Permission Set Groups vs. Profiles


With Spring ’20 coming up, permission set groups are finally generally available.

This new feature gives you an opportunity to rethink the way you manage user access rights in your Salesforce organization. You can now combine multiple permission sets for user management and truly apply role-based access control.

Depending on your security policy, you can also now assess the pros and cons of using permission sets or profiles. We will be giving you a few clues here to sort things out.


 

The problem with Profiles

  • Profiles are hard to deploy

As you may know, profiles can generate a lot of issues when it comes to deploying metadata in your organization. I personally spent a lot of time in the past trying to do it with Salesforce Change Sets or Apache Ant. But I ended up manually creating or updating profiles in the target org.

  • Profiles are hard to maintain

From an administration perspective, profiles are also hard to maintain. In most of the orgs I had to work with, profiles were badly maintained or not maintained at all. Profiles were systematically cloned even if there were just a few differences between them.

Indeed, profiles are a catch-all feature that mixes various types of rights, from system permissions to object and field permissions. Because of that, Salesforce Administrators tend to create a new profile instead of bothering to update an existing one.

  • Profiles do not fit with a role-based security logic

Finally, profiles do not apply role-based access control from a functional viewpoint. Profiles do not match the concept of job title or function. That is why it is sometimes hard to configure the logic between profiles and the role hierarchy to set the right access controls.


 

Permission Set Groups, the right option

Indeed, permission set groups allow Admins to bundle multiple permission sets into a single permission set group for user assignment. We can now apply real role-based access control.

A permission set group should gather the permission sets that enable a user to perform their daily tasks in Salesforce.

For instance, a Sales VP called Elliot has the following recurring tasks:

  • Create leads
  • Report Sales Pipeline in Salesforce Analytics
  • Manage billing in Salesforce CPQ

[Figure: Permission set groups fill the gap between profiles and permission sets]

As you can see, permission set groups fill the gap between profiles and permission sets. Since permissions are not strictly assigned to users (they get them through their membership in a group), you can now easily define and organize user access rights depending on their day-to-day tasks and their job title. You can also create several permission sets and dispatch them into several permission set groups so you do not have to duplicate them.

We recommend following these steps to implement permission set groups.

  • Simplify your profiles

Keep only basic profiles with the minimum rights you can grant your users. Since layouts, record types, Lightning apps, Lightning pages and login hours are assigned according to profiles, you should take only those criteria into account to manage profiles. If you are working on a new Salesforce organization, you should use standard profiles or create custom ones with minimum access rights focused on the Salesforce features that are directly linked to profiles.

  • Create permission set groups according to job roles

Define the job roles of your users and create a list of permission set groups that represent each of them. Simple use cases would be Sales users, Marketing users, Customer Support users or Analytics users.

  • Create permission sets based on user’s daily tasks

Once you’ve created your permission set groups, it is time to create permission sets according to the tasks your users do in their daily job. In our example, Elliot creates leads, reports his Sales Pipeline in Salesforce Tableau CRM and manages his clients’ invoices in Salesforce CPQ.

So we will create 3 permission sets, one for each task:

  • Create accounts
  • Reports in Tableau CRM
  • Manage invoices

Now the only thing left to do is to add our permission sets to the “Sales” permission set group.
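The steps above can be checked with a small access-review model. This is an added example, not code from the original post or from Salesforce: it resolves each user's effective permissions through group membership, flags permissions a profile still grants although a group already covers them, and lists permission sets reused across groups. Permission set and group names follow the article; the profiles, the user "dana", the "Marketing" contents and the permission strings are constructed for illustration.

```python
# Constructed sample data. Permission strings such as "Account:create" are
# illustrative labels, not Salesforce API names.
PERMISSION_SETS = {
    "Create accounts": {"Account:create", "Account:read"},
    "Reports in Tableau CRM": {"Analytics:view", "Analytics:create_report"},
    "Manage invoices": {"Invoice:read", "Invoice:edit"},
    "Send campaigns": {"Campaign:create"},
}
# Groups reference permission sets by name, so one set can serve several roles.
GROUPS = {
    "Sales": ["Create accounts", "Reports in Tableau CRM", "Manage invoices"],
    "Marketing": ["Send campaigns", "Reports in Tableau CRM"],
}
# Hypothetical profiles: one simplified, one cloned legacy profile.
PROFILES = {
    "Simplified Baseline": {"Login:ui"},
    "Legacy Sales Clone": {"Login:ui", "Account:create", "Invoice:edit"},
}
USERS = {
    "elliot": {"profile": "Simplified Baseline", "groups": ["Sales"]},
    "dana": {"profile": "Legacy Sales Clone", "groups": ["Sales"]},
}
BASELINE = {"Login:ui"}  # assumption: what a simplified profile may still grant


def effective_permissions(user):
    """Map each permission to the sources (profile, group/set) that grant it."""
    entry = USERS[user]
    sources = {}
    for perm in PROFILES[entry["profile"]]:
        sources.setdefault(perm, []).append("profile:" + entry["profile"])
    for group in entry["groups"]:
        for pset in GROUPS[group]:
            for perm in PERMISSION_SETS[pset]:
                sources.setdefault(perm, []).append(f"{group}/{pset}")
    return sources


def profile_overlap(user):
    """Permissions the profile still grants although a group already covers them."""
    profile = "profile:" + USERS[user]["profile"]
    return sorted(
        perm for perm, src in effective_permissions(user).items()
        if perm not in BASELINE and profile in src and len(src) > 1
    )


def shared_permission_sets():
    """Permission sets used by more than one group (defined once, not cloned)."""
    return sorted(p for p in PERMISSION_SETS
                  if sum(p in members for members in GROUPS.values()) > 1)
```

A non-empty `profile_overlap` result marks a profile that still carries permissions which can be removed from it, since the user's permission set group already provides them.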


 

Profile, the end?

Salesforce is encouraging everyone to move away from profiles. They are planning to terminate permission management on profiles in the long term to avoid mixing profiles with permission sets and groups. But profiles would still be required to manage page layouts and record types, as the picture below suggests:

[Figure: What can move from Profiles to Permission Sets? Determine what should be moved.]

Finally, if you want to migrate from profiles to permission set groups, check out the Permission Sets Helper App available on the AppExchange.

And if you want more information about how to create a permission set group, do not forget to read our article on the Texeï blog written by Loïc Nicolas.


 
