Introduction
Permission Sets in Salesforce are granular access containers that extend a user's access beyond what their Profile provides. They allow administrators to grant additional object, field, app, and system permissions without changing the user's base profile, enabling flexible, least-privilege access management.
Key Concepts
Permission Sets are additive security constructs. Important points:
- They never remove permissions — only add to what a user already has from their Profile.
- A single user can have multiple Permission Sets assigned.
- Permission Sets can be grouped using Permission Set Groups for easier management.
- Some Permission Sets require a specific Permission Set License (PSL) and are limited by license availability.
Where Permission Sets Apply
Permission Sets can grant:
- Object permissions (Create, Read, Edit, Delete, View All, Modify All)
- Field-level security (FLS) for specific fields
- App and Tab access
- Record-level access via sharing rules or permission set-based sharing
- System permissions (e.g., “Manage Public Reports”, “Customize Application”)
Permission Set vs Profile
Understanding differences helps in designing a secure access model:
- Profile: Baseline permissions that every user must have. Every user must be assigned exactly one profile.
- Permission Set: Supplementary permissions assigned in addition to the profile. Users can have zero to many permission sets.
Use Profiles to define broad job-family access and Permission Sets to handle exceptions or temporary needs.
Common Use Cases
- Granting temporary access (e.g., project access, audits) without changing profiles.
- Enabling feature access for a small group of users (e.g., a beta feature or a managed package).
- Applying field-level permissions to specific users.
- Using Permission Set Groups to bundle several Permission Sets for role-based access.
Best Practices
- Keep Profiles minimal and role-oriented; use Permission Sets for exceptions.
- Prefer Permission Set Groups over too many individual Permission Sets to reduce assignment complexity.
- Document Permission Sets and use naming conventions (e.g., “PS: Finance – Edit Invoices”).
- Use assignment automation (Permission Set Assignment in Flow or Apex) for scale.
- Review Permission Set Licenses to avoid assignment failures due to license constraints.
Assigning Permission Sets Programmatically
You can assign a Permission Set to a user using Apex. Example:
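// Look up the Permission Set by its API name
Id psId = [SELECT Id FROM PermissionSet WHERE Name = 'My_Permission_Set' LIMIT 1].Id;
// '005xxxxxxxxxxxx' is a placeholder for the target user's Id
PermissionSetAssignment psa = new PermissionSetAssignment(AssigneeId = '005xxxxxxxxxxxx', PermissionSetId = psId);
insert psa;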
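A bulk-safe variant of the assignment above, added here as an illustration and not code from the original article. It skips users who already hold the Permission Set and reports per-user failures (such as the license constraints mentioned under Best Practices) instead of aborting the whole batch. The class, method, and result names are hypothetical.

```apex
// Added example: PermissionSetAssigner and AssignmentResult are hypothetical names.
public with sharing class PermissionSetAssigner {
    public class AssignmentResult {
        public Set<Id> assigned = new Set<Id>();
        public Set<Id> alreadyAssigned = new Set<Id>();
        public Map<Id, String> failed = new Map<Id, String>(); // userId -> first error
    }

    public static AssignmentResult assign(String permissionSetName, Set<Id> userIds) {
        AssignmentResult result = new AssignmentResult();
        // Query into a list so a missing Permission Set gives a clear error
        // instead of a QueryException. Profile-owned sets are excluded.
        List<PermissionSet> sets = [
            SELECT Id FROM PermissionSet
            WHERE Name = :permissionSetName AND IsOwnedByProfile = false
            LIMIT 1
        ];
        if (sets.isEmpty()) {
            throw new IllegalArgumentException('Permission Set not found: ' + permissionSetName);
        }
        Id psId = sets[0].Id;

        // Skip users who already hold the assignment; a duplicate insert fails.
        for (PermissionSetAssignment existing : [
            SELECT AssigneeId FROM PermissionSetAssignment
            WHERE PermissionSetId = :psId AND AssigneeId IN :userIds
        ]) {
            result.alreadyAssigned.add(existing.AssigneeId);
        }

        List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
        for (Id userId : userIds) {
            if (!result.alreadyAssigned.contains(userId)) {
                toInsert.add(new PermissionSetAssignment(AssigneeId = userId, PermissionSetId = psId));
            }
        }

        // allOrNone = false: one rejected row (for example, no license available)
        // does not roll back the other assignments.
        List<Database.SaveResult> saves = Database.insert(toInsert, false);
        for (Integer i = 0; i < saves.size(); i++) {
            if (saves[i].isSuccess()) {
                result.assigned.add(toInsert[i].AssigneeId);
            } else {
                result.failed.put(toInsert[i].AssigneeId, saves[i].getErrors()[0].getMessage());
            }
        }
        return result;
    }
}
```

Log or review the failed map after each run so that rejected assignments are followed up rather than silently dropped.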
Permission Set Groups
Permission Set Groups let you combine multiple Permission Sets into a single logical bundle that can be assigned together. They support:
- Muting Permission Sets to explicitly remove permissions from the group (use carefully).
- License enforcement for grouped Permission Sets.
Limitations & Considerations
- Permission Sets are additive only; they cannot revoke access granted by a profile.
- The number of Permission Sets per org and per user is limited; check Salesforce documentation for current limits.
- Permission Set Licenses may restrict who can receive certain Permission Sets.
Interview Tip
When answering interview questions, explain Permission Sets with a small example comparing two users: one uses a Profile for baseline access; the other gets additional CRUD or system permissions via a Permission Set for a temporary project. Emphasize administration simplicity, security (least privilege), and scalability using Permission Set Groups.
Summary
Permission Sets are a flexible, powerful way to grant additional permissions in Salesforce without changing profiles. Use them to implement least-privilege access, support temporary access needs, and simplify permission management through Permission Set Groups.