Salesforce Permission Set Groups

A permission set group streamlines permissions assignment and management. Use a permission set group to bundle permission sets together based on user job functions. Users assigned the permission set group receive the combined permissions of all the permission sets in the group.

Reference: Salesforce 

In two earlier articles, Salesforce Profiles and Salesforce Permission Sets, we found that the Minimum Access - Salesforce profile approach, proposed as a general solution and in particular for the Data Security Trailhead module, can leave us with so many permission sets that managing them becomes a challenge.

It is normal to reach the same conclusion as the Trailhead module Get Started with Permission Set Groups, which says: "... given how quickly permission sets can multiply, you may have wondered how to simplify permission set management ...".

And yes, you are correct 😀, the solution is Permission Set Groups. The main reasons to use them are given in the same Trailhead module:

  • "... permission sets should remain fairly limited —in general, you don’t want a permission set with too many permissions ..." (the reason why you end up with so many permission sets).
  • "... grant the permissions by individually assigning users to permission sets ... is a messy approach and becomes challenging to manage ..." (the reason why you need to create sets or groups of permission sets).

The proposed solution was ...

These were the Profiles and Permission Sets proposed:

| Role | Profile | Permission Set |
|---|---|---|
| VP Human Resources | Department VP - MA | --- |
| Recruiting Manager | Department Director - MA | Position - CREx |
| | | Candidate - xRxx (No SSN) |
| | | Job Application - xREx (No Lookups) |
| | | Review - CREx |
| Recruiter | Department Level 1 - MA | Position - CREx |
| | | Candidate - CREx |
| | | Job Application - CREx |
| | | Review - CREx |
| VP Development | Department VP - MA | --- |
| Director Product Management | Department Director - MA | --- |
| Product Manager | Department Level 1 - MA | --- |
| SW Dev Manager | Department Director - MA | --- |
| SW Engineer | Department Level 1 - MA | Position - xRxx (No min/max pay) |
| | | Candidate - xRxx (No SSN) |
| | | Job Application - xRxx |
| | | Review - CREx |
| Director QA | Department Director - MA | Position - xRxx (No min/max pay) |
| QA Engineer | Department Level 1 - MA | Position - xRxx (No min/max pay) |

And my solution follows this tip in the Trailhead module above: "... we strongly suggest that you limit the permissions within a permission set to a few related tasks ...".

Solution with Permission Set Groups

Again, I usually follow Salesforce recommendations: "... use a permission set group to bundle permission sets based on logical user groups and the tasks users perform ...".

The main task in our Hiring Application, and the one where the user needs the most permissions, is the Recruiter role. The other roles are basically the same permission sets with restrictions, except for the Standard Employee, which is only one Permission Set (go back to Salesforce Profiles and Salesforce Permission Sets and you will understand these roles 😉).

How can we restrict permissions?

As a reminder: a Profile is restrictive and a Permission Set is additive.

We don't want to restrict permissions on our objects by changing the profiles. If you remember, we use only one type of profile, based on the Minimum Access - Salesforce profile, so the profiles already restrict basically everything about our four base hiring objects.

With Permission Set Groups, when you need to restrict something you use Muting Permission Sets ("muting" is a way to disable permissions granted by the Permission Sets in the group).

Then, in the following table, I will propose a solution using Permission Set Groups and Muting Permission Sets.

| Role | Permission Set | Permission Set Group | Muting Permission Set |
|---|---|---|---|
| Recruiting Manager | Position - CREx | Recruiting Manager - PSG | Candidate Muted - xRxx (No SSN) |
| | Candidate - CREx | | Job Application Muted - xREx (No Lookups) |
| | Job Application - CREx | | |
| | Review - CREx | | |
| Recruiter | Position - CREx | Recruiter - PSG | --- |
| | Candidate - CREx | | |
| | Job Application - CREx | | |
| | Review - CREx | | |
| SW Engineer | Position - CREx | Interviewer - PSG | Position Muted - xRxx (No min/max pay) |
| | Candidate - CREx | | Candidate Muted - xRxx (No SSN) |
| | Job Application - CREx | | Job Application Muted - xRxx |
| | Review - CREx | | |
| Director QA | Position - xRxx (No min/max pay) | --- | --- |
| QA Engineer | Position - xRxx (No min/max pay) | --- | --- |

We can see that the Recruiting Manager, the Recruiter, and the Interviewer have the same Permission Sets but their restrictions are controlled by Muting Permission Sets.

The advantage of this is that we manage the user role or function in one place only, the Permission Set Group (the one that is designed to do that 😉).

Comparing the solutions:

  • With Permission Sets only:
    • 8 permission sets
  • With Permission Set Groups
    • 5 permission sets
    • 3 permission set groups
    • 4 muting permission sets (they are managed and take effect only within the scope of their permission set group)
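
The group table above can be checked mechanically: a group's effective access is the union of its permission sets minus what its muting permission sets disable. The Python model below is an added example (not code from Trailhead or Toolsforce); its permission and field names are constructed, and it also shows that a permission set assigned directly to a user, outside the group, is not touched by that group's muting.

```python
# Added example. Permission names are constructed: "<Object>.<C|R|E|D>" for
# object access and "<Object>.<field>" for field access (hypothetical fields).

def grants(obj, crud, fields=()):
    """Build the permission names one permission set (or muting set) covers."""
    return {f"{obj}.{p}" for p in crud} | {f"{obj}.{f}" for f in fields}

# The four base permission sets from the table (CREx on every hiring object).
PERMISSION_SETS = {
    "Position - CREx": grants("Position", "CRE", ["min_pay", "max_pay"]),
    "Candidate - CREx": grants("Candidate", "CRE", ["ssn"]),
    "Job Application - CREx": grants("Job Application", "CRE", ["lookups"]),
    "Review - CREx": grants("Review", "CRE"),
}
BASE = list(PERMISSION_SETS)

# Assumption: a muting set named for its result (e.g. "xRxx (No SSN)")
# disables everything the base set grants beyond that result.
GROUPS = {
    "Recruiter - PSG": {"sets": BASE, "muted": set()},
    "Recruiting Manager - PSG": {"sets": BASE, "muted":
        grants("Candidate", "CE", ["ssn"])
        | grants("Job Application", "C", ["lookups"])},
    "Interviewer - PSG": {"sets": BASE, "muted":
        grants("Position", "CE", ["min_pay", "max_pay"])
        | grants("Candidate", "CE", ["ssn"])
        | grants("Job Application", "CE")},
}

def effective(group):
    """Union of the group's permission sets minus its muted permissions."""
    g = GROUPS[group]
    return set().union(*(PERMISSION_SETS[s] for s in g["sets"])) - g["muted"]

def crud(perms, obj):
    """Render object access in the article's CRED notation, e.g. 'xRxx'."""
    return "".join(p if f"{obj}.{p}" in perms else "x" for p in "CRED")

def user_access(groups=(), direct_sets=()):
    """Muting applies inside a group only; direct assignments add back."""
    perms = set()
    for g in groups:
        perms |= effective(g)
    for s in direct_sets:
        perms |= PERMISSION_SETS[s]
    return perms

if __name__ == "__main__":
    for name in GROUPS:
        print(name, {o: crud(effective(name), o) for o in ("Position", "Candidate", "Job Application", "Review")})
```

When auditing a real org, the same comparison applies: a user's access is the combination of every group and every directly assigned permission set, so a muted permission can reappear through another assignment.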

Permission Set Group Properties

At some point you will need to know all the Permission Set Groups configured in your org and which Permission Sets and Muting Permission Sets they contain ... once again, with Toolsforce you can do that 😉.

Use the PS Groups button in the Profiles & Permission Sets section to create a report like the one below.

Permission Set Groups

Don't wait, download and install the tool, it's free! 😊

