Tutorials / Admins

Introduction to Permission Set Groups

By Bill Appleton

In the Spring ’20 release, Salesforce unveiled technology that revolutionized how Admins can organize the permissions in their Org. This technology is known as Permission Set Groups.

Permission Set Groups allow Permission Sets to be grouped together and assigned to Users. This technology promises to reduce the dependence on Profiles and provide greater clarity and agility for all permission assignments, because sometimes, Profiles are too big, and Permission Sets are too small.

Profiles Are Too Big

In the early days of Salesforce, the only way to control User permissions was with the Profile object. Profiles are complex bundles of permissions. Every User must be assigned exactly one Profile. Over time, more and more permissions were added to the Profile object. At this point, the average Profile includes so many different permissions that they are cumbersome to work with.

Profile management also has a nasty tendency to be driven by User complaints instead of top-down security design. Users often ask for new permissions based on their job description, but they almost never come back and tell an Admin to remove old permissions that they no longer need. The end result of this one-way street is that Profiles often grant too much access for too many Users.

Permission Sets Are Too Small

In order to alleviate this problem, Salesforce introduced Permission Sets back in 2012. Permission Sets are like miniature Profiles. They are sparse in nature and only include granted permissions. They are a great way to handle exceptions for individual Users. Permission Sets can be assigned to multiple Users and are much more agile and atomistic than Profiles.

But Permission Sets are not a general-purpose replacement for Profiles. They don’t include information about Page Layout assignments, Application visibility, Record Type visibility, or Login Hours. And the web of User Permission Set Assignments can become complex. For example, if you have 1000 Users that need 1000 Permission Sets than you will need one million assignments.

Permission Set Groups Are Just Right

Currently in beta release, Permission Set Groups allow any number of Permission Sets to be bundled up with a new name and description. Permission Set Groups can be individually assigned to Users just like Permission Sets. This may seem like a simple feature, but if applied properly, Permission Set Groups can revolutionize the structure of your Org. Let’s look in more detail at this change in architecture. In the early days of Salesforce, each User had a single Profile.

Then, with the introduction of Permission Sets, additional permissions could be assigned to an individual User.

Now, Permission Set Groups allow bundles of permissions to be assigned to a User. They fill the gap between monolithic Profiles and atomistic Permission Sets.

Your Permission Architecture

In the illustration above, Bob has been assigned the Marketing Profile. This Profile only includes the basic permissions needed for any Marketing User. Bob is a member of the Advertising Team, and so he has been assigned the Permission Set Group for that team. Lastly, Bob runs analytics for Marketing, so he has been assigned the Permission Set for Einstein Analytics to cover this special case.

An Admin or Security Officer can look at this structure and see by inspection that Bob’s permissions are correct. The complexity of the Profile object is unpacked into a more human readable structure based on Permission Sets and Permission Set Groups. Your permission architecture should emphasize clarity, context, and meaning.

So How Do We Get There?

This section discusses some techniques to reduce the reliance on Profiles and make better use of Permission Sets and Permission Set Groups. Take a look at two similar Profiles in the diagram below.

They can be combined into a single new base Profile along with two Permission Sets that make up the difference. The Users are reassigned to the new base Profile, so there is no change in the original User permissions.

As a result of this change the Org has one less Profile. The permission differences have been moved out of the Profile and into the two Permission Sets.

Here is another example. Let’s say that over time an Org has ended up with too many Permission Set assignments. How can this be simplified?

These three Permission Sets are assigned to multiple Users. Capture the reason for this in a name and create a new Permission Set Group that simplifies the assignments.

 Assignment Complexity

All the complexity used to be hidden inside the monolithic Profile object. But now some of this complexity will move into the web of assignments between Users, Permission Sets, and Permission Set Groups. Salesforce connects Permission Sets to Permission Set Groups with the PermissionSetGroupComponent junction object. Both Permission Sets and Permission Set Groups are connected to the User with another junction object, the PermissionSetAssignment. Moving forward, Admins will need to be able to quickly edit all these connections in order to manage their permissions.

Summary

Permission Sets and Permission Set Groups are an exciting technology that can revolutionize Org management. This blog has covered these capabilities that are available and some of the best practices to take advantage of them.

By the way, Metazoa provides a free report on the AppExchange that can help Admins visualize the permissions in any Org. We are also conducting a Webinar on Feb 13 to discuss this topic in more detail, please join us.

The Author

Bill Appleton

Bill is an expert on smart clients and API services. He is currently the CTO at Metazoa where he works on the Snapshot Org Management application.

Comments:

    Megan
    April 23, 2020 12:16 am
    Hi, I am looking for 'permission set groups' from setup(quick find/search) but it is not available. Do I need to enable it from somewhere?
    Bill Appleton
    April 24, 2020 3:29 pm
    Hi Megan, The new Permission Set Group option will be right there in Setup, but some older Developer Edition Orgs don't have the option. Any new Org (even Scratch Orgs) will have this option. All the Production Orgs I have seen have the option. I have not seen any switch or setting that enables the feature. If your Production Org does not have the feature then I would ask my sales rep. Sorry I don't have a better answer... Bill
    Jyothi
    May 04, 2020 5:49 pm
    Hi, I was trying to do challenge for maintaining admin certification Spring 20 and i do not see ‘permission set groups’ from setup(quick find/search) .It is not available my Trail head playground.
    Bill
    May 12, 2020 5:19 pm
    Same issue as Jyothi, it is not in my trailhead playground
    Bill Appleton
    May 13, 2020 4:47 pm
    Seems like older developer orgs were never updated, but older production orgs were updated.
    Shruthi
    February 05, 2021 12:31 pm
    Hi I do not find the 'permission set group' on my personal sandbox, any chances that this will be updated?? since this seems to be an existing issue with above mentioned
    Christine Marshall
    February 17, 2021 11:17 am
    Hi Shruthi, It does appear that older developer orgs do not contain this feature. Christine
    Suraj Yadav
    April 01, 2021 6:02 am
    Hi Jyothi, You need to create your own trailhead playground in order to see that feature, it will not reflect in the old org.
    Yuval Bar
    November 08, 2021 2:45 pm
    Hi, I am trying to access with user that is not admin what premission set are inside a premission set group and apex and I cant. Do salesfore have a solution for that?
    Bill Appleton
    November 09, 2021 5:07 pm
    Hi Yuval, you need administrative credentials to use the Metadata API. However, many things in the Metadata API are now available through the SOAP Data API. For example, there is a junction object named PermissionSetGroupComponent that shows the connections between Permission Set Groups and Permission Sets. You might be able to get the information you need there. Best, Bill
    Enrique
    April 12, 2022 7:58 pm
    Hi, do you know if there is a way to find out which groups a permission set is added to if I only have the permission set name? Regards
    Bill Appleton
    April 21, 2022 5:08 pm
    Hi Enrique, using the SOAP API look at the PermissionSetGroupComponent, this is the junction object between Permission Set Groups and Permission Sets. If you have our Snapshot product you can find this information many places. The "User Permission Assignments" interface shows all the junction objects and allows for quick editing of them as well.

Leave a Reply