CRM Science
Jun 20, 2023
Welcome to the second part of our blog series on navigating the end of life of profile permissions with Permission Sets and Permission Set Groups. In the previous article, we delved into the concept of managing permissions using these powerful tools. Now, in this second installment, we will roll up our sleeves and dive into a hands-on exploration of permission sets and permission set groups. Get ready to take your Salesforce permissions to the next level as we delve into practical examples and best practices for effectively utilizing these features. Let's begin our journey towards mastering permission sets and permission set groups.
Log in to your Salesforce account and go to the Setup menu by clicking on the gear icon in the upper-right corner of the screen
In the Setup menu, click on the Users option and then select Permission Sets from the dropdown
Click the New button to create a new permission set
Give the permission set a name and a description that clearly describes its purpose
*The importance of this step cannot be overstated.
The naming convention should clearly define what the permission set does
The description should include all permissions assigned to the permission set
*Our recommendation is to use Permission Sets for feature based permissions, and Permission Set Groups to house permission sets by role or job function.
Tips: Use prefixes to display the type of permission
Object Permissions: [Object Name] - [what the permission does]
System Permissions: SYS - [what the permission does]
Tab Permissions: TAB - [which tab the permission applies to]
Apex: APEX - [name of Apex Class]
Visual Force: VF - [name of visualforce page]
Add Permissions to the Permission Set
Permissions are segmented between App & System. Click on the hyperlink for the type of permission you are adding. (For the example below, we will be adding Read, Create, and Edit access to Accounts, but the process would be the same for other permissions)
Click Object Settings
Select the object (Accounts)
Click the Edit button to make changes
Use the checkbox fields to select the Object & Field Level permissions
Click Save
Repeat the above steps for any other permissions needing to be added to the permission set
In the Setup menu, click on the Users option and then select Permission Sets from the dropdown
Click the Clone link beside the permission set you want to copy
Update the Label, API Name, and Description for the new Permission Set, and click Save
Add or Remove the permissions needed for the new permission set
In the Setup menu, click on the Users option and then select Permission Set Groups from the dropdown
Click the New Permission Set Group button to create a new permission set group
Give the permission set group a name and a description that clearly describes its purpose, and click Save
*Our recommendation is for Permission Set Groups to be Persona or Role based, where Permission Sets should be feature based and user/role agnostic.
Click Permission Sets in Group
Click Add Permission Set to assign permission sets to the Permission Set Group
Use the checkbox fields to select the Permission Sets that need to be added to the Group, and click Add, and then Done
A Muting Permission Set allows administrators to restrict access to functionality within a Permission Set Group.
For example, let’s say we want to ensure that a Permission Set Group never receives access to view encrypted data. Since permission set groups will continue to evolve, adding a Muting Permission provides us the ability to restrict this capability regardless of which permission sets end up being added to the group.
In the Setup menu, click on the Users option and then select Permission Set Groups from the dropdown
Click on the name of the Permission Set Group
Click the Muting Permission Set in Group button
Click New
Enter a detailed label of what is being Muted, and click Save
Click the Muting Permission Set Label
Select the category that needs to be muted (in our case, System Permissions)
Check the Muted box beside the Permission needing to be Muted, and click Save
*Muted Permissions only apply to the Permission Set group they are applied to. If a user was assigned “View Encrypted Data” in a separate permission set or permission set group, they would still have access to this functionality.
Users can be assigned to Permission Sets and/or Permission Set Groups. Best practice would be to handle all assignments at the Permission Set Group level where possible.
In the Setup menu, click on the Users option and then select Permission Set Groups from the dropdown
Click on the name of the Permission Set Group
Click the Manage Assignments button
Click Add Assignment
Select the users needing to be added by clicking the checkbox field beside their name(s), and click Next
Choose an Expiration Option for the Assigned Users, and click Assign
In the Setup menu, click on the Users option and then select Permission Set Groups from the dropdown
Click on the name of the Permission Set Group
Click the Manage Assignments button
Check the box beside the users name needing to be removed from the Permission
Click the Trash icon to remove the user from the Permission Set Group OR
Click the Pencil icon to edit the users Expiration Options on the Permission Set Group
Permission Sets and Permission Set Groups by default require manual assignment. However, once the permissions are well defined, Salesforce Flows support automation of permission assignments.
The Permission Set Assignment object in flow supports the assigning of both Permission Sets & Permission Set Groups
Conclusion
Permission sets and permission set groups are powerful tools in Salesforce that can help ensure users have the necessary access to do their jobs while maintaining security and data privacy. By following these best practices, you can create a robust permission management system that meets the needs of your organization while reducing risk.