New for the Salesforce Spring‘20 release is Permission Set Groups. A feature intended to deliver value to the Admin, saving us time and making our lives easier.
The general principle is easy enough to understand; you can now bundle up any number of Permission Sets and assign them to Users en masse. There’s a great introduction post on them on Salesforce Ben by Bill Appleton, CTO of Metazoa.
Yet it’s had me asking “Where’s the value?”
Access and security is an essential part of the Admin toolbox. Yet it’s not an area you want to be meddling with on a daily basis. It’s important that your settings and configurations are as stable as possible, as it is this stability that consequently improves security.
A common #AwesomeAdmin task is to update a User to be able to do X. Yet unpicking the access and permissions a User has can be a nightmare, and without careful planning it’s all too easy to fall into a situation where every User has a unique setup, which is difficult and time consuming to maintain.
When an Org’s setup is failing to provide the flexibility to provide different Users with the permissions they need without opening up unnecessary access, then it’s time to review your setup.
Creating Clarity
Firstly, I always refamiliarise myself with the evergreen ‘Who Sees What?’ series on the Salesforce YouTube channel.
Then before getting into Salesforce, it’s always useful to create diagrams to define the setup you’re looking to support.
Begin with the groups of Users that exist in your company, an HR Org Chart can be a great place to start for this. There may be groups of staff who don’t use Salesforce – at least not currently. It can be a good idea to consider how you may support them down the line if asked!
However, we’re not necessarily looking to recreate the HR Org Chart. There will most likely be groups who are differentiated in the Org Chart yet require the same access in Salesforce. Amend the diagram to group people together who have the same base requirements of Salesforce. You’ll likely end up with something akin to this:
Until now it has followed that a good way to support these groups is to have a Profile for each and use Permission Sets to grant individuals within each group with additional functionality. Though if a number of people in a group require the same additions then you had a decision, manage them all separately assigning the multitude of Permissions to each User, or create another Profile bringing together the various Permissions to manage the Users together cohesively. Both approaches have detractions.
The Payoff
Now, Permission Set Groups provide a cleaner solution. For each subset of Users who have common additional needs you can create a Permission Set Group.
You can even go a step further. How different are the Profiles for your ‘base’ groups of Users? It may be possible to isolate the differences and bundle them into a Permission Set Group, enabling your Users to be supported on fewer Profiles.
Fewer Profiles is a good thing because any number of settings may be configured within them, and even if you’re organised enough to have them properly documented then maintaining them can become cumbersome, as Bill’s Blog alluded to.
TLDR
- Profiles are for providing general base permissions for large groups of Users.
- Permission Set Groups are for empowering a subset of Users with the same common additional permissions.
- Permission Sets are for granular control, granting additional permissions to individual Users.
Permission Set Groups can help to reduce the number of Profiles in your Org by making it easier to manage your Permission Sets and their assignments.
This provides a cleaner set of mechanisms for managing Users, improving readability and understanding of access and permissions, empowering #AwesomeAdmin efficiency, increasing stability and therefore enhancing your Org’s security.
I hope this helped shine a light on how best to take advantage of this new feature. If you’ve got any questions or wish to discuss this further then I’m regularly at the Bristol Admin User Group and I am on Twitter @ittooken.
