Permission Sets

What is a permission set?

Permission sets are optionally assigned to a user to grant them privileges in addition to their profile.

Why use permission sets?

Using permission sets effectively can help you reduce the number of profiles needed in your Salesforce org, which can dramatically reduce administrative overhead in some scenarios.

When is the use of permission sets appropriate?

Use the profile to set the foundation for a user’s privileges. Then use permission sets to grant additional privileges for one-off cases, or for cases where the same set of privileges must be granted to users who are assigned to different profiles (e.g. providing access to a third-party application shared by several departments).

Example 1

I’ve defined a custom profile “Inside Sales Rep” which does not have the ability to delete leads.

[Screenshot]

However, I would like to grant one inside sales user “Jane Doe” the ability to delete leads.

User              | Profile          | Delete Leads
Jane Doe          | Inside Sales Rep | Yes
Inside Sales Team | Inside Sales Rep | No

Instead of creating a custom profile just for Jane, I’ve created a permission set called “Delete Leads”:

[Screenshot]

I add that permission set to Jane Doe’s user record:

[Screenshot]

Jane now has the ability to delete leads, while other inside sales team members do not. And I’ve accomplished this without creating another profile to maintain.

Example 2

Your organization has recently built an application in Salesforce to track job applicants.  Each department will have several users that will be provided access to manage their department’s career postings.

Using just profiles, you would need to create a new profile for each user that needed access to the application (cloning the existing assigned profile and then adding the required privileges).  Instead, you could create a single permission set that grants the appropriate privileges and grant that permission set to each user as needed.

Important Notes

  1. Permission sets can only grant (not revoke) privileges.
  2. Permission sets are optional, and a user can be assigned more than 1 permission set (a user is assigned zero to many permission sets).
  3. The profile controls some elements (e.g. page layout assignment) that a permission set cannot influence.
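
An added example, not part of the original post: because permission sets only add to what the profile grants, an access review has to check both sources. The anonymous Apex below lists every active user who can delete leads and says whether the grant comes from the profile or from a permission set such as “Delete Leads”; it uses the standard PermissionSetAssignment, PermissionSet and ObjectPermissions objects and assumes it is run by an administrator via Execute Anonymous.

```apex
// Added example: who can delete Leads, and through which grant?
// Every profile is backed by a permission set with IsOwnedByProfile = true,
// so a single query over PermissionSetAssignment covers profile grants and
// add-on permission set grants alike.
List<PermissionSetAssignment> grants = [
    SELECT Assignee.Name, Assignee.Profile.Name,
           PermissionSet.Label, PermissionSet.IsOwnedByProfile
    FROM PermissionSetAssignment
    WHERE Assignee.IsActive = true
      AND PermissionSetId IN (
          SELECT ParentId
          FROM ObjectPermissions
          WHERE SobjectType = 'Lead'
            AND PermissionsDelete = true)
    ORDER BY Assignee.Name
];

for (PermissionSetAssignment g : grants) {
    // Distinguish the baseline (profile) from one-off additions (permission set).
    String source = g.PermissionSet.IsOwnedByProfile
        ? 'profile "' + g.Assignee.Profile.Name + '"'
        : 'permission set "' + g.PermissionSet.Label + '"';
    System.debug(g.Assignee.Name + ' can delete leads via ' + source);
}
```

A user who appears only with a permission set as the source loses the privilege as soon as that assignment is removed; a user listed with a profile as the source keeps it until the profile itself is changed.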

39 Responses to “Permission Sets”

  1. gcejezie June 10, 2016 at 7:49 pm #

    Hi John,

    If your OWD is set to private for a particular object and members of a particular profile only have read access to each other’s records but you want a particular member to be able to edit records, you can’t do this with a permission set because their assigned profile only grants read access and you cannot override the profile access with a permission set, correct?

    The best way to do it would be to assign that user a higher position in the role hierarchy, correct?

    • JohnCoppedge June 13, 2016 at 10:19 am #

      Permission sets add to profile permissions, but they cannot subtract. You could grant access to all records within an object using the “view all” or “modify all” object-level permissions. To grant access to a subset of records, you would need to use a sharing rule.

      • sneha06 July 16, 2016 at 12:43 pm #

        Hi John,

        Just wanted to validate whether my concept below is correct or not:
        1. The profile will only determine what type of access you have for an object. But whether you are able to view, edit or delete others’ records is not determined by the profile; rather, it is maintained by the role hierarchy and sharing rules.
        2. What we can see is maintained by profile and permission set.
        3. Whose records we can see is maintained by role and sharing rule.

        Please let me know whether I am correct or not.

        Thanks

  2. pjonnala December 14, 2015 at 12:42 am #

    Can permission sets be assigned to roles?

    • JohnCoppedge December 14, 2015 at 9:53 am #

      Short answer: no

      There are some apps on the market that might be able to help with that if it were needed.

  3. pjonnala December 5, 2015 at 6:54 pm #

    Also in follow up with the previous question, why do you have to create a new profile every time.

    • JohnCoppedge December 6, 2015 at 9:24 pm #

      Let’s say you have 3 profiles

      Inside sales
      Marketing
      HR

      Each profile has 100 users

      Now you add a new app called “recruiting”

      All of HR needs access – update the profile, no problem.

      There are 5 users from sales and 10 from marketing that need access to the app also.

      Your choices are:

      1 permission set and assign to each user

      Or

      Create 2 new profiles
      Inside sales w recruiting app
      Marketing w recruiting app

      Now another app is launched… and the problem compounds

      Make sense?

      • pjonnala December 7, 2015 at 2:56 pm #

        Thanks for the detailed explanation!!

  4. pjonnala December 5, 2015 at 6:53 pm #

    John, in example 2, you said “Using just profiles, you would need to create a new profile for each user that needed access to the application (cloning the existing assigned profile and then adding the required privileges).”
    Why can’t you create a custom profile that has access to the Job App Tracker and assign the custom profile to all the users in each department? I guess I’m missing the point.

    • nk005347 October 3, 2016 at 2:57 pm #

      Let’s say you have 5 departments
      department 1
      department 2
      department 3
      department 4
      department 5

      Now some users in each department need to have access to the new app.

      You will need to create 5 more profiles, like department1 + app, department2 + app, etc., for those 5 department users.

      Now you may have one more app for something else, and the problem is multifold.

      You would rather have one permission set that you add to selected users of those departments.

      You can’t create one custom profile that can manage access related to all 5 departments + app.

      Regards
      Nikhil

  5. Davin Casey October 3, 2015 at 12:57 pm #

    Hi John, maybe I am missing the point, so I need to understand. Jane Doe has an inside sales user profile that has no ability to delete. Created a permission set to enable Jane to delete. On the screenshot of the custom profile, the basic access is (Read, Create, Edit), but on the screenshot for the ‘Delete Leads’ permission set, ‘Read, Edit’ are also checked again but without ‘Create’. The question is: A) Do we need to check the box next to Create too on the permission set? B) If no to question A, then why do we need to check the Read and Edit boxes as well on the permission set if these are already granted at the profile level?

    • Davin Casey October 4, 2015 at 8:37 am #

      Hi John, I pretty much know the answer now as selecting delete permission would require read and edit as well.

  6. Andrew DeSanctis September 6, 2015 at 11:26 pm #

    Do permission sets override OWD?

  7. Farzana Hafiz August 19, 2015 at 5:04 pm #

    good

  8. Ashley Scheller March 12, 2015 at 9:40 pm #

    John,

    I want to create a custom picklist field for one specific user on an existing profile – how would I accomplish this?

    I created the field and the permission set, yet everyone in that profile has access to it. Please advise 🙂

    • JohnCoppedge March 13, 2015 at 2:15 pm #

      Add the permission to the field to the permission set, and remove that permission from the profile – your profile probably still has access to that field.

      • Ashley Scheller March 18, 2015 at 2:54 pm #

        Thank you!
        Also, thank you for this site, such a huge help!! I passed my certification last week!

      • g.levy@mamacash.org February 4, 2016 at 4:16 pm #

        Hi John,

        I have a similar question.
        There is a field on an Opportunity record type that I wish to have visible only to a certain user. How do I make sure that this field is not visible to other users (who have the same profile)?
        Sorry for the double question, I just didn’t understand it yet.
        Gil

        • g.levy@mamacash.org February 4, 2016 at 4:25 pm #

          I think I got it now.
          I will need to go to the Profile and disable their access to that certain field. Then create a Permission Set where I do allow access to that field. The last step is to assign that permission set to the individual users.
          Did I get it right?

  9. Luis Palacios November 30, 2014 at 7:02 pm #

    About the first question: the “cannot” refers to permissions granted in a different way than permission sets, like using a profile. Think of a user having a profile that has Delete permissions: it is not feasible to revoke the delete permission. However, if the delete permission is granted through a permission set, you just need to remove it from the set or remove the set itself from the user profile.

  10. Paul Temple November 20, 2014 at 8:40 pm #

    Is it possible to bulk add permission sets to users? I tried creating a list view but was unsuccessful. I understand permission sets are intended for more granular controls, and one off scenarios. However, if I have 10 users that need a permission set – it would be easier to add it to all of them at once.

    Or am I using the wrong tool for the job?

  11. Gita Patel October 31, 2014 at 6:53 pm #

    Hi John,

    Please add navigation in addition to the screenshot. I am trying to follow the same example you have provided but am unsuccessful.

    Thank you
    Gita

  12. gera;d dente June 4, 2014 at 12:44 pm #

    I probably should have added, assuming OWD are set to private.

  13. gera;d dente June 4, 2014 at 12:11 pm #

    A good thing to clarify is that aside from permission sets and profiles, field-level security and role- or sharing-rule-based security can’t grant additional access. If you only have read permissions on your profile for the Account object and sharing rules would grant you read/write, you will still not be able to edit, only read, because your profile doesn’t contain that edit security.

  14. Kaira Bergstra January 19, 2014 at 10:32 pm #

    Important note #3 is out of date.

  15. Chris Eley December 9, 2013 at 5:33 pm #

    Your organization has recently build – should be built.

  16. Karran October 7, 2013 at 6:09 pm #

    You mentioned that permissions can only be granted and not revoked. What happens if a user’s job description changes and you need to change their permission sets? (i.e., Jane has been promoted to product marketing and no longer needs permission to delete leads or even access leads)

    • JohnCoppedge October 7, 2013 at 6:44 pm #

      You can revoke the permission set itself from a user, however, a permission set cannot detract permissions when assigned to a user. E.g. you could grant read access to the lead object via permission set, but you could not remove read access to the lead object.
