Permission sets

Salesforce allows you assign only one profile to a user, but sometimes it's necessary to assign more than one profile to users based on your business requirements. Through the permission set, you can grant a group of settings and permissions to your users that allows them to access various apps and functions, in addition to the profile. The settings available in these permission sets are similar to those in profiles, but they extend the user's functional access without changing their profiles.

A business scenario: Eric Cordell  is working as Sales Manager West at Universal Containers. As per the initial business requirement, Sales Manager West can only access the opportunity records for an account that belongs to North America. Over the past few years, Eric helped Universal Containers to increase their sales pipeline from $15 million to $40 million. Now Sales Director Merint Mathew wants to grant all opportunities access (either edit or delete) to Eric Cordell, so he can manage it and generate more revenue.

To solve the preceding business requirement, you have the following options:

1. Create a new profile that is a combination of the Sales Manager West profile and Modify all permissions on opportunity objects (not a recommended solution, as it is very hard to manage).
2. Using the sharing rule, you can only grant Read or Read/Write permission, not delete.
3. Use permission set to grant Modify all permission on opportunity objects (recommended solution). In future, you can assign the same permission set to other users who have different profile.

Settings available under permission sets

Use permission sets to grant the following access to users:

• Assigned apps: Select the apps whose access you want to grant to users.
• Object settings: You can grant the following permissions to users:
  • Tab settings
  • Record type settings
  • Object permissions
  • Field-level permissions
• App permissions: Select the app-specific permission you want to grant to users.
• Apex class and Visualforce page access: This defines which Apex classes and Visualforce pages users can access.
• Service providers: Use this only if you've enabled Salesforce as an identity provider.
• Custom permission: Using this you can grant permission to access custom processes and apps to users.
• System permissions: Here you can define permissions to perform actions that apply across apps, such as Password Never Expires.

Creating a  permission set

Perform the following steps to create a new permission set:

1. Click Setup (gear icon) | Setup | ADMINISTRATION | Users | Permission Sets and then click on the New button, as shown in the following screenshot:
   
2. It will redirect you to a new screen from where you can create a new permission set. To create a permission set, enter the Label, API Name, and Description, and select User License from the dropdown:
   
3. Once you are done, click Save.

If you are planning to assign the permission set to all users who have the same user license type, it is best practice to associate that user license with the permission set. But if you are planning to assign the permission set to users who currently have different licenses (or might have different licenses in the future), it is probably best to create a permission set without a User License type.