Permission Sets and Profile Settings in Packages
Permission sets, permission set groups, and profile settings are all ways to grant
permissions and other access settings to a package. Only use a profile setting if permission
sets don’t support the specific access you need to grant. In all other instances, use permission
sets or permission set groups.
Available in: Enterprise, Performance, Unlimited, and Developer Editions |
Permission sets are available in: Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
Behavior | Permission Sets | Profile Settings |
---|---|---|
What permissions and settings are included? |
|
|
Can they be upgraded in managed packages? | Yes. | Profile settings are applied to existing profiles in the subscriber’s org on install or upgrade. Only permissions related to new components created as part of the install or upgrade are applied. |
Can subscribers edit them? | No. | Yes. |
Can you clone or create them? | Yes. However, if a subscriber clones a permission set or creates one that’s based on a packaged permission set, it isn’t updated in subsequent upgrades. Only the permission sets included in a package are upgraded. | Yes. Subscribers can clone any profile that includes permissions and settings related to packaged components. |
Do they include standard object permissions? | No. Also, you can’t include object permissions for a custom object in a master-detail relationship where the master is a standard object. | No. |
Do they include user permissions? | No. | No. |
Are they included in the installation wizard? | No. Subscribers must assign permission sets after installation. | Yes. Profile settings are applied to existing profiles in the subscriber’s org
on install or upgrade. Only permissions related to new components created as part of
the install or upgrade are applied. Affected components (listed with the
developerName) can include new:
|
What are the user license requirements? | A permission set is only installed if the subscriber org has at least one user
license that matches the permission set. For example, permission sets with the
Salesforce Platform user license aren’t installed in an org that has no Salesforce
Platform user licenses. If a subscriber later acquires a license, the subscriber
must reinstall the package to get the permission sets associated with the newly
acquired license. Permission sets with no user license are always installed. If you assign a permission set that doesn’t include a user license, the user’s existing license must allow its enabled settings and permissions. Otherwise, the assignment fails. |
None. In a subscriber org, the installation overrides the profile settings, not their user licenses. |
How are they assigned to users? | Subscribers must assign packaged permission sets after installing the package. | Profile settings are applied to existing profiles. |
Can permission sets in an extension package grant access to objects installed in a base package? |
A permission set in the extension package can't modify access permissions for either the parent objects in the base package or the associated child objects in the extension package. |
Same behavior as for permission sets. |