permission set group assignment query

Jenwlee's Salesforce Blog

Sharing my love for salesforce with my #ohana, permission set group assignment automation.

JoinaGroup

Salesforce released permission set group assignments as a generally available feature in Spring '20.

What are permission set groups, you ask? You can group permission sets based on user roles using Permission Set Groups for easier user permission management.

Traditionally, you would assign users to individual permission sets. If a group of users should have the same permissions, you would need to assign each permission set to each individual user.

CurrentStatePermSets

With permission set groups, you can group one or more permission sets together and assign a group of users to a group of permission sets. This allows for easier security permissioning. As you add or remove permission sets from a permission set group, all the users assigned to the permission set group would receive the same set of permission sets.

FutureStatePermSetsGroups

With defined business rules, you can automate the assignment and removal of a permission set group assignment to your business users.

Here are a few lessons learned from implementing this use case:

  • Learn how to automate permission set group assignment or removal using defined business rules.
  • Learn how to invoke flow from process builder.
  • Provide descriptions wherever Salesforce provides a description field. This may be a tedious step, I know, but your future self will thank you when you are trying to remember what you configured, and it will help other/future admins when troubleshooting or enhancing what was built. This includes variables, the purpose of a flow, what each flow element does, etc.

Business Use Case: Addison Dogster is the system administrator at Universal Containers. Security is a big deal and she wants to ensure that users have least privilege access, meaning they only have enough access needed to perform their jobs. Also, if a group of users requires the same set of permissions above what is granted through their profile, she’d like some assurance that the same set of perm sets is given to everyone in the group.

Solution: Addison had used process builder and flow builder in the past to build automation that systematically assigns and removes a permission set to/from a user. She wondered if she could do the same thing with permission set groups.

Let’s see if it’s possible. But first, she needs to understand the data structure of permission set groups as it relates to the user and permission sets.

Addison creates a permission set group, “Jen Test PSG,” assigns a couple of permission sets – “Export Reports” and “Edit Accounts” – to the permission set group, and then assigns the permission set group to herself. Then she exports the records from the following objects using Data Loader (version 45.0 and higher):

Note: You must check “Show all Salesforce objects” to see these objects.

DataLoader.JPG

Permission Set Group (PermissionSetGroup) – This is the object that holds the high level set up of a permission set group. In this object, you can get the Permission Set Group Developer Name (DeveloperName) and Permission Set Group Id (Id).

PermissionSetGroup.JPG


Permission Set Group Component (PermissionSetGroupComponent) – This is a junction object that relates the PermissionSetGroup and PermissionSet objects via their respective IDs; enables permission set group recalculation to determine the aggregated permissions for the group. In this object, you can see the related permission set group (PermissionSetGroupId) and the permission sets associated to it (PermissionSetId).

PermissionSetGroupComponent.JPG

Permission Set (PermissionSet) – Represents a set of permissions that’s used to grant more access to one or more users without changing their profile or reassigning profiles. PermissionSet has a read-only child relationship with PermissionSetGroup. Here, important fields are the permission set name (Label), permission set type (Type – “Group” represents permission set group and “Regular” represents a permission set),

PermissionSet.JPG

Permission Set Assignment (PermissionSetAssignment) – Represents the association between a User and a PermissionSet (which can be a permission set or permission set group). Here, the important fields are the assigned user (AssigneeId), the permission set the user is assigned to (PermissionSetId) and the Permission Set Group the user is assigned to (PermissionSetGroupId).

PermissionSetAssignment.JPG

When Addison looks at the permission set assignment data, she sees that her userId (0056g000005J8PgAAK) is assigned to two permission sets, one of which corresponds to a permission set group. But when she looks at her user record, she only has the one permission set group and no permission sets assigned. So, what is this mystery permission set?

Addison enters the permission set id “0PS6g000003qnrAGAQ” into the URL after https://servername.salesforce.com/ or https://mydomainname.my.salesforce.com/ to see what this permission set is. She gets the following error.

“Insufficient Privileges

You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. For more information, see  Insufficient Privileges Errors .”

Interesting. This must be some sort of system generated/owned permission set.

She noticed that when she went back to the Setup Home, there are two Jen Test PSG’s listed in her Most Recently Used list:

SetupAudit.JPG

It appears that when a new permission set group is created, there is a system generated permission set created with the same permission set group name.
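The four exports can be joined offline to see which permission sets each user really holds and through which group. The script below is an added example, not part of the original post; the CSV rows and record ids are constructed, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real org data). Columns are the fields named above.
PERMISSION_SET_CSV = """Id,Label,Type
0PS000000000001AAA,Export Reports,Regular
0PS000000000002AAA,Edit Accounts,Regular
0PS000000000003AAA,Jen Test PSG,Group
"""
PERMISSION_SET_GROUP_CSV = """Id,DeveloperName
0PG000000000001AAA,Jen_Test_PSG
"""
COMPONENT_CSV = """PermissionSetGroupId,PermissionSetId
0PG000000000001AAA,0PS000000000001AAA
0PG000000000001AAA,0PS000000000002AAA
"""
ASSIGNMENT_CSV = """AssigneeId,PermissionSetId,PermissionSetGroupId
005000000000001AAA,0PS000000000003AAA,0PG000000000001AAA
005000000000002AAA,0PS000000000002AAA,
"""


def load(text):
    """Parse one Data Loader style export into a list of dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(text)))


def system_generated_sets(perm_sets, assignments):
    """Map each assigned group id to the Type 'Group' permission set behind it.

    This is the 'mystery' permission set that shows up in PermissionSetAssignment
    but not on the user record.
    """
    ps_type = {r["Id"]: r["Type"] for r in perm_sets}
    return {
        a["PermissionSetGroupId"]: a["PermissionSetId"]
        for a in assignments
        if a["PermissionSetGroupId"] and ps_type.get(a["PermissionSetId"]) == "Group"
    }


def effective_permission_sets(perm_sets, groups, components, assignments):
    """Return {user id: sorted [(permission set label, 'direct' or group name)]}."""
    label = {r["Id"]: r["Label"] for r in perm_sets}
    group_name = {r["Id"]: r["DeveloperName"] for r in groups}

    # PermissionSetGroupComponent is the junction: group id -> member permission sets.
    members = defaultdict(list)
    for row in components:
        members[row["PermissionSetGroupId"]].append(row["PermissionSetId"])

    result = defaultdict(set)
    for a in assignments:
        user, ps_id, psg_id = a["AssigneeId"], a["PermissionSetId"], a["PermissionSetGroupId"]
        if psg_id:
            # Group assignment: expand to the member permission sets.
            for member in members.get(psg_id, []):
                result[user].add((label.get(member, member), group_name.get(psg_id, psg_id)))
        else:
            # Blank PermissionSetGroupId: the permission set was assigned directly.
            result[user].add((label.get(ps_id, ps_id), "direct"))
    return {user: sorted(rows) for user, rows in result.items()}


def audit():
    """Run the join over the constructed exports."""
    return effective_permission_sets(
        load(PERMISSION_SET_CSV),
        load(PERMISSION_SET_GROUP_CSV),
        load(COMPONENT_CSV),
        load(ASSIGNMENT_CSV),
    )


if __name__ == "__main__":
    for user, rows in audit().items():
        print(user, rows)
```

The result lists permission sets, not the individual permissions inside them, so it shows who got what through which group rather than the aggregated access.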

Now that we understand the data relationship between permission set group, permission set and permission set assignment, we can move on to automating the assignment/removal of a permission set group, using a flow which will look like this:

AssignorRemoveUserfromaPermissionSetGroup.JPG

Steps: 

1. Let’s create the flow. For those using Salesforce Classic, flow can be found in Create | Workflows & Approvals | Flows. In Lightning Experience, it is found under Process Automation | Flows.

A. Let’s create our flow resources. Go to the Manager tab, click on the New Resource button.

Best practice tip: Provide a description so you and other/future admins know what this flow resource is used for.

Let’s create a text variable called “varUserId” that will store the userId of the user who will either be assigned a permission set group or removed from one.

  • Resource Type: Variable
  • API: varUserId (I like starting any variables with “varXXXX”)
  • Data Type: Text
  • Available for input: checked (This will allow a process or flow to send a value into this variable)
  • Available for output: unchecked

Your completed variable should look like this.

varUserId.JPG

Create another text variable called “varPermissionSetGroupDeveloperName” that will store the permission set group developer name that a user will be assigned to or removed from. This will be sent into the flow from a process or another flow. We use the developer name or API name of the component rather than hardcoding the id. Why is hardcoding an id bad, you ask? Check out this posting.

  • API: varPermissionSetGroupDeveloperName (I like starting any variables with “varXXXX”)

varPermissionSetGroupDeveloperName.JPG

Create another text variable called “varPermSetGroupAction” that will store the action to take on the permission set group – “Add” to add a permission set group or “Remove” to remove the permission set group. This string value is passed from a process or another flow.

  • API: varPermSetGroupAction (I like starting any variables with “varXXXX”)

varPermSetGroupAction.JPG

Create another text variable called “varPermissionSetGroupId” that will store the permission set group id.

  • API: varPermissionSetGroupId (I like starting any variables with “varXXXX”)

varPermissionSetGroupId.JPG

Create another text variable called “varUserHasPSG.” If there is a value, this means the user is already assigned to the permission set group. If the variable is null, this means that the user is not already assigned to the permission set group.

  • API: varUserHasPSG (I like starting any variables with “varXXXX”)

varUserHasPSG.JPG

B. First, drag the Get Records flow element to the canvas so we can get the permission set group id based on the permission set group developer name. Best practice: do not hardcode ids in components – declarative or code. You are going to query the Permission Set Group object using the developer name to get the id.

Label: Get PSG Id

Object: Permission Set Group

Filter the Permission Set Group Records by DeveloperName Equals {!varPermissionSetGroupDeveloperName}.

How Many Records to Store: Only the first record

For the “How to Store the Data” option, I chose to use “Choose fields and assign variables (advanced)” because I only care about one field but you can use the first two options as well. It’s just a preference thing in this case.

Where to Store Field Values: In separate variables

Select Variables to Store Permission Set Group Fields: Id to {!varPermissionSetGroupId}

When no records are returned, set specified variables to null: Checked

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Your completed Get Records flow element looks like this.

AssignorRemoveUserfromaPermissionSetGroup-GetRecords.JPG

C. Drag another Get Records flow element to the canvas so we can query the permission set assignment object to see if the user is assigned to the permission set group.

Label: Lookup permission set assignment

Object: Permission Set Assignment

Filter the Permission Set Assignment Records that meet these conditions:

  • AssigneeId equals {!varUserId}
  • PermissionSetGroupId equals {!varPermissionSetGroupId}

Select Variables to Store Permission Set Assignment Fields: AssigneeId to {!varUserHasPSG} (Note: It doesn’t really matter what field from the record you take as a value to store in the variable. Just choose a text one.)

AssignorRemoveUserfromaPermissionSetGroup-GetRecords1.JPG

D. We will use a Decision flow element to determine if the user is already assigned to the permission set group and the action (add or remove the permission set group) that needs to happen.

Label: Is User Already Assigned?

For the “Add to PSG – Not Assigned” outcome, we need to check that the user does not already have the permission set group and the action to take is to “add” the user to the permission set group. We need to do this check because if the user already has the permission set group, we can’t add another one. Otherwise, the flow will fault: Duplicate record.

When to Execute Outcome: All Conditions are Met

{!varUserHasPSG} Is Null {!$GlobalConstant.True}

{!varPermSetGroupAction} Equals Add

For the “Remove PSG – Assigned” outcome, we need to check that the user already has the permission set group and the action to take is to “remove” the user from the permission set group. We need to do this check because if the user doesn’t have the permission set group, we can’t remove it. If we try, the flow will fault.

{!varUserHasPSG} Is Null {!$GlobalConstant.False} (This is a double negative, which means there is a record.)

{!varPermSetGroupAction} Equals Remove

AssignorRemoveUserfromaPermissionSetGroup-Decision.JPG

E. For the “Remove Permission Set Group” path, our next step is to delete the permission set group assignment for the user. Let’s drag the Delete Records flow element to the canvas. Configure it as follows:

Label: Remove PSG from User

How to Find Records to Delete: Specify conditions

Filter Permission Set Assignment Records when Conditions are Met

  • AssigneeId Equals {!varUserId}
  • PermissionSetGroupId Equals {!varPermissionSetGroupId}

AssignorRemoveUserfromaPermissionSetGroup-DeleteRecords.JPG

F. For the “Add Permission Set Group” path, we want to assign the user to the permission set group. This is done by creating a new permission set assignment record with the user as the assignee and the permission set id as the permission set group id. Let’s drag the Create Records flow element to the canvas and configure as follows:

Label: Assign User to PSG

How Many Records to Create: One

How to Set the Record Fields: Use separate resources, and literal values

Set Field Values for the Permission Set Assignment

AssignorRemoveUserfromaPermissionSetGroup-CreateRecords.JPG

G. Set your flow starting point, and connect the flow elements, fault connectors and outcome connectors to match the below…

AssignorRemoveUserfromaPermissionSetGroup-Connectors.JPG

H. Save/Save As and provide the following properties.

Best practice tip: Provide a description so you and other/future admins know what this flow is used for.

AssignorRemoveUserfromaPermissionSetGroup-Properties.JPG

I. Before you activate your flow, test this by using the Debug button. You will provide three inputs: varPermSetGroupAction (Either put the word “Add” to add the permission set group or “Remove” to remove the permission set group), varPermissionSetGroupDeveloperName (the developer or API name for the permission set group) and varUserId (the id of the user you want to assign to or remove the permission set group from).

Note: Only use the Debug feature in a sandbox as it will update records. Because of this, NEVER use the flow debug function in Production.

J. Click the “ Activate ” button.
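The decision in steps B through F, written out as an added example (not the author's flow or code) and generalized from one user to a batch: it plans which PermissionSetAssignment rows to create or delete from two constructed exports. The function names are hypothetical, and the AssigneeId/PermissionSetGroupId pair on new rows is an assumption that mirrors the lookup filter in step C.

```python
import csv
import io

# Constructed sample exports (not real org data).
PERMISSION_SET_GROUP_CSV = """Id,DeveloperName
0PG000000000001AAA,Sales_Processing
"""
ASSIGNMENT_CSV = """Id,AssigneeId,PermissionSetId,PermissionSetGroupId
0Pa000000000001AAA,005000000000001AAA,0PS000000000003AAA,0PG000000000001AAA
0Pa000000000002AAA,005000000000002AAA,0PS000000000003AAA,0PG000000000001AAA
0Pa000000000003AAA,005000000000002AAA,0PS000000000009AAA,
"""


class UnknownGroupError(LookupError):
    """The developer name did not resolve to exactly one permission set group."""


def load(text):
    """Parse one export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def resolve_group_id(groups, developer_name):
    """Step B: look the group up by DeveloperName, never by a hardcoded id."""
    ids = [g["Id"] for g in groups if g["DeveloperName"] == developer_name]
    if len(ids) != 1:
        # Guard added in this example: stop here rather than carry an empty
        # group id into the filters used by the later steps.
        raise UnknownGroupError(developer_name)
    return ids[0]


def plan_changes(groups, assignments, developer_name, requests):
    """Steps C to F for many users at once.

    requests maps user id -> "Add" or "Remove" (the varPermSetGroupAction values).
    Returns rows to create, assignment ids to delete, and users left unchanged.
    """
    psg_id = resolve_group_id(groups, developer_name)

    # Step C: only rows for this group count. Directly assigned permission sets
    # (blank PermissionSetGroupId) are never candidates for deletion.
    current = {
        a["AssigneeId"]: a["Id"]
        for a in assignments
        if a["PermissionSetGroupId"] == psg_id
    }

    plan = {"create": [], "delete": [], "noop": []}
    for user_id, action in requests.items():
        if action not in ("Add", "Remove"):
            raise ValueError("unknown action for %s: %r" % (user_id, action))
        assigned = user_id in current
        if action == "Add" and not assigned:
            # Step F: a second row for an assigned user would fault as a duplicate.
            plan["create"].append({"AssigneeId": user_id, "PermissionSetGroupId": psg_id})
        elif action == "Remove" and assigned:
            # Step E: delete only the row that ties this user to this group.
            plan["delete"].append(current[user_id])
        else:
            # Already in the requested state: nothing to do, nothing to fault.
            plan["noop"].append(user_id)
    return plan


if __name__ == "__main__":
    print(plan_changes(
        load(PERMISSION_SET_GROUP_CSV),
        load(ASSIGNMENT_CSV),
        "Sales_Processing",
        {"005000000000003AAA": "Add", "005000000000002AAA": "Remove"},
    ))
```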

Next, you can create either a process or a flow that, based on certain conditions, invokes this flow and sends values into the same three flow input variables used in Step I (the Debug step). We will not go through the steps for creating that process or flow.

In Process Builder, this is an example of how you would invoke the flow created…

Process-InvokeFlow.JPG

In a flow, you would invoke the flow created as a subflow. Here is an example of that subflow.

Subflow.JPG

Now, before you deploy the changes to Production, don’t forget to test your configuration changes.

Deployment Notes/Tips:

  • Flows (and processes) can be deployed to Production in a change set (or can be deployed using a tool such as Metazoa’s Snapshot).
  • You will find the flows and/or a process in a change set under the Flow Definition component type.
  • Activate the flow and process post deployment as flows deploy inactive in Production, unless you have opted in on the Process Automation Settings screen, to “Deploy processes and flows as active.” NOTE: With this change, in order to successfully deploy a process or flow, your org’s Apex tests must launch at least 75% of the total number of active processes and active autolaunched flows in your org.


Create a Permission Set Group

After completing this unit, you’ll be able to:

  • Create a permission set group.
  • Assign users to a permission set group.
  • Analyze existing profiles and permissions and develop a model that includes permission set groups.


Before you start creating a permission set group, let’s analyze the business needs. The VP of sales, E.J. Agarwal, needs team members to perform certain tasks as part of the sales orders processing function. E.J. says that some sales staff need permissions to make changes to orders, and other sales staff members need to make changes to both orders and contracts. 

Create a couple of permission sets based on tasks. Then include them in a permission set group that focuses on the job function that E.J.’s users perform. 

“Wait,” you think. “How does this save me time if I’m still creating new permission sets?”

Fair question, but remember: You can reuse permission sets! When you group these permission sets for E.J.’s requirements, you retain the ability to assign the individual permission sets to other groups as needed.

In other words, you avoid creating a unique permission set just for E.J., yet you can tailor the permission set group according to his needs. Create two custom permission sets.

| Permissions | User Group 1 | User Group 2 | Permission Set |
|---|---|---|---|
| Activate orders | Yes | Yes | Sales Orders |
| Read orders | Yes | Yes | Sales Orders |
| Create orders | Yes | Yes | Sales Orders |
| Edit orders | Yes | Yes | Sales Orders |
| Delete orders | Yes | Yes | Sales Orders |
| Read contracts | No | Yes | Sales Contracts |
| Create contracts | No | Yes | Sales Contracts |
| Edit Contracts | No | Yes | Sales Contracts |
| Delete Contracts | No | Yes | Sales Contracts |

Launch your Trailhead Playground now to follow along and try out the steps in this module. To open your Trailhead Playground, scroll down to the hands-on challenge and click Launch. You also use the playground when it's time to complete the hands-on challenges.

Create Permission Sets

OK, let’s create a permission set for sales orders.  

  • From Setup, in Quick Find type Permission Sets and select Permission Sets.
  • Click New.
  • For Label, enter Sales Orders.
  • For License, keep None.
  • Save the permission set.

Add permission to activate orders.

  • In the Find Settings... box, type Orders and then click Activate Orders.
  • On the App Permissions page, click Edit.
  • Scroll to the Sales section and enable Activate Orders.
  • Save the permission set. A Permission Changes Confirmation box opens. Notice that both Read Order and Edit Order were also enabled. That’s because Order Activation depends on being able to read and edit orders.
  • Save your changes.

Add permission to create and delete orders.

  • In the Find Settings... box, type Orders and then click Orders.
  • On the Object Settings page for Orders, click Edit.
  • Enable the Create and Delete object permissions.

Create the permission set for contracts. 

  • Navigate to the main Permission Sets Setup page. Click New.
  • For Label, enter Sales Contracts.

Add permission to read, create, edit, and delete contracts.

  • In the Find Settings... box, type Contracts and then click Contracts.
  • On the Object Settings page for Contracts, click Edit.
  • Enable the Read, Create, Edit, and Delete object permissions.

Yay! Now you can create a permission set group to contain the two permission sets. 

Create Users

Permission sets and permission set groups are worthless without users. So first, add two users to your org. 

  • In Setup, open Users.
  • Create two users:
      • Eric Jackson:
          • Title: Sales Contracts Manager
          • License: Salesforce
          • Profile: Minimum Access - Salesforce
          • Email: Enter any email address. The Username and Nickname populate automatically.
      • Anuj Singh:
          • Title: Sales Coordinator
          • License: Force.com - Free
          • Profile: Force.com - Free User

Finally, the main event! 

  • From Setup, in Quick Find, type Permission Set Groups and then select Permission Set Groups.
  • Click New Permission Set Group.
  • For Label, enter Sales Processing.
  • Save the permission set group.

Add permission sets to the permission set group.

  • Under Permission Sets, click Permission Sets in Group.
  • Click Add Permission Set.
  • Select Sales Orders and Sales Contracts.
  • Click Add.
  • Click Done.

Ta-da! Your first permission set group, Sales Processing. 

Venn diagram corresponding to the preceding steps to create the Sales Processing permission set group.

Go to your permission set group, and confirm that the group status is Updated. 

If it is, scroll down to Combined Permissions and click Object Settings. Notice that the settings for both the Contracts and Orders objects reflect the access you gave in the two permission sets in the group.

Next you add users to the group. 

  • Return to the Sales Processing permission set group.
  • Click Manage Assignments.
  • Click Add Assignments.
  • Select Eric Jackson and then click Next.
  • Click Assign. A confirmation message states that the permission set group has been assigned to one user.
  • Try to add Anuj Singh. You get an error. Just like with permission sets, you cannot assign a user to a permission set group if their license does not permit the permissions you want to assign.
  • Ignore the message and click Done.

Anuj Singh won’t be added to the group until his license is updated. Licensing requirements remain the same when you work with permission set groups.

Nifty stuff! But there’s more! 

You’ve created a permission set group and experienced some of the power that permission set groups can offer. But what do you do with your existing permission sets and users? You might wonder what to consider as you analyze your org’s assignment structure and prepare to begin using permission set groups. First, remember the principle of least privilege: Users should have the least permissions necessary to do their job. We keep this principle in mind as we work with permission set groups. 

Let’s review the purposes of profiles, permission sets, and permission set groups.

Profiles provide default settings for each user, such as default record type, IP range, and so on. Salesforce recommends using the Minimum Access - Salesforce profile as a best practice for assignment to users. Each user has only one profile.

Permission Sets are collections of settings and permissions. Profiles allow users to perform some tasks, but permission sets allow additional tasks (tasks not enabled by profiles). For example, you can add permissions to create and customize list views, activate contracts, or any number of other permissions. 

Permission Set Groups bundle permission sets together. Users assigned to a permission set group receive the combined permissions of all the permission sets in the group. Permission set groups correspond to the job functions of users. 

With these definitions in mind, let’s revisit the permission set group you created for E.J. The goal was to give sales staff members the ability to perform the Sales Processing job function. 

  • First, we listed the tasks the sales processing job function includes.
      • Activate orders
      • Read, create, edit, and delete orders
      • Read, create, edit, and delete contracts
  • Then we asked, “Can we modify existing permission sets, or do we need to create new ones?” We discovered that we needed to create two new permission sets:
      • Sales Orders
      • Sales Contracts
  • Finally, we checked which users perform the sales processing job function and assigned Eric to the permission set group.

TIP: The permissions you include in the permission sets in your permission set group must align with the tasks that the users perform in their job function. If not, review the job function’s goals. For example, if Eric shouldn’t have the Activate Orders permission, ask if the sales processing permission set group needs this permission. If it does, then check if Eric can be assigned to a different permission set group that's better suited to what he needs to do.

By the way, if you find that you must create a new permission set to include in your permission set group, consider how you can use it outside of the group, too. Look at other job functions to see if users need to perform some of the same tasks. You might want to include permission sets in other permission set groups. Use the flexibility of permission sets strategically by modeling your permission sets on the tasks that your users perform. 

If the job function for a permission set group changes, you can update the permission set group. That’s the great thing about permission set groups: they’re easy to adjust. For example, let’s say that you find out people who perform the sales processing job function must also have edit ability on the Opportunities object. Just add a new permission set to the permission set group or add a new permission to an existing permission set in the permission set group.  

Your permission assignment analysis might take some time. The User Access and Permissions Assistant app, available on the AppExchange, can help. The app can help you see what permissions a user has, convert some profiles to permission sets, and more. For example, you might want to grab permissions from an existing profile, then use the app to convert them to a permission set.

When you complete your analysis, you can begin to migrate your profile-based model to the more flexible permission set and permission set group model. 

Look at that! You’ve already created your first permission set group and learned about a tool that can help you analyze your existing permission sets. We’ve covered a lot of material and hope that you see the value that permission set groups offer. However, we aren’t done yet. In the next unit, you learn about the flexibility that muting permission sets can bring to your permission set groups.

  • Salesforce Help : Create a Permission Set Group
  • Salesforce Help :  
  • AppExchange : User Access and Permissions Assistant App

Query Salesforce users and their permission sets (SOQL)

I'm trying to run a SOQL query on Salesforce to get all users and their permission set IDs. It is important that the returned list be by user, not by permission set, meaning if I have 1000 users I will get back 1000 records, and for each record the user attributes like email etc. plus the list of permission set IDs assigned to him.

SELECT+id,PermissionSet.id+FROM+User

I tried finding the relationship field name but I'm not so familiar with Salesforce, please assist.


Yaniv Rozenzweig's user avatar

https://developer.salesforce.com/docs/atlas.en-us.238.0.object_reference.meta/object_reference/sforce_api_erd_profile_permissions.htm

The table you're looking for is PermissionSetAssignment

or bottom-up

eyescream's user avatar

  • thanks this is exactly what i was looking for and it works perfect. i will use the Top-Down. –  Yaniv Rozenzweig Commented Nov 1, 2022 at 3:57
  • what about permission set groups and public groups, how can i add those to the Top-Down –  Yaniv Rozenzweig Commented Nov 1, 2022 at 3:57
  • perm sets assigned as part of the group will be something like select id, (select permissionsetid, permissionsetgroupid from permissionsetassignments) from user . Groups are pain to query, you can't get group assignments top-down, the "relationship name" is not present. You'll need some recursive mess on Group and GroupMember table. Easy when user is added directly as human, painful when he's added indirectly, based on his user role or the fact he's a member of another group... salesforce.stackexchange.com/a/13511/799 may be a start but you won't do it in 1 query –  eyescream Commented Nov 1, 2022 at 8:51
  • what if i need only the direct assignments not indirect, will that help making the query possible for public groups adding to same query? –  Yaniv Rozenzweig Commented Nov 7, 2022 at 7:54
  • Nope, sorry. If you run "describe" (for example in workbench.developerforce.com go to Standard & Custom Objects -> User and view "Child relationships" you'll see that data for GroupMember is incomplete. If the "relationshipName" field isn't present we can't do it as top-down query. compare with what same screen returns for PermissionSetAssignment.AssigneeId child relationship. You'll need multiple requests or ask SF dev to make for you a piece of Apex that would generate simple flat view. Have it exposed as REST service with "@httpget" annotation for example.... –  eyescream Commented Nov 7, 2022 at 11:57
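The top-down query from the comments returns one record per user with the assignments nested underneath. The following is an added example, not code from the thread, that flattens such a response into one row per user; the sample response is constructed and trimmed (no "attributes" keys), the API version is a placeholder, and PermissionSet.IsOwnedByProfile is added to the query so the permission set that belongs to the user's profile can be left out.

```python
from urllib.parse import quote_plus

# The query shape given in the comments, with Email and IsOwnedByProfile added.
TOP_DOWN_SOQL = (
    "SELECT Id, Email, "
    "(SELECT PermissionSetId, PermissionSetGroupId, PermissionSet.IsOwnedByProfile "
    "FROM PermissionSetAssignments) "
    "FROM User"
)

# Constructed sample of a REST query response (not real org data).
SAMPLE_RESPONSE = {
    "totalSize": 3,
    "done": True,
    "records": [
        {"Id": "005000000000001AAA", "Email": "addison@example.com",
         "PermissionSetAssignments": {"totalSize": 3, "done": True, "records": [
             {"PermissionSetId": "0PS000000000010AAA", "PermissionSetGroupId": None,
              "PermissionSet": {"IsOwnedByProfile": True}},
             {"PermissionSetId": "0PS000000000003AAA",
              "PermissionSetGroupId": "0PG000000000001AAA",
              "PermissionSet": {"IsOwnedByProfile": False}},
             {"PermissionSetId": "0PS000000000002AAA", "PermissionSetGroupId": None,
              "PermissionSet": {"IsOwnedByProfile": False}},
         ]}},
        {"Id": "005000000000002AAA", "Email": "eric@example.com",
         "PermissionSetAssignments": {"totalSize": 1, "done": True, "records": [
             {"PermissionSetId": "0PS000000000010AAA", "PermissionSetGroupId": None,
              "PermissionSet": {"IsOwnedByProfile": True}},
         ]}},
        # A parent with no child rows comes back with null, not an empty list.
        {"Id": "005000000000003AAA", "Email": "anuj@example.com",
         "PermissionSetAssignments": None},
    ],
}


def query_path(soql, api_version="56.0"):
    """URL-encode the SOQL the way the question does (spaces become '+').

    api_version is a placeholder; use the version your org exposes.
    """
    return "/services/data/v{}/query?q={}".format(api_version, quote_plus(soql))


def users_with_permission_sets(response, include_profile_owned=False):
    """Return one dict per user, plus the URL of the next page if there is one."""
    rows = []
    for user in response["records"]:
        child = user.get("PermissionSetAssignments") or {"records": []}
        direct, groups = [], []
        for psa in child["records"]:
            owned = (psa.get("PermissionSet") or {}).get("IsOwnedByProfile", False)
            if owned and not include_profile_owned:
                # This row comes from the user's profile, not from an assignment.
                continue
            if psa.get("PermissionSetGroupId"):
                # Assigned through a permission set group.
                groups.append(psa["PermissionSetGroupId"])
            else:
                direct.append(psa["PermissionSetId"])
        rows.append({
            "Id": user["Id"],
            "Email": user["Email"],
            "PermissionSetIds": direct,
            "PermissionSetGroupIds": groups,
        })
    # When "done" is false the response carries nextRecordsUrl for the next batch.
    next_url = None if response.get("done", True) else response.get("nextRecordsUrl")
    return rows, next_url


if __name__ == "__main__":
    print(query_path(TOP_DOWN_SOQL))
    for row in users_with_permission_sets(SAMPLE_RESPONSE)[0]:
        print(row)
```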


Introduction to Permission Set Groups

By Bill Appleton

Permission Set Groups allow Permission Sets to be grouped together and assigned to Users. This technology promises to reduce the dependence on Profiles and provide greater clarity and agility for all permission assignments, because sometimes, Profiles are too big, and Permission Sets are too small.

Profiles Are Too Big

Permission sets are too small, permission set groups are just right.

Your Permission Architecture

So how do we get there.

 Assignment Complexity

Introducing The Next Generation of User Management: Permission Set Groups

Introducing Permission Set Groups

Permission Set Groups is a new feature that allows Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can truly apply role-based access control for managing user entitlements in Salesforce orgs.

Forward Looking Statement: This blog was created to share our product roadmap and contents in this doc contain forward-looking statements about services that are not currently available and may not be delivered. Any decisions, including purchase decisions, of our service should be made based upon features that are generally available.

In the context of permission set groups, a role reflects a job function within a business organization, for example Customer Support or Marketing. Historically, the term role has been used in reference to the built-in “role-based” record access hierarchy. Here, the role is reflected in the naming of the Permission Set Group rather than in an object that represents the role. This should be strongly encouraged as a best practice.

Why is Role-Based Access Control the Best Practice

The essence of role-based access control is to grant permissions based on the roles of individual users. It allows users to have access rights only to the information they need to do their jobs and prevents them from accessing information that does not pertain to their job function. As mentioned above, the role concept in this context does not refer to the Salesforce Role Hierarchy. By roles, we mean the job roles or job functions that a user performs in the organization. For the purpose of this discussion, “role” and “permission set group” are equivalent. The permissions to perform certain jobs are put into specific roles, and through role assignments, users acquire the permissions needed to perform particular system functions for their daily jobs. Since users are not assigned permissions directly, but only acquire them through their membership within a role, management of individual user rights becomes a matter of simply assigning users to the appropriate roles.

How Do Permission Set Groups Represent Roles

Admins are encouraged to create permission sets based on tasks that users regularly perform and to group those task-based permission sets into groups that represent a user’s job role. You can include the same permission set in multiple groups. Updates to a permission set propagate to all permission set groups that the permission set is part of, giving users assigned to the groups the aggregated permissions. ISV partners can package permission sets in groups and allow subscribers to extend the groups with their own local permission sets.

  • Spend two minutes on this walkthrough video (from 2:00 to 3:45) to better understand roles and permission set groups with an example.

We are looking to invest in standard permission set groups (not available yet today) as the out-of-the-box roles that Salesforce defines for typical application use, which will be the counterpart of standard profiles in your org today. For example, an Invoice Manager role for Sales Cloud users, or a Support Center role for Service Cloud users.

Moving Away from Profile

In the above visionary model, the labor of permission management is completely delivered by permission sets and permission set groups. We are discouraging admins from relying on profile for permissions management going forward and encouraging admins to adopt these best practices to provide more scalable and secure configurations while also enabling admins to deliver least privilege (and no more) access rights to end-users.

Profiles today have many constraints due to their one-to-one relationship with the user object and therefore do not provide an appropriate mechanism for scalable permission assignment. Eventually, we want to get to a point where a profile only contains settings that require the one-to-one relationship to users, such as the default page layout assignment.

Migrating Profiles to Permission Sets

We also offer tools to help you with the migration. Check out the Permission Set Helper App on the AppExchange. The app contains a profile converter and a permission analyzer.

Profile Converter

  • Create assignable Permission Sets based on the Profile you selected with one click
  • Reduce administrative overhead in profile and permissions management when switching user licenses
  • Support both standard Profiles and Custom Profiles

Permission Analyzer

  • View a summation of all permissions assigned to a user in one screen
  • View which specific profiles or permission sets contain a permission
  • Keep all data transactions securely within your org and respect data access control

Is It True That Profile Will Be Deprecated?

We have shared the idea of sunsetting permissions on profiles as part of a product roadmap preview, and we are certainly moving in that direction. Releasing Permission Set Groups is indeed a concrete start. However, until we publicly send out the end-of-life announcement, there is no expected timeframe associated with the path. It’s also worth noting that the plan is to get rid of permission management on profiles, since permission sets and groups can deliver it better. The concept of a profile with those 1:1 settings will likely remain.

There are certainly product gaps we, as Salesforce, need to fill to make this change as pain-free for our customers as we can. It will take a long runway to get to the optimal access control model. We will continue to engage with customers to get the requirements around what tools and features they want us to build, incorporating feedback into our future product iterations. Listed below are some significant gaps that have been identified. If your concerns are not yet covered, please feel free to post to the Idea Exchange or discuss with us in the permission set group pilot community group.

  • Allow assignment of FLS to perm set when creating a field
  • Tools to identify where profile is referenced, locating profile names in code and configurations
  • Migration path for profile reference in custom settings
  • Allow permission sets or permission set groups mapping when installing managed package
  • For more info about the feature, check out the Winter ’20 Release Notes
  • Help & Training Help topic
  • Trailhead Module: Data Security

Sharon Liao

Sharon is a product manager for Admin Services at Salesforce.

Query on permission sets held by a user

Does anyone know a basic way that I can run a SOQL query to see which permission sets are attached to users?

We have a rather large issue where a button needs to be on a page layout for a few important users but the rest of the people on the profile should not have visibility or use of this.

I have pushed the idea to have a new profile, but my company is rather large and won't allow it... so I was going to use .js in a button to show the button to the users who should be able to see it and hide it for those who should not be able to see it.

Other ideas are welcome :)

  • custom-button
  • permission-sets

Tim's user avatar

How PermissionSet relates to User is illustrated in this User, Sharing, and Permission Objects ERD.

So for example, this SOQL will list all permission set assignments:

and this will list permission sets for a specific user:

You may wish to add further filtering.

Keith C's user avatar

  • That's PERFECT! –  Tim Commented Apr 2, 2014 at 17:17
  • For some reason the above query is not working in my Sandbox. Any idea? Developer console gives this message "sObject type 'PermissionSetAssignment' is not supported." Thanks –  Hari Commented Apr 30, 2015 at 4:19
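Once permission set groups are in use, a user's permission sets come both from direct assignments and from group membership, so an access review has to expand the groups. The following is an added example, not code from the thread or from Salesforce: it takes rows shaped like the results of queries on PermissionSetAssignment and PermissionSetGroupComponent and reports, per user, each permission set and where it comes from. The row layout, the user, group and permission set names, and the two SOQL strings are assumptions made for illustration.

```python
from collections import defaultdict

# SOQL that could produce the rows below (assumed; adjust to your org and API version).
ASSIGNMENT_SOQL = (
    "SELECT Assignee.Name, PermissionSet.Name, PermissionSetGroup.DeveloperName "
    "FROM PermissionSetAssignment WHERE PermissionSet.IsOwnedByProfile = false"
)
COMPONENT_SOQL = (
    "SELECT PermissionSetGroup.DeveloperName, PermissionSet.Name "
    "FROM PermissionSetGroupComponent"
)

# Constructed sample data: which permission sets each group bundles.
COMPONENTS = [
    {"group": "Sales_Staff", "permission_set": "Manage_Quotes"},
    {"group": "Sales_Staff", "permission_set": "Read_Contracts"},
    {"group": "Support_Center", "permission_set": "Read_Contracts"},
    {"group": "Support_Center", "permission_set": "Case_Escalation"},
]

# Constructed sample data: one row per assignment. "group" is None for a
# direct permission set assignment and the group name for a group assignment.
ASSIGNMENTS = [
    {"user": "Ada", "permission_set": "Sales_Staff_Aggregate", "group": "Sales_Staff"},
    {"user": "Ada", "permission_set": "Read_Contracts", "group": None},
    {"user": "Ben", "permission_set": "Sales_Staff_Aggregate", "group": "Sales_Staff"},
    {"user": "Ben", "permission_set": "Support_Center_Aggregate", "group": "Support_Center"},
    {"user": "Cy", "permission_set": "Case_Escalation", "group": None},
]


def effective_permission_sets(assignments, components):
    """Return {user: {permission_set: {sources}}}; a source is 'direct' or a group name."""
    members = defaultdict(set)
    for row in components:
        members[row["group"]].add(row["permission_set"])

    held = defaultdict(lambda: defaultdict(set))
    for row in assignments:
        if row["group"]:
            # Group assignment: ignore the row's own permission set and
            # expand the group through its components instead.
            for perm_set in members[row["group"]]:
                held[row["user"]][perm_set].add(row["group"])
        else:
            held[row["user"]][row["permission_set"]].add("direct")
    return {user: {ps: set(src) for ps, src in sets.items()}
            for user, sets in held.items()}


def redundant_direct(effective):
    """Direct assignments that a group already grants: candidates for removal."""
    return sorted(
        (user, perm_set)
        for user, sets in effective.items()
        for perm_set, sources in sets.items()
        if "direct" in sources and len(sources) > 1
    )


if __name__ == "__main__":
    report = effective_permission_sets(ASSIGNMENTS, COMPONENTS)
    for user in sorted(report):
        for perm_set in sorted(report[user]):
            print(user, perm_set, sorted(report[user][perm_set]))
    print("redundant direct assignments:", redundant_direct(report))
```
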


COMMENTS

  1. Automate the Assignment and Removal of Permission Set Groups

    Click Edit Assignments. Select the permission set group from the Available Permission Set Groups list to add to the Enabled Permission Set Groups list. Note: The user interface (UI) allows you to assign a permission set group only if it's available in the Available Permission Set Groups list. 6. Click Save.

  2. Permission Set Groups

    With permission set groups, you create a single group based on the tasks that your sales employees regularly perform. You can call it Sales Staff Users. Then, assign the group to the sales employees. The permission set group contains the combined permissions of all three permission sets. Create a Permission Set Group Before you create a ...

  3. PermissionSetAssignment

    DELETE, GET, HEAD, PATCH, POST, Query. Special Access Rules. As of Summer '20 and later, only users who have one of these permissions can access this object: ... The ID of the user access change record related to this permission set or permission set group assignment being revoked. This field is available in API version 57.0 and later. ...

  4. Object Reference for the Salesforce Platform

    MessagingConfiguration. Represents a user's assignment to a permission set or permission set group. This object is available in API version 22.0 and later.

  5. Permission Set Group Assignment Automation

    First, drag the Get Records flow element to the canvas so we can get the permission set group id based on the permission set group developer name. Best practice: do not hardcode ids in components - declarative or code. You are going to query the Permission Set Group object using the developer name to get the id.

  6. Automatically Assign and Remove a Permission Set

    Next, to see if the user is assigned to the permission set, we need to query the Permission Set Assignment object, so we'll once again use the Get Records element. Next, we need to determine whether the Get Records element found a permission set assignment record for that user and permission set, which is done using another Decision element.

  7. Get Started with Permission Set Groups

    With permission set groups, you can bundle permission sets together based on a job function. A permission set group includes all permissions in the permission sets. You can even include a permission set in more than one permission set group. [Alt text: Three individual users with each user assigned to a single permission set group that contains ...

  8. visual workflow

    For our user provisioning (from AD) I want to automate the permission set groups that are assigned to user with a specific function title. What I have found is how to assign a permission set using the Flow Builder (create a record in the object 'Permission Set Assignment'. But I have not been able to find the same for Permission Set Groups.

  9. Create & Assign Permission Set Groups

    Create a Permission Set Group. From Setup, in Quick Find, type Permission Set Groups and then select Permission Set Groups . Click New Permission Set Group . For Label, enter Sales Processing . Save the permission set group. Add permission sets to the permission set group. Under Permission Sets, click Permission Sets in Group .

  10. SOQL query for all user profiles in permission sets

    Permission sets are not related to a profile, then are related to an user via PermissionSetAssignment. Not sure if this SOQL will help you: SELECT PermissionSet.Name, Assignee.Id, Assignee.Name, Assignee.ProfileId. FROM PermissionSetAssignment. WHERE permissionsetid IN ('PERMSET1', 'PERMSET2', ..)

  11. Persmissions required to query Permission sets and Permission set

    At that point, in Workbench we see only custom permission sets and permission set groups. I then applied further permissions described in the permission sets developer API doc at the top of the page in the section Special Access Rules, those are: Manage Session Permission Set Activations; Assign Permission Sets; Manage Profiles and Permission Sets

  12. Query Salesforce users and their permission sets (SOQL)

    Nov 1, 2022 at 3:57. perm sets assigned as part of the group will be something like select id, (select permissionsetid, permissionsetgroupid from permissionsetassignments) from user. Groups are pain to query, you can't get group assignments top-down, the "relationship name" is not present. You'll need some recursive mess on Group and ...

  13. Permission Set Group FAQs

    Yes. However, because the assigned permission set group users receive the permissions in the session-based permission set, the users don't need a session to activate the permissions. You can continue to assign the session-based permission set to users outside of the group. These users still require session activation.

  14. Introduction to Permission Set Groups

    And the web of User Permission Set Assignments can become complex. For example, if you have 1000 Users that need 1000 Permission Sets than you will need one million assignments. Permission Set Groups Are Just Right. Currently in beta release, Permission Set Groups allow any number of Permission Sets to be bundled up with a new name and description.

  15. Assigning permission set to user in apex

    Apex code to Assign Permission Set to Users Created this . Change the query as per requirement and use it , works always . Share. ... Permission set Assign issue for SalesforcePlatform license. 1. ... Is it possible to limit knowledge search results to a data category group in an Experience Site (help center)? 2.

  16. PermissionSetGroup

    The permission set group description. The permission set group name used in the API. Only users with View DeveloperName OR View Setup and Configuration permission can view, group, sort, and filter this field. Indicates whether the permission set group requires an associated active session (true) or not (false).

  17. Report on Custom Permission Set and Permission Set Group Assignments

    Create a new report. Select the custom report type created for custom permission set and permission set group assignments. To see all records, adjust your filters so that Show Me is set to All permission set assignments. Under Columns, select which fields to display. Group rows to help with your analysis.

  18. permission sets

    System.debug(comp.Size()); // confirm that the group components junction object list was configured correctly. //Loop through permissionSet.Name to determine if the user has the permission sets. for ( PermissionSetGroupComponent c : comp ){ System.debug(c.PermissionSet.Name); }

  19. query

    33. Update. Please note that for the running user, you can use the FeatureManagement class: Boolean isEnabled = FeatureManagement.checkPermission('My_Permission_Api_Name'); Surprisingly, I don't think you can do it more simply than the below. Execution. public static List<User> getUsersWithCustomPermission(String name) {. Set<Id ...

  20. Introducing The Next Generation of User Management: Permission Set

    Permission Set Groups is a new feature that allows Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can truly apply role-based access control for managing user entitlements in Salesforce orgs. Forward Looking Statement: This blog was created to share our ...

  21. Metadata API Developer Guide

    Manage Session Permission Set Activations; Assign Permission Sets; To edit this type, users must have the Manage Profiles and Permission Sets permission. Fields. Field Field Type Description; description: string: The permission set group description provided by the permission set group creator. hasActivationRequired: boolean ...

  22. Query on permission sets held by a user

    8. How PermissionSet relates to User is illustrated in this User, Sharing, and Permission Objects ERD. So for example, this SOQL will list all permission set assignments: select Assignee.Name, PermissionSet.Name. from PermissionSetAssignment. order by Assignee.Name, PermissionSet.Name. and this will list permission sets for a specific user:

  23. Permission Set Groups

    Permission Set Groups. To provide Apex test coverage for permission set groups, write tests using the calculatePermissionSetGroup () method in the System.Test class. The calculatePermissionSetGroup () method forces an immediate calculation of aggregate permissions for a specified permission set group. As the forced calculation counts against ...