Permissions Set Groups and Muting Permissions 101

Understanding the differences between Permission Sets and Profiles is crucial for managing user access and maintaining security in your Salesforce environment. With that in mind, let's explore the differences between these two fundamental Salesforce components.
Cloudy sky header image

Why Profiles?

Profiles have been around for a long time, and, until recently, they were the best way to segment users into access groupings in order to restrict access to Salesforce objects and fields. They are the traditional baseline of access control. But sometimes, it is easy to have too much of a good thing, and Salesforce orgs quickly became overly propagated with profile after profile, some going as far as a profile for every Salesforce user. Enter the newcomer Permission Sets

Why Permission Sets?

Permission Sets are not technically new since they have been around since 2012. However, the use of Permission Sets is now being encouraged and will soon be forced as Salesforce transitions away from Profile-level, field-level access. The handling of multiple Permission Sets was difficult, so Salesforce introduced the concept of Permission Set Groups to aggregate multiple Permission Sets under one umbrella, then, soon after, Muting Permissions to restrict access for Permission Set groups. A little confusing? 

How to Set up Permission Sets, Permission Set Groups, and Muting Permissions 

Let’s walk through the scenario together; then, we will go into the solution.  

Let’s say that your B2C sales organization has three core teams:

Permission set groups

Roles

A role hierarchy is set up to ensure visibility to records based on each person’s position:

List of role hierarchies
  • Account Executives report to Sales Managers, however, this structure ensures that Customer Success has visibility into only the records that their Account Executives own, while the Sales Manager has access into all records owned by all of their Account Executives and Customer Success reps.
  • Sales Managers need a sweeping view and edit access to all objects related to the customer journey. 
  • Customer Success is responsible for retention and upsells, so fields related to these processes should be editable.

Account Executives are solely focused on new sales, so their visibility should be limited to hone all focus on data that leads to deals.

Permissions set table

Let’s use our imaginations and assume that this list of field and object permissions fills up a few pages. It’s not a simple set of three items! 

Luckily, there’s a solution to manage access and move on from just using Profiles: 

Profile

We have one Profile – Sales – that we use for these roles since the requirements for these groups are the same across three key items controlled by profile:

  • Login IP ranges
  • Default Record Types
  • Page Layout Assignment (AND dynamic forms) 

Permission Sets

We should also expect that there will be field additions and changes to requirements over time, so the Permissions Sets need to be set up so that a future admin would understand exactly what we have in each one. Ie, A permission set for each role could technically work, but it would be harder to maintain than permissions set up by Object and then grouped.

Let’s create two permission sets:

  1. Accounts and Contacts – since they have similar access requirements for our team.
  2. Assets – Accounting also needs to update this data, but this team does not edit Accounts or Contacts. Thus, we will keep it separate to make our Permission Set reusable! 

We also need three Permissions Set Groups – one for each role. These groups will aggregate our two permissions sets and allow us to add muting permissions to restrict access per role.

Back to our Permission Sets:

  • Accounts and Contacts:
    • Rating Field (Account): Read/Edit
    • Warranty Expiration Field (Contact): Read/Edit 
  • Asset: Read/Edit all fields

At the time that this article was written, read and edit access to all fields on an object is a.. pain in the **insert emoji of Donkey from Shrek**, but there is hope! Follow the progress of “Select All” here.

Field Level Security

Permission Set Groups & Muting

There are three Permission Set Groups for each of our core user groups:

Sales Manager

Our Sales Manager group is the easiest one to create – we just assign the two permission sets, and we are good to go. Why? This position has the widest data access level out of the three. All our permission sets are designed for the widest level of access -then access is limited via muting permission sets.  

Sales manager role settings

Customer Success

For this position, we apply both of our permissions sets and then apply Muting Permissions to limit access to the Warranty Expiration filed on Contact and the Asset object. Unlike Permission Sets, we create Muting Permissions directly from the Permission Set Group – not the Permission Sets page. 

A muted permission in a permission set group restricts access to the field, object, or feature regardless of what the permission sets assigned to the group grant:

Field muting permissions

We simply mute edit access to the field and mute edit access to all Asset records – then we can reuse the same permission sets for the Customer Success position.

Account Executives

Again, another Permission Set Group, the same two permission sets, then muting permissions. 

How do I transition from Profiles to Permission Sets?

Salesforce has a Profile -> Permission Set conversion tool, which may work for some smaller Salesforces. Those that are larger, need to watch limits, as there are only 1,000 permission sets allowed for most implementations. 

Trailhead’s Data Categorization Data Categorization and Access Superbadge is a great starting point.

Salesforce Ben’s Clean Up Profiles and Permission Sets article has some great advice. The User Access and Permissions Assistant can also be helpful. However, only you know your Salesforce! 

CapStorm Helps You Transition to Permissions

Permissions transitions can be a tricky thing to master. It’s often tough to ensure that you do not accidentally impact a user’s day-to-day job by removing access to something that you did not know that they used in the first place! 

A good plan is to minimize risk by backing up metadata frequently. Backups with CapStorm automatically version meta changes so that you can, in just a few clicks, roll back to the original profile, if needed, or fix a permission set. If you’re ever in doubt about what permissions your backup users may not have access to that could result in incomplete backups, use our Salesforce Permission Checker tool to verify access!

Ready to learn more? We’re here to answer your questions!

Rebecca Gray

Rebecca Gray

Rebecca is 5 year Salesforce fanatic and certified Salesforce Admin, Service Cloud Consultant, Sales Cloud Consultant, and App Builder. She volunteers in the Salesforce community, leading the Saint Louis, MO Salesforce Admin Group and is a former Lightning Champion. In her day job, Rebecca supports Customer Success, helping CapStorm customers achieve their goals for Salesforce data management.

About CapStorm

CapStorm is the most technologically advanced Salesforce data management platform on the market. Billions of records per day flow through CapStorm software, and our solutions are used in every industry from credit cards, telecom providers, insurance agencies, global banks and energy providers.

Recent Posts

Follow Us

Become a CapStorm Insider

Become a CapStorm Insider

Subscribe to the CapStorm Forecast

Name
This field is for validation purposes and should be left unchanged.