Security / News

Salesforce Backtracks on Permission Retirement in Profiles

By Tim Combridge & Mariel Domingo

Highlights

  • Salesforce has recently cancelled the retirement of permissions in profiles.
  • The principle of least privilege is still the best practice, and Permission Sets still provide the best building block to achieve this. 
  • Admins’ first step should be to review where their permission distribution currently stands and identify gaps between this and best practice. 

Salesforce has backflipped on its commitment to removing permissions from profiles. According to Salesforce, the retirement that was planned to begin in Spring ‘26 has been delayed indefinitely following feedback from customers, as well as the fact that there are still quite a number of feature gaps. 

One thing that needs to be super clear: just because Salesforce is cancelling the retirement, it doesn’t mean that they’re removing the reason behind it. Security is critical, and best practice is to follow the principle of least privilege. Good security architecture is your best defense against a bad actor. 

What Changed, and How We Got Here

To appreciate how tired this deadline is, it helps to walk through its life:

January 2023, Salesforce announced the end-of-life of permissions on profiles. The target was initially in Spring ’26, and at the time, three years felt like a generous runway. It was bound to be a huge development, but this news was treated by the ecosystem more like a signal to “start planning now” instead of an emergency or urgent need to transition.

READ MORE: Moving from Profiles to Permission Sets: 5 Pitfalls to Avoid

Barely a year in, Salesforce softened its own deadline in 2024. Cheryl Feldman, Director of Product Management, posts that Salesforce is “no longer going to enforce the Spring ’26 end-of-life date,” but still recommends a permission-set-led security model going forward. 

Profiles will no longer be getting new investments or features, but they also aren’t going anywhere on a fixed clock anymore. We can say this is the first walk-back, with no new date, so safe to say it’s sort of a postponement.

Last month, Salesforce’s Knowledge article on this was quietly updated to say the retirement has been cancelled. Yes, not just delayed or deprioritized. 

But Why?

According to the doc, the reversal comes down to two things: customer feedback and remaining feature gaps. 

It seems enough orgs have pushed back, and the tooling actually wasn’t fully ready to support a clean migration at scale. 

In fact, our recent SF Ben Admin Survey even revealed that only 20.5% of organizations have fully transitioned away from Profiles and into a Permission Set-led security model.

This Is Frustrating

As someone who performed many migrations from profiles to permission sets as a consultant, this has been one of the most frustrating experiences that I can think of. 

Permissions are the crux of everything that Salesforce as a platform is – if they need to change (which they do), then the instructions must be clear. The new method must close the gaps and be architected better than the original solution. Most of all, the goal posts must not change

I’ve led conversations with many clients over the last few years, explaining that they should delay other enhancements on the platform until they move away from profiles entirely. Again, this is because of the timeline Salesforce itself had laid out, and the fact that Profiles are very rigid and unscalable. 

READ MORE: Salesforce Permission Sets vs. Profiles: Why Most Orgs Are Still Stuck

I can totally agree with and understand that there have been feature gaps that have meant delays for this migration. While a majority of functionality is now shared between the two, and Permission Set Groups make it easier to manage and deploy them at scale, the gaps have made things difficult.

Record Type access and App Defaults, for example, have been a thorn in my side many times when it came to designing scalable solutions. Similarly, Salesforce has been on the fence about Page Layouts for a long time now. Dynamic Forms, Related Lists, and Actions replace a majority of Page Layout features. Page Layouts remain firmly in the profile era. 

Salesforce customers have worked with what’s been available and left space for what is coming in the future. And now… the future is changing. The goal posts are changing. 

Two Years of Guessing

Frustration with working around feature gaps, plus roadmap decisions built on top of a deadline that turned out not to be load-bearing, is understandable. 

The cancellation itself is only part of the story. When you think about it, walking away from a deadline that the tooling can’t support is, technically, the responsible call. But what of the two years admins have spent in between?

