Skip to main content
SFDC Developers
Admin

Salesforce Cancels Profile Permission Retirement

Vinay Vernekar · · 4 min read

Salesforce Cancels Profile Permission Retirement

Salesforce has officially rescinded its plan to retire permissions from Profiles. Originally slated for Spring '26, this retirement has been indefinitely postponed. While this decision addresses customer feedback and feature gaps, it does not negate the importance of secure permission management. The principle of least privilege remains the recommended security model, with Permission Sets continuing to be the preferred tool for achieving it.

Background: The Evolving Profile Retirement Timeline

The journey towards retiring permissions from Profiles has been a lengthy and, for many, a frustrating one. Let's recap the key milestones:

  • January 2023: Salesforce initially announced the end-of-life for permissions on Profiles, targeting Spring '26. This gave the ecosystem three years to plan for the transition.
  • 2024: Salesforce softened its stance, announcing that the Spring '26 enforcement date would no longer be mandatory. However, the recommendation for a Permission Set-led security model persisted, with Profiles slated for no new feature investment.
  • Recent Update: Salesforce has now quietly updated its Knowledge articles to confirm the outright cancellation of the retirement plan.

Reasons for the Reversal

The cancellation stems from two primary factors:

  1. Customer Feedback: A significant portion of the customer base pushed back against the retirement, indicating readiness challenges.
  2. Feature Gaps: The tooling and platform functionality were not deemed sufficiently robust to support a seamless, large-scale migration for all organizations.

An SF Ben Admin Survey revealed that only 20.5% of organizations had fully transitioned to a Permission Set-led security model, highlighting the widespread challenge.

Implications for Administrators and Developers

This cancellation presents both challenges and opportunities:

  • Frustration with Roadmap Uncertainty: For those who prioritized migration based on Salesforce's initial timeline, this shift can be disruptive. Development roadmaps and strategic initiatives may have been adjusted based on an assumption that has now changed.
  • Continued Relevance of Permission Sets: The core recommendation to adopt a Permission Set-led model for the principle of least privilege is still valid. Enhancements made in this area are not rendered obsolete.
  • Focus on Security Best Practices: Regardless of Salesforce's specific retirement plans, implementing the principle of least privilege is a fundamental security best practice. Organizations must proactively manage permissions to mitigate risks.
  • Feature Gaps and Workarounds: Certain features, such as Record Type access and App Defaults, have historically posed challenges when migrating from Profiles to Permission Sets. While many capabilities are now unified, these specific gaps may have contributed to the delay and require careful consideration.

What Admins and Developers Should Do Now

Despite the cancellation of the retirement plan, the underlying security objectives remain critical. Administrators and developers should:

  1. Review Current Permission Models: Assess how permissions are currently distributed. Identify any discrepancies between the current state and best practices.
  2. Prioritize Principle of Least Privilege: Continue to leverage Permission Sets and Permission Set Groups to grant only the necessary access. This model enhances security and maintainability.
  3. Address Existing Feature Gaps: For organizations that still rely on Profiles for specific functionalities not yet fully replicated in Permission Sets (e.g., certain Page Layout configurations, Record Type access), explore the most scalable workarounds available.
  4. Maintain Vigilance: Recognize that security is an ongoing process. Do not let the cancellation of this retirement plan lead to complacency. Proactive security architecture is essential to protect against unauthorized access.

Key Takeaways

  • Salesforce has indefinitely canceled the retirement of permissions from Profiles.
  • The principle of least privilege remains the recommended security best practice.
  • Permission Sets and Permission Set Groups are still the preferred tools for implementing least privilege.
  • Organizations should continue to review and optimize their permission models, regardless of Salesforce's retirement timelines.
  • This cancellation highlights the importance of robust tooling and clear communication for platform changes impacting all orgs.

Share this article

Get weekly Salesforce dev tutorials in your inbox

Comments

Loading comments...

Leave a Comment

Trending Now