Permission sets in Salesforce are a collection of settings and permissions that determine which platform tools, data, and functions a user can access. Think of them as an add-on layer that sits on top of a user’s profile — extending access without ever modifying the base profile itself.
Unlike profiles (which every user must have exactly one of), a single user can hold multiple permission sets simultaneously. This makes them one of the most flexible and powerful security tools available to any Salesforce Administrator.
Key Insight: Permission sets are additive. They can only grant permissions, never revoke them. If you need to restrict access, that restriction must live in the user’s profile or be managed through record-level sharing rules.
2. Why Permission Sets Matter
Historically, profiles were the primary method for controlling access inside Salesforce. Admins would create different profiles for every unique combination of permissions a role needed — resulting in profile sprawl: dozens of nearly identical profiles that were difficult to maintain and audit.
Salesforce recognized this challenge and fundamentally shifted its recommended approach. Today, profiles are designed to be stripped down to the bare minimum — handling essentials like login hours, IP restrictions, and page layout defaults. The real power of access control has moved to permission sets and permission set groups, which allow for a modular, “building block” approach to user permissions.
A real-world example: Suppose you have 40 Sales Representatives sharing the same profile, but 5 of them need the ability to delete Opportunity records — something you don’t want every rep doing. Rather than creating a separate profile for those 5, you create one “Delete Opportunities” permission set and assign it only to them. Clean, precise, and easy to audit.
3. What Do Permission Sets Control?
Permission sets can govern a broad range of access settings inside Salesforce:
| Permission Area | What It Controls |
|---|---|
| Object Permissions | Read, create, edit, delete, view all, modify all on any object |
| Field Permissions | Read and edit access on individual fields within an object |
| User Permissions | System-level permissions like “Manage Users” or “Export Reports” |
| Tab Settings | Which tabs are visible to a user within an app |
| App Settings | Access to specific connected apps |
| Apex Class Access | Access to specific Apex classes |
| Visualforce Page Access | Access to specific Visualforce pages |
4. Types of Permission Sets in Salesforce
Salesforce offers several distinct types of permission sets, each serving a different purpose.
Custom Permission Sets
Created directly by administrators in your org. These are the most common type and are built around specific tasks or job functions. For instance, you might create a “Contract Editor” permission set for users who need to create and edit contracts regardless of their department or profile.
Standard Permission Sets
Provided by Salesforce out of the box and associated with a permission set license. They include common permissions for a specific feature, which saves administrators significant setup time compared to building from scratch.
Managed Permission Sets
Bundled and installed with a managed package from the AppExchange. They carry the package’s namespace prefix and cannot be edited by subscriber organizations — only by the original package developer.
Integration Permission Sets
Used to scope data access for Salesforce integrations and connected services. Depending on the integration, they may be fully controlled by your org, pre-defined by Salesforce, or partially editable.
Session-Based Permission Sets
A specialized type that grants access only during a specific, predefined session — for example, when a user authenticates through a high-assurance login flow. When the session ends, the elevated permissions disappear automatically. This is ideal for securing access to sensitive operations or records.
5. How to Create a Permission Set (Step-by-Step)
Follow these steps to create a permission set in your Salesforce org:
- Navigate to Setup. In the Quick Find search box, type Permission Sets and select it from the menu.
- Click “New” to begin creating a new permission set.
- Fill in the details: Enter a descriptive Label (this auto-generates the API Name) and add an optional but recommended Description.
- Select the License type. Choose a specific permission set license if required, or select None if the permission set will be assigned to users with varying licenses.
- Click Save. You’ll be taken to the permission set’s detail page.
- Configure the permissions. Click on sections like Object Settings, App Permissions, or System Permissions to add the access you need. Click Edit on each section to make your changes.
- Save each section as you configure it. Your permission set is now ready to assign.
Pro Tip: Always write a clear Description when creating a permission set. As your org grows, it becomes critical to understand why each permission set exists. Treat it as mandatory documentation — your future self (and colleagues) will thank you.
6. How to Assign a Permission Set to a User
Once a permission set is created, assigning it to a user is straightforward:
- Go to Setup → Users and click the user’s name (do not click Edit).
- Scroll down to the Permission Set Assignments related list and click Edit Assignments.
- Highlight the permission set you want to add from the Available Permission Sets column and click Add.
- Click Save. The permission set is now active for that user.
For bulk assignments, open the permission set’s own detail page and click Manage Assignments — far more efficient when rolling out access to a large group of users at once.
7. Permission Set Assignment Expiration
One of the most underutilized features of permission sets is the ability to set an expiration date on an assignment. This is perfect for granting temporary access — for contractors, project-specific roles, or seasonal permissions — without having to remember to clean it up later.
When assigning a permission set, Salesforce allows you to choose from preset durations:
- 1 day
- 7 days
- 30 days
- 60 days
- Custom date
When the expiration date arrives, the permission set is automatically removed from the user — no manual cleanup required.
Use case: A temporary consultant needs access to your financial data object for 30 days. Assign the relevant permission set with a 30-day expiration and you’re done — no follow-up needed.
8. Permission Set Groups Explained
As your org scales, you may find yourself assigning the same collection of permission sets to the same type of user repeatedly. That’s exactly what Permission Set Groups solve.
A Permission Set Group is a container that bundles multiple permission sets together. Instead of assigning five individual permission sets to each new Sales Manager, you create a “Sales Manager Group” once — containing all five permission sets — and then assign the group to each user with a single action.
From a management standpoint, this is transformative. If the permissions for that role need to change, you update the group once and the change propagates to every user assigned to it automatically.
