The Ins and Outs of Permission Set Groups

Salesforce has a new feature called Permission Set Groups. So, what are Permission Set Groups, and when should you use Permission Set Groups?

Permission Set Groups allow Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can apply role-based access control to manage user entitlements in Salesforce.

Permission Sets allow admins to create mini-profiles easily and handle exceptions for individual user access and security. Another advantage of permission sets is that users could be assigned multiple permissions granting additional privileges to users who perform specific role-based duties and control the correct role-based access.

The principle of role-based access control is to grant permissions based on the roles of individual users. It allows users access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to their job function. As mentioned above, the context’s role concept does not refer to Salesforce Role Hierarchy. By roles, we refer to job roles or tasks that a user plays in the organization. For this discussion, “role” and “permission set group” are equivalent. The permissions to perform certain jobs are put into specific roles, and through role assignments, users acquire the permissions needed to perform particular system functions for their daily jobs. Since users are not assigned permissions directly but only acquire them through their membership within a role, managing individual user rights becomes a matter of simply assigning users to the appropriate roles.

Creating a Permission Set Group

1. Go to Setup and search Permission Set Group
2. Click Create New Permission Set Group
3. Enter the label for the Permission Set Group you want to create
4. Click Permission Sets in Group
5. Assign desired permission to the Permission Sets in Group

Muting a Permission Set Group

With this new functionality, you can mute a permission you have previously given to a user. This revokes the consent of a particular permission you have provided to a user as part of the permission set group. By muting permission, it does not affect any other permissions assigned.

Muting lets you customize a current permission set group by muting (disabling) selected permissions. In other words, you can use a current permission set group with 90% of the permissions you need and mute the additional 10% of the permissions you don’t need for a user. This makes use of reusing permission-set groups without recreating.

1. Click on the current Permission Set Group
2. Click Muting Permission Set in Group
3. Go to Object Settings and the Object that you want to remove access to

Another consideration is if your organization created its custom application in Salesforce, this is a great way to leverage the Platform license as you will only be using standard objects within accounts and contacts.

Expiration Dates

Ever wonder if you could set an expiration date on a Permission Set/Permission Set Group? Do you have a user who is temporarily filling in for someone on vacation and needs temporary access? No more need to set reminders to remove a permission set means better productivity!

This feature was released in Winter 22 and made admins’ lives much easier by allowing them to set up an expiration date after assigning a permission and permission set group.

How to Activate the Expiration Date Feature On Permission Sets and Permission Set Groups

1. Go to Setup
2. Search for User Management Settings
3. Find Permission Set & Permission Set Group Assignments with Expiration Dates and toggle on.
4. Go to the Permission Set/Permission Set Group if you want to add a new user.
5. Click Manage Assignments
6. Click Add Assignment
7. Choose users that you want to add and click Next
8. Specify Expiration Date (1 Day / 2 Week / 30 Days / 60 Days / Custom Date)
9. Click Assign

Moving Away From Profile

We are discouraging admins from relying on profiles for permissions management and encouraging admins to adopt these best practices to provide more scalable and secure configurations while enabling admins to deliver the least privilege (and no more) access rights to end-users.

Today, profiles have many constraints due to their one-to-one relationship with the user object and therefore do not provide the appropriate mechanism for scalable permission assignment. Eventually, we want to reach a point where the profile only contains settings requiring one-to-one relationships with users, such as the default page layout assignment.

Migrating Profiles to Permission Sets

Check out the Permission Set Helper App on the Appexchange. The app contains a profile converter and a permission analyzer.

For more information or if you have questions, please contact us.