Managing user permissions in Salesforce can be complex and present a host of challenges for administrators and users alike. In this blog post, we’ll briefly go over some of the common pain points that users and admins may encounter, and explore several strategies to manage them.
1. Complexity of the Security Model:
Salesforce's security model consists of multiple layers, including organization-wide defaults, role hierarchy, sharing and restriction rules, profiles, permission sets, and permission set groups. Understanding and navigating this model can be daunting for administrators, making it challenging to strike a balance between data security and user access.
2. Managing Permissions for Large Teams:
As organizations grow, managing permissions for a large number of users across many profiles, permission sets, and permission set groups becomes increasingly difficult. The more security layers added, the more complex the process becomes. Keeping track of who has access to what can turn into a cumbersome task, and if not managed correctly, it may result in undetected security risks.
3. User Access and Extra Permissions:
Users often request more access than they actually need, and administrators may inadvertently grant non-essential or administrative permissions, such as modify all data. This can result in security vulnerabilities and non-compliance with data protection policies.
4. Profile Limitations:
Profiles control default settings and permissions for a group of assigned users. However, profiles have certain limitations, the primary one being that a user can be assigned only one profile. When it comes to permissions, profiles grant the same baseline level of access to all users belonging to the profile. This limitation necessitates the use of custom profiles, permission sets, and permission set groups to grant additional permissions, adding more layers to keep track of.
5. Managing Permission Set Assignments:
While permission sets provide additional flexibility, managing them can also become complicated. It’s not uncommon that the same permission may be found in multiple permission sets, leading to overlapping permissions. It is crucial to keep track of which permission sets are assigned to which users, as well as each user's combined permissions, to avoid redundancies and other potential issues stemming from having multiple permission set assignments.
6. Adapting to Changes:
Salesforce undergoes regular updates, making it essential to review and update your security model accordingly. In response to Salesforce's recently announced plan to discontinue permissions on profiles by 2026 (read more here), it is becoming increasingly important to develop a secure permissions model based on permission sets and permission set groups. After 2026, permission sets will fully take over the responsibility of granting permissions to users, while profiles will continue to control Default App/Record Types, Page Layouts, Login Hours, and IP Ranges.
7. Reporting and Auditing:
Compliance, in the simplest of terms, boils down to the question of knowing and documenting, “who has what?” To ensure proper compliance, administrators must monitor and document user access to sensitive data. While Salesforce maintains a robust set of compliance certifications, out-of-the-box reporting capabilities may not be sufficient for complex organizations. Thus, many Salesforce customers must rely on third-party tools or custom solutions, especially when it comes to generating compliance documentation.
Facing these Challenges
To overcome these challenges and pain points, it is essential to invest time in understanding Salesforce's security model, establish clear processes for user access management, regularly review and optimize permission configurations, and utilize features like permission sets and permission set groups effectively.
Let’s go over a few strategies for each one:
Understanding Salesforce’s Security Model:
Given the intricacies of Salesforce’s security model, it’s difficult to know where to begin. To help customers learn, Salesforce recently released their “Who Sees What” video series that covers each main area of Salesforce’s security model.
Follow the Salesforce Admins Blog and apply the “security” and “setup + customization” topic filters to get the latest educational content around user management. I find that reading the official admin blog is one of the best ways to learn about Salesforce’s security model in bite-sized pieces.
Practice in Trailhead: Getting Started with User Management is an official trailmix designed to help you learn about user management best practices and polish up your skills.
The Trailblazer Community Group “The Future of User Management” is a treasure trove of information and is a great way to learn about the newest user management features Salesforce has to offer. There, Salesforce employees and community members discuss advanced concepts in user management and regularly share their tips and strategies. Joining this group keeps you informed and provides opportunities to gain early access to new features like User Access Policies.
Establish clear processes for user access management:
Before creating and assigning a bunch of permission sets, it’s important to review the latest user management best practices. Check out Admin Best Practices for User Management for more details.
Here are some important takeaways:
- Create permission sets based on functional needs or features.
- Label your permission sets well.
- Build permission set groups based around shared user personas or specific job functions.
Incorporate the principles of least privileged access (LPA) into your security model:
LPA is a security principle that limits data access while ensuring uninterrupted job functionality for users (read more about LPA here). Learning about LPA and implementing and maintaining LPA principles in your Salesforce org is an important factor to consider when building a proper security model centered around minimum access.
Regularly review and optimize permission configurations:
When reviewing your org’s permissions configuration, consider each permission and ask yourself the following questions: What is it? Who has it? Why do they have it? What grants it?
Finding the answers may not be as simple as it seems. To help you answer these questions more easily, we’ve released a free resource that helps admins explore their org’s permissions structure in great detail. I encourage you to check it out.
After answering these questions, you’ll have a good baseline for optimization: Does this user need it to do their job? Do they get it exclusively through their profile or also from a permission set? Can I build personas around certain users that require similar levels of access?
Experiment with minimum access profiles in a Sandbox: If I assign the minimum access profile along with these permission sets, will the user still be able to access what they need in order to do their job?
Asking yourself these types of questions and experimenting (in a sandbox!) will help you think critically about how you want to structure and configure your permissions model.
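As an added illustration (not code from the original post or from Salesforce), the following Python script answers “Who has it?” and “What grants it?” for one permission, Modify All Data, by walking profile permissions, direct permission set assignments, and permission set group components, and honoring a muting permission set in a group. The rows are constructed samples shaped like the SOQL queries shown in the comments; object and field names are the standard Salesforce ones, while treating a group assignment row's own PermissionSetId as the group's aggregate permission set (and therefore expanding the group's components instead) is an assumption.

```python
"""Answer "who has Modify All Data, and what grants it?" from permission data."""
from collections import defaultdict

PERM = "PermissionsModifyAllData"  # any boolean Permissions* field works the same way

# Constructed sample rows, shaped like: SELECT Id, Username, ProfileId FROM User WHERE IsActive = true
USERS = [
    {"Id": "005A", "Username": "alice@example.com", "ProfileId": "00eAdmin"},
    {"Id": "005B", "Username": "bob@example.com", "ProfileId": "00eStd"},
    {"Id": "005C", "Username": "carol@example.com", "ProfileId": "00eStd"},
]
# SELECT Id, Name, IsOwnedByProfile, ProfileId, PermissionsModifyAllData FROM PermissionSet
PERMISSION_SETS = [
    {"Id": "0PSAdm", "Name": "System Administrator", "IsOwnedByProfile": True, "ProfileId": "00eAdmin", PERM: True},
    {"Id": "0PSStd", "Name": "Standard User", "IsOwnedByProfile": True, "ProfileId": "00eStd", PERM: False},
    {"Id": "0PSMod", "Name": "DATA_Modify_All_Data", "IsOwnedByProfile": False, "ProfileId": None, PERM: True},
    {"Id": "0PSLv", "Name": "PLATFORM_Manage_List_Views", "IsOwnedByProfile": False, "ProfileId": None, PERM: False},
]
# SELECT AssigneeId, PermissionSetId, PermissionSetGroupId FROM PermissionSetAssignment
ASSIGNMENTS = [
    {"AssigneeId": "005B", "PermissionSetId": "0PSMod", "PermissionSetGroupId": None},     # direct assignment
    {"AssigneeId": "005C", "PermissionSetId": "0PSGrp", "PermissionSetGroupId": "0PGOps"},  # via a group
]
# SELECT PermissionSetGroupId, PermissionSetId FROM PermissionSetGroupComponent
GROUP_COMPONENTS = [{"PermissionSetGroupId": "0PGOps", "PermissionSetId": "0PSMod"},
                    {"PermissionSetGroupId": "0PGOps", "PermissionSetId": "0PSLv"}]
# SELECT PermissionSetGroupId, PermissionsModifyAllData FROM MutingPermissionSet (true = muted in that group)
MUTING = [{"PermissionSetGroupId": "0PGOps", PERM: True}]

def who_has(perm=PERM):
    """Return {username: [grant sources]} for every user who ends up with `perm`."""
    ps_by_id = {p["Id"]: p for p in PERMISSION_SETS}
    profile_ps = {p["ProfileId"]: p for p in PERMISSION_SETS if p["IsOwnedByProfile"]}
    members = defaultdict(list)  # group id -> component permission set ids
    for c in GROUP_COMPONENTS:
        members[c["PermissionSetGroupId"]].append(c["PermissionSetId"])
    muted_groups = {m["PermissionSetGroupId"] for m in MUTING if m[perm]}
    grants = defaultdict(list)
    for u in USERS:  # source 1: the profile's own permission set
        prof = profile_ps.get(u["ProfileId"])
        if prof and prof[perm]:
            grants[u["Username"]].append(f"profile:{prof['Name']}")
    for a in ASSIGNMENTS:  # source 2: direct permission sets; source 3: group components
        user = next(u["Username"] for u in USERS if u["Id"] == a["AssigneeId"])
        gid = a["PermissionSetGroupId"]
        if gid is None:
            sources = [(a["PermissionSetId"], f"permset:{ps_by_id[a['PermissionSetId']]['Name']}")]
        elif gid in muted_groups:
            continue  # the group's muting permission set removes this permission for its assignees
        else:
            sources = [(pid, f"group:{gid}/{ps_by_id[pid]['Name']}") for pid in members[gid]]
        grants[user].extend(label for pid, label in sources if ps_by_id[pid][perm])
    return dict(grants)
```

Run against these samples, the script reports alice (via her profile) and bob (via a direct permission set), while carol is omitted because the group's muting permission set mutes Modify All Data.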
Utilize features like permission sets and permission set groups effectively:
A good starting point is to build permission sets based on functional needs or features. Label your permission sets well. Use a standardized naming convention and include short, clear descriptions for each permission set.
For example, “PLATFORM : Manage List Views - Description: Grants Permissions to Manage Public List Views.” Remember to make your description clear, as it makes your permission sets much easier to manage and keep track of in the future (you’ll thank yourself later).
If you’d like a more user-friendly experience when managing your security model in Setup, you have the option to enable enhanced user management views and other experimental features.
Tip: You can enable enhanced views for profiles, permission sets, and permission set groups by typing “User Management Settings” into the Quick Find box in Setup.
Build persona-based permission set groups for users who require cross-functional access, like hybrid sales and marketing teams. Maximize permission set reusability across permission set groups by utilizing muting permission sets to restrict access.
Try to avoid using custom profiles to grant permissions when possible. Be on the lookout for assistive features that can help you rely less on profile permissions, such as the upcoming “permissionless profile view” toggle feature, set for release in Spring ‘24.
Note that profile-based permissions will no longer be supported following the 2026 end-of-life update, so it’s important to move away from using profiles to grant further access as much as possible. Edit: In 2024, Salesforce wrote that it will no longer enforce the 2026 deadline. However, it is still important to move away from profiles.
Conclusion:
Effective permission management in Salesforce is important for maintaining data security and enabling users to perform their job duties efficiently.
As a new admin, you might wonder why you should invest so much effort into this. From an admin perspective, effective user management leads to faster troubleshooting, fewer headaches, and the ability to answer questions like “why can’t I see this?” much more quickly. Moreover, staying organized makes preparing for audits a lot easier down the line.
From a business perspective, your company will benefit from a reduced likelihood of internal data leaks, fewer business interruptions, and enhanced customer trust.
While learning everything there is to know about User Management in Salesforce is quite the challenge, there are many resources available to help you learn and prepare effectively (I highly recommend starting with Salesforce’s “Who Sees What” video series mentioned earlier).
By addressing these common pain points and implementing some of the strategies we discussed, you can overcome permission management challenges and ensure a secure, compliant, and streamlined Salesforce experience in your Org.
Resources and Links:
- Salesforce Who Sees What Video Series
- Getting Started With User Management Official Trailmix
- Salesforce Admins Blog
- Admin Best Practices for User Management
- Permatrix - a Free Resource to Help you Better Understand your Org’s Permissions
- LeedsSource Youtube Channel - Salesforce Tutorials and More
- The Future of User Management Trailblazer Community Group
- Applying the Principles of Least Privileged Access to your Org.
- Enabling User Access Policies
- Muting Permission Sets
- 2026 EOL Profiles on Permissions Update
- Salesforce Compliance Certifications
Written by Arthur Papernik, Product Manager at LeedsSource