SFDC Penguin - Access Management: The End of Profiles?

Salesforce provides many tools to control user access. However, ensuring the right level of analysis can be challenging. Equally, Salesforce is striving to reduce reliance on Profiles in favour of Permission Sets and Permission Set Groups. This post outlines key considerations to help you prepare.

Background: Why Access Matters

Managing access rights is essential. Too much access can cause confidentiality issues. In severe cases, it can have reputational and legal implications. Equally, too little access impedes your team’s productivity and adoption. You need to give just enough access for your team to complete their work. This is often termed the ‘Principle of Least Privilege’ (POLP).

Access Tools

In Salesforce, access rights are controlled by a mix of features. In summary:  

  • Profiles:
    • Defined as what a user can ‘do’.
    • A Salesforce user can be assigned a single Profile.
    • Set access to Apps, Tabs, Objects, Record Types & Fields.
    • Set Default App, Page layouts. 
    • Control access to Administrative and App Permissions, etc.
    • Security settings: Login Hours, IP Ranges, access to Apex Classes, Visualforce Pages, etc. 
  • Permission Sets:
    • Provide additional access over a Profile (i.e. expands, not reduces).
    • Unlike Profiles, a user can have multiple Permission Sets.
    • Used to set access rights to Apps, Tabs, Objects, Record Types, Fields, etc. 
    • You cannot set a ‘Default’ app/Page layouts. 
    • Control access to Administrative and App Permissions, etc.
    • Not used for setting Security settings (e.g. Login Hours). 
  • Permission Set Groups:
    • Permission Set Groups bundle Permission Sets (e.g. by Job Role/function).
    • A user can have multiple Permission Set Groups. 
    • A Permission Set Group can contain up to 100 Permission Sets.
    • A Permission Set can be assigned to multiple Permission Set Groups.
    • A ‘Muting’ Permission Set can be used within a Permission Set Group (i.e. to disable a permission granted from a Permission Set within the group).

Alongside this, it is worth considering ‘Roles’. These do not control ‘access’ per se, but do impact data visibility:

  • Roles
    • Typically defined as what you can ‘see’ in Salesforce. 
    • Influences record-level access and visibility via a hierarchy (e.g. a manager being able to see their team member’s records). Impacts reporting and sharing. 
    • Roles are optional, but a user can only have a single Role. 

There are of course more detailed considerations. For example, limits around Permission Sets and Permission Set Groups vary depending on Edition. Regardless, the take-home is that a user’s access rights can be made up from a mix of Profile, Permission Set and Permission Set Groups. Without careful planning or analysis, this can make managing user access challenging.  
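To make that mix concrete, here is an added example (not from the original post or from Salesforce) that models how a Profile, directly assigned Permission Sets and Permission Set Groups combine, including the fact that muting only applies inside its own group. The user, the set and group names, the permission labels and the helper functions are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PermissionSetGroup:
    name: str
    permission_sets: dict                      # permission set name -> set of permissions
    muted: set = field(default_factory=set)    # the group's Muting Permission Set

    def effective(self):
        granted = set().union(*self.permission_sets.values())
        return granted - self.muted            # muting applies inside this group only

def permission_sources(profile, permission_sets, groups):
    """Map each permission the user ends up with to every source that grants it."""
    sources = {}
    def record(label, perms):
        for perm in perms:
            sources.setdefault(perm, []).append(label)
    record(f"Profile:{profile[0]}", profile[1])
    for name, perms in permission_sets.items():
        record(f"PermissionSet:{name}", perms)
    for group in groups:
        record(f"Group:{group.name}", group.effective())
    return sources

def over_privileged(sources, needed):
    """Permissions held but not required for the job: least-privilege review list."""
    return {perm: src for perm, src in sources.items() if perm not in needed}

# Constructed sample user (illustrative names, not a real org)
PROFILE = ("Sales User", {"ViewSetup", "ExportReport"})
DIRECT_SETS = {"Report Builder": {"CreateCustomizeReports", "ExportReport"}}
GROUPS = [PermissionSetGroup(
    "Sales Ops",
    {"Data Loader Access": {"ApiEnabled", "ModifyAllData"},
     "Report Builder": {"CreateCustomizeReports", "ExportReport"}},
    muted={"ModifyAllData", "ExportReport"},
)]
SOURCES = permission_sources(PROFILE, DIRECT_SETS, GROUPS)
NEEDED = {"ApiEnabled", "CreateCustomizeReports"}   # what the job actually requires

if __name__ == "__main__":
    for perm, src in sorted(SOURCES.items()):
        print(f"{perm:24} <- {', '.join(src)}")
    print("Review:", sorted(over_privileged(SOURCES, NEEDED)))
```

Muting removes ModifyAllData entirely because only the group granted it, but ExportReport survives the mute because the Profile and a directly assigned Permission Set still grant it.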

Profiles are not the future...

Profiles are an old piece of functionality. Indeed, when I started using Salesforce in 2010, there were no Permission Sets or Permission Set Groups! However, Profiles are showing their age and do have many limitations. For example: 

  • Inflexibility: The 1:1 assignment (one user assigned a single Profile) is not flexible or scalable. Your future-self will not thank you for creating a new Profile for a single user. Do yourself a favour and do not create any more Profiles than necessary! Read on for more info.
  • Size: Not only is the 1:1 assignment inflexible, Profiles are large/complex. Many different permissions can be packaged in a single Profile. This makes it hard to ensure you are following the POLP! 
  • ‘Creation’: Profiles are not created, they are cloned. If you do not pick wisely, or do not tidy-up after, you can find ‘surprises’ down the line (i.e. access rights you were not expecting being given or missing). 
  • Deployment: Deploying Profiles is often a challenging process. This can also result in ‘surprises’. For example, check out this knowledge article about deploying Profiles via Change Sets.

Fortunately, Permission Sets/Permission Set Groups do not have the same pain points. For this and other reasons:

"We are discouraging admins from relying on profile for permissions management going forward and encouraging admins to adopt these best practices to provide more scalable and secure configurations while also enabling admins to deliver least privilege (and no more) access rights to end-users.

Profiles today have many constraints due to their one-to-one relationship with the user object and therefore does not provide the appropriate mechanism for scalable permission assignment. Eventually, we want to get a point where profile only contains settings that require the one-to-one relationship to users, such as the default page layout assignment."

Indeed, earlier this year the Salesforce Admin Blog provided additional information on when a Permission Set vs Profile should be used:

Figure: What should be in a Permission Set vs Profile. Guidance from Salesforce on what should be included in Permission Sets vs Profiles. Taken from the Salesforce Admin Blog, written by Cheryl Feldman.

The picture is clear. Whilst we do not have a definitive end date for Profiles, their use cases should be limited. They should only be used where Permission Sets are not appropriate (e.g. Page Layout Assignments). However, as with all things Salesforce, use your judgement and tailor to suit your org’s specific needs.

What should I do?

Moving to Permission Sets and Permission Set Groups can seem daunting. However, it will help in the long-run.  

By adopting Permission Sets/Permission Set Groups, you are modularising access rights. Like Lego, you can then build up access rights to suit your users’ needs. This is much harder to do with Profiles.

In the next post, I’ll look at a free tool to help. Stay tuned!

Summary

Managing access rights in Salesforce is essential. Failure to do so can have severe implications. There are various tools for managing access, such as Profiles, Permission Sets and Permission Set Groups. This can create a tapestry of access rights, which is hard to unpick. However, with Salesforce increasingly favouring Permission Sets and Permission Set Groups, it is important to limit use of Profiles. 

In the next post, I shall explore a free tool to help with managing permissions. Thanks for reading!

Bonus Penguin Fact

Now for a Penguin fact! 🐧

Have you ever noticed that the more we speak to someone, the more we sound like them? This could be our tone, accent, etc. An interesting study published last month found evidence that African Penguins (Spheniscus demersus) can exhibit a similar trait. Where Penguins remain in close proximity to each other (e.g. partner or members of the same colony) for a protracted period, their calls become increasingly similar. This is termed vocal convergence. Read more about it here!
