In the Spring ’20 release, Salesforce unveiled technology that revolutionized how Admins can organize the permissions in their Org. This technology is known as Permission Set Groups.
Permission Set Groups allow Permission Sets to be grouped together and assigned to Users. This technology promises to reduce the dependence on Profiles and provide greater clarity and agility for all permission assignments, because sometimes, Profiles are too big, and Permission Sets are too small.
Profiles Are Too Big
In the early days of Salesforce, the only way to control User permissions was with the Profile object. Profiles are complex bundles of permissions. Every User must be assigned exactly one Profile. Over time, more and more permissions were added to the Profile object. At this point, the average Profile includes so many different permissions that it is cumbersome to work with.
Profile management also has a nasty tendency to be driven by User complaints instead of top-down security design. Users often ask for new permissions based on their job description, but they almost never come back and tell an Admin to remove old permissions that they no longer need. The end result of this one-way street is that Profiles often grant too much access for too many Users.
Permission Sets Are Too Small
In order to alleviate this problem, Salesforce introduced Permission Sets back in 2012. Permission Sets are like miniature Profiles. They are sparse in nature and only include granted permissions. They are a great way to handle exceptions for individual Users. Permission Sets can be assigned to multiple Users and are much more agile and atomistic than Profiles.
But Permission Sets are not a general-purpose replacement for Profiles. They don’t include information about Page Layout assignments, Application visibility, Record Type visibility, or Login Hours. And the web of User Permission Set Assignments can become complex. For example, if you have 1000 Users that need 1000 Permission Sets, then you will need one million assignments.
Permission Set Groups Are Just Right
Currently in beta release, Permission Set Groups allow any number of Permission Sets to be bundled up with a new name and description. Permission Set Groups can be individually assigned to Users just like Permission Sets. This may seem like a simple feature, but if applied properly, Permission Set Groups can revolutionize the structure of your Org.
Let’s look in more detail at this change in architecture. In the early days of Salesforce, each User had a single Profile.
Then, with the introduction of Permission Sets, additional permissions could be assigned to an individual User.
Now, Permission Set Groups allow bundles of permissions to be assigned to a User. They fill the gap between monolithic Profiles and atomistic Permission Sets.
Your Permission Architecture
In the illustration above, Bob has been assigned the Marketing Profile. This Profile only includes the basic permissions needed for any Marketing User. Bob is a member of the Advertising Team, and so he has been assigned the Permission Set Group for that team. Lastly, Bob runs analytics for Marketing, so he has been assigned the Permission Set for Einstein Analytics to cover this special case.
An Admin or Security Officer can look at this structure and see by inspection that Bob’s permissions are correct. The complexity of the Profile object is unpacked into a more human readable structure based on Permission Sets and Permission Set Groups. Your permission architecture should emphasize clarity, context, and meaning.
So How Do We Get There?
This section discusses some techniques to reduce the reliance on Profiles and make better use of Permission Sets and Permission Set Groups. Take a look at two similar Profiles in the diagram below.
They can be combined into a single new base Profile along with two Permission Sets that make up the difference. The Users are reassigned to the new base Profile, so there is no change in the original User permissions.
As a result of this change, the Org has one fewer Profile. The permission differences have been moved out of the Profile and into the two Permission Sets.
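The Profile merge described above can be planned and checked before any User is reassigned. The sketch below is an added example, not Metazoa or Salesforce code; the profile names, permission names and settings are constructed. It assumes each Profile is reduced to a set of grants plus the settings that Permission Sets cannot carry (Page Layouts, Login Hours), which must already match or the merge changes behaviour.

```python
# Added example; profile names, permission names and settings are constructed.
PROFILES = {
    "Marketing_A": {
        "grants": {"Lead.Read", "Lead.Edit", "Campaign.Read", "Campaign.Edit"},
        "profile_only": {"login_hours": "08-18", "lead_page_layout": "Marketing"},
    },
    "Marketing_B": {
        "grants": {"Lead.Read", "Campaign.Read", "Report.Export"},
        "profile_only": {"login_hours": "08-18", "lead_page_layout": "Marketing"},
    },
}

def plan_merge(profiles):
    """Return (base_grants, deltas, blockers) for merging the given profiles."""
    grant_sets = [p["grants"] for p in profiles.values()]
    # Permission Sets only add access, so the base may hold nothing that
    # any one of the old profiles lacked: take the intersection.
    base = set.intersection(*grant_sets)
    deltas = {name: p["grants"] - base for name, p in profiles.items()}
    # Settings a Permission Set cannot carry must already match across profiles.
    keys = set().union(*(p["profile_only"] for p in profiles.values()))
    blockers = sorted(
        k for k in keys
        if len({p["profile_only"].get(k) for p in profiles.values()}) > 1
    )
    return base, deltas, blockers

def access_changes(profiles, base, deltas):
    """Per old profile, the (gained, lost) grants once its users sit on the base."""
    changes = {}
    for name, p in profiles.items():
        after = base | deltas[name]
        if after != p["grants"]:
            changes[name] = (after - p["grants"], p["grants"] - after)
    return changes
```

An empty result from `access_changes` and an empty `blockers` list mean the reassignment leaves every User's access as it was. Choosing one of the old Profiles as the base instead shows up as gained grants for the Users of the other.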
Here is another example. Let’s say that over time an Org has ended up with too many Permission Set assignments. How can this be simplified?
These three Permission Sets are assigned to multiple Users. Capture the reason for this in a name and create a new Permission Set Group that simplifies the assignments.
Assignment Complexity
All the complexity used to be hidden inside the monolithic Profile object. But now some of this complexity will move into the web of assignments between Users, Permission Sets, and Permission Set Groups. Salesforce connects Permission Sets to Permission Set Groups with the PermissionSetGroupComponent junction object. Both Permission Sets and Permission Set Groups are connected to the User with another junction object, the PermissionSetAssignment. Moving forward, Admins will need to be able to quickly edit all these connections in order to manage their permissions.
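The grouping step from the previous section and the two junction objects can be modelled together. This is an added example, not code from the original post; the rows, user names and Permission Set names are constructed, and plain tuples stand in for PermissionSetAssignment and PermissionSetGroupComponent records. It finds the bundle worth grouping, rewrites the assignments, and expands them again so the result can be compared with the starting point.

```python
# Added example. Rows are constructed; tuples stand in for the junction objects
# PermissionSetAssignment (user, target) and PermissionSetGroupComponent (group, set).
from collections import Counter
from itertools import combinations

ASSIGNMENTS = [  # constructed sample: (user, permission set)
    ("bob", "Ads_Campaigns"), ("bob", "Ads_Budget"), ("bob", "Ads_Reports"),
    ("bob", "Einstein_Analytics"),
    ("amy", "Ads_Campaigns"), ("amy", "Ads_Budget"), ("amy", "Ads_Reports"),
    ("raj", "Ads_Campaigns"), ("raj", "Ads_Budget"), ("raj", "Ads_Reports"),
    ("kim", "Ads_Reports"),
]

def sets_by_user(assignments):
    held = {}
    for user, target in assignments:
        held.setdefault(user, set()).add(target)
    return held

def best_bundle(assignments, min_users=2):
    """Bundle of 2+ Permission Sets whose grouping removes the most assignment rows."""
    counts = Counter()
    for held in sets_by_user(assignments).values():
        for size in range(2, len(held) + 1):
            counts.update(combinations(sorted(held), size))
    shared = {b: n for b, n in counts.items() if n >= min_users}
    return max(shared, key=lambda b: shared[b] * (len(b) - 1), default=None)

def regroup(assignments, bundle, group):
    """Swap the bundle for one group assignment, only for users holding all of it."""
    components = [(group, ps) for ps in bundle]
    rows = []
    for user, held in sets_by_user(assignments).items():
        if set(bundle) <= held:
            rows.append((user, group))
            held = held - set(bundle)
        rows += [(user, ps) for ps in sorted(held)]
    return rows, components

def effective_sets(assignments, components):
    """Expand group assignments back into the Permission Sets each user ends up with."""
    members = {}
    for group, ps in components:
        members.setdefault(group, set()).add(ps)
    out = {}
    for user, target in assignments:
        out.setdefault(user, set()).update(members.get(target, {target}))
    return out
```

In the sample, kim holds only one of the three grouped Permission Sets and therefore keeps a direct assignment. Assigning the group to kim would grant the other two.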
Summary
Permission Sets and Permission Set Groups are an exciting technology that can revolutionize Org management. This post has covered the capabilities that are available and some best practices for taking advantage of them.
By the way, Metazoa provides a free report on the AppExchange that can help Admins visualize the permissions in any Org. We are also conducting a Webinar on Feb 13 to discuss this topic in more detail. Please join us.