Should I move away from profile permissions?

Salesforce announced an End-of-Life for Profile permissions. It was later decided not to enforce the change, based on feedback from the community. I got a chance to try some features around this today. I think it's really better than toggling the same buttons in two different places.

The need

The tools required for this change are already available in User Management Settings. Salesforce recommends that customers consider permission sets over profiles. There will be no updates to Profiles going forward.

Profiles will mainly cover IP restrictions, app defaults and page layouts. All other primary permissions will be in permission sets.

This gives strong semantics to the term Permission Set.

Key rules for planning permission sets

  1. Keep all permissions like FLS and feature settings in permission sets. Give each permission set a name that conveys its exact purpose.
  2. Have more permission sets but never mix permissions. You can use a Permission Set Group to combine them in an organised way, BUT never mix permissions within a permission set.
  3. Just as you assign fields to profiles on the object field creation page, you can assign FLS to permission sets instead. All the features I am talking about here are available to try. Enable or disable them from User Management Settings.
  4. You can define User Access Policies to assign a user to, or revoke a user from, a group, queue, permission set, permission set group, feature license, etc. based on criteria over user-level data.
  5. You can automate User Access Policies based on user record triggers.
  6. When assigning permission sets, you can choose an expiry time. It's a significant security feature.

Overall, this seems to be a much cleaner way to plan the security structure of your organisation. Imagine freeing up your feature licenses on a fixed date and auto-assigning them to new users as they are created. That was never a thing with Profiles.

Coming to deployment problems with Profiles, I am sure there is also a benefit, as permission sets are easy to process in CI/CD pipelines compared to profiles, which are doable but often tricky and waste so much time during agile reviews.
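As an added example (not code from this post or from Salesforce), here is a small CI check that lints a permission set's metadata XML under one assumed reading of rule 2 above: a set should cover one object, should not combine data access with system permissions, and should not silently carry broad system permissions. The `HIGH_RISK` list, the finding labels and the sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumed review policy (not a Salesforce rule): these broad system
# permissions should be called out whenever a set enables them.
HIGH_RISK = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex"}

# Constructed sample of a .permissionset-meta.xml file (not from a real org).
SAMPLE = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Invoice Editor</label>
    <fieldPermissions>
        <editable>true</editable>
        <field>Invoice__c.Amount__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Account.Rating</field>
        <readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ModifyAllData</name>
    </userPermissions>
</PermissionSet>"""

def lint_permission_set(xml_text):
    """Return a list of findings for one permission set metadata document."""
    root = ET.fromstring(xml_text)
    findings = []
    # Objects touched through FLS entries (Object.Field) or object permissions.
    objects = {e.text.split(".")[0] for e in root.findall("sf:fieldPermissions/sf:field", NS)}
    objects |= {e.text for e in root.findall("sf:objectPermissions/sf:object", NS)}
    # System (user) permissions that are actually enabled.
    sys_perms = {
        up.findtext("sf:name", namespaces=NS)
        for up in root.findall("sf:userPermissions", NS)
        if up.findtext("sf:enabled", namespaces=NS) == "true"
    }
    if len(objects) > 1:
        findings.append("mixed-objects: " + ", ".join(sorted(objects)))
    if objects and sys_perms:
        findings.append("mixed-kinds: data access and system permissions in one set")
    for name in sorted(sys_perms & HIGH_RISK):
        findings.append("high-risk: " + name)
    return findings

if __name__ == "__main__":
    for finding in lint_permission_set(SAMPLE):
        print(finding)
```

In a pipeline, the same function can be run over each permission set file in the change and the job failed when the returned list is not empty.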

Should I start moving towards Permission sets?

I don’t see a reason FOR NOT STARTING unless you are still living a classic environment life.

