
Technical May 25, 2023

Preparing for the Salesforce User Management Revolution

Author: Leon Bobbitt

Introduction

At TrailblazerDX this year, CapTech learned more about the potential impact permissions changes will have on all new and existing Salesforce implementations. If your organization uses Salesforce, then it is likely that these changes will impact how you manage and provision users.

Below is an overview of Salesforce’s planned changes to the user management process that are expected to go into effect over the next 12 to 18 months. These three changes represent a major shift in how Salesforce user management and provisioning has been implemented in the past. While the removal of permissions from profiles is not expected to take effect until the Spring 2026 release, we recommend preparing a strategy for the big shift now, as well as aligning any current configuration and development with the new policies. 

Removal of Permissions from Profiles

The first big change planned for the Spring 2026 release is the removal of system and object permissions from user profiles. If you have an existing profile-heavy Salesforce org, or are planning a new Salesforce implementation, now is the time to begin thinking about the impact of these changes, specifically around how to best architect profiles, permission set groups, and permission sets in your organization as a whole. 

User Access Policies Generally Available (GA)

As it stands in closed beta, User Access Policies solves a major user provisioning challenge, allowing users to automatically assign (or remove) permission set groups, permission sets, and public groups based on your business logic. This feature should become available within the next 12-18 months and will be a major improvement in how users are managed.

Permission Set User Experience Improvements

To remove barriers in the transition to permission sets, Salesforce is investing in the overall permission set management experience. This includes the following features, which are planned for release within the next three to 18 months:

  • Setting field level security on permissions during field creation
  • Setting permission groups in delegated admin
  • Reporting on permission set assignment in reports and dashboards
  • Displaying the number of permission groups in which a set is included
  • Offering more granular user permissions and investigating ways to split up permissions like "modify all data"
  • Improving permission set views and edit capabilities
  • Improving the record type assignment experience


These enhancements should make the significant move to permission sets more seamless and easier to manage and maintain. While these improvements are not available yet, it is important to be aware of these changes so you can include them in your permissions strategy once they are launched.

Recommendations

While Salesforce continues to prepare for the release of these updates, we recommend taking some time to plan and prepare for the potential impact these changes will have on your business. This process starts with understanding the current state of your user permissions.

Analyze and Map Your Permissions to Personas

To start the analysis, one option is to align your permissions to personas. Defining these personas first will help you organize and review the users that need access to Salesforce. In addition, it is useful to apply a naming convention across the final permission sets and permission set groups. The following is an example structure of permissions aligned to personas:

Example Mapping of various permissions and groups to persona. 

Persona identification is followed by defining the new structure of your permissions. A simple spreadsheet is a useful tool to keep track of the many permissions you will review and how they align to your profiles and permission sets.

Profile Considerations

The considerations below should aid in the creation and reduction of the number of profiles you will need in your updated architecture.

  • Use the “Minimal Access” profile whenever possible. This should be the profile most of your users fall under unless your persona falls into one of the exceptions below:
    • The persona’s default page layout assignment differs from the minimal profile
    • The persona’s default record type assignment differs from the minimal profile
    • The persona has specific login or IP restrictions
    • Other profile-only settings 
  • Ensure no System or Object Permissions are included in your new profiles

Example Persona-based profile for Sales Management vs. Minimal Access profile for the Sales User persona.
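
One way to check the last profile consideration above, as an added example that is not from the original article: the script parses a profile in Salesforce Metadata API XML form and reports any system (userPermissions) or object (objectPermissions) grants that are still enabled. The sample profile is constructed, and the function name audit_profile is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Constructed sample in Metadata API profile format; not a real org export.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges>
    <startAddress>203.0.113.0</startAddress>
    <endAddress>203.0.113.255</endAddress>
  </loginIpRanges>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>true</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>false</viewAllRecords>
    <object>Lead</object>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit><allowRead>false</allowRead>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>false</viewAllRecords>
    <object>Case</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewSetup</name></userPermissions>
</Profile>"""


def audit_profile(xml_text):
    """Return the system and object permissions a profile still grants."""
    root = ET.fromstring(xml_text)
    system = sorted(
        up.findtext("md:name", namespaces=NS)
        for up in root.findall("md:userPermissions", NS)
        if up.findtext("md:enabled", default="false", namespaces=NS) == "true"
    )
    objects = {}
    for op in root.findall("md:objectPermissions", NS):
        granted = [f for f in OBJECT_FLAGS
                   if op.findtext(f"md:{f}", default="false", namespaces=NS) == "true"]
        if granted:  # entries with every flag false grant nothing
            objects[op.findtext("md:object", namespaces=NS)] = granted
    return {"system": system, "objects": objects,
            "clean": not system and not objects}


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Profile-only settings such as the login IP range in the sample are ignored, so a profile that keeps only those settings reports as clean.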



Permission Set Considerations

As you work through each persona, consider a more generalized approach to each permission set by object if possible. Only create persona-based permission sets when a generic permission set or permission set group muting will not suffice.

  • Create object-based generic permission sets with the appropriate CRUD (Create, Read, Update, Delete) access. For example, a subset of the permission sets created for the lead object may be:
    • Lead – Generic Access – Read Only
    • Lead – Generic Access – Read, Create, Edit
    • Lead – Generic Access – Read, Create, Edit, Delete
    • Lead – Generic Access – View All
    • Lead – Generic Access – Modify All
  • Consider creating a persona-based System Permissions permission set. This permission set is only needed if the Minimal Access profile does not provide enough access for the person.
    • System Permissions – Sales


Permission Set Group Considerations

Permission set groups can be aligned to the personas that were defined during the analysis and mapping process.

  • Muting permissions can be used to remove certain permissions from users that are assigned to the permission set group.
    • Lead – Mute – Delete | This permission set mutes (disables) the “delete” access on the lead object.
  • Persona based permission set group
    • Sales Management Persona
      • Assigned Permission Sets
        • Lead – Generic Access – Read, Create, Edit, Delete
    • Sales User Persona
      • Assigned Permission Sets
        • Lead – Generic Access – Read, Create, Edit, Delete
        • Lead – Mute – Delete

Example Sales personas with Profiles, Permission Set Groups, and Permission Sets.
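
The Sales personas above as a small model, added here and not part of the original article: it computes each persona's Lead access from its permission set group and flags a user who regains a muted permission through a direct permission set assignment, since a mute only subtracts inside its own group. The data structures and function names are assumptions of this example; the permission set names are the ones from the list.

```python
RCED = "Lead – Generic Access – Read, Create, Edit, Delete"
MUTE_DELETE = "Lead – Mute – Delete"

# Constructed model: permission set name -> {object: CRUD rights}.
PERMISSION_SETS = {RCED: {"Lead": {"read", "create", "edit", "delete"}}}
MUTING_SETS = {MUTE_DELETE: {"Lead": {"delete"}}}
GROUPS = {
    "Sales Management Persona": {"sets": [RCED], "mutes": []},
    "Sales User Persona": {"sets": [RCED], "mutes": [MUTE_DELETE]},
}


def union(maps):
    """Merge {object: rights} maps; permissions are additive."""
    merged = {}
    for m in maps:
        for obj, rights in m.items():
            merged.setdefault(obj, set()).update(rights)
    return merged


def group_access(group_name):
    """Rights granted by one group: union of its sets minus its mutes."""
    group = GROUPS[group_name]
    granted = union(PERMISSION_SETS[s] for s in group["sets"])
    muted = union(MUTING_SETS[m] for m in group["mutes"])
    return {obj: rights - muted.get(obj, set()) for obj, rights in granted.items()}


def effective_access(groups=(), direct_sets=()):
    """Total rights: every assigned group plus directly assigned permission sets.
    A mute is not carried over to grants made outside its group."""
    return union([group_access(g) for g in groups] +
                 [PERMISSION_SETS[s] for s in direct_sets])


def excess_rights(actual, intended):
    """Rights a user holds beyond what the persona design intends."""
    return {obj: rights - intended.get(obj, set())
            for obj, rights in actual.items()
            if rights - intended.get(obj, set())}


if __name__ == "__main__":
    drifted = effective_access(["Sales User Persona"], direct_sets=[RCED])
    print(excess_rights(drifted, {"Lead": {"read", "create", "edit"}}))
```

Running the same comparison for each persona in a sandbox gives a quick regression check before the new structure is promoted.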

Useful Tools

It can be a tedious task to move a profile to permission set groups and permission sets. Here are some tools that may aid in understanding what permissions are assigned to existing profiles.

  • User and Permission Analyzer (i)
    • After completing the required steps and installing the AppExchange package (in a sandbox) from Salesforce Labs, you will have access to a new app that allows you to quickly see the permissions aligned to a user's profile.
  • Other AppExchange Products
    • Many AppExchange solutions have features that make it easier to review and analyze profiles. Depending on your situation, it may be worth considering one of these solutions to aid in your conversion.

Test Your New Permissions in a Sandbox

With the analysis complete, create a sandbox and configure your new profiles and permission sets. It is important to test your solution for each persona you have defined. While you may not be ready to fully implement these changes in production, going through this process for a few key personas in your org will help inform your future implementation scope and timeline.


Prepare for User Access Policies

Another key feature that is currently in closed beta but is planned to be in open beta soon is User Access Policies. You may want to consider how this feature could change the way you provision users in your Salesforce org. If users are manually provisioned in your current state, user access policies could help you automate that process.

Benefits of User Access Policies

  • Automate granting access to your Salesforce users, including assigning permission sets, permission set groups, permission set licenses, managed package licenses, public groups, and queues
  • Automate revoking access to users based on the policy's criteria
  • Manually update user access en masse based on an access policy


User Access Policy Considerations

  • A maximum of 20 user access policies can be active at one time
  • If a user meets the criteria for multiple policies, the most recently updated policy will be applied

Source (ii)

Closing

While implementing these changes may seem daunting, getting a head start on analyzing the impact these updates will have on your organization can help you prepare and streamline the process.

References