Perms Are Not for Hair- Understanding User Access
Summary
User permissions in Salesforce are moving away from being managed primarily by user profiles to a model where profiles hold minimal settings and permission sets handle most permissions. The article uses the metaphor of a layer cake to explain how licenses, basic profiles, and multiple permission sets combine to define user access. It warns admins to start planning for a permission set-centric approach and shares practical advice on building baseline permission sets and the drawbacks of permission set groups. This helps Salesforce teams prepare and cleanly design access models that are scalable and manageable in the near future.
Takeaways
- Plan for user access using a layered model: license, profile, then permission sets.
- Create a baseline permission set for common access shared by all users.
- Minimize reliance on permission set groups due to complexity and silent failures.
- Profiles will retain only 1:1 settings, shifting most permissions to permission sets.
- Assign multiple permission sets rather than one group for clearer access tracing.
Once upon a time, user permissions ("perms") were controlled by user profiles. Then in 2023, Salesforce announced, via a blog post from Cheryl Feldman , the "end of life" (EOL) of permissions on profiles. Eventually profiles will be stripped nearly bald and all permissions will be assigned by permission sets. All that will be left on profiles will be those settings or permissions that are 1:1 with a user, like the default app, default record type, page layout assignment, login hours, and a handful of other things. Everything else, including settings like Edit Reports, or object and field access will be assigned as part of a permission set (or "permset"). It's a couple years later and I'm not sure we're really any closer to that future from a technical standpoint. That blog post has been updated a few times to indicate that the EOL for permissions on profiles is not on the horizon.