Create a Permission Set Group | Trailhead Screen Reader Instructions

Learning Objectives

After completing this unit, you’ll be able to:

Get the Business Requirements

Before you start creating a permission set group, let’s analyze the business needs. The VP of sales, E.J. Argawal, needs team members to perform certain tasks as part of the sales orders processing function. E.J. says that some sales staff need permissions to make changes to orders, and other sales staff members need to make changes to both orders and contracts. 

Create a couple of permission sets based on tasks. Then include them in a permission set group that focuses on the job function that E.J.’s users perform. 

 

“Wait,” you think. “How does this save me time if I’m still creating new permission sets?”

Fair question, but remember: You can reuse permission sets! When you group these permission sets for E.J’s requirements, you retain the ability to assign the individual permission sets to other groups as needed. 

In other words, you avoid creating a unique permission set just for E.J., yet you can tailor the permission set group according to his needs. Create two custom permission sets.

Permissions User Group 1 User Group 2 Permission Set

Activate orders

Yes

Yes

Sales Orders 

Read orders

Yes

Yes

Create orders

Yes

Yes

Edit orders

Yes

Yes

Delete orders

Yes

Yes

Read contracts

No

Yes

Sales Contracts

Create contracts

No

Yes

Edit Contracts

No

Yes

Delete Contracts

No

Yes

 

Ready to Get Hands-on with Permission Set Groups?

Launch your Trailhead Playground now to follow along and try out the steps in this module. To open your Trailhead Playground, return to this unit’s page on Trailhead. Navigate down to the hands-on challenge heading and locate the Launch element just above the Check Challenge button. You also use the playground when it's time to complete the hands-on challenges.

 

Create Permission Sets

OK, let’s create a permission set for sales orders.   

  1. From Setup, search for and select Permission Sets.
  2. Activate the New button.
  3. For Label, enter Sales Orders.
  4. For License, keep None.
  5. Save the permission set.

 

Add permission to activate orders.

  1. In the Find Settings edit box, type the word Orders. As you type, results appear as “on mouse over” elements below the edit field on the page itself.
  2. JAWS users, press down arrow to exit forms mode and view the list of results on the page. NVDA users will need to exit focus mode to view the results. The results may take a moment to load, so explore with the arrow keys if you don’t immediately see the list. IT may be located above your current focus.
  3. Press ENTER on Activate Orders.
  4. Press ENTER on the Edit link located below the App Permissions heading.
  5. Navigate to the Sales heading and check the checkbox for Activate Order.
  6. Save the permission set. A Permission Changes Confirmation box opens. Notice that both Read Order and Edit Order were also enabled. That’s because Order Activation depends on being able to read and edit orders.
  7. Save your changes again.

 

Add permission to create and delete orders.

  1. In the Find Settings edit box, type the word Orders and then press down arrow. Results will appear on the page. Press ENTER on Orders. This should be located directly below Order Products.
  2. Activate the Edit link located below the Orders heading.
  3. Check the checkboxes for the Create and Delete object permissions below the Object Permissions heading.
  4. Save your changes.

 

Create the permission set for contracts. 

  1. Return to the main Permission Sets screen in Setup and activate the New button.
  2. For Label, enter Sales Contracts.
  3. For License, keep None.
  4. Save the permission set.

 

Add permission to read, create, edit, and delete contracts.

  1. In the Find Settings edit box, type the word Contracts and then press down arrow to find and select Contracts.
  2. Activate the Edit link below the Contracts heading.
  3. Check the checkboxes for the Read, Create, Edit, and Delete object permissions found below the Object Permissions heading.
  4. Save your changes.

Yay! Now you can create a permission set group to contain the two permission sets. 

 

Create Users

Permission sets and permission set groups are worthless without users. So first, add two users to your org. 

  1. From the Setup search box at the top of the  Setup page, type Users then find and select the result for Users.
  2. Create two users:

Finally, the main event! 

 

Create a Permission Set Group

  1. From the Setup search field, type Permission Set Groups and then press down arrow to find and select the result for Permission Set Groups.
  2. Activate the button for New Permission Set Group.
  3. For Label, enter Sales Processing.
  4. Save the permission set group.

 

Add permission sets to the permission set group.

  1. Under the Permission Sets heading, activate the link for Permission Sets in Group.
  2. Activate the Add Permission Set button.
  3. You are presented with a table listing all available permission sets . Check the boxes to select Sales Orders and Sales Contracts.
  4. Activate the Add button.
  5. Activate the Done button.

Ta-da! Your first permission set group, Sales Processing. 

