Configuring a Profile is one of the more careful exercises in Salesforce admin work. The configuration touches every aspect of a user's experience, and getting it wrong creates support tickets, security exposure, or both.
- Open Setup and navigate to Profiles
Setup > Users > Profiles. The list shows every Profile in the org, standard and custom, with an indicator of how many users carry each one.
- Clone or create a new Profile
For new roles, clone the closest existing Profile (Standard User if no closer match) rather than building from scratch. Cloning preserves the field-level security defaults and saves hours of manual configuration.
- Set Object Permissions
Click into Object Settings for each object the user interacts with. Configure Read, Create, Edit, Delete, View All, and Modify All per object. Default to least-privilege; grant View All or Modify All only when explicitly justified.
- Configure Field-Level Security
For each object, review every field and decide whether it is Visible. Read-only is the most common setting for system-of-record fields; edit access goes only to fields the user is responsible for maintaining.
- Set Tab Visibility, App Visibility, and Page Layout Assignments
Decide which tabs and apps the user sees and which page layouts render for each combination of object and record type. The settings live on the Profile and override Permission Set assignments in some cases.
- Configure Login IP Ranges and Login Hours if applicable
For service accounts and high-security users, lock down the IP range and login window. For human users, rely on the IdP rather than Profile-level restrictions.
- Assign the Profile to test users
Before deploying broadly, assign the new Profile to two or three test users and walk through the user experience for a week. Most Profile mistakes show up only when a real user tries to do real work.
Always configure these first. They are the floor of what the user can do; everything else builds on top.
Configure FLS for every custom field your org has added. New fields default to off for some Profiles, which is the source of most "field not showing up" tickets.
- Modifying Standard Profiles loses tracking of what changed. Always clone the Standard Profile to a Custom Profile and modify the Custom version.
- A User has exactly one Profile. Add capabilities through Permission Sets, not by switching Profiles.
- Permission Set Groups have started replacing Profile-style management. New orgs should default to minimal Profiles and route operational permissions through Permission Sets.
- Field-level security is invisible to users; a user who cannot see a field cannot tell whether the field is empty or whether they lack access. Audit FLS on every new field before deployment.
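The least-privilege check on object permissions and the FLS audit described above can be run against a Profile before it reaches test users. The following is an added example, not part of the original page or any Salesforce tooling; it assumes the Profile has been retrieved as Metadata API XML, and `audit_profile`, `justified`, `fields` and the sample field names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}  # Metadata API namespace

# Constructed sample profile for illustration, not taken from a real org.
SAMPLE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowEdit>true</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Account</object><viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowEdit>true</allowEdit><allowRead>true</allowRead>
    <modifyAllRecords>true</modifyAllRecords>
    <object>Case</object><viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <fieldPermissions>
    <editable>false</editable><field>Account.Risk_Tier__c</field>
    <readable>false</readable>
  </fieldPermissions>
  <fieldPermissions>
    <editable>true</editable><field>Case.Refund_Amount__c</field>
    <readable>true</readable>
  </fieldPermissions>
</Profile>"""

def _flag(node, tag):
    return node.findtext(f"md:{tag}", default="false", namespaces=NS) == "true"

# audit_profile, justified and fields are names made up for this example.
def audit_profile(xml_text, justified=(), fields=()):
    """Return (kind, name, detail) findings for one profile file."""
    root, findings, fls = ET.fromstring(xml_text), [], {}
    for op in root.findall("md:objectPermissions", NS):
        obj = op.findtext("md:object", namespaces=NS)
        for tag, label in (("viewAllRecords", "View All"),
                           ("modifyAllRecords", "Modify All")):
            if _flag(op, tag) and (obj, label) not in justified:
                findings.append(("broad-access", obj, label))
    for fp in root.findall("md:fieldPermissions", NS):
        state = ("editable" if _flag(fp, "editable") else
                 "read-only" if _flag(fp, "readable") else "hidden")
        fls[fp.findtext("md:field", namespaces=NS)] = state
    for name in fields:
        # A field with no entry in this file is unverified, not proven visible.
        state = fls.get(name, "no-entry")
        if state in ("hidden", "no-entry"):
            findings.append(("fls", name, state))
    return findings
```

Pass the explicitly justified grants as `(object, label)` pairs in `justified` and the fields about to be deployed in `fields`; an empty result means every broad grant is accounted for and every listed field is at least readable.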