Permission Set Assignment
A Permission Set Assignment in Salesforce (PermissionSetAssignment in the API) is a standard junction object that records a single grant of a Permission Set or Permission Set Group to a specific User.
Definition
A Permission Set Assignment in Salesforce (PermissionSetAssignment in the API) is a standard junction object that records a single grant of a Permission Set or Permission Set Group to a specific User. Each Permission Set Assignment record holds an AssigneeId (the User receiving the permissions), a PermissionSetId (the Permission Set being granted) or a PermissionSetGroupId, an optional ExpirationDate that automatically removes the assignment when reached, and standard system fields. Permission Set Assignments are the operational mechanism for the additive-permissions model that Salesforce recommends over Profile-based permissions: every User gets a baseline Profile (assigned permanently), and incremental access is layered on through Permission Set Assignments that can be added, removed, or expired without modifying the underlying Profile. This pattern dramatically simplifies permission management - instead of maintaining hundreds of variant Profiles, admins maintain a smaller set of base Profiles plus a library of focused Permission Sets that are mixed and matched per User.
In plain English
“A Permission Set Assignment is one user's grant of one Permission Set - like adding "Pardot User" access to a sales rep on top of their base Sales User Profile. Each grant is its own Permission Set Assignment record, easy to add, remove, or expire without touching the user's Profile.”
Worked example
A new sales rep, Maya, joins the company with the Sales User Profile assigned to her. Her role requires three additional capabilities: Pardot access, advanced report editing, and the ability to manage shared customer assets. The admin creates three Permission Set Assignment records linking her User to the "Pardot Marketing User", "Advanced Reports Editor", and "Asset Library Curator" Permission Sets respectively. A few months later when Maya temporarily covers for a colleague during parental leave, the admin grants her additional access through a Permission Set Assignment to "Manager Reports Access" with ExpirationDate set to the colleague's expected return - the assignment auto-removes when the colleague comes back, with no admin reminder needed. Throughout, Maya's underlying Sales User Profile never changes; her effective permissions are the union of her Profile and her four Permission Set Assignments.
Why Permission Set Assignment matters
Permission Set Assignment ExpirationDate is one of the most useful but underused features in the Salesforce permissions model. Setting an ExpirationDate causes the assignment to be automatically removed when reached, eliminating the manual cleanup that historically followed temporary access grants for cover-during-leave, project teams, and audit-period elevated access. Without ExpirationDate, temporary grants frequently became permanent simply because no one remembered to remove them.
Salesforce now strongly recommends an additive-permissions model - minimize Profile-level permissions to a baseline (typically just the Profile's required object access and login defaults) and grant all variations through Permission Set Assignments. This separates 'identity' (Profile, persistent) from 'capability' (Permission Set, additive and revocable), making access management dramatically more flexible. Migrating from Profile-heavy to Permission-Set-heavy is a multi-quarter project for any large org but pays off in long-term operational simplicity.
Permission Set Group Assignments work identically to Permission Set Assignments but reference a PermissionSetGroupId instead of a PermissionSetId. The Group bundles multiple Permission Sets together - assigning the Group is equivalent to assigning each member Permission Set, with the additional benefit that the Group's membership can change centrally and all assignees inherit the new composition. This is the recommended pattern for role-based access bundles ('Sales Manager Bundle', 'Marketing Ops Bundle') that group together related permissions.
How to create Permission Set Assignment
Permission Set Assignments are the records that link a User to a Permission Set (or Permission Set Group). They're the operational mechanism for the additive-permissions model — a User has one Profile (the floor) plus many Permission Set Assignments (incremental access). Modern best practice favors Permission Sets over Profile-based permissions because they're composable.
- Open Setup → Permission Sets → click into a set → Manage Assignments
Or from the User detail page: Permission Set Assignments related list → Edit Assignments.
- Click Add Assignment
Top-right.
- Pick the User(s) to assign
Multi-pick. Up to 1000 users at a time via the UI.
- (Optional) Set an Expiration Date
When ticked, the assignment auto-removes at the date. Useful for time-bound access ("24-hour admin escalation").
- Click Assign
Assignment is created. Each (User, Permission Set) pair is a record.
- Verify access
Login as the user (or Login As) → confirm the granted permissions are in effect. Permission cache may take a moment to refresh.
- For bulk: use Data Loader / API to insert PermissionSetAssignment records
API supports bulk insert; UI caps at 1000 per Add Assignment.
Required.
Required (one of).
- Assignments granting Permission Sets with PSL-required features need the User to ALSO have the PSL. Without the PSL, the assignment exists but the gated permissions don't activate.
- Expiration Dates fire on a schedule — typically nightly batch. An assignment expiring today may stay active for hours after midnight before the cleanup job runs.
- Removing an assignment revokes access immediately. If the user had built-up records / sessions under that access, sharing recalculates — sessions may need refresh.
How organizations use Permission Set Assignment
Provisions new employees through SCIM/SAML integration that automatically assigns the right base Profile plus a role-appropriate Permission Set Group via Permission Set Assignment. Termination removes the User assignments, instantly revoking all incremental access without touching Profile-level configuration.
Audits Permission Set Assignments quarterly to verify each User still requires their granted permissions. Assignments without recent usage (no activity tied to the granted access) are flagged for removal - a Permission-Set-based model makes this audit dramatically easier than auditing Profile-permission deltas.
Grants Permission Set Assignments with ExpirationDate set to the project's end date for project-team members who need temporary access to systems they don't normally touch. Assignments auto-remove when the project ends - no ticket follow-up required, no risk of forgotten standing access.
Trust & references
Straight from the source - Salesforce's reference material on Permission Set Assignment.
- PermissionSetAssignment in Object Reference for the Salesforce PlatformSalesforce Developer Documentation
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Discussion
Loading discussion…