ISVforce Guide

Clouds with binary code floating aboveCloud with binary code floating above

No Results

Search Tips:

  • Please consider misspellings
  • Try different search keywords
PDF

Newer Version Available

This content describes an older version of this product. View Latest

About Permission Sets and Profile Settings

Developers can use permission sets or profile settings to grant permissions and other access settings to a package. When deciding whether to use permission sets, profile settings, or a combination of both, consider the similarities and differences.

Behavior Permission Sets Profile Settings
What permissions and settings are included?
  • Custom object permissions
  • Custom field permissions
  • Apex class access
  • Visualforce page access

Permission sets include assigned apps and tab settings, but these settings can’t be packaged as permission set components.

Note
  • Assigned apps
  • Tab settings
  • Page layout assignments
  • Record type assignments
  • Custom object permissions
  • Custom field permissions
  • Apex class access
  • Visualforce page access
Can they be upgraded in managed packages? Yes. Profile settings are applied to existing profiles in the subscriber's organization on install or upgrade. Only permissions related to new components created as part of the install or upgrade are applied.
Can subscribers edit them? Subscribers can edit permission sets in unmanaged packages, but not in managed packages. Yes.
Can you clone or create them? Yes. However, if a subscriber clones a permission set or creates one that's based on a packaged permission set, it won't be updated in subsequent upgrades. Only the permission sets included in a package are upgraded. Yes. Subscribers can clone any profile that includes permissions and settings related to packaged components.
Do they include standard object permissions? No. Also, you can’t include object permissions for a custom object in a master-detail relationship where the master is a standard object. No.
Do they include user permissions? No. No.
Are they included in the installation wizard? No. Subscribers must assign permission sets after installation. Yes. Profile settings are applied to existing profiles in the subscriber's organization on install or upgrade. Only permissions related to new components created as part of the install or upgrade are applied.
What are the user license requirements? A permission set is only installed if the subscriber organization has at least one user license that matches the permission set. For example, permission sets with the Salesforce Platform user license aren't installed in an organization that has no Salesforce Platform user licenses. If a subscriber subsequently acquires a license, they must reinstall the package to get the permission sets associated with the newly acquired license.

Permission sets with no user license are always installed. If you assign a permission set with no user license, all of its enabled settings and permissions must be allowed by the user’s license, or the assignment will fail.

 None. In a subscriber organization, the installation overrides the profile settings, not their user licenses.
How are they assigned to users? Subscribers must assign packaged permission sets after installing the package. Profile settings are applied to existing profiles.

Best Practices

  • Use permission sets in addition to packaged profiles so your subscribers can easily add new permissions for existing app users.
  • If users need access to apps, tabs, page layouts, and record types, don't use permission sets as the sole permission-granting model for your app. Assigned apps and tab settings are available in the permission set user interface, but they aren’t included in permission set package components.
  • Create packaged permission sets that grant access to the custom components in a package, but not standard Salesforce components.