Migrating Salesforce User Management to Permission Sets

Nicholas Scallorn
Salesforce Innovator

Controlling access to sensitive data is an integral part of any CRM, as users should only access what is required for them to do their job. In the world of security, less is more. This is known as the “Principle of Least Privilege” and is the recommended approach to managing user access in Salesforce.

Salesforce allows admins to set user access on either Profiles or Permission Sets, which has historically caused much heartache and confusion. This hasn’t gone unnoticed by Salesforce. On January 16, 2023, they announced the end of life (EOL) of permissions on Profiles in their Spring ’26 release.

Salesforce Update:

Since the announcement, Salesforce realized they had a lot more work to do on improving the admin experience and decided not to enforce this EOL, although they noted that they will not be making any further improvements to Profiles going forward. As such, our recommendation is to migrate to the Permission Set model to take advantage of the new features that will be released.

Follow along to find out how to best set up your Salesforce Org’s permissions through Permission Sets and Permission Set Groups and prepare your Salesforce implementation for scalable growth.

Permission Sets vs Profiles

Every user in Salesforce has a Profile assigned to them, which typically contains the most basic level of permissions that a user needs to perform their job. If that access needs to be extended, a Permission Set or Permission Set Group can be used.

Permission Sets in Salesforce are a collection of permissions and settings that are useful for giving users access to numerous tools and functions by extending their access without changing their Profile. They offer a broad range of advantages that streamline the process of assigning and revoking permissions to end users. For example, if you have a Sales User Profile, but a particular sales rep needs the ability to edit and export reports for their manager, a Permission Set can be created and assigned to that user. That way, the user can perform this function without making major adjustments to the Sales User Profile.

Important Note:

You can assign multiple Permission Sets or Permission Set Groups to a user, and the permissions of each set accumulate. Salesforce lets you add permissions this way, but a Permission Set does not technically restrict permissions. Understanding this will help you structure your Permission Sets in a scalable manner.

Salesforce’s initial plan when retiring permissions on Profiles included moving the following settings to Permission Sets:

  • User Permissions
  • Object Permissions
  • Field Permissions
  • Tabs
  • Assigned Record Types
  • Assigned Apps
  • Connected App Access
  • Apex Classes
  • Visualforce Pages
  • Custom Permissions

The following, however, would remain on the Profile:

  • Login Hours
  • Login IP Ranges
  • Default Record Types
  • Default Apps
  • Page Layout Assignments
  • Password Policies
  • Session Settings

How should I plan my users’ Profiles for the Permission Set migration?

Since these permissions are created and managed by various sources, many of them become unused or underutilized. With the announced end date for permission settings at the Profile level, there has never been a better time than now to assess and audit your Profiles and Permission Sets.

Once you gain a solid understanding of your current system, you can begin to map out your new permission structure. Here are a few tips to get you started, along with some key areas to consider for scalability.

Salesforce Profiles

Salesforce recommends you create a Profile void of any permissions to be assigned to your users. The idea is that all relevant permissions will now be set on Permission Sets or Permission Set Groups.

Apart from the default Standard User profile, we suggest incorporating profiles such as System Administrator, Administrator, and Integration User into your schema to cover your basic needs. You’ll also want to ensure that any settings at the Profile level are correctly implemented on any newly created profiles.
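The audit described above can be scripted once Profile and Permission Set assignments are exported. This added example (not from the original article or from Salesforce) uses constructed data and a hypothetical `Object:action` notation to compute each user's accumulated access, the permissions that exist only on their Profile and would be lost on a permission-free Profile, and the Profiles and Permission Sets that nobody holds.

```python
# Constructed sample data. "Object:action" strings are a hypothetical notation;
# in a real org these rows would come from your own permission exports.
PROFILES = {  # Profile name -> permissions granted on the Profile itself
    "Minimum Access": set(),
    "Sales User": {"Lead:read", "Lead:edit", "Activity:read"},
    "Legacy Marketing": {"Campaign:read"},  # no user holds this Profile
}
PERMISSION_SETS = {  # Permission Set name -> permissions it adds
    "Activities Full": {"Activity:read", "Activity:edit", "Activity:delete"},
    "Activities Read Only": {"Activity:read"},
    "Report Export": {"Report:edit", "Report:export"},
    "Old Pilot Access": {"Contract:delete"},  # assigned to nobody
}
GROUPS = {"Sales Dept": ["Activities Read Only", "Report Export"]}
USERS = {
    "ana": {"profile": "Sales User", "sets": ["Activities Full"], "groups": ["Sales Dept"]},
    "raj": {"profile": "Minimum Access", "sets": [], "groups": ["Sales Dept"]},
}

def assigned_sets(user):
    """Permission Sets held directly or through a Permission Set Group."""
    u = USERS[user]
    return set(u["sets"]) | {s for g in u["groups"] for s in GROUPS[g]}

def from_sets(user):
    """Union of everything the user's Permission Sets grant."""
    return set().union(*(PERMISSION_SETS[s] for s in assigned_sets(user)))

def effective(user):
    """Access accumulates: Profile plus every assigned set, never minus."""
    return PROFILES[USERS[user]["profile"]] | from_sets(user)

def only_on_profile(user):
    """Permissions lost if the user moved to a permission-free Profile today."""
    return PROFILES[USERS[user]["profile"]] - from_sets(user)

def unused():
    """Profiles with no users, and Permission Sets with no assignees."""
    held_profiles = {u["profile"] for u in USERS.values()}
    held_sets = set().union(*(assigned_sets(u) for u in USERS))
    return (sorted(set(PROFILES) - held_profiles),
            sorted(set(PERMISSION_SETS) - held_sets))

if __name__ == "__main__":
    for name in USERS:
        print(name, sorted(effective(name)), "profile-only:", sorted(only_on_profile(name)))
    print("unused:", unused())
```

Note that "ana" keeps `Activity:delete` even though her group includes the read-only set: the only way to reduce her access is to unassign "Activities Full".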

Salesforce Roles

Roles are used to control access to records, folders, reports, and dashboards, and it is best practice to set up roles for governance. Roles allow for a hierarchical approach in which you can factor in your firm’s seniority structure. This way, a subordinate will not have visibility into records created by their superior unless it is specifically provided by sharing settings. This safeguards any sensitive information in Salesforce, such as company forecast reports, commission calculations, and more.

Salesforce Permission Sets

Screenshot of Salesforce Permission Sets

Permission Sets can contain an assortment of access to various objects depending on the use case for that Permission Set. When building them out, consider categorizing by user job function within Salesforce. For example, one Permission Set may give full access to Activities, whereas another permits only read-only access to Activities. This granularity gives you the flexibility to customize the functions that are added to groups of users and, just as easily, to remove them if there’s a change in responsibilities.

When creating them, we suggest you start in a Sandbox environment. You can clone an existing Permission Set or start from scratch. A cloned Permission Set starts with the same licenses and enabled permissions as the original. A new Permission Set starts with no licenses selected and no permissions enabled.

Salesforce Permission Set Groups

Screenshot of Salesforce Permission Set Groups

Permission Set Groups are a collection of Permission Sets and are typically categorized by department. In summary, they allow you to add a single Permission Set Group to users, simplifying your onboarding process, saving you time, and greatly reducing your dependency on profiles.

Sharing Settings

Sharing Settings define the default level of access that users have to each other’s records, as well as exceptions to those defaults. They allow you to extend access to records through users, groups, or roles, even if they don’t meet the criteria for organization-wide default access. For example, if your org has cross-region sensitivities, you could set Lead records private and create sharing rules that give all members of the US Sales team access to each other’s records by referencing a US Role. This allows your US team to collaborate and cover each other’s Leads within the region but restricts visibility to those records to sales team members in other regions.

Test, Test, Test!

You can mitigate most major issues by having a comprehensive plan to test and deliver new Profiles, Permission Sets, and Permission Set Groups. However, as with any change of this complexity, you should expect some minor user issues after moving to production. Minimize them by logging in as different groups of users and testing the results.

Deployment

When it comes time to deploy to your production environment, validate all changes after deployment, because data and settings may be out of sync between your production and sandbox orgs.

Using Change Sets:

If using Change Sets to migrate to production, be aware that Profiles are added under “Profile Settings For Included Components”, not under “Change Set Components”.

Screenshot of Salesforce Change Set Components

Additionally, certain items, such as Sharing Settings, will need to be updated manually in Production if using Change Sets.

Conclusion

When the update from Salesforce was announced, we were both excited and concerned. While this migration is necessary, the migration itself will be difficult for many organizations, especially those that have been around for some time. The task can seem monumental when confronted with the wide range of permissions you need to accommodate.

However, with a little housekeeping and some preventative work, most issues will be avoided and managing users’ access will become a much simpler task. Make Salesforce work for you and your Sales team by configuring it the right way. For a free consultation on your Salesforce org, please drop us a line.

Tips you should know:

  • Make sure that your testing group consists of a wide range of end users to ensure that all settings for newly created Profiles, Permission Sets, and Permission Set Groups are correctly assigned.
  • Page Layout Assignments are not moving to Permission Sets since Dynamic Forms will be the preferred method to handle Page Layouts moving forward.
  • When auditing Profiles and Permission Sets, User Reports can be leveraged to find unutilized Profiles.
  • Email Panes and Publisher Layouts will continue to be assigned at the Profile level via the Outlook or Gmail sync settings.

About HomeTree Digital

HomeTree Digital is a full-service digital marketing agency for financial services. We incorporate design and creative elements into our work and specialize in email marketing, social media marketing, paid advertising, videography, web development, custom integrations, and automations. As a Salesforce Certified Partner, we can assist with the architecture, administration, or development of your CRM. If you are facing challenges in any of these areas, please reach out to us for assistance.

HomeTree is defined as a wise, resourceful home that provides knowledge, instills inspiration, encourages creativity, and protects, while harmoniously connecting its residents through its branches and roots to the outer world. This accurately describes the approach we take when it comes to our clients. We believe in excellent customer service and prioritizing you. Our mission is to provide you with the know-how to succeed in a rapidly evolving digital world.



About the author

Nicholas Scallorn is a Salesforce Innovator at HomeTree Digital who brings years of expertise and fresh ideas to both Salesforce and data solutions. With a proven ability to bridge the gap between business stakeholders and technical teams, Nicholas possesses a deep understanding of Salesforce, data analytics, data science, and data visualizations. His years of experience at organizations like SESAC Music Group (a Blackstone Portfolio Company) and his academic pursuits, including an MBA with a concentration in Data Analytics, have equipped him with this valuable skillset. Outside of work, Nick enjoys traveling with his family, playing the guitar, and restoring classic cars.
