Salesforce Permission Sets and Permission Set Groups, A Guide and Demo
In today's exploration of Salesforce Security, we're diving deep into the world of permission sets and permission set groups.
Salesforce has evolved over the years, and now, permission sets have become the primary means of granting access to various elements within the platform.
In this blog post, we'll discuss the significance of permission sets and how they can be organized into permission set groups for more efficient access management.
The Transition from Profiles to Permission Sets
In the past, profiles were the go-to method for controlling access to Salesforce features. However, a fundamental shift has occurred in recent times. Profiles are now designed to be stripped down to the essentials, focusing primarily on elements such as IP address access and core defaults. The real power lies in permission sets—collections of permissions grouped together into a set.
This shift allows for more granular control over user access. Instead of adding numerous permissions directly to user profiles, permission sets provide a modular approach to access management. You can think of them as building blocks that can be combined to create complex sets of permissions. Moreover, permission set groups introduce the concept of "muting," which enables you to remove specific capabilities from a group of users.
The Anatomy of Profiles and Permission Sets
To better understand this concept, let's break it down with a practical example. Imagine you have a Salesforce instance with different types of users, each requiring different levels of access. We'll illustrate this with a demo using a pilot user named Paul and two objects: "View Airports" and "Navigational Aids."
1. Creating a Staff Pilot Profile
Start by creating a minimal access profile for Paul, aptly named the "Staff Pilot Profile." This profile should grant only the bare minimum permissions required.
2. Building Permission Sets
Now, let's create two permission sets:
Permission Set 1: Airport View
Description: View airport data
Permissions: Provide access to the "OA Airports" object, including read access to all its fields.
Permission Set 2: Navigational View
Description: View navigational data
Permissions: Grant access to the "OA Navigational Aid" object, along with read access to all its fields.
3. Creating a Permission Set Group
Next, form a permission set group called the "Pilot Group." This group will consist of the two permission sets we created earlier, "Airport View" and "Navigational View."
4. Muting Permissions
Here comes the magic of muting. We can use a muting permission set inside the group to subtract specific capabilities. In our case, we want to remove access to the "File Name" field within the "Navigational Aid" object.
This muting permission set is specific to the "Pilot Group" and can't be shared or created in advance.
User Assignment and Expiration
Now that we have our permission sets and groups in place, we can assign them to users. In this demo, we assign Paul the pilot to the "Pilot Group." But there's more to it.
You can control the assignment duration by setting an expiration date. This means you can grant time-based access to users and have the permission set group assignment automatically removed when it expires.
The Result
As a result, when Paul the pilot logs in, he sees two tabs: "OA Airports" and "OA Navigational Aid." However, notice that the "File Name" field, which was muted, is no longer accessible. This demonstrates how permission sets and permission set groups can offer fine-grained control over user capabilities.
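The demo's access logic modelled in Python, as an added example that is not part of the original post and is not Salesforce code: permissions are plain strings, the "Name" fields and all dates are constructed, and an assignment is assumed to stay active through its expiration date. It goes one step beyond the demo by showing that a mute only subtracts from what the group grants, so the same permission set assigned directly to Paul brings the "File Name" field back.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed permission strings; "Name" fields and all dates are made up for this model.
FILE_NAME = "read:OA Navigational Aid.File Name"

@dataclass(frozen=True)
class PermissionSet:
    name: str
    perms: frozenset

@dataclass(frozen=True)
class PermissionSetGroup:
    name: str
    members: tuple
    muted: frozenset = frozenset()

    @property
    def perms(self):
        # Union of every member set, then subtract whatever the group mutes.
        granted = frozenset().union(*(ps.perms for ps in self.members))
        return granted - self.muted

@dataclass(frozen=True)
class Assignment:
    grant: object                    # a PermissionSet or a PermissionSetGroup
    expires: Optional[date] = None   # assumption: active through this date, inclusive

def user_access(profile_perms, assignments, today):
    """Profile baseline plus every unexpired assignment; access is purely additive."""
    access = set(profile_perms)
    for a in assignments:
        if a.expires is None or today <= a.expires:
            access |= a.grant.perms
    return access

AIRPORT_VIEW = PermissionSet("Airport View", frozenset(
    {"read:OA Airports", "read:OA Airports.Name"}))
NAV_VIEW = PermissionSet("Navigational View", frozenset(
    {"read:OA Navigational Aid", "read:OA Navigational Aid.Name", FILE_NAME}))
PILOT_GROUP = PermissionSetGroup("Pilot Group", (AIRPORT_VIEW, NAV_VIEW), frozenset({FILE_NAME}))

if __name__ == "__main__":
    paul = [Assignment(PILOT_GROUP, expires=date(2030, 1, 31))]
    print(sorted(user_access(set(), paul, date(2030, 1, 15))))   # File Name muted
    print(sorted(user_access(set(), paul, date(2030, 2, 1))))    # assignment expired
    # The mute is scoped to the group: a direct assignment of the same set restores the field.
    paul.append(Assignment(NAV_VIEW))
    print(FILE_NAME in user_access(set(), paul, date(2030, 1, 15)))
```

When reviewing a real org, this is why a muted field still has to be checked against the user's profile and any permission sets assigned outside the group.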
Conclusion
In conclusion, Salesforce profiles should be designed primarily for authentication and access, while permission sets and permission set groups should be organized functionally. This approach allows you to manage user capabilities more effectively and maintain a well-structured system.
With the power of permission sets and muting, you can easily tailor user access to specific needs, creating a more secure and efficient Salesforce environment.
Thank You
I hope this blog post has shed light on the capabilities of profiles, permission sets, and permission set groups.
Stay tuned here on www.SteveTechArc.com and to the @SteveTechArc YouTube channel.
Helping change the world by sharing cool thoughts with fellow Architects and those on their Architect Journey!
STA 4.3