Admins / Security

Salesforce Permissions & Profiles: The Latest Retirement Updates

By Andrew Cook

Earlier this year, Salesforce announced that permissions on profiles would have an end-of-life date, which was penciled in for the Spring ‘26 release.

Let’s take a look at what this means for the ecosystem, as well as the latest updates from Salesforce.

Cheryl Feldman, Director of Product Management at Salesforce, has now made another announcement regarding this hot topic:

“Hey, #AwesomeAdmins, I wanted to update you on the End of Life of Permission on Profiles. We are no longer going to enforce the Spring ‘26 end-of-life date. However, I still wholeheartedly recommend you operate with a permission set-led security model. All of our investments are very mission set and permission set group focused from a permissions standpoint. In the coming weeks, you will see some updated blog posts from me on the @SalesforceAdmns blog.”

What Does This Mean?

In short, this update means that there is now no hard date for making the change from a profile-based security model to a permission-set-based security model. The recommendation is still to move to a permission-set-based model, especially with investment being focused on this moving forward.

I like to look at profiles in a similar view to change sets: they’re still here, and people can still make use of them, but there are much better ways of managing changes now.

Why You Should Still Make the Move

To put it bluntly, doing this will make managing your user permissions an awful lot easier. I have previously worked on a project to provide information on all users and their profiles as part of the process of becoming SOX compliant. This involved going through all users and profiles with a fine-toothed comb, outlining exactly why every single user had the specific permissions they had.

Now, had the organization been utilizing a permission-set-based model instead of the profile-based one, this process would have taken hours rather than weeks. I could simply list the permission sets and permission-set groups assigned to each user, and from there explain why each user had those permissions.

Planning

Planning is key for a project like this. For starters, you need to know your current profiles. If you have a Sales User and a Sales Manager profile, you need to understand the differences between the two. Likewise, if you have any Super User profiles, what permissions do these users have over regular users?

Plan how you can group permissions together. If you have a Sales Manager and Service Manager profile for example, can these be grouped into a single “Manager” permission set which gives access to things like reports and dashboards?

As much as you need to plan what permissions need to move from your profiles, you also need to identify what needs to stay. For example, if you have an international sales team, they may have different profiles due to login IP ranges depending on where they are in the world (Sales – US, Sales – EMEA, Sales – APAC, etc.).

In this instance, the different sales teams will need to stay on their respective profiles as the login IP ranges cannot be moved to permission sets. This doesn’t mean that you cannot move over permissions from the profile to a general sales permission set (such as managing opportunity records), but the base profile will need to remain.

You also need to communicate what is happening with your users. Tell them what you are doing and why. Give them a timeline of what is happening and when, and make sure to involve them in the process. They will play a huge role in testing your changes!

Documentation

This is something all admins should be doing regardless of the security model being enforced at their organization. Yet, very few are. So we should all be doing regardless of whether you’re going to move to a permission-set-based model or not.

The User Access and Permissions Assistant tool outlined below will help massively in doing this, but we should all be in a place where we are documenting all of our user permissions. There’s nothing worse than joining a new organization having no documentation to work with and having to discover everything by scratch.

User Access and Permissions Assistant

The Salesforce User Access and Permissions Assistant (UA) is a free tool designed to aid Salesforce Administrators in overseeing user permissions and access levels. This tool consolidates information, offering a centralized platform for reviewing, analyzing, and managing permissions, streamlining the process of ensuring users possess only the necessary access for their roles.

Key features of the User Access and Permissions Assistant include:

  1. Analyzer: Evaluate user permissions based on users, specific permissions, or permission set groups.
  2. Reporter: Generate reports on user permissions, permission assignments, and permission set usage.
  3. Manager: Oversee user permissions, permission set assignments, and permission set groups.
  4. Recommender: Receive recommendations for simplifying permission assignments.

For Salesforce Administrators, the UA proves invaluable to:

  • Enhance Security: Mitigate the risk of unauthorized access by restricting user permissions to the essentials.
  • Boost Efficiency: Streamline permission management, reducing the time spent troubleshooting permission-related issues.
  • Ensure Compliance: Fulfill compliance requirements by maintaining accurate records of user permissions.

User Access Policies

Salesforce User Access Policies are a new feature in Salesforce that allows you to automate and migrate your users’ assignments to access mechanisms, including managed package licenses, permission sets, and permission set groups.

This feature allows you to create rules to identify users with specific profiles and then assign them to new permission sets or permission set groups. This can be useful for migrating users from a profile-based permission model to a permission set-based permission model.

Enabling User Access Policies is now very simple to enable thanks to the work Cheryl Feldman and her team have done. Simply go into setup, search user management settings, scroll down to the user access policies option, and click enable.

Summary

The initial announcement that permissions on profiles was viewed with a lot of skepticism across the Salesforce Ecosystem, so this U-turn is no surprise. But that doesn’t take away from the fact that this is now the best practice in managing users. With the tools mentioned above, the process of migrating these changes isn’t as daunting.

After implementing these changes, Salesforce Admins can look forward to a significant reduction in challenges around managing permissions, leading to a vastly improved experience for end users.

The Author

Andrew Cook

Andrew is 14x certified and has worked in the ecosystem for 12 years.

Comments:

    Prométhée Charissis
    July 24, 2024 10:13 am
    Thanks for sharing the informations ! Would it be possible to have an official link of a SF article explaning this ?
    Andrew Cook
    July 30, 2024 9:14 am
    Hi Prométhée, You can see more information about this in the below link: https://admin.salesforce.com/blog/2023/permissions-updates-learn-moar-spring-23

Leave a Reply