Example architecture:
Your “Pilot Group” might contain two permission sets — “Airport View” (read access to airport records) and “Navigational View” (read access to navigational aid records). Any user assigned to the Pilot Group instantly gets both sets of permissions through a single assignment.
9. Muting Permissions in a Permission Set Group
This is where permission set groups become truly powerful. Within a Permission Set Group, you can create a Muting Permission Set — a special override that removes a specific permission that would otherwise be granted by one of the group’s member permission sets.
Muting doesn’t delete or modify the underlying permission set. It simply suppresses a specific permission for users assigned to that particular group. The same permission set could be used in other groups where muting does not apply.
Continuing the pilot example: The “Navigational View” permission set grants read access to all fields in the Navigational Aid object, including a sensitive “File Name” field. By adding a muting permission set to the Pilot Group that mutes access to “File Name,” pilots can see navigational aid records — but not that specific field. Precision access control without duplicating or modifying any existing permission set.
Important: Muting permission sets are specific to the group they’re created in. They cannot be shared or reused across multiple permission set groups.
10. Profile vs. Permission Set: Key Differences
| Aspect | Profile | Permission Set |
|---|---|---|
| Assignment | Every user must have exactly one | A user can have multiple |
| Purpose | Sets the minimum baseline access | Extends and adds to profile access |
| Nature | Restrictive — sets floors, not ceilings | Additive — can only grant, not remove |
| Required | Yes — mandatory for every user | No — optional, used as needed |
| Expiration | No built-in expiration | Supports timed/expiring assignments |
| Grouping | Cannot be grouped | Can be bundled into Permission Set Groups |
| Best practice role | Authentication, defaults, core settings | All functional access and permissions |
Â
The modern Salesforce best practice is clear: keep profiles minimal, and use permission sets for everything else. This reduces profile count, simplifies maintenance, and makes auditing significantly easier.
11. Best Practices for Salesforce Admins
Working effectively with permission sets in Salesforce comes down to disciplined design. Here are the practices that top Salesforce Admins follow:
Design Around Tasks, Not Job Titles
Create permission sets based on what users do, not what their title is. A “Delete Lead Records” permission set is far more reusable than a “Senior Account Executive” permission set, because the same deletion capability may apply to users across multiple teams and titles.
Always Write Meaningful Descriptions
Every permission set should have a clear description explaining its purpose and the use case it serves. Treat this as mandatory documentation — not optional metadata.
Use Permission Set Groups for Roles
If a persona or role requires more than two permission sets, bundle them into a Permission Set Group. This dramatically simplifies assignment and change management at scale.
Leverage Expiration for Temporary Access
Never grant permanent access for a temporary need. Use assignment expiration dates to automate the cleanup of contractor, consultant, or project-specific permissions.
Audit Regularly
Run periodic reviews of permission set assignments. Use Salesforce reports or the Permission Set Assignment report to identify over-privileged users or orphaned permission sets that are no longer in use.
Test Before Deploying
Always test a new permission set in a Sandbox environment before pushing it to production. Use the “Login As” feature to verify the access behaves exactly as intended.
Ready to Master Salesforce Administration?
Permission sets are just one chapter in the Salesforce Admin story. If you’re serious about becoming a certified Salesforce Administrator, our comprehensive Salesforce Admin Certification Course covers everything you need — from data security and user management to automation, reports, and dashboards — to confidently pass your ADM 201 exam and excel in your career.
What you'll get:
- Structured, exam-focused curriculum
- Hands-on labs with real Salesforce scenarios
- Coverage of all key admin topics: profiles, permission sets, sharing rules, flows, reports, and more
- Guidance from experienced Salesforce professionals
12. Frequently Asked Questions
Can permission sets remove access that a profile already grants?
No. Permission sets are strictly additive — they can only grant additional access on top of what the profile provides. If you need to restrict access, that restriction must be built into the profile itself or managed through sharing and record-level security settings.
How many permission sets can be assigned to a single user?
Salesforce does not enforce a hard cap on the number of permission sets per user. For most standard orgs, you can assign many permission sets to a single user if needed — though best practice is to consolidate them into Permission Set Groups for easier management.
What is the difference between a Permission Set and a Permission Set Group?
A Permission Set is a single collection of permissions for a specific purpose (e.g., “Delete Leads”). A Permission Set Group is a bundle of multiple permission sets assigned together as one unit (e.g., “Sales Manager Group”). Groups also support muting, which lets you suppress specific permissions within the group.
Can I set an expiry date on a Permission Set Group assignment?
Yes. Just like individual permission set assignments, Permission Set Group assignments also support expiration dates — applying the same time-limited access control to the entire group at once.
What happens if a permission set is part of a managed package — can I edit it?
No. Managed permission sets installed from AppExchange packages are controlled by the package publisher and cannot be edited by the subscriber org. If you need to customize access further, you must create your own separate custom permission set.
Is it possible to clone a permission set in Salesforce?
Yes. On a permission set’s detail page you’ll find a “Clone” button. This creates an exact copy with all settings intact, which you can then modify — a significant time saver when you need a slightly varied version of an existing set.
Wrapping Up
Permission sets in Salesforce are one of the most essential tools in any administrator’s toolkit. They provide the flexibility to grant granular access without bloating your profile structure, support time-limited assignments, and — when combined into Permission Set Groups — make managing access for entire teams effortless.
The shift away from profiles as the primary access mechanism is well underway. Admins who master permission sets and permission set groups today are building the exact skill set that modern Salesforce orgs demand.
Whether you’re preparing for the Salesforce Administrator certification exam or managing a complex production org, a solid understanding of permission sets will serve you at every step.
