Skip to main content
SFDC Developers
Admin

Salesforce Permissions U-Turn: Developer and Admin Reactions

Vinay Vernekar · · 5 min read

Salesforce recently announced a significant policy change: the cancellation of the planned retirement of permissions within Profiles. This decision, initially slated for a Spring '26 rollout and established by a January 2023 timeline, has been reversed.

Salesforce stated that customer feedback and identified feature gaps were the primary drivers for this cancellation. However, the broader Salesforce community, including developers, technical architects, and administrators, has had a range of reactions.

Community Sentiment: "Not Surprised"

A prevalent sentiment expressed across the community is a lack of surprise. Many see this as a characteristic Salesforce rollout, acknowledging the complexity involved in such a widespread change.

"Not surprised at all," commented Sanna Siltanen, a Salesforce Solution Architect. "It’s a big mess."

David Lanham, a Salesforce Admin, echoed this feeling, stating, "Not surprised at all! This is pretty typical for Salesforce rollouts. I would imagine this is related to both the on-the-ground reality that many orgs are just not ready for this sort of transition, along with internal resources being shifted towards Agentforce."

Lanham further advised adopting a pragmatic approach for administrators: "As an admin, I would try to ignore this and still treat this as a migration from profile permissions to permission sets."

Skot Nelson, a Salesforce Solutions Architect and Lead, emphasized the continued utility of permission sets: "Permission sets and groups are still better for object permission, especially when combined with user access policies."

Future Implications and Best Practices

Discussions are ongoing regarding the long-term roadmap and optimal next steps. Many believe that while the immediate retirement has been halted, the underlying goal of enhancing permission management remains on Salesforce's agenda.

Louise Lockie, a Salesforce MVP, posited that the retirement is likely still "on the (very) long-term roadmap." She explained, "It is a task which involves so many different departments contributing (or at least bringing their own areas in line) that it became a task too big for a time when (let's face it) 99.9% of SF's efforts are going into Agentforce."

Despite the pause, Lockie highlighted that the shift towards permission sets has already yielded benefits: "What hasn't changed though is that it is best practice, and that everyone who has made the change has a more secure and scalable data access model because of it."

Recommended Strategy: "Permission Set All the Things"

A frequently cited approach for managing permissions moving forward is succinctly put as "Permission set all the things." This strategy involves configuring all necessary permissions via permission sets and permission set groups, rather than relying solely on profiles.

Beech Horn, a Salesforce Technology Manager and Architect, elaborated on this: "Make everything available via a profile configurable elsewhere, then let us assign no profile to users and delete all our profiles in preparation. Also a great time to move from inconsistent metadata where, for instance, permission set XML files don't hold all permission set details."

Simon Whight, Director Analyst of Enterprise Apps at Gartner, offered an perspective that this decision indicates Salesforce's awareness of customer challenges:

"The challenge is that permission modernization is often difficult to justify as a standalone initiative. Profiles become deeply embedded across an org over many years, and transitioning to a more permission-set-centric model can require significant analysis, testing, and change management. For many enterprises, this can represent months of work with little immediately visible business impact, making it a difficult investment to prioritize against revenue-generating or transformational projects. In that context, extending the deadline appears to acknowledge the realities facing larger enterprises."

Prioritizing Security

Regardless of the chosen approach to permission management, security remains paramount. Whight stressed that organizations should view profile remediation as part of a broader platform security and governance strategy.

"In client conversations, security remains a consistent concern, but discussions tend to focus on broader strategic issues such as governance, risk management, AI readiness, and overall platform security posture rather than specific remediation activities around profiles and permissions," he noted. "Reducing access-related blast radius should continue to be a priority for organizations seeking to improve their security posture."

Salesforce's guidance on this topic can be found within their documentation, aligning with the Shared Responsibility Model.

Key Takeaways

  • U-Turn Acknowledged: Salesforce has reversed its decision to retire permissions from Profiles, citing customer feedback and feature gaps.
  • Community Reaction: Many in the developer, architect, and admin communities are not surprised, viewing it as a complex rollout issue and a potential redirection of resources towards Agentforce.
  • Best Practice Persists: The principle of least privilege remains critical, with permission sets and permission set groups still being the recommended approach for granular access control.
  • Strategic Approach: Treat permission management as part of a broader security and governance strategy, rather than a standalone compliance exercise.
  • Future Outlook: While the immediate retirement is off, the long-term goal of modernizing permission management is likely to persist.

Share this article

Get weekly Salesforce dev tutorials in your inbox

Comments

Loading comments...

Leave a Comment

Trending Now