After completing this unit, you’ll be able to:
Before you start creating a permission set group, let’s analyze the business needs. The VP of sales, E.J. Argawal, needs team members to perform certain tasks as part of the sales orders processing function. E.J. says that some sales staff need permissions to make changes to orders, and other sales staff members need to make changes to both orders and contracts.
Create a couple of permission sets based on tasks. Then include them in a permission set group that focuses on the job function that E.J.’s users perform.
“Wait,” you think. “How does this save me time if I’m still creating new permission sets?”
Fair question, but remember: You can reuse permission sets! When you group these permission sets for E.J’s requirements, you retain the ability to assign the individual permission sets to other groups as needed.
In other words, you avoid creating a unique permission set just for E.J., yet you can tailor the permission set group according to his needs. Create two custom permission sets.
Permissions | User Group 1 | User Group 2 | Permission Set |
---|---|---|---|
Activate orders |
Yes |
Yes |
Sales Orders |
Read orders |
Yes |
Yes |
|
Create orders |
Yes |
Yes |
|
Edit orders |
Yes |
Yes |
|
Delete orders |
Yes |
Yes |
|
Read contracts |
No |
Yes |
Sales Contracts |
Create contracts |
No |
Yes |
|
Edit Contracts |
No |
Yes |
|
Delete Contracts |
No |
Yes |
Launch your Trailhead Playground now to follow along and try out the steps in this module. To open your Trailhead Playground, return to this unit’s page on Trailhead. Navigate down to the hands-on challenge heading and locate the Launch element just above the Check Challenge button. You also use the playground when it's time to complete the hands-on challenges.
Create Permission Sets
OK, let’s create a permission set for sales orders.
Add permission to activate orders.
Add permission to create and delete orders.
Create the permission set for contracts.
Add permission to read, create, edit, and delete contracts.
Yay! Now you can create a permission set group to contain the two permission sets.
Permission sets and permission set groups are worthless without users. So first, add two users to your org.
Finally, the main event!
Add permission sets to the permission set group.
Ta-da! Your first permission set group, Sales Processing.
Locate the link for Back to Permission Set Groups and activate it. We want to confirm that the group status is Updated. Locate the Permission Set Groups Overview heading. Check the table below the heading and make sure the status says Updated.
If it is, navigate by heading down to the Combined Permissions heading and activate the link for Object Settings. Notice that the settings for both the Contracts and Orders objects reflect the access you gave in the two permission sets in the group.
Next you add users to the group.
A confirmation message states that the permission set group has been assigned to one user.
You get an error. Just like with permission sets, you cannot assign a user to a permission set group if their license does not permit the permissions you want to assign.
Anuj Singh won’t be added to the group until his license is updated. Licensing requirements remain the same when you work with permission set groups.
Nifty stuff! But there’s more!
You’ve created a permission set group and experienced some of the power that permission set groups can offer. But what do you do with your existing permission sets and users? You might wonder what to consider as you analyze your org’s assignment structure and prepare to begin using permission set groups. First, remember the principle of least privilege: Users should have the least permissions necessary to do their job. We keep this principle in mind as we work with permission set groups.
Let’s review the purposes of profiles, permission sets, and permission set groups.
Profiles provide default settings for each user, such as default record type, IP range, and so on. Salesforce recommends using the Minimum Access - Salesforce profile as a best practice for assignment to users. Each user has only one profile.
Permission Sets are collections of settings and permissions. Profiles allow users to perform some tasks, but permission sets allow additional tasks (tasks not enabled by profiles). For example, you can add permissions to create and customize list views, activate contracts, or any number of other permissions.
Permission Set Groups bundle permission sets together. Users assigned to a permission set group receive the combined permissions of all the permission sets in the group. Permission set groups correspond to the job functions of users.
With these definitions in mind, let’s revisit the permission set group you created for E.J. The goal was to give sales staff members the ability to perform the Sales Processing job function.
TIP: The permissions you include in the permission sets in your permission set group must align with the tasks that the users perform in their job function. If not, review the job function’s goals. For example, if Eric shouldn’t have the Activate Orders permission, ask if the sales processing permission set group needs this permission. If it does, then check if Eric can be assigned to a different permission set group that's better suited to what he needs to do.
By the way, if you find that you must create a new permission set to include in your permission set group, consider how you can use it outside of the group, too. Look at other job functions to see if users need to perform some of the same tasks. You might want to include permission sets in other permission set groups. Use the flexibility of permission sets strategically by modeling your permission sets on the tasks that your users perform.
If the job function for a permission set group changes, you can update the permission set group. That’s the great thing about permission set groups: they’re easy to adjust. For example, let’s say that you find out people who perform the sales processing job function must also have edit ability on the Opportunities object. Just add a new permission set to the permission set group or add a new permission to an existing permission set in the permission set group.
Your permission assignment analysis might take some time. The Permission Helper app, available on the AppExchange, can help. The helper app can help you see what permissions a user has, convert some profiles to permission sets, and more. For example, you might want to grab permissions from an existing profile, then use the app to convert them to a permission set.
When you complete your analysis, you can begin to migrate your profile-based model to the more flexible permission set and permission set group model.
Look at that! You’ve already created your first permission set group and learned about a tool that can help you analyze your existing permission sets. We’ve covered a lot of material and hope that you see the value that permission set groups offer. However, we aren’t done yet. In the next unit, you learn about the flexibility that muting permission sets can bring to your permission set groups.
Click to return to the unit on Trailhead to access your challenge at the end of the reading.