and we’re good.

Mike Gerholdt:
Yeah, no. I mean, the part that you’re at right now is that over the big hump and now we just have to maintain and keep this philosophy going part, which is so enviable for everyone. So thank you for coming on the podcast and inspiring us to go to the profile gym and lose some profile weight, I’ll say. How’s that?

Douane James:
Yes, absolutely. See? I love…

Mike Gerholdt:
It’s true. It’s true. We’re all a little over. We got too many profiles and we need to go to the gym, lose it. And that’s the hardest part, getting there and doing it.

Douane James:
Getting started. Getting started. It’s definitely something that helps when you’re thinking of it. Like, let me just work on getting rid of this.

Mike Gerholdt:
Well, that’s what I like that you guys did is you just, we’re not going to tackle the whole thing. We’re not going to go from 11 to one or two overnight. Let’s just get rid of one.

Douane James:
Right.

Mike Gerholdt:
Yay!

Douane James:
Yeah, that’s exactly the way it worked. That’s the way it worked. It was, oh man, I’m refreshing my memory now because that’s something else that we went through where…

Mike Gerholdt:
I can hear the joy in your voice.

Douane James:
Where it was time to remove this profile. We didn’t have any… So we were able to… And then we were just… It’s chopping a tree. It’s like, okay, then we’re down to this. And then, of course, that last one, it took the most time. We wanted to make sure everything was everything, because it’s also important to have a rollback plan because you may need to roll back. But we were able to do that.

It’s something that the more progress we made, the more confident we felt about doing it. And that’s something that I think people in the Salesforce ecosystem would benefit from is just getting started. And then just like you mentioned, you’ll find you get more confident about doing it and you will be able to show benefits even to the business users as far as moving things through quicker and being able to be more flexible in how your permissions are set up.

Mike Gerholdt:
I would agree. Thank you, James, for coming on the podcast, and I look forward to hearing more from you in upcoming Dreamforces and content because you’re definitely giving us a lot of best practices to work on.

Douane James:
Sure, sure. I look forward to it myself. Thanks a lot. I really appreciate the feedback, and this is great. Dreamforce is excellent. Excellent. Always so happy to attend.

Mike Gerholdt:
So it was a great discussion with Douane. I really enjoyed it. A little bit longer because I had a lot of questions about how he tackled it. I think the metaphor of going to the gym kind of works, right? It feels like, oh, we’ve got to do this great big thing and we have to tackle it all in one big chunk. We have to go from a lot of profiles to very few in just one fell swoop.

But Douane actually proved us wrong and said, you just take it one little bit at a time and work on it, and you modify and you change, and you learn from your mistakes. I mean, that’s every day for me. So I’m really glad he could come on, walk us through this, and set the bar high for us. So I feel being a North Star and being able to show us how it can be done and give us that best practices really inspires me.

Of course, there’s a ton of Trailhead modules and there’s stuff on profiles and permission sets and permission set groups. We’ll link to those in the show notes, which you’ll find at admin.salesforce.com, and we’ll also include a transcript of the show. Now, be sure to jump over to the Trailblazer community. We have a group there called Admin Trailblazers. You can jump in, ask questions.

There’s always a lot of admins asking questions in that group. Don’t worry, the link to that is also in the show notes. So with that, until next week, I’ll see you in the cloud.

Love our podcasts?

Subscribe today on iTunes, Google Play, Sound Cloud and Spotify!

Cheryl Feldman on the Salesforce Admins podcast

Master User Access with Cheryl Feldman

Today on the Salesforce Admins Podcast, we talk to Cheryl Feldman, Director of Product Management at Salesforce covering all user access features. Join us as we chat about best practices for configuring user access and discuss the latest initiatives Cheryl is spearheading to assist you.  You should subscribe for the full episode, but here are […]

READ MORE