Permission Set
A Permission Set is a collection of settings and permissions that grant users access to specific tools, objects, fields, and features without changing their Profile.
Definition
A Permission Set is a collection of settings and permissions that grant users access to specific tools, objects, fields, and features without changing their Profile. Permission Sets are additive, meaning they extend what a user can do on top of their base Profile permissions. They are a best practice for managing access in Salesforce.
In plain English
“Here's a simple way to think about it: a Permission Set is additive permissions on top of someone's base Profile. Like an extra access key for a specific job - assigned cleanly, removable cleanly, far better than cloning Profiles for every variation.”
Worked example
At SkyBridge Consulting, most users have a standard Profile that provides read-only access to the Contract object. When a user is promoted to senior consultant and needs to edit contracts, the admin assigns the "Contract Editor" Permission Set. This grants edit access to Contract records without affecting any other user or requiring a new Profile.
Why Permission Sets are the modern way to grant access without rebuilding profiles
For decades, Salesforce admins managed access by cloning Profiles - every new role with a slightly different mix of permissions got its own profile, and the count grew until the Profiles list became unmanageable. Permission Sets break that pattern. A Permission Set grants additional permissions on top of whatever Profile a user already has, which means one base Profile per user plus a stack of Permission Sets that match their job's specific needs.
The reason this is best practice now is composability. Five Permission Sets representing distinct capabilities can be mixed in any combination across users, where the equivalent profile-cloning approach produces an exponential explosion of profiles to maintain. Build Permission Sets around capabilities (Can manage Cases, Can run reports on Pipeline, Can edit Pricebooks), assign them à la carte, and treat new Profile creation as a last resort.
How to set up Permission Set
Permission Sets grant *additional* permissions on top of a user's profile — they only add, never subtract. Modern Salesforce strongly favors permission sets over profile-based permissions because they're composable and easier to audit.
- Open Setup → Permission Sets
Top-right gear icon → Setup → quick-find "Permission Sets" → click the result.
- Click New
Top-right of the list.
- Set Label, API Name, and License
Label and API Name are the human and machine names. License = "--None--" for max flexibility (any user can be assigned); a specific license restricts assignment to users with that license.
- Save and configure permissions
After Save, you land on the permission set's detail page. Click into Object Settings, Field Permissions, System Permissions, App Permissions, and Apex Class Access to grant each.
- Manage Assignments
From the permission set's detail page, click Manage Assignments → Add Assignment → pick users → Assign. Without this step, the permission set exists but does nothing.
- (Optional) Bundle into a Permission Set Group
For groups of users who need the same permission sets, build a Permission Set Group instead of assigning individually.
"--None--" lets you assign to any user. A specific license (Salesforce, Salesforce Platform, etc.) restricts who can be assigned. Pick "--None--" unless the permission set is license-specific.
Per-object Read/Create/Edit/Delete + per-field Read/Edit. The bulk of what permission sets are for.
Org-wide toggles like "View All Data", "Modify All Data", "Customize Application". Grant sparingly — these bypass sharing.
Optional: require certain login conditions (e.g., HIGH_ASSURANCE) for users assigned this permission set. Off by default.
- Creating a permission set does nothing on its own — assignment is a separate step. The #1 "my user can't see X" ticket is forgotten assignment.
- Permission sets only ADD. If a user's profile is too restrictive (e.g., no Read on a field), no permission set can hide that field — they can only grant access, not revoke.
- License field is locked after Save. Pick carefully — to change it, you must delete and recreate the permission set.
How organizations use Permission Set
Replaced 14 cloned Profiles with a base Profile plus a stack of capability-based Permission Sets ("Manage Patient Records", "Run Adherence Reports", "Edit Provider Network"). The Profile count went from 17 to 3, and onboarding a new compliance auditor went from "clone the auditor profile and tweak it" to "assign three Permission Sets".
Built a Permission Set Group for the Plant Manager role, bundling six Permission Sets that previously had to be assigned individually. New plant-manager hires get the group assigned and inherit every capability instantly; offboarding to a different role is a single revocation.
Use a "Break-Glass Admin" Permission Set with Setup access enabled, assigned to senior admins only when an emergency change is required and then revoked at end of shift via a scheduled flow. The audit log shows precisely who held elevated rights and for how long - a control their SOC 2 auditor specifically called out as best-in-class.
Trust & references
Straight from the source - Salesforce's reference material on Permission Set.
- Permission SetsSalesforce Help
Test your knowledge
Q1. Why is understanding Permission Set important for Salesforce admins?
Q2. In which area of Salesforce would you typically find Permission Set?
Q3. Can a Salesforce admin configure Permission Set without writing code?
Discussion
Loading discussion…