Let’s start with a definition straight from the Salesforce website. A Permission Set is a collection of settings and permissions that give users access to various tools and functions. I’m sure you are thinking that Profiles do the same, but the main difference between Profiles and Permission Sets is that while I can assign just one Profile to a user, that user can have many Permission Sets assigned at the same time.
Now here is a short example to explain the differences:
You are a user with a Profile that allows you to double check the expenses that are created before being approved by someone else above you in the hierarchy. However, for a period of time the person who approved them is not in the office and you are responsible for performing this action as well. In this case, we have multiple options.
- Modify the Profile in order to allow you to update the expenses and give you more than just read access to this object. This would not be a good idea as it would give update access to everybody who has this Profile assigned.
- Assign the manager Profile to you temporarily. This is not ideal, as you would have access to all processes that your manager has.
- Create a new Profile for this action. From an admin perspective, this is not the best idea. How many Profiles would we have in our platform if we did something like this every time we needed it?
If our system had Permission Sets instead of only Profiles, we could temporarily assign you the Expense Update access Permission Set that the manager has, so you would also be able to edit the Expenses. No one else would gain the right to do it, and in the end you are reusing something that already exists.
I was ready to dive into our product and try to find a good way to leave Profiles with minimum information and create Permission Sets. My first thought was “try to make them as simple as possible so that I can reuse them easily”. And I started creating 4 permission sets for the Account object.
- Account Read access
- Account Create access
- Account Update access
- Account Delete access
But after a couple of hours doing this I wondered how many Permission Sets I could create if I took into account that our product has around 50 processes, each one with at least 1 action, and for most of them at least 2 objects take part in these actions. How many permission sets should I create?
“When he woke up, the dinosaur was still there.” Augusto Monterroso.
This is the shortest tale written in Spanish and I can use it to explain how I felt after realizing that our product would need hundreds of Permission Sets. That would be completely unmanageable for the administrator, who could really see the dinosaur after clicking on the Permission Sets link. So actually I was doing something wrong.
I would recommend that you follow this advice in order to create a good design.
- Granularity is good, as long as you don’t create a monster.
- Try to create them in a way that lets you reuse these permission sets, so you don’t need to increase their number needlessly.
- If you follow the first two points, you might create a large number of permission sets. Consider whether you really need all of them. Maybe all your users have CRUD access to Account, so you don’t really need to create four Permission Sets, one for each Account action; one would be enough.
- Permission sets are upgradable, so what you do today can be modified in the future and easily installed into our customers’ orgs.
- Permission sets are not editable. So unfortunately, if we have some Permission Sets installed in our org but we really need something different, we would not be able to modify them. On the other hand, we would be able to clone them and give the new Permission Sets the rights that we really need.
- And the most important advice for me is to try to find a good balance. Maybe your system needs 150 Permission Sets, and that’s fine if there is no other way to make everybody happy.
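The balance described in this list can be checked mechanically. The following Python script is an added example, not code from the original post or from Salesforce: it merges fine-grained permissions that are needed by exactly the same job functions into one Permission Set, then confirms that every job function still receives exactly the access it needs and nothing more. The role names and the "Object:Action" labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: the object permissions each job function needs.
# Role names and "Object:Action" labels are hypothetical.
ACCOUNT_CRUD = {"Account:Read", "Account:Create", "Account:Update", "Account:Delete"}
NEEDS = {
    "Sales Rep": ACCOUNT_CRUD | {"Expense:Read"},
    "Expense Reviewer": ACCOUNT_CRUD | {"Expense:Read"},
    "Expense Approver": ACCOUNT_CRUD | {"Expense:Read", "Expense:Update"},
    "Auditor": {"Account:Read", "Expense:Read"},
}

def consolidate(needs):
    """Merge permissions that are needed by exactly the same set of roles.

    Returns {frozenset(permissions): frozenset(roles)}; each key is one
    candidate Permission Set, each value the roles it is assigned to.
    """
    roles_by_perm = defaultdict(set)
    for role, perms in needs.items():
        for perm in perms:
            roles_by_perm[perm].add(role)
    perms_by_roles = defaultdict(set)
    for perm, roles in roles_by_perm.items():
        perms_by_roles[frozenset(roles)].add(perm)
    return {frozenset(p): r for r, p in perms_by_roles.items()}

def grants_exactly(needs, bundles):
    """Least-privilege check: effective access equals needed access per role."""
    for role, wanted in needs.items():
        granted = set().union(*(p for p, roles in bundles.items() if role in roles))
        if granted != wanted:
            return False
    return True

def bundle_for(bundles, perm):
    """The merged set a user would receive if granted `perm` temporarily."""
    return next(p for p in bundles if perm in p)

if __name__ == "__main__":
    bundles = consolidate(NEEDS)
    for perms, roles in bundles.items():
        print(sorted(perms), "->", sorted(roles))
    print("least privilege preserved:", grants_exactly(NEEDS, bundles))
    # What the Expense Reviewer gains while covering for the approver:
    print("temporary grant:", sorted(bundle_for(bundles, "Expense:Update")))
```

Six single-action sets collapse to three here, and the set carrying Expense update access stays isolated, so assigning it temporarily to the reviewer grants that one right only.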
Here you will find some packaging problems, so take them into account during your design.
My teacher once told me that maybe the dinosaur had a different meaning. Maybe it’s something good. The dinosaur represents all the good things that we could find at that time: nature, no pollution, everybody in peace... so when he woke up, he was still happy, everything was great.
And actually this is my current feeling. We found a great design for our product and everything is good with Permission Sets. Permission Sets are a good friend.