Permission Set Assignment
Definition
A Permission Set Assignment in Salesforce (PermissionSetAssignment in the API) is a standard junction object that records a single grant of a Permission Set or Permission Set Group to a specific User. Each Permission Set Assignment record holds an AssigneeId (the User receiving the permissions), a PermissionSetId (the Permission Set being granted) or a PermissionSetGroupId, an optional ExpirationDate that automatically removes the assignment when reached, and standard system fields. Permission Set Assignments are the operational mechanism for the additive-permissions model that Salesforce recommends over Profile-based permissions: every User gets a baseline Profile (assigned permanently), and incremental access is layered on through Permission Set Assignments that can be added, removed, or expired without modifying the underlying Profile. This pattern dramatically simplifies permission management — instead of maintaining hundreds of variant Profiles, admins maintain a smaller set of base Profiles plus a library of focused Permission Sets that are mixed and matched per User.
In plain English
“A Permission Set Assignment is one user's grant of one Permission Set — like adding "Pardot User" access to a sales rep on top of their base Sales User Profile. Each grant is its own Permission Set Assignment record, easy to add, remove, or expire without touching the user's Profile.”
Worked example
A new sales rep, Maya, joins the company with the Sales User Profile assigned to her. Her role requires three additional capabilities: Pardot access, advanced report editing, and the ability to manage shared customer assets. The admin creates three Permission Set Assignment records linking her User to the "Pardot Marketing User", "Advanced Reports Editor", and "Asset Library Curator" Permission Sets respectively. A few months later when Maya temporarily covers for a colleague during parental leave, the admin grants her additional access through a Permission Set Assignment to "Manager Reports Access" with ExpirationDate set to the colleague's expected return — the assignment auto-removes when the colleague comes back, with no admin reminder needed. Throughout, Maya's underlying Sales User Profile never changes; her effective permissions are the union of her Profile and her four Permission Set Assignments.
Why Permission Set Assignment matters
Permission Set Assignment ExpirationDate is one of the most useful but underused features in the Salesforce permissions model. Setting an ExpirationDate causes the assignment to be automatically removed when reached, eliminating the manual cleanup that historically followed temporary access grants for cover-during-leave, project teams, and audit-period elevated access. Without ExpirationDate, temporary grants frequently became permanent simply because no one remembered to remove them.
Salesforce now strongly recommends an additive-permissions model — minimize Profile-level permissions to a baseline (typically just the Profile's required object access and login defaults) and grant all variations through Permission Set Assignments. This separates 'identity' (Profile, persistent) from 'capability' (Permission Set, additive and revocable), making access management dramatically more flexible. Migrating from Profile-heavy to Permission-Set-heavy is a multi-quarter project for any large org but pays off in long-term operational simplicity.
Permission Set Group Assignments work identically to Permission Set Assignments but reference a PermissionSetGroupId instead of a PermissionSetId. The Group bundles multiple Permission Sets together — assigning the Group is equivalent to assigning each member Permission Set, with the additional benefit that the Group's membership can change centrally and all assignees inherit the new composition. This is the recommended pattern for role-based access bundles ('Sales Manager Bundle', 'Marketing Ops Bundle') that group together related permissions.
How organizations use Permission Set Assignment
- Provisions new employees through SCIM/SAML integration that automatically assigns the right base Profile plus a role-appropriate Permission Set Group via Permission Set Assignment. Termination removes the User assignments, instantly revoking all incremental access without touching Profile-level configuration.
- Audits Permission Set Assignments quarterly to verify each User still requires their granted permissions. Assignments without recent usage (no activity tied to the granted access) are flagged for removal; a Permission-Set-based model makes this audit dramatically easier than auditing Profile-permission deltas.
- Grants Permission Set Assignments with ExpirationDate set to the project's end date for project-team members who need temporary access to systems they don't normally touch. Assignments auto-remove when the project ends: no ticket follow-up required, no risk of forgotten standing access.
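A sketch of the periodic review described above, added here as an example (it is not Salesforce's code or part of the original page): it classifies exported PermissionSetAssignment records as standing or time-bound grants and skips the permission set each Profile owns. The `MUST_EXPIRE` policy, the status labels, the 14-day warning window and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timezone

# SOQL that returns records in the shape used below (for reference, not executed here).
SOQL = (
    "SELECT Assignee.Username, PermissionSet.Label, PermissionSet.IsOwnedByProfile, "
    "ExpirationDate FROM PermissionSetAssignment WHERE Assignee.IsActive = true"
)

# Hypothetical review policy: grants of these sets must carry an ExpirationDate.
MUST_EXPIRE = {"Manager Reports Access"}

def parse_ts(value):
    """Parse a REST API dateTime such as 2025-03-10T00:00:00.000+0000 (None stays None)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z") if value else None

def audit(records, now, warn_days=14):
    """Return (username, permission set, status, days_left) for each additive grant."""
    findings = []
    for rec in records:
        pset = rec["PermissionSet"]
        if pset["IsOwnedByProfile"]:
            continue  # the Profile's own backing permission set, not an additive grant
        expires = parse_ts(rec.get("ExpirationDate"))
        days_left = (expires - now).days if expires else None
        if expires is None:
            status = "MISSING_EXPIRY" if pset["Label"] in MUST_EXPIRE else "STANDING"
        else:
            status = "EXPIRING_SOON" if days_left <= warn_days else "TIME_BOUND"
        findings.append((rec["Assignee"]["Username"], pset["Label"], status, days_left))
    return findings

def row(user, label, owned=False, expires=None):
    """Build one constructed record in REST query-result shape."""
    return {"Assignee": {"Username": user}, "ExpirationDate": expires,
            "PermissionSet": {"Label": label, "IsOwnedByProfile": owned}}

# Constructed sample data; usernames, dates and the profile-owned label are made up.
SAMPLE = [
    row("maya@example.com", "constructed-profile-owned-set", owned=True),
    row("maya@example.com", "Pardot Marketing User"),
    row("maya@example.com", "Manager Reports Access", expires="2025-03-10T00:00:00.000+0000"),
    row("maya@example.com", "Project Phoenix Access", expires="2025-06-30T00:00:00.000+0000"),
    row("sam@example.com", "Manager Reports Access"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, datetime(2025, 3, 1, tzinfo=timezone.utc)):
        print(finding)
```

A `MISSING_EXPIRY` row is the case the page warns about: a grant meant to be temporary that will stay in place until someone removes it by hand.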
Trust & references
Straight from the source — Salesforce's reference material on Permission Set Assignment.
- PermissionSetAssignment in Object Reference for the Salesforce Platform (Salesforce Developer Documentation)
