Platform / News / Users

What the Community Really Thinks About Salesforce’s Permissions U-Turn

By Sasha Semjonova

In case you hadn’t heard, Salesforce recently cancelled the retirement of permissions in profiles. So if you’ve been preparing for it, now is the time to pause, step back, and work out what to do next. 

Salesforce cited customer feedback and feature gaps for this cancellation. However, this does not mean that the community is happy about this decision, even if many saw it coming… 

Note: If you’ve not yet read all the details, then you’ll want to read through this post here. Come right back!

What Happened To Profile Permissions?

Last week, Salesforce announced that it was backtracking on its commitment to removing permissions from profiles. This was initially planned to begin in Spring ‘26, but has now been cancelled.

This decision comes after a lengthy history with this particular timeline, which has been in place since January 2023. 

“I’m Not Surprised At All” 

Although this decision is significant and has puzzled many in the community, the most common response that we have received from the Salesforce community regarding this is some variation of “I am not surprised”. 

“Not surprised at all,” Sanna Siltanen, a Salesforce Solution Architect, told SF Ben. “[It’s] a big mess.” 

David Lanham, a Salesforce Admin, shared the same sentiment. “Not surprised at all!” he said. 

“This is pretty typical for Salesforce rollouts. I would imagine this is related to both the on-the-ground reality that many orgs are just not ready for this sort of transition, along with internal resources being shifted towards Agentforce.”

David also said that, as an admin, he would “try to ignore this” and still treat this as a migration from profile permissions to permission sets.

READ MORE: Moving from Profiles to Permission Sets: 5 Pitfalls to Avoid

Skot Nelson, a Salesforce Solutions Architect and Lead, also seemed to share some of David’s thoughts, saying: “Permission sets and groups are still better for object permission, especially when combined with user access policies.”

Is It Part of Something Larger?

The community has also begun to consider what happens now, what the best next steps are, and whether we could see the retirement coming back in at some point in the future. 

Louise Lockie, Salesforce MVP, told SF Ben that she believed that the retirement is indeed still “on the (very) long-term roadmap”

“[…] it is a task which involves so many different departments contributing (or at least bringing their own areas in line) that it became a task too big for a time when (let’s face it) 99.9% of SF’s efforts are going into Agentforce,” she said. “What hasn’t changed though is that it is best practice, and that everyone who has made the change has a more secure and scalable data access model because of it.”

READ MORE: Salesforce Security Roadmap 2026: What’s Changing and How to Prepare

In terms of next steps, Salesforce does have its own guidance, but Beech Horn, a Salesforce Technology Manager and Architect, said it best: “Permission set all the things.”

“Make everything available via a profile configurable elsewhere, then let us assign no profile to users and delete all our profiles in preparation. Also a great time to move from inconsistent metadata where, for instance, permission set XML files don’t hold all permission set details.”

Simon Whight, the Director Analyst of Enterprise Apps at Gartner, provided a slightly different perspective, explaining that this decision actually shows Salesforce is aware of its customers’ struggles. 

“The challenge is that permission modernization is often difficult to justify as a standalone initiative,” he told SF Ben. “Profiles become deeply embedded across an org over many years, and transitioning to a more permission-set-centric model can require significant analysis, testing, and change management.

“For many enterprises, this can represent months of work with little immediately visible business impact, making it a difficult investment to prioritize against revenue-generating or transformational projects. In that context, extending the deadline appears to acknowledge the realities facing larger enterprises.”

Let the Focus Remain on Security

Simon also highlighted that ensuring security remained the biggest priority despite this decision – whether an admin chooses to still migrate or take a slightly different approach.

“In client conversations, security remains a consistent concern, but discussions tend to focus on broader strategic issues such as governance, risk management, AI readiness, and overall platform security posture rather than specific remediation activities around profiles and permissions,” he said. 

“Reducing access-related blast radius should continue to be a priority for organizations seeking to improve their security posture.”

He explained that organizations should treat profile remediation as part of a broader platform security and governance strategy, rather than a one-time compliance exercise, and this holds true for many other security changes enforced by Salesforce or otherwise. 

Salesforce has provided further guidance on this through a help page, which is part of the Shared Responsibility Model. Now, customers have to decide what they do next in the face of this cancelled retirement. 

Final Thoughts

This U-turn from Salesforce has understandably put some community members off, and it’s easy to see why when you consider this was all set in motion nearly four years ago.

Ultimately, the focus should now be on working according to the principle of least privilege, with permission sets and permission set groups an easy way to do this.

The Author

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.

Leave a Reply