Permission Sets
Permission sets are collections of permissions and other settings that give users access to objects, fields, and other resources. They are the recommended way to manage user permissions in Salesforce, and allow fine-grained control over what users can access.
Permission sets should be created per functional task rather than per job title, as profiles tend to be. This makes permission sets reusable building blocks and reduces the overall overhead of managing profiles and permissions.
The following are some best practices for managing permission sets:
- Follow a consistent naming convention
- Create atomic task-based permission sets
- Use permission sets for all field and object access
Use a minimal profile for all users that grants the minimum possible access, and then use permission sets to grant additional access as required.
Permission set groups
Permission set groups bundle permission sets together. They can be aligned more closely with user personas and the users' actual roles. This simplifies permission management by eliminating the need to assign a large number of permission sets to each user, while still keeping the granularity of atomic task-based permission sets.
Effective use of atomic permission sets and persona-based permission set groups can greatly simplify the management of user permissions.
Muting permission sets
It's a common scenario for users to require similar but slightly different permissions. For example, one group of users does not require delete access to objects. Instead of having to duplicate and maintain two permission sets, you can use muting permission sets to remove permissions from a permission set.
Muting permission sets allow you to reuse the underlying permission sets by creating multiple permission set groups and muting the permissions that are not required for a particular group.
This only affects the permissions granted by the permission set, and does not affect the permissions granted by the user's profile.
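The following added example (not part of the Seven20 documentation or any Salesforce API) models the rule above in Python: a muting permission set subtracts permissions only inside its own group, so a profile or a second group can still grant what was muted. The permission set, group and profile names are constructed for illustration, and the model is a simplification of how access is assembled.

```python
# Simplified model of how a user's access is assembled. All names and data
# below are constructed for illustration.
PERMISSION_SETS = {  # atomic, task-based building blocks
    "Account_Read": {("Account", "read")},
    "Account_Manage": {("Account", "create"), ("Account", "edit"),
                       ("Account", "delete")},
}
GROUPS = {  # persona-based groups reusing the same building blocks
    "Sales_Full": {"sets": ["Account_Read", "Account_Manage"],
                   "muted": set()},
    "Sales_NoDelete": {"sets": ["Account_Read", "Account_Manage"],
                       "muted": {("Account", "delete")}},
}
PROFILES = {
    "Minimal": set(),
    "Legacy_Broad": {("Account", "delete")},  # hypothetical over-broad profile
}


def group_permissions(group_name):
    """Union of the group's permission sets minus that group's muted permissions."""
    group = GROUPS[group_name]
    granted = set().union(*(PERMISSION_SETS[n] for n in group["sets"]))
    return granted - group["muted"]


def effective_permissions(profile, groups):
    """Profile grants plus every assigned group; muting never reaches the profile."""
    perms = set(PROFILES[profile])
    for name in groups:
        perms |= group_permissions(name)
    return perms


def muting_bypassed(profile, groups):
    """Muted permissions the user still holds through the profile or another group."""
    muted = set().union(*(GROUPS[g]["muted"] for g in groups))
    return muted & effective_permissions(profile, groups)


if __name__ == "__main__":
    for profile, groups in [("Minimal", ["Sales_NoDelete"]),
                            ("Legacy_Broad", ["Sales_NoDelete"]),
                            ("Minimal", ["Sales_Full", "Sales_NoDelete"])]:
        print(profile, groups, "->", sorted(muting_bypassed(profile, groups)))
```

A non-empty result from `muting_bypassed` marks a user whose muted permission is still effective, which is the case a minimal profile is meant to prevent.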
Seven20 packaged permission sets
The Seven20 packages provide a set of permission sets that can be used as a baseline level of access for specific functional areas. These permission sets are designed to be used in conjunction with the atomic task-based permission sets and persona-based permission set groups.
These permission sets should not be assigned to guest site users, as they are designed for internal users only. Any integration package will come with its own set of permission sets, including ones intended for guest site users, which should be used instead.
Due to Salesforce packaging limitations, these permission sets do not include any permissions for standard objects, such as Accounts or Contacts. These need to be implemented separately.