If we all took the January 2023 announcement very seriously, there was a real decision to make: How do we start the transition? Hearing “we’re no longer enforcing this retirement date” in 2024 was pretty vague and also changed the urgency. Does it mean we have to stop planning, or does it mean the date just moved, and you should keep going? Salesforce never actually said outright that everything was framed as the recommended action or best practice, so for all this time, the retirement was just a blurry deadline hanging over our heads. 

Some admins may have kept quietly migrating just in case. Others had that task drop lower and lower on their to-do lists. Neither group got a straight answer until this week – and whichever way you went, you spent two years making a judgment call Salesforce could have just… made solid, in writing, back then.

The tax is becoming less about the migration itself, because it’s becoming more about building anything on top of a Salesforce timeline you can’t actually rely on. MFA Enforcement is the next big deadline on the calendar. Given what just happened here, will admins take it as seriously as they should?

READ MORE: How to Prepare for Salesforce’s Mandatory MFA Changes in 2026

What Admins Need to Do Now

Thankfully, the enhancements that Salesforce has made in this space have not been in vain. Salesforce’s recommendation for best practice is still to follow the principle of least privilege, and this is best achieved through Permission Sets and PS Groups

If you’ve not yet migrated what you can from profiles over to more scalable options like Permission Sets, you should still consider this a priority. While the timeline for permissions in profiles has been cancelled, the reason behind the original decision is still very valid. 

The principle of least privilege is the best design methodology for deploying permissions across Salesforce, and Permission Sets empower Salesforce Admins to be able to do this with the least friction possible. 

READ MORE: Clean Up Profiles and Permission Sets in Salesforce

Your immediate first step, whether you’re done with your initial migration or not, should be to perform a quick review of your current permission needs and how you’re delivering them. The reality is now that you’re no longer bound by Salesforce’s timeline. 

However, without a proper security architecture in place, you’re simply waiting for a bad actor to gain access and do some damage in your org. That is something that no Salesforce timeline or feature deprecation will prevent – you need to do your part to protect your own data. 

Notably, this is the first time that I can think of where a retirement has been totally cancelled. There were examples of delays (like permissions on profiles in the past, Salesforce for Outlook from 2024 to 2027), but never a total cancellation. This complete backflip on messaging for such a major change that was due to impact quite literally every single Salesforce org in existence is a big deal, and undermines the validity of any future retirement statements from Salesforce. 

Final Thoughts

This change is one that perhaps we should have seen coming, given the significant impact of such a change and the gradual slowing of comms from Salesforce about it over the years. That, and the fact that this timeline was quietly extended in 2024, is an interesting pattern and one to consider when it comes to future changes.

The best practice approach remains the principle of least privilege – and Permission Sets and Permission Set Groups empower admins to do this simply. Profiles still lag behind, and this doesn’t change because Salesforce has walked back a retirement. 

Have you performed a migration of permissions from profiles to another technology? Will this cancellation change the way you do things going forward? Are you frustrated about this change of messaging? Let us know in the comments.

The Authors

Tim Combridge

Tim is a Technical Content Writer at Salesforce Ben.

Mariel Domingo

Mariel is a Technical Content Writer at Salesforce Ben.

Leave a Reply

Comments:

    Christian Belko
    July 09, 2026 2:28 pm
    I just had my team complete a migration from Profiles to Permission Sets and organizationally it was a success! It took some time, but overall we now use Permission Sets and Groups to manage access and have all Users in a significantly sized org down to one Profile. I've been in the Salesforce space for 15+ years and can tell you that this something that should be done sooner, not kicking the can down the road. Admins and their Orgs should definitely plan on making the switch as a priority in the second half of this year. Not doing this presents significantly more risk, especially in mature orgs with technical debt sprawl and limited oversight.
    Bill Appleton
    July 09, 2026 3:35 pm
    This is the right thing to do. Profiles are often used as baseline permissions. There is nothing wrong with that. Removing permissions from Profiles them would have been extremely disruptive. Customers fall into three groups on this: (1) profiles are not causing problems (2) massive technical debt afraid to touch anything (3) already transitioning to simplified Profiles with Permission Sets.