Object permissions are granted on a profile or, preferably, a permission set. Here is the modern point-and-click flow for granting object access on a permission set and assigning it to a user, so you add access without editing the user's profile.
- Open or create the permission set
In Setup, go to Permission Sets, then open an existing set or click New to create one. Give it a clear, role-based label such as Case Worker so its purpose is obvious to the next admin.
- Go to Object Settings
Inside the permission set, click Object Settings (or Assigned Apps then Object Settings). This page lists every object the permission set can grant access to, with the current permission level beside each one.
- Select the object and edit permissions
Click the object you want to grant, for example Case, then click Edit. Tick the object permissions the role needs, such as Read, Create, and Edit, and only add View All or Modify All when org-wide reach is truly required.
- Save the permission set changes
Click Save. Salesforce stores the object permissions on the permission set immediately, but no user has them yet until the set is assigned.
- Assign the permission set to users
From the permission set, click Manage Assignments then Add Assignments, pick the users, and save. Their effective object access now includes these grants on top of whatever their profile already allowed.
Lets the user view records of the object. The minimum required for the object to appear in the UI and API.
Layered write permissions; each includes the ones below it, so Delete implies Edit and Read.
Grants visibility of every record of the object regardless of sharing. Use for reporting or admin-style roles only.
Grants read, edit, delete, transfer, and approve on every record regardless of sharing. Treat as a near-admin privilege.
- Permission sets are additive only. To take access away you must edit the profile or the org-wide model, not the permission set.
- View All and Modify All ignore sharing rules. Granting them by accident can expose every record of the object at once.
- A new custom object grants no access until you add object permissions; a blank app for users is usually this, not a sharing problem.
- Object Read alone is not enough to see records. The org-wide default and sharing rules still decide which specific records appear.