Managing users is a crucial skill for Salesforce Admins, involving ensuring proper data access and addressing security concerns. Admins safeguard confidential data by limiting access to users who require it for their tasks.
To ensure long-term efficiency, create a user management plan. Protect your data by allowing users access only to the specific information they need. Assigning correct profiles, roles, and data access enhances system flexibility for the future.
Follow the principle of granting access based on job requirements. Implement this using profiles, permission sets, and permission set groups.
Key Steps for Managing Users in Salesforce:
- Create Logins: Learn to generate usernames and login accounts. Implement Multi-Factor Authentication (MFA) for enhanced security. User Management Module on Trailhead
- Assign Profiles: Start by assigning minimal access profiles when granting user access.
- Enhance Object Access with Permission Sets: Use permission sets to grant access to objects beyond profile settings. Explore bundle sets with the Permission Set Groups module on Trailhead.
- Role Assignment for Record Access: Create a role hierarchy to mirror your team structure. Assign roles to provide easier access to records within teams.
- Determine and Grant Data Access: Ensure effective data access with organization-wide defaults and sharing rules for teams with varying data protection needs.
The Future: Security Model Driven by Permission Sets and Groups
To give users access, start with a low access profile, then use permission sets and permission set groups to grant more access based on their roles. This way, you can customize permissions without making many profiles, and reuse them easily. Even though profiles still have permissions for now, it is better to use permission sets to manage security. Although the End of Life (EOL) enforcement for permissions on profiles is paused, a security model led by permission sets is recommended over profiles. Next, let’s learn how to create good permission sets and groups, and what to put in a profile or a permission set.
This outlines what information is appropriate for a profile and what should be included in a permission set.
Permission Sets | Profiles |
System & Custom Permissions | Minimum Access |
Object & Field Permissions | Defaults(RecordTypes,Apps) |
Connected App, Apex Classes & VF pages access | Page Layout Assignment |
Apps, Tab settings & Record Types(no defaults) | Login Hours/IP Ranges |
Organizing Permission Sets and Permission Set Groups
Permission sets offer excellent reusability in a permission set-led model, aligning with our desire for technology efficiency. Consider the example of “Opportunity Access.” Create a comprehensive permission set covering all Object CRUD for opportunities, enable all fields for field-level security (simplified with the Winter ’24 Release), and include relevant apps, record types (non-defaults), user permissions, and custom permissions related to opportunities.
Some admins believe they must create multiple versions of the same permission set to manage diverse access levels, which can become challenging. Great news! You don’t need to go through it all. Use permission set groups with a muting feature to easily give the same “Opportunity Access” permissions to different groups.
Conversion from Profiles to Permission Sets and Permission Set Groups
Moving from profiles to permission sets and groups is pivotal for refining your security model. If your organization is new to this shift, start by documenting user personas and aligning them with permission sets. Use user access policies for seamless migration and adhere to best practices like clear naming, Assignment Expiration, custom report types, and custom permissions over profiles in formulas. For those familiar with the dev console, querying user access control is a viable option, streamlining the transition effectively.
SELECT Id, SObjectType, PermissionsRead, PermissionsCreate FROM ObjectPermissions where SObjectType = ‘Opportunity’
Salesforce Future Ideas:
Salesforce is working on implementing user-suggested ideas. Vote for essential ideas related to access summary on the user and managing object CRUD access in Object Manager.
Vote for Access Summary Idea
Vote for Object Access in Object Manager Idea
As Salesforce evolves, actively participate in the community, provide feedback, and vote on enhancements. By adopting best practices, admins can navigate the dynamic landscape of Salesforce user management with confidence.