
Salesforce Profiles vs. Permission Sets: Why Orgs Delay Migration

Vinay Vernekar · 6 min read

The State of Salesforce Security Models: Profiles vs. Permission Sets

Despite Salesforce's continued guidance toward a Permission Set-centric security model, a significant portion of organizations remain entrenched in legacy Profile-based configurations. Recent survey data indicates that nearly 80% of Salesforce orgs still use Profiles as a primary or significant part of their security structure, even in the absence of an imminent retirement deadline.

This persistent reliance isn't merely a matter of convenience; it represents a growing concern for security posture, technical debt, and readiness for future platform enhancements, including AI-driven features.

Current Community Transition Status

Survey results reveal a community actively engaged in migration, but largely stuck in a transitional phase:

  • 20.5%: Fully transitioned to Permission Sets (or Permission Set Groups) for most permissions.
  • 43.6%: Profiles still play a significant role, indicating a partial migration.
  • 22.7%: Only critical permissions have been moved to Permission Sets.
  • 10.8%: Primarily running on Profiles.
  • 2.3%: Unsure about their current state.

The largest group (43.6%) sits in the "messy middle," managing a mix of Profiles and Permission Sets. This hybrid approach often leads to inconsistent access control, making troubleshooting and auditing complex and increasing the risk of security vulnerabilities.

Enterprise organizations show a higher adoption rate of Permission Sets (26%) compared to smaller organizations (14%), likely due to more established governance and dedicated security teams.

The Root Causes of Profile Dependency

Profiles have long been the foundational element of Salesforce access control. Their initial design, bundling all necessary permissions within a single profile per user, was suitable for less complex orgs. However, as the platform evolved, this monolithic approach led to significant issues:

Permission Sprawl and Technical Debt

When granular access adjustments are needed, the path of least resistance often involves cloning existing Profiles and making minor modifications. This iterative cloning process results in numerous near-identical Profiles, many with obscure naming conventions, making it nearly impossible to audit cleanly or troubleshoot effectively. This "permission sprawl" is a direct contributor to technical debt.

Difficulty Enforcing the Principle of Least Privilege

Only about 20% of respondents effectively enforce the Principle of Least Privilege (PoLP). A Permission Set-led model structurally addresses this by enabling modular, stackable access sets. A minimal baseline Profile can be assigned to users, with granular permissions layered on via Permission Sets, ensuring users have access only to what they strictly need. This model is easier to audit and adjust, and it significantly reduces the risk of accidental over-permissioning.

Obstacles to Permission Set Migration

The migration to Permission Sets is conceptually straightforward, yet several practical factors hinder its completion:

Profile-Related Configurations Beyond Permissions

Profiles are intertwined with numerous org configurations beyond explicit permissions. These include page layouts, login hours, IP ranges, app assignments, and Lightning page assignments. Any migration without careful planning for these dependencies can lead to unexpected breakages and user complaints.

Administrator Burnout and Competing Priorities

Salesforce Administrators are frequently overloaded, with a majority reporting that too much is expected of them and identifying technical debt as their biggest challenge. A comprehensive migration project—requiring meticulous auditing, sandbox testing, and methodical rollout—directly competes with their existing delivery pressures.

Shifting Deadlines and Mindset

Salesforce's initial hard deadline for retiring permissions on Profiles, followed by postponements, fostered a "we'll get to it eventually" mentality. While the deadline is no longer imminent, Salesforce's clear indication of ceasing further development on Profiles signals a definitive direction towards Permission Sets and Permission Set Groups for all future enhancements.

Strategies for a Phased Migration

Approaching the migration incrementally can mitigate the risk of destabilizing the org and consuming all available resources. Consider the following steps:

1. Conduct a Thorough Audit

Before any changes are made, understand the current state of your user profiles and permissions. Identify duplicate Profiles, unused Permission Sets, and inherited configurations. Tools like the User Access and Permissions Assistant on the AgentExchange can assist in this process.

2. Design Around Job Functions with Permission Set Groups

Structure your security model around job functions rather than individual users. Leverage Permission Set Groups to define the access required for roles (e.g., "Sales Rep"). Keep Profiles minimal, primarily for essential settings like login hours and IP restrictions.

3. Automate Assignments with User Access Policies

Utilize User Access Policies (GA in Summer '24) to automate Permission Set assignments based on predefined criteria. This feature, though underutilized, significantly reduces manual effort and minimizes the risk of incorrect provisioning when users are created or change roles.

4. Test Extensively in Sandboxes

Migrate and test changes in sandboxes with a representative sample of users from each role. Migration pitfalls often surface due to specific combinations of Profile, page, and record type, making thorough user testing critical.

5. Integrate Migration into Recurring Projects

Treat permission sprawl as technical debt that accrues over time and should be managed iteratively. Instead of a one-time sprint, incorporate permission cleanup into your regular project cadence. Addressing even one or two Profiles per quarter can lead to a comprehensive cleanup over time.
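The audit in step 1 and the minimal-baseline design in step 2 can be started from exported Profile metadata. The script below is an added example, not code from the article or from Salesforce: it parses Profile XML in the Metadata API (.profile) format, flags near-duplicate Profiles (the cloning sprawl described earlier), and splits every grant into a common baseline (what stays on one minimal Profile) and per-Profile deltas (candidate Permission Sets). The three sample Profiles are constructed inline for illustration.

```python
# Added example, not from the article: audit Profile metadata for permission sprawl.
# Parses Profile XML in the Salesforce Metadata API (.profile) format, flags
# near-duplicate Profiles, and splits grants into a common baseline (the minimal
# Profile) and per-Profile deltas (Permission Set candidates). Sample XML is constructed.
import xml.etree.ElementTree as ET
from itertools import combinations

NS = "{http://soap.sforce.com/2006/04/metadata}"
OBJ_FLAGS = ("allowCreate", "allowRead", "allowEdit", "allowDelete", "viewAllRecords", "modifyAllRecords")

def _obj(name, *flags):  # helper to build a constructed <objectPermissions> element
    return f"<objectPermissions><object>{name}</object>" + "".join(f"<{f}>true</{f}>" for f in flags) + "</objectPermissions>"

def _profile(*parts):  # helper to wrap constructed fragments in a Profile root element
    return f'<Profile xmlns="{NS[1:-1]}">' + "".join(parts) + "</Profile>"

API = "<userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>"

# Constructed sample org: "Sales Rep - Copy" is a clone that gained one extra grant.
SAMPLE_PROFILES = {
    "Sales Rep": _profile(_obj("Account", "allowRead"), _obj("Opportunity", "allowRead", "allowEdit"), API),
    "Sales Rep - Copy": _profile(_obj("Account", "allowRead"), _obj("Opportunity", "allowRead", "allowEdit", "allowDelete"), API),
    "Support Agent": _profile(_obj("Account", "allowRead"), _obj("Case", "allowRead", "allowEdit"), API),
}

def grants(profile_xml):
    """Effective grants as strings, e.g. 'Opportunity:allowEdit' or 'user:ApiEnabled'."""
    root = ET.fromstring(profile_xml)
    out = set()
    for op in root.iter(NS + "objectPermissions"):
        obj = op.findtext(NS + "object")
        out.update(f"{obj}:{f}" for f in OBJ_FLAGS if op.findtext(NS + f) == "true")
    for up in root.iter(NS + "userPermissions"):
        if up.findtext(NS + "enabled") == "true":
            out.add("user:" + up.findtext(NS + "name"))
    return out

def near_duplicates(profiles, max_diff=2):
    """Profile pairs whose grant sets differ by at most max_diff entries (clone candidates)."""
    g = {n: grants(x) for n, x in profiles.items()}
    return sorted((a, b) for a, b in combinations(sorted(g), 2) if len(g[a] ^ g[b]) <= max_diff)

def baseline_and_deltas(profiles):
    """Common grants (keep on one minimal Profile) and each Profile's extras (move to Permission Sets)."""
    g = {n: grants(x) for n, x in profiles.items()}
    base = set.intersection(*g.values())
    return base, {n: s - base for n, s in g.items()}
```

On a real org, replace SAMPLE_PROFILES with the contents of the retrieved .profile files; the baseline becomes the minimal Profile and each delta is a starting point for a job-function Permission Set.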

Key Takeaways

  • The majority of Salesforce orgs still rely heavily on Profiles, hindering effective security management.
  • Permission sprawl leads to auditing difficulties, increased risk, and technical debt.
  • Key migration blockers include Profile dependencies on various org configurations, administrator workload, and past shifting deadlines.
  • A Permission Set-led model inherently supports the Principle of Least Privilege.
  • Phased migration strategies, including auditing, designing around job functions, automating assignments, sandbox testing, and iterative cleanup, are crucial for success.
  • A well-organized Permission Set structure is foundational for integrating future AI capabilities like Agentforce.

Future-Proofing Your Salesforce Org

Migrating from Profiles to Permission Sets is more than a housekeeping task. It's a proactive step towards a robust security foundation, essential for adopting emerging technologies like Agentforce. As AI agents operate within the user's granted permissions, a clean and consistent access control model directly impacts their effectiveness and security. By prioritizing this migration, you're building a solid platform for future innovation.
