Salesforce security models confuse more admins than any other topic. Profiles, Permission Sets, Permission Set Groups — they overlap, they interact, and Salesforce keeps changing the rules. This guide cuts through the noise with a clear model you can apply today.
The Honest Short Answer
Profiles: Assign the minimum baseline. Every user must have one. Use the most restrictive profile that makes sense for the user's role group — ideally a "Minimum Access" profile for most users.
Permission Sets: Grant additive permissions on top of the profile. One user can have many Permission Sets. Use them for anything beyond the baseline.
Permission Set Groups: Bundle multiple Permission Sets into one assignable unit. Use these once you have more than two or three Permission Sets that consistently go together.
Profiles: What They Still Control
Despite Salesforce's push toward Permission Sets, Profiles still exclusively control several settings that Permission Sets cannot:
- Login hours and IP restrictions — only on Profiles
- Default record types — Profiles set the default; Permission Sets can add more
- Page layout assignments — still Profile-only
- App settings (default app) — Profile-driven
This is why you cannot eliminate Profiles entirely, even in the most modern Salesforce org. Use them only for these things and nothing else.
Permission Sets: The Right Model
Build Permission Sets around job functions, not job titles. A "Sales Rep" profile is a trap — the moment one sales rep needs something different, you create a new profile. Instead:
- PS: "Manage Opportunities" — edit/delete Opportunities, view forecasting
- PS: "View Accounts" — read-only on Accounts
- PS: "Run Reports" — run/export reports
Mix and match. A Sales Rep gets Manage Opportunities + View Accounts + Run Reports. A Sales Manager gets the same plus a "Manage Users" set. No new profiles are ever created.
Permission Set Groups
Once you have 5+ Permission Sets that always go together for a user type, group them. Assign the group, not the individual sets. When something changes, update the group — not 200 user records.
Groups also support muting: within a group, you can mute a specific permission that one of the member sets would otherwise grant. This is the most underused feature in Salesforce security.
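The additive model and group muting described above, as an added Python sketch (not Salesforce code and not part of the original guide). Permission labels such as `Opportunity.Delete` and the empty baseline are constructed; the point it shows is that a mute only subtracts from what that group grants, so the same permission arriving through a directly assigned Permission Set or the Profile still applies.

```python
# Simplified model of how Salesforce combines grants (added illustration).
# Permission and set names are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class PermissionSetGroup:
    name: str
    member_sets: list                        # names of member Permission Sets
    muted: set = field(default_factory=set)  # permissions muted in this group

    def grants(self, catalog):
        """Union of the member sets, minus what the group mutes."""
        combined = set()
        for ps in self.member_sets:
            combined |= catalog[ps]
        return combined - self.muted


def effective_permissions(profile_perms, direct_sets, groups, catalog):
    """Access is additive: Profile + direct sets + each group's net grants."""
    result = set(profile_perms)
    for ps in direct_sets:
        result |= catalog[ps]
    for group in groups:
        result |= group.grants(catalog)
    return result


def ineffective_mutes(profile_perms, direct_sets, groups, catalog):
    """Muted permissions the user still holds through another path."""
    held = effective_permissions(profile_perms, direct_sets, groups, catalog)
    return {(g.name, p) for g in groups for p in g.muted if p in held}


# Constructed catalog using the Permission Set names from this guide.
CATALOG = {
    "Manage Opportunities": {"Opportunity.Edit", "Opportunity.Delete", "Forecast.View"},
    "View Accounts": {"Account.Read"},
    "Run Reports": {"Report.Run", "Report.Export"},
}
MINIMUM_ACCESS = set()  # assumed baseline Profile with no object permissions

SALES_REP = PermissionSetGroup(
    "Sales Rep",
    ["Manage Opportunities", "View Accounts", "Run Reports"],
    muted={"Opportunity.Delete"},
)
```

Calling `ineffective_mutes(MINIMUM_ACCESS, ["Manage Opportunities"], [SALES_REP], CATALOG)` reports the mute that a leftover direct assignment defeats, which is the check to run before relying on muting as a restriction.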
The Migration Warning
Salesforce has announced the eventual deprecation of most Profile permissions in favour of Permission Sets. If your org runs on heavily customised Profiles with dozens of object/field permissions, start migrating now. It is a long project — do it incrementally by team, not all at once.
Quick Decision Framework
| Need | Use |
|---|---|
| Restrict login hours | Profile |
| Set default record type | Profile |
| Assign page layouts | Profile |
| Grant object CRUD | Permission Set |
| Grant field access | Permission Set |
| Grant Apex class access | Permission Set |
| Bundle sets for a role | Permission Set Group |