Definition
Permission Sets is a Setup page that lists all permission sets in the org and allows administrators to create, edit, and manage them. A Permission Set extends a user's access beyond their Profile by granting additional object permissions, field-level security, app access, and system permissions without changing the user's Profile.
Real-World Example
The admin at Helios Energy opens the Permission Sets page and creates a new set called "API Integration User" that grants API access, permission to run Apex, and read access to the custom Integration_Log__c object. She assigns it to the service account user that handles automated data syncs, giving it just the permissions needed and nothing more.
Why Permission Sets Matters
Permission Sets is the Setup page in Salesforce that serves as the administrative hub for creating, viewing, editing, and managing all Permission Sets in the org. From this page, administrators can create new Permission Sets that define specific access combinations — such as object CRUD permissions, field-level security, system permissions (like API access or Apex execution), app visibility, and tab settings. Each Permission Set listed on this page can be clicked into for detailed configuration, user assignment, and review of its included permissions. This centralized management view is essential for maintaining an organized, auditable security model.
The Permission Sets Setup page becomes increasingly important as organizations shift from Profile-based to Permission Set-based access management. With Salesforce actively deprecating permissions from Profiles, the Permission Sets page is where most access configuration will occur going forward. A well-organized Permission Sets page with clear naming conventions and documented purpose for each set makes security audits efficient and user provisioning fast. The biggest pitfall is Permission Set sprawl — organizations that create sets reactively (one for each ad-hoc access request) end up with dozens of overlapping sets that are difficult to audit. Best practice is to periodically review the Permission Sets page, consolidate sets with similar purposes, remove unused sets, and ensure every active set has a clear description. The Permission Sets page also provides a quick way to check which users are assigned to any given set, making it invaluable for investigating access-related support tickets.
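The periodic review described above can be scripted against exported records. The following Python is an added example, not part of the original page or any Salesforce tooling; it assumes rows exported from the PermissionSet and PermissionSetAssignment objects (the sample rows and IDs are constructed), and its duplicate check compares only system permission fields, not object or field permissions.

```python
from collections import defaultdict

# Boolean fields on the PermissionSet object treated as sensitive in this audit.
SENSITIVE = ("PermissionsModifyAllData", "PermissionsViewSetup")

def audit(permission_sets, assignments):
    """Flag unassigned, undescribed, sensitive and duplicate permission sets.

    permission_sets: dicts with Id, Name, Description and Permissions* booleans.
    assignments: dicts with PermissionSetId and AssigneeId.
    """
    assignees = defaultdict(set)
    for a in assignments:
        assignees[a["PermissionSetId"]].add(a["AssigneeId"])

    findings = {"unassigned": [], "no_description": [], "sensitive": {}}
    by_fingerprint = defaultdict(list)
    for ps in permission_sets:
        name, users = ps["Name"], sorted(assignees[ps["Id"]])
        if not users:
            findings["unassigned"].append(name)
        if not (ps.get("Description") or "").strip():
            findings["no_description"].append(name)
        granted = [f for f in SENSITIVE if ps.get(f)]
        if granted:
            findings["sensitive"][name] = {"grants": granted, "users": users}
        # Sets granting the identical combination are consolidation candidates.
        fp = frozenset(k for k, v in ps.items() if k.startswith("Permissions") and v)
        by_fingerprint[fp].append(name)
    findings["duplicates"] = [sorted(n) for fp, n in by_fingerprint.items()
                              if fp and len(n) > 1]
    return findings

# Constructed sample rows (placeholder IDs, not real org data).
SAMPLE_SETS = [
    {"Id": "0PS001", "Name": "API_Integration_User", "Description": "Data sync service account",
     "PermissionsApiEnabled": True, "PermissionsModifyAllData": False},
    {"Id": "0PS002", "Name": "Admin_Full", "Description": "Admin team only",
     "PermissionsModifyAllData": True, "PermissionsViewSetup": True},
    {"Id": "0PS003", "Name": "Legacy_API", "Description": None,
     "PermissionsApiEnabled": True},
    {"Id": "0PS004", "Name": "Report_Viewer", "Description": "  ",
     "PermissionsRunReports": True},
]
SAMPLE_ASSIGNMENTS = [
    {"PermissionSetId": "0PS001", "AssigneeId": "005svc"},
    {"PermissionSetId": "0PS002", "AssigneeId": "005adm2"},
    {"PermissionSetId": "0PS002", "AssigneeId": "005adm1"},
    {"PermissionSetId": "0PS004", "AssigneeId": "005usr1"},
]

if __name__ == "__main__":
    for category, result in audit(SAMPLE_SETS, SAMPLE_ASSIGNMENTS).items():
        print(category, result)
```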
How Organizations Use Permission Sets
- Helios Energy — Helios Energy's admin opens the Permission Sets page and creates an 'API Integration User' set granting API access, Apex execution permission, and read access to the custom Integration_Log__c object. She assigns it to the service account handling automated data syncs, giving it precisely the permissions needed for its function and nothing more.
- Pinnacle Corp — Pinnacle Corp's admin discovers 47 Permission Sets on their Setup page — 15 are duplicates created by different admins over the years, and 8 are assigned to zero users. She consolidates the duplicates, deletes the orphaned sets, and adds clear descriptions to the remaining 24. Post-cleanup, onboarding a new user takes 5 minutes instead of 15.
- Vanguard Logistics — Vanguard Logistics uses the Permission Sets page during their annual security audit. The auditor asks to see all sets that grant 'Modify All Data' or 'View Setup.' The admin filters the list and shows that only 2 sets contain these sensitive permissions, both assigned exclusively to the 3-person admin team. The auditor documents this as a strong access control finding.