Creating a Permission Set is most often done in response to a new capability requirement: a new feature shipped, a new role emerged, a new compliance requirement needs to gate a specific action. The flow is straightforward but the design decisions before you click New matter more than the configuration itself.
- Open Setup and navigate to Permission Sets
Setup > Users > Permission Sets. The list shows every Permission Set in the org, with the number of assigned users.
- Click New
The New button at the top of the list opens the create form. If your profile lacks Manage Permission Sets, the button is hidden; admin permissions typically grant it.
- Set the Label, API Name, and License
Label is the display name; API Name is the system identifier (cannot be changed easily after save). License determines which type of user can be assigned the Permission Set (Salesforce, Salesforce Platform, Customer Community, none for license-agnostic sets).
- Configure Object and Field Permissions
For each object the Permission Set should grant access to, set Read, Create, Edit, Delete, View All, and Modify All. Configure FLS for the specific fields the Permission Set should expose. Default to least-privilege; grant only what the capability actually needs.
- Configure System Permissions and App / Tab Visibility
Decide which system permissions the Permission Set should grant (API Enabled, Run Reports, Export Reports, others). Set tab visibility and app visibility for any tabs or apps this Permission Set should expose.
- Assign Custom Permissions if applicable
If the Permission Set should grant a Custom Permission that your formula or Flow checks against, assign it in the Custom Permissions section.
- Assign the Permission Set to test users
Manage Assignments > Add Assignment. Walk through the new capability with the test users for a week before broader assignment.
Configure these first. They define the floor of what the Permission Set grants on each object.
Configure FLS for every field the Permission Set should expose. Default-off for new fields means users will not see them without explicit FLS grants.
- Permission Set Licenses must be assigned to the User before the feature Permission Set works. Forgetting the PSL is the most common cause of "I assigned the Permission Set but the feature is not enabled" tickets.
- Permission Set assignments are additive only. Removing capabilities requires unassigning a Permission Set, which is a different workflow from editing.
- Permission Set Groups support muting individual permissions. Use the mute feature if a Permission Set in a Group grants more than the Group is supposed to provide.
- Auditing assignment quarterly is the only way to catch accumulated grants. Build a report on PermissionSetAssignment and have managers review their team's assignments every quarter.