Permission Sets and Profile Settings in Packages

Permission sets, permission set groups, and profile settings are all ways to grant permissions and other access settings to a package. Only use a profile setting if permission sets don’t support the specific access you need to grant. In all other instances, use permission sets or permission set groups.

Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.

Important

Available in: Enterprise, Performance, Unlimited, and Developer Editions
Permission sets are available in: Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Behavior Permission Sets Profile Settings
What permissions and settings are included?
  • Assigned custom apps
  • Custom object permissions
  • External object permissions
  • Custom field permissions
  • Custom metadata types permissions
  • Custom permissions
  • Custom settings permissions
  • Custom tab visibility settings
  • Apex class access
  • Visualforce page access
  • External data source access
  • Record types

Although permission sets include standard tab visibility settings, these settings can’t be packaged as permission set components.

If a permission set includes an assigned custom app, it’s possible that a subscriber can delete the app. In that case, when the package is later upgraded, the assigned custom app is removed from the permission set.

Note

  • Assigned custom apps
  • Assigned connected apps
  • Tab settings
  • Page layout assignments
  • Record type assignments
  • Custom field permissions
  • Custom metadata type permissions
  • Custom object permissions
  • Custom permissions
  • Custom settings permissions
  • External object permissions
  • Apex class access
  • Visualforce page access
  • External data source access
Can they be upgraded in managed packages? Yes. Profile settings are applied to existing profiles in the subscriber’s org on install or upgrade. Only permissions related to new components created as part of the install or upgrade are applied.
Can subscribers edit them? No. Yes.
Can you clone or create them? Yes. However, if a subscriber clones a permission set or creates one that’s based on a packaged permission set, it isn’t updated in subsequent upgrades. Only the permission sets included in a package are upgraded. Yes. Subscribers can clone any profile that includes permissions and settings related to packaged components.
Do they include standard object permissions? No. Also, you can’t include object permissions for a custom object in a master-detail relationship where the master is a standard object. No.
Do they include user permissions? No. No.
Are they included in the installation wizard? No. Subscribers must assign permission sets after installation. Yes. Profile settings are applied to existing profiles in the subscriber’s org on install or upgrade. Only permissions related to new components created as part of the install or upgrade are applied. Affected components (listed with the developerName) can include new:
  • Fields (CustomField)
  • Objects (CustomObject),
  • Tabs (CustomTab)
  • Apps (CustomApplication)
  • Apex classes (ApexClass)
  • Apex pages (ApexPage)
  • Layouts (Layout)
  • Record types (RecordType)
  • Custom permissions (CustomPermission)
  • Custom settings (CustomSetting)
  • Custom metadata types (CustomMetadata)
What are the user license requirements? A permission set is only installed if the subscriber org has at least one user license that matches the permission set. For example, permission sets with the Salesforce Platform user license aren’t installed in an org that has no Salesforce Platform user licenses. If a subscriber later acquires a license, the subscriber must reinstall the package to get the permission sets associated with the newly acquired license.

Permission sets with no user license are always installed. If you assign a permission set that doesn’t include a user license, the user’s existing license must allow its enabled settings and permissions. Otherwise, the assignment fails.

None. In a subscriber org, the installation overrides the profile settings, not their user licenses.
How are they assigned to users? Subscribers must assign packaged permission sets after installing the package. Profile settings are applied to existing profiles.
Can permission sets in an extension package grant access to objects installed in a base package?

A permission set in the extension package can't modify access permissions for either the parent objects in the base package or the associated child objects in the extension package.

Same behavior as for permission sets.

Best Practices

  • If users need access to apps, standard tabs, page layouts, and record types, don't use permission sets as the sole permission-granting model for your app.
  • Create packaged permission sets that grant access to the custom components in a package, but not standard Salesforce components.