Salesforce has announced that it will be retiring permissions on profiles in the Spring ’26 release. This means that all permissions will be managed through permission sets instead. This is a significant change, but it is a good one. Permission sets are more flexible and powerful than profiles, and they can help you to implement a more secure and efficient user management strategy.
Creating a Baseline Profile with Permission Set Groups and Permission Sets.
The best approach to preparing for the retirement of permissions on profiles is to create a baseline profile by cloning the Salesforce Minimum Access profile, then adding another layer on top of it with permission set groups and permission sets.
This approach offers a number of benefits:
- It ensures that all users have the least privileges required to perform their jobs.
- It allows you to easily assign permissions to users based on their job roles and responsibilities.
- It makes it easier to manage and update permissions for large numbers of users.
To create a baseline profile with permission set groups and permission sets, follow these steps:
- Clone the Salesforce Minimum Access profile.
- Create permission set groups for each job role.
- Add the appropriate permission sets to each permission set group.
- Assign users to the appropriate permission set groups.
For example, you might create permission set groups for the following job roles:
- Sales Representative
- Account Manager
- Customer Support Representative
- Marketing Manager
- System Administrator
Within each permission set group, you would add the permission sets that are needed for users in that role to perform their jobs effectively. For example, the Sales Representative permission set group might include the following permission sets:
- Sales Cloud User
- Opportunity Management
- Lead Management
- Quote Management
The Account Manager permission set group might include the following permission sets:
- Account Management
- Opportunity Management
Once you have created the permission set groups and assigned permission sets to them, you can assign users to the appropriate permission set groups. This will give users the permissions that they need to perform their jobs effectively, while also minimizing the risk of data breaches and other security threats.
And on the top of it, it would be an opportunity to get some documentation about the overall security of the org, the leadership team would definitely appreciate that 😎.
Here is an example of the “building blocks” approach described above:
Finally, bear in mind that some features are only available at the Profile level at the moment like “Default Record Type” and access to features/objects like Quicktext, Email Templates..
Hopefully Salesforce will bridge those gaps in the near future!
If you would like to learn more check out the Salesforce Help documentation located here.