We all knew it was coming, and now it's official. The End of Life for Profile Permissions was announced as part of the Spring 26 release:
“What do I do now” might be a question floating around in your head. The vast majority of your permissions are likely handled at the Profile Level.
Enter Permission Sets & Permission Set Groups. Maybe you have used them to grant access to a managed package, apex class, or individual feature, but now they take center stage as the best practice for handling Salesforce permissions going forward.
In this blog, we will define Permission Sets and Permission Set Groups, and provide best practices on how they can be set up for your organization.
Permission sets and permission set groups are powerful tools in Salesforce that allow administrators to grant users access to specific features and data based on their job roles and responsibilities. When used correctly, permission sets and permission set groups can help ensure that users have the necessary permissions to do their jobs without granting them unnecessary access to sensitive data.
Best Practices Overview
How permission sets and permission set groups are configured will vary from company to company, but each of the below steps should be followed regardless of your business model. We will start with Best Practices that apply to both Permission Sets & Permission Set Groups, and then we can dive into configuration steps for each.
1. Plan Ahead
Before creating permission sets or permission set groups, it's important to:
Assess the current state of your org’s Profile permissions
If the Profile permissions have been clearly defined, the process will be primarily based on moving existing Profile Permissions over to Permission Set/Permission Set Groups.
If the Profile permissions are not clearly defined, this is a great time to re-define what access which users need in your Salesforce org.
Plan ahead and determine what access each user or group of users needs
Consider the impact of granting certain permissions to users, such as the ability to view or edit sensitive data
Make sure you understand the business processes of your organization and the roles and responsibilities of each user before creating permission sets
2. Use Naming Conventions
When creating permission sets and permission set groups, it's important to use consistent naming conventions. This makes it easier to identify and manage permission sets and groups over time.
For example, you could use a naming convention like "PSG - [Job Role]" for permission set groups or "PS - [Feature or Object]" for individual permission sets.
3. Document your permission sets and groups.
As your organization grows and changes over time, it's important to have documentation of your permission sets and groups. This can help ensure that new administrators understand the permissions that have been granted and can help identify any potential security risks. Consider using a wiki or other documentation tool to keep track of your permission sets and groups.
4. Assign permission sets and groups carefully
When assigning permission sets and groups:
Be careful to only grant users the permissions they need to do their jobs.
Avoid granting broad permissions that could give users access to sensitive data or features they don't need.
Review and update permissions periodically to ensure that users still need the permissions granted to them.
5. Test your permission sets and groups
Before deploying permission sets and groups to production, it's important to test them in a sandbox environment. This can help ensure that users have the necessary permissions to do their jobs and that there are no unexpected security risks.
Consider setting up a test plan that includes testing each permission set and group individually and in combination with other permission sets and groups.