What is a permission set?
Permission sets are optionally assigned to a user to grant them privileges in addition to their profile.
Why use permission sets?
Using permission sets effectively can help you reduce the number of profiles needed in your Salesforce org, which can dramatically reduce administrative overhead in some scenarios.
When is the use of permission sets appropriate?
Use the profile to set the foundation for a user’s privileges. Then use permission sets to grant additional privileges for one-off cases, or instances where the same set of privileges must be granted for users that are assigned to different profiles (e.g. providing access to a 3rd party application shared by several departments).
Example 1
I’ve defined a custom profile “Inside Sales Rep” which does not have the ability to delete leads.
However, I would like to grant one inside sales user “Jane Doe” the ability to delete leads.
User | Profile | Delete Leads |
---|---|---|
Jane Doe | Inside Sales Rep | Yes |
Inside Sales Team | Inside Sales Rep | No |
Instead of creating a custom profile just for Jane, I’ve created a permission set called “Delete Leads”:
I add that permission set to Jane Doe’s user record:
Jane now has the ability to delete leads, while other inside sales team members will not. And I’ve accomplished this without creating another profile to maintain.
Example 2
Your organization has recently built an application in Salesforce to track job applicants. Each department will have several users that will be provided access to manage their department’s career postings.
Using just profiles, you would need to create a new profile for each user that needed access to the application (cloning the existing assigned profile and then adding the required privileges). Instead, you could create a single permission set that grants the appropriate privileges and grant that permission set to each user as needed.
Important Notes
- Permission sets can only grant (not revoke) privileges.
- Permission sets are optional, and a user can be assigned more than 1 permission set (a user is assigned zero to many permission sets).
- The profile controls some elements (e.g. page layout assignment) that a permission set cannot influence.
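A simplified model of the rules above, added here as an illustration (it is not Salesforce code and not part of the original article): effective access is the union of the profile and every assigned permission set, so an access review has to look at both sources. The profile, permission set and Jane Doe come from Example 1; the data layout and the second user "Sam Lee" are constructed assumptions.

```python
# Constructed sample data modelled on Example 1. The dictionary layout is an
# assumption of this sketch, not a Salesforce export format.
PROFILES = {"Inside Sales Rep": {"Lead": {"Read", "Create", "Edit"}}}
PERMISSION_SETS = {"Delete Leads": {"Lead": {"Read", "Edit", "Delete"}}}
USERS = {
    "Jane Doe": {"profile": "Inside Sales Rep", "permission_sets": ["Delete Leads"]},
    "Sam Lee": {"profile": "Inside Sales Rep", "permission_sets": []},  # constructed user
}


def grants(user):
    """Yield (source, object, privilege) for every grant the user holds."""
    record = USERS[user]
    sources = [("profile: " + record["profile"], PROFILES[record["profile"]])]
    sources += [("permission set: " + name, PERMISSION_SETS[name])
                for name in record["permission_sets"]]
    for source, object_perms in sources:
        for obj, privileges in object_perms.items():
            for privilege in privileges:
                yield source, obj, privilege


def effective(user):
    """Effective access is the union of all grants; no source can subtract."""
    access = {}
    for _, obj, privilege in grants(user):
        access.setdefault(obj, set()).add(privilege)
    return access


def who_can(obj, privilege):
    """Access review: map each user holding the privilege to the sources granting it."""
    holders = {}
    for user in USERS:
        sources = sorted({s for s, o, p in grants(user) if o == obj and p == privilege})
        if sources:
            holders[user] = sources
    return holders


if __name__ == "__main__":
    # A review that reads only profiles would miss Jane's delete right.
    print(who_can("Lead", "Delete"))
    # Edit reaches Jane through two sources, so unassigning the permission
    # set removes Delete but leaves Edit in place via the profile.
    print(who_can("Lead", "Edit"))
```
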
I am unable to locate the Leads object under permission set – Object settings. Any reason this could happen? What am I missing?
Do you see the rest of the objects under that page? When you enter the search bar for “leads” does it find it (should be listed under object settings)? Are you an admin in a DE org?
Hi John,
If your OWD is set to private for a particular object and members of a particular profile only have read access to each other’s records but you want a particular member to be able to edit records, you can’t do this with a permission set because their assigned profile only grants read access and you cannot override the profile access with a permission set, correct?
The best way to do it would be to assign that user a higher position in the role hierarchy, correct?
Permission sets add to profile permissions, but they cannot subtract. You could grant access to all records within an object using the “view all” or “modify all” object-level permissions. To grant access to a subset of records, you would need to use a sharing rule.
Hi John,
Just wanted to validate whether my concept below is correct or not:
1. The profile will only determine what type of access you have for an object. But whether you are able to view, edit or delete others’ records is not determined by the profile; rather, it is maintained by the role hierarchy and sharing rules.
2. What we can see is maintained by profile and permission set.
3. Whose records we can see is maintained by role and sharing rule.
Please let me know whether I am correct or not.
Thanks
Yep
Can permission sets be assigned to roles?
Short answer: no
There are some apps on the market that might be able to help with that if it were needed
Also, in follow-up to the previous question, why do you have to create a new profile every time?
Let’s say you have 3 profiles
Inside sales
Marketing
Hr
Each profile has 100 users
Now you add a new app called “recruiting”
All of hr needs access – update the profile, no problem.
There are 5 users from sales and 10 from marketing that need access to the app also.
Your choices are:
1 permission set and assign to each user
Or
Create 2 new profiles
Inside sales w recruiting app
Marketing w recruiting app
Now another app is launched… and the problem compounds
Make sense ?
Thanks for the detailed explanation!!
John- In example 2, you said “Using just profiles, you would need to create a new profile for each user that needed access to the application (cloning the existing assigned profile and then adding the required privileges).”.
Why can’t you create a custom profile that has access to the Job App Tracker and assign the custom profile to all the users in each department? I guess I’m missing the point.
Let’s say you have 5 departments
department 1
department 2
department 3
department 4
department 5
Now some users in each department need to have access to the new app.
You will need to create 5 more profiles like department1+app, department2+app etc. for those 5 departments’ users.
Now you may have one more app for something else and the problem is multifold.
You would rather have one permission set that you add to selected users of those departments.
You can’t create one custom profile that can manage access related to all 5 departments + app.
Regds
Nikhil
Nicely explained Nikhil
Hi John, maybe I am missing the point, so I need to understand. Jane Doe has an inside sales user profile that has no ability to delete. A permission set was created to enable Jane to delete. On the screenshot of the custom profile, the basic access is (Read, Create, Edit), but on the screenshot for the “Delete Leads” permission set, “Read” and “Edit” are also checked again but without “Create”. The question is: A) Do we need to check the box next to Create too on the permission set? B) If no to question A, then why do we need to check the Read and Edit boxes as well on the permission set if these are already granted at the profile level?
Hi John, I pretty much know the answer now as selecting delete permission would require read and edit as well.
Yep – spot on
Do permission sets override OWD?
Only View All or Modify All permissions
good
John,
I want to create a custom picklist field for one specific user on an existing profile – how would I accomplish this?
I created the field and the permission set, yet everyone in that profile has access to it. Please advise 🙂
Add the permission to the field to the permission set, and remove that permission from the profile – your profile probably still has access to that field.
Thank you!
Also, thank you for this site, such a huge help!! I passed my certification last week!
Awesome, congrats!
Hi John,
I have similar question.
There is a field on an Opportunity record type that I wish to have it visible only to certain user. How do I make sure that this field is not visible to other users (who have the same profile)?
Sorry for the double question, I just didn’t understand it yet.
Gil
I think I got it now.
I will need to go to the Profile and disable their access to that certain field. Then create a Permission Set where I do allow access to that field. The last step is to assign that permission set to the individual users.
Did I get it right?
Yep spot on
About the first question, the “cannot” refers to permissions granted in a different way than permission sets, like using a profile; think of a user having a profile with Delete permissions: it is not feasible to revoke the delete permission. However, if the delete permission is granted through a permission set, you just need to remove it from the set or remove the set itself from the user profile.
Correct
Is it possible to bulk add permission sets to users? I tried creating a list view but was unsuccessful. I understand permission sets are intended for more granular controls, and one off scenarios. However, if I have 10 users that need a permission set – it would be easier to add it to all of them at once.
Or am I using the wrong tool for the job?
Yes you can bulk add users to a permission set: http://docs.releasenotes.salesforce.com/he-il/spring14/release-notes/perm_sets_mass_assign.htm
Hi John,
Please add navigation in addition to the screenshot. I am trying to follow the same example you have provided but have been unsuccessful.
Thank you
Gita
I probably should have added, assuming OWD are set to private.
A good thing to clarify is that aside from permission sets and profiles, field-level security and role- or sharing-rule-based security can’t grant additional access. If you only have read permissions on your profile for the Account object and sharing rules would grant you read/write, you will still not be able to edit, only read, because your profile doesn’t contain that edit security.
Good point – that’s a good quiz question 🙂
Important note #3 is out of date.
Thank you, updated.
Your organization has recently build – should be built.
Thank you, updated.
You mentioned that permissions can only be granted and not revoked. What happens if a user’s job description changes and you need to change their permission sets? (i.e., Jane has been promoted to product marketing and no longer needs permission to delete leads or even access leads)
You can revoke the permission set itself from a user, however, a permission set cannot detract permissions when assigned to a user. E.g. you could grant read access to the lead object via permission set, but you could not remove read access to the lead object.