Salesforce Permission Sets vs Profiles: A Complete Guide for Admins

As your Salesforce org scales, managing user access becomes a key concern. The traditional method of assigning Profiles has limitations, and modern best practices now recommend leveraging Permission Sets and Permission Set Groups.

In this in-depth guide, you’ll learn the difference between Profiles vs Permission Sets, when to use each, and how to adopt least privilege access models for better security, compliance, and scalability.

What Are Profiles in Salesforce?

Profiles are the original way Salesforce managed user permissions. Every user has exactly one profile, which defines:

• Object permissions (CRUD)
• Field-level security (FLS)
• Record types
• Tab visibility
• Login hours/IP ranges
• Apex class and Visualforce access

Limitations of Profiles:

• Can’t assign more than one profile per user
• Hard to scale in complex orgs
• Changes require profile cloning or new profile creation
• Difficult to manage granular access without overlap

What Are Permission Sets?

Permission Sets are reusable, modular permission bundles that extend user access on top of a profile.

They can grant:

• Object/Field permissions
• App and tab access
• Apex class/Visualforce page access
• System permissions

You can assign multiple permission sets to the same user, making them highly flexible and scalable.

Permission Sets vs Profiles: Key Differences

Introducing Permission Set Groups

Permission Set Groups allow you to combine multiple permission sets into a single group that you can assign like a bundle.

Example:

A user in the Sales department might need:

• Account access
• Lead conversion permissions
• Report builder access

Rather than assigning 3+ individual permission sets, you can group them into a Sales User Group.

When to Use Profiles vs Permission Sets

Use Profiles for:

• Login hours and IP restrictions
• Org-wide defaults (baseline access)
• Basic object/tab visibility

Use Permission Sets for:

• Granting additional permissions
• Role changes without profile changes
• Short-term or project-specific access
• Managing access across business units

Real-World Use Case: Marketing Team Access

You have a Standard User profile for most employees.

To give Marketing users access to Campaigns, Reports, and Pardot:

1. Create Permission Sets:

   • Campaign Access
   • Report Builder
   • Pardot Integration

2. Create a Permission Set Group:

   • Name: Marketing Team Access
   • Add the above sets

3. Assign the group to all Marketing users

This model is flexible and doesn’t require a custom profile.

Best Practices for Managing Access

1. Adopt a Least Privilege Model

Give users only the permissions they need—no more.

2. Minimize Custom Profiles

Use a generic profile as a baseline, then layer access with Permission Sets.

3. Use Naming Conventions

Name permission sets clearly (e.g., Edit_Accounts, Access_Reports, Marketing_Email_Admin).

4. Audit Permission Assignments

Use tools like Permission Set Assignment Reports and Field Accessibility Viewer.

5. Track with Custom Metadata

Store access policy documentation or mappings using Custom Metadata Types to improve governance.

Monitoring Tools for Admins

• Setup Audit Trail
• Permission Set Assignment Reports
• Field-Level Security Settings
• OrgConfessions Scanner
• Salesforce Optimizer

These tools help identify over-permissioned users and outdated assignments.

Migrating from Profiles to Permission Sets

Salesforce recommends using Permission Sets as the future of user access control.

Steps to migrate:

1. Analyze profiles – Identify redundant or overlapping permissions.
2. Create modular permission sets – Break down permissions into logical roles.
3. Use Permission Set Groups – Consolidate assignments.
4. Test and validate – Ensure access parity before switching profiles.
5. Gradually assign – Transition departments one at a time.

Bonus: Use Apex for Dynamic Assignments

You can automate permission set assignments via Apex:

Id psId = [SELECT Id FROM PermissionSet WHERE Name = 'Access_Reports'].Id;
PermissionSetAssignment psa = new PermissionSetAssignment(
    AssigneeId = UserInfo.getUserId(),
    PermissionSetId = psId
);
insert psa;

This is useful during user onboarding, sandbox refreshes, or automation.

Conclusion

Understanding and leveraging Permission Sets and Profiles correctly is essential for every Salesforce Admin. It not only improves your org’s security posture but also prepares you for scalable user access management.

Ready to reduce your custom profiles? Start building permission sets today and future-proof your Salesforce access model.

Need a template or example set strategy? Drop a comment or check out our downloadable permission set architecture guide!