 

Locate the link for Back to Permission Set Groups and activate it. We want to confirm that the group status is Updated. Locate the Permission Set Groups Overview heading. Check the table below the heading and make sure the status says Updated.

If it is, navigate by heading down to the Combined Permissions heading and activate the link for Object Settings. Notice that the settings for both the Contracts and Orders objects reflect the access you gave in the two permission sets in the group. 

 

Next you add users to the group. 

  1. Return to the Sales Processing permission set group. You can just press Alt Left arrow or use your browser's back button to move back one page.
  2. Activate the Manage Assignments button.
  3. Activate the Add Assignments button.
  4. You are presented with a table of all the users in your org. Find the checkbox for Eric Jackson and check the box, then activate the Assign button.

A confirmation message states that the permission set group has been assigned to one user.

  1. Activate the Done button.
  2. Try to add Anuj Singh.

You get an error. Just like with permission sets, you cannot assign a user to a permission set group if their license does not permit the permissions you want to assign. 

  1. Ignore the message and activate the Done button.

Anuj Singh won’t be added to the group until his license is updated. Licensing requirements remain the same when you work with permission set groups.

Nifty stuff! But there’s more! 

 

Analyze Your Existing Permissions Structure

You’ve created a permission set group and experienced some of the power that permission set groups can offer. But what do you do with your existing permission sets and users? You might wonder what to consider as you analyze your org’s assignment structure and prepare to begin using permission set groups. First, remember the principle of least privilege: Users should have the least permissions necessary to do their job. We keep this principle in mind as we work with permission set groups. 

Let’s review the purposes of profiles, permission sets, and permission set groups.

Profiles provide default settings for each user, such as default record type, IP range, and so on. Salesforce recommends using the Minimum Access - Salesforce profile as a best practice for assignment to users. Each user has only one profile

Permission Sets are collections of settings and permissions. Profiles allow users to perform some tasks, but permission sets allow additional tasks (tasks not enabled by profiles). For example, you can add permissions to create and customize list views, activate contracts, or any number of other permissions. 

Permission Set Groups bundle permission sets together. Users assigned to a permission set group receive the combined permissions of all the permission sets in the group. Permission set groups correspond to the job functions of users. 

With these definitions in mind, let’s revisit the permission set group you created for E.J. The goal was to give sales staff members the ability to perform the Sales Processing job function. 

  1. First, we listed the tasks the sales processing job function includes.
    • Activate orders
    • Read, create, edit, and delete orders
    • Read, create, edit, and delete contracts
  2. Then we asked, “Can we modify existing permission sets, or do we need to create new ones?” We discovered that we needed to create two new permission sets:
    • Sales Orders
    • Sales Contracts
  3. Finally, we checked which users perform the sales processing job function and assigned Eric to the permission set group.

TIP: The permissions you include in the permission sets in your permission set group must align with the tasks that the users perform in their job function. If not, review the job function’s goals. For example, if Eric shouldn’t have the Activate Orders permission, ask if the sales processing permission set group needs this permission. If it does, then check if Eric can be assigned to a different permission set group that's better suited to what he needs to do.

 

By the way, if you find that you must create a new permission set to include in your permission set group, consider how you can use it outside of the group, too. Look at other job functions to see if users need to perform some of the same tasks. You might want to include permission sets in other permission set groups. Use the flexibility of permission sets strategically by modeling your permission sets on the tasks that your users perform. 

If the job function for a permission set group changes, you can update the permission set group. That’s the great thing about permission set groups: they’re easy to adjust. For example, let’s say that you find out people who perform the sales processing job function must also have edit ability on the Opportunities object. Just add a new permission set to the permission set group or add a new permission to an existing permission set in the permission set group.  

 

Help As You Begin Using Permission Set Groups

Your permission assignment analysis might take some time. The Permission Helper app, available on the AppExchange, can help. The helper app can help you see what permissions a user has, convert some profiles to permission sets, and more. For example, you might want to grab permissions from an existing profile, then use the app to convert them to a permission set. 

When you complete your analysis, you can begin to migrate your profile-based model to the more flexible permission set and permission set group model. 

 

Summing It Up

Look at that! You’ve already created your first permission set group and learned about a tool that can help you analyze your existing permission sets. We’ve covered a lot of material and hope that you see the value that permission set groups offer. However, we aren’t done yet. In the next unit, you learn about the flexibility that muting permission sets can bring to your permission set groups.

Resources

Click to return to the unit on Trailhead to access your challenge at the end of the reading.