Spring ’26 Transition from Profiles to Permission Sets: Are You Ready?

By - March 26, 2025

In 2023, Salesforce announced the planned retirement of permissions on Profiles. However, in 2024, they declared they were no longer enforcing the retirement, while still recommending a shift to a permission set-based strategy.  

Numerous blogs and articles, including those from Salesforce Ben and Salesforce Admins, are discussing this topic. You might wonder, “If I can read those other blogs and articles, why should I read this one?” Since this announcement, I have worked with clients to transition their profiles to permission sets and permission set groups efficiently and effectively. This transition not only improves security posture but also reduces vulnerabilities and helps meet compliance requirements and industry regulations. In this blog, I will share my insights and outline strategies for migrating effectively to a permission set-based strategy.

What does this mean?  

Profiles will continue to exist, and each user will still be assigned a profile. However, profiles will only contain defaults such as record types, apps, login and IP ranges, and page layout assignments. 

Here’s where it gets interesting: all object access, field-level security, system permissions, and user permissions will need to be migrated to permission sets. Although the Spring ’26 release no longer enforces this change, we can expect a phased approach similar to previous enforcement notices from Salesforce, such as the one for multi-factor authentication (MFA). Therefore, I recommend starting the transition now to stay ahead of potential changes.

Migrating permissions is no small feat, as translating profiles to permission sets requires careful consideration of your current settings. I recommend doing a full audit and review of those permissions and access policies at the same time, which turns the migration into a larger, phased process. Depending on your organization’s size and user groups, this process can take anywhere from a month to a year. In my experience, many users currently have more access than necessary for their daily duties. Often, that access was granted to resolve a time-sensitive issue, and the full problem and proper resolution were never investigated and implemented. There is no better time to review and resolve these issues than when you’re already knee-deep in permissions migration.

Based on your Salesforce org edition, you’ll need to adjust your strategy to stay within your org’s limit on permission sets. You can find that limit here. Your overall strategy will be a combination of the three parts below.  

Strategy Part One: Assign a single permission set to each persona, such as Sales Leadership or Customer Service Agent. This strategy ensures that each persona has exactly the level of access they need, which can be adjusted at any time without affecting other personas. However, a downside is that if you need to change a permission for everyone, you’ll have to update every permission set.

Strategy Part Two: Use cloud/feature-based permission sets, like Sales Cloud Access or Service Cloud Access. This approach is ideal for large groups of users who need the same access to a specific feature.

Strategy Part Three: Create modular or reusable permission sets based on specific access needs and assign them to Permission Set Groups according to persona or business function. This is where you’ll invest the most time and effort, and it can generate many permission sets.

Remember, these strategies are not mutually exclusive. I highly recommend combining them to provide the right level of access for each user.

You can think of these strategies as the layers of a cake: start with the cloud/feature-based permission set as the sponge (the more clouds/features, the more layers), frost it with the persona-based permission sets (you only need one), and decorate with the modular permission sets (like sprinkles, strawberries, candy).

The initial design and effort may feel overwhelming, and it might seem like you’re creating too many permission sets, leading to a potential maintenance nightmare. However, I assure you that the upfront effort is worthwhile for the long-term maintenance and scalability benefits. If you need to update object access, you can quickly review and adjust access in a few permission sets rather than across multiple profiles. Are you creating new fields? Again, you’ll only need a handful of permission sets at most to grant read and edit access. Triaging why a user does or doesn’t have access? In an efficient design, there should only be a couple of permission sets granting access. If there are conflicts, you’ll be able to respond and resolve issues more quickly.
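To make the audit and triage described above concrete, here is an added example (not code from the original post or from Salesforce). It works on constructed rows shaped like exports of the ObjectPermissions and PermissionSetAssignment objects, and reports which object rights a user still receives only through a profile and which permission sets grant a given right. All user and permission set names are hypothetical.

```python
# Added example (not from the original post). Rows are constructed, shaped like
# SOQL exports of ObjectPermissions (Parent.Name, Parent.IsOwnedByProfile,
# SobjectType, Permissions*) and PermissionSetAssignment. Names are hypothetical.
def row(parent, owned_by_profile, sobject, *rights):
    return {"parent": parent, "owned_by_profile": owned_by_profile,
            "sobject": sobject, "rights": set(rights)}

OBJECT_PERMS = [
    row("Sales User (profile)", True, "Account", "read", "edit", "delete"),
    row("Sales User (profile)", True, "Case", "read", "edit", "modify_all"),
    row("Sales Cloud Access", False, "Account", "read", "edit"),
    row("Sales Cloud Access", False, "Opportunity", "read", "edit"),
    row("Sales Leadership", False, "Opportunity", "read", "edit", "delete"),
    row("Temp Fix 2023", False, "Account", "read", "edit", "delete", "modify_all"),
]
ASSIGNMENTS = {  # user -> assigned permission sets, profile-owned one included
    "avery": ["Sales User (profile)", "Sales Cloud Access", "Sales Leadership"],
    "blake": ["Sales User (profile)", "Sales Cloud Access", "Temp Fix 2023"],
}

def sources(user, sobject, right):
    """Triage: every assigned permission set that grants this right."""
    assigned = set(ASSIGNMENTS.get(user, []))
    return sorted(r["parent"] for r in OBJECT_PERMS
                  if r["parent"] in assigned and r["sobject"] == sobject
                  and right in r["rights"])

def profile_leftovers():
    """Migration backlog: object access still carried by a profile."""
    return sorted((r["parent"], r["sobject"]) for r in OBJECT_PERMS
                  if r["owned_by_profile"] and r["rights"])

def unmigrated_for(user):
    """Rights the user gets from the profile alone, with no permission set
    covering them yet. These would be lost if profile permissions went away."""
    assigned = set(ASSIGNMENTS.get(user, []))
    lost = []
    for r in OBJECT_PERMS:
        if r["owned_by_profile"] and r["parent"] in assigned:
            lost += [(r["sobject"], right) for right in r["rights"]
                     if sources(user, r["sobject"], right) == [r["parent"]]]
    return sorted(lost)

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "depends on profile for:", unmigrated_for(user))
        print(user, "Account delete granted by:", sources(user, "Account", "delete"))
```

In this constructed data, the "Temp Fix 2023" set shows the pattern described earlier: a broad grant added to resolve an urgent issue that now masks what the user would otherwise lose.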

How does this affect you?  

Whether you run a boutique company with five users or an enterprise with thousands of users and customers who log in, addressing your security is crucial, especially now.

You might think your business is too small to be a target, but that’s precisely what makes it appealing to hackers. Picture this: a cybercriminal infiltrates the systems of 300 small companies, demanding $1,000 from each to restore access and safeguard their data. Unable to afford the downtime, you and 299 others pay up, allowing the hacker to pocket $300,000. In contrast, a larger company with dedicated recovery teams and data restoration procedures might refuse to pay the $300,000 ransom, leaving the hacker empty-handed. So, who do you think the hacker will target next? The truth is, both small and large businesses face these threats daily. 

Salesforce provides robust data security capabilities, but proper configuration and maintenance are crucial. With an important transition on the horizon, now is the perfect time to evaluate your Salesforce security posture.  

Failing to act could leave your users without access to critical data if permissions are not automatically transferred. Worse yet, your data could be exposed to unauthorized access if not properly secured. Here are some specific risks to consider: 

  • Data Breaches: Without appropriate security settings, sensitive customer information could be accessed by unauthorized users, leading to potential data breaches. 
  • Compliance Violations: Inadequate security measures might result in non-compliance with industry regulations, risking hefty fines and legal consequences. 
  • Operational Disruptions: Misconfigured permissions could disrupt business operations, causing delays and inefficiencies as users struggle to access necessary data. 
  • Reputation Damage: A security lapse can severely damage your organization’s reputation, eroding customer trust and impacting your brand’s credibility. 

Don’t wait – ensure your Salesforce setup is secure today to protect your data and maintain smooth operations. 

How do we transition?  

To ensure a smooth transition from profiles to permission sets while reassessing access needs and securing your org, it’s essential to be thorough and to possess experience and expertise in Salesforce data sharing and privacy. 

While your in-house admin could handle the migration, it’s important to recognize that this is a complex and time-consuming process that requires undivided attention. Tools like the Converter in Setup can assist with one-to-one conversions of profiles to permission sets, excluding the access still retained in profiles. Additionally, there are apps available on AppExchange, such as the User Access and Permissions Assistant, to help evaluate your current permission configurations.

You could choose to do nothing and hope for the best, but I recommend addressing this now. And if you don’t have the necessary expertise, partnering with RSM ensures a professional and efficient transition, minimizing risks and maximizing security. 

Contact our team to learn more!
