Learn how to take control of your profile and permission sets, as well as best practices of permission management.

1. Admin's Guide to Profiles & Permissions

2. Marc Baizman
Product Manager
Salesforce
Sharon Liao
Sr. Admin Evangelist
Salesforce
@mbaizman
Today’s Speakers

3. Forward-Looking Statement
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the
assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements
we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability,
subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations,
statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service,
new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or
delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and
acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and
manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization
and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our
annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and
others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be
delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available.
Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Statement under the Private Securities Litigation Reform Act of 1995

4. Connect with Us!
Salesforce Admins
@SalesforceAdmns
#AwesomeAdmin
admin.salesforce.com
Salesforce Admins
Salesforce Admins

5. Watch the Recording
The video will be posted to YouTube
& the webinar recap page:
bit.ly/GuidetoPermissions
This webinar is being recorded!

6. Join the Admin Webinar Group for Q&A!
bit.ly/AdminWebinarGroup
Don’t wait until the end to ask your question!
● We have team members on hand to answer questions
in the webinar group.
Stick around for live Q&A at the end!
● Speakers will tackle more questions at the end, time-
allowing

7. • “Principle of Least Privilege”
• Profile and Permission Set Quick Review & Best Practices
• Next Generation of User Management
• Permissioning Tools & Demo
• Resources
• Q&A
Today’s Agenda

8. Users should have the least number of
permissions necessary to do their job and
nothing more.
Principle of Least Privilege

9. Profile and Permission Set
Quick Review and Best Practices

10. Permission Sets are the vehicle
for managing access rights in
your org.

11. Division of labor between Profiles & Permission Sets
Overview of User Access Management in Salesforce
Awesome
Admins
RightsUsers
WHO has access to WHAT?
Profile
As old as with Salesforce
● Baseline authorization
● Limit one per user
● Default settings you can not
take away from user
Permission Set
Since Winter’ 12
● Built for layering
● Many to many relationship with user
● Extensible entitlements for functional
access

12. A Sales Team Permissions Example
● One standard Sales User Profile
● Some Sales Users need additional access to view and create public reports, some do not
● Sales Users who are in manager role also need access to Team Pipeline Forecast app
Profile (4) Permission Set (1+2)
Sales UserUser 1
User 2
User 3
User 4
Sales User with Report Access
Sales User Manager
Sales User Manager with Report Access
Access to Report
Access to ReportAccess to Forecast
Access to Forecast
Sales User
Access to
Report
Sales User
Sales User
Access to
Forecast
Access to
Report
Sales User
Access to
Forecast
User x innumerable profile
...
stackable, flexible

13. What Can Move from Profiles to Permission Sets?
Determine what should be moved
YES
Permission Sets
- Access to Apps
- System & User
Management
Login Policy
Layout & Record
Types
User Permissions
- External Services
- Name Credentials
- Connected Apps
- Social Accounts
Object/Field Access
Tab Access
Apex Class
Visualforce Page
External Integration
Custom Permissions
NO
- Assigned Record Type
- Default Record Type
- Page Layout
- Login Hours & IP Ranges

14. Choose Permission Sets Over Profiles
It’s the
future!
Stackable
Reduce number of
profiles.
Flexible
Mix and match based on
individual tasks
at a more granular level.
Benefits of Permission Sets:
Easier
Assignment
Can be reused and
assigned to multiple
users.
Reduce permissions on
profiles. Switch to role based
permission management
model.

15. Next Generation of User Management

16. Introducing Permission Set Groups
● Allow combining permission sets into a
single group that represents what users
need for their job role
● Auto propagate permission set updates
to all relevant groups, giving assigned
users the aggregated permissions
● Subscriber orgs can extend managed
groups to add or remove permissions
without cloning
Currently In Pilot (Summer ‘19)

17. Roadmap Vision: Role Based User Access Control
Permission Sets
(Task Perms)
Permission Set Groups
(Job Roles)
User Profile
(1:1 Settings)
Standard
Permission Set Group
Custom
Permission Set Group
Managed(ISV)
Permission Set Group
Standard Permission Set
Custom Permission Set
Managed (ISV) Permission Set

18. Permissioning Tools
Profile and Permission Helper

19. Converter: Convert Profiles to Permission Sets
● Create assignable Permission Sets
based on the Profile you selected
with one click
● Reduce administrative overhead in
profile and permissions
management when switching user
licenses
● Support both standard Profiles and
Custom Profiles

20. Permission Analyzer: Know Who Has Access to What
● View a summation of all
permissions assigned to a user in
one screen
● View which specific profiles or
permission sets contain a
permission
● Keep all data transactions
securely within your org and
respect data access control

21. Demo
Profile to Permission Set Convertor
Permission Analyzer

22. Resources

23. Get the Permission Helper App
● Free in AppExchange from
Salesforce Labs
● bit.ly/permhelper
● Have questions? Post in the
community with
#PermissionHelperApp

24. Additional Resources
Trailhead
Data Security
Module
bit.ly/DataSecurityBadge
Blog
Simplify Your Permissions with
the Profile and Permission Set
Helper
bit.ly/PermissionHelperApp
Video
Who Sees What
sforce.co/whoseeswhatlightning
PSG Pilot Demo
sfdc.co/psgwalkthroughvideo

25. Q&A
bit.ly/AdminWebinarGroup
Slides
bit.ly/GuidetoPermissions
Wrapping Up
Survey
Please complete
GoToWebinar survey