Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Create a Permission Set Group

Learning Objectives

After completing this unit, you’ll be able to:

  • Create a permission set group.
  • Assign users to a permission set group.
  • Analyze existing profiles and permissions and develop a model that includes permission set groups.
Note

Accessibility

This unit requires some additional instructions for screen reader users. To access a detailed screen reader version of this unit, click the link below:

Open Trailhead screen reader instructions.

Get the Business Requirements

Before you start creating a permission set group, let’s analyze the business needs. The VP of sales, E.J. Agarwal, needs team members to perform certain tasks as part of the sales orders processing function. E.J. says that some sales staff need permissions to make changes to orders, and other sales staff members need to make changes to both orders and contracts. 

Create a couple of permission sets based on tasks. Then include them in a permission set group that focuses on the job function that E.J.’s users perform. 

“Wait,” you think. “How does this save me time if I’m still creating new permission sets?”

Fair question, but remember: You can reuse permission sets! When you group these permission sets for E.J’s requirements, you retain the ability to assign the individual permission sets to other groups as needed. 

In other words, you avoid creating a unique permission set just for E.J., yet you can tailor the permission set group according to his needs. Create two custom permission sets.

Permissions

User Group 1

User Group 2

Permission Set

Activate orders

Yes

Yes

Sales Orders 

Read orders

Yes

Yes

Sales Orders 

Create orders

Yes

Yes

Sales Orders 

Edit orders

Yes

Yes

Sales Orders 

Delete orders

Yes

Yes

Sales Orders 

Read contracts

No

Yes

Sales Contracts

Create contracts

No

Yes

Sales Contracts

Edit Contracts

No

Yes

Sales Contracts

Delete Contracts

No

Yes

Sales Contracts

Ready to Get Hands-on with Permission Set Groups?

Launch your Trailhead Playground now to follow along and try out the steps in this module. To open your Trailhead Playground, scroll down to the hands-on challenge and click Launch. You also use the playground when it's time to complete the hands-on challenges.

Create Permission Sets

OK, let’s create a permission set for sales orders.  

  1. From Setup, in Quick Find type Permission Sets and select Permission Sets.
  2. Click New.
  3. For Label, enter Sales Orders.
  4. For License, keep None.
  5. Save the permission set.

Add an app permission (user permission) to activate orders.

  1. In the Find Settings box, type Orders and then click Activate Orders.
  2. On the App Permissions page, click Edit.
  3. Scroll to the Sales section and enable Activate Orders.
  4. Save the permission set. A Permission Changes Confirmation box opens. Notice that both Read Order and Edit Order were also enabled. That’s because Order Activation depends on being able to read and edit orders.
  5. Save your changes.

Add object permission to create and delete orders.

  1. In the Find Settings box, type Orders and then click Orders.
  2. On the Object Settings page for Orders, click Edit.
  3. Enable the Create and Delete object permissions.
  4. Save your changes.

Create the permission set for contracts. 

  1. Navigate to the main Permission Sets Setup page. Click New.
  2. For Label, enter Sales Contracts.
  3. For License, keep None.
  4. Save the permission set.

Add permission to read, create, edit, and delete contracts.

  1. In the Find Settings... box, type Contracts and then click Contracts.
  2. On the Object Settings page for Contracts, click Edit.
  3. Enable the Read, Create, Edit, and Delete object permissions.
  4. Save your changes.

Yay! Now you can create a permission set group to contain the two permission sets. 

Create Users

Permission sets and permission set groups are worthless without users. So first, add two users to your org. 

  1. In Setup, open Users.
  2. Create two users:
  • Max Jackson:
    • Title: Sales Contracts Manager
    • License: Salesforce
    • Profile: Minimum Access - Salesforce
    • Email: Enter any email address. The Username and Nickname populate automatically.
  • Anuj Singh:
    • Title: Sales Coordinator
    • License: Force.com - Free
    • Profile: Force.com - Free User
    • Email: Enter any email address. The Username and Nickname populate automatically.

Finally, the main event! 

Create a Permission Set Group

  1. From Setup, in Quick Find, type Permission Set Groups and then select Permission Set Groups.
  2. Click New Permission Set Group.
  3. For Label, enter Sales Processing.
  4. Save the permission set group.

Add permission sets to the permission set group.

  1. Under Permission Sets, click Permission Sets in Group.
  2. Click Add Permission Set.
  3. Select Sales Orders and Sales Contracts.
  4. Click Add.
  5. Click Done.

Ta-da! Your first permission set group, Sales Processing. 

Venn diagram corresponding to the preceding steps to create the Sales Processing permission set group.

Go to your permission set group, and confirm that the group status is Updated. 

If it is, scroll down to Combined Permissions and click Object Settings. Notice that the settings for both the Contracts and Orders objects reflect the access you gave in the two permission sets in the group. 

Next you add users to the group. 

  1. Return to the Sales Processing permission set group.
  2. Click Manage Assignments.
  3. Click Add Assignments.
  4. Select Max Jackson and then click Next.  
  5. Click Assign. A confirmation message states that the permission set group has been assigned to one user.
  6. Click Done.
  7. Try to add Anuj Singh. You get an error. Just like with permission sets, you cannot assign a user to a permission set group if their license does not permit the permissions you want to assign. 
  8. Ignore the message and click Done.

Anuj Singh won’t be added to the group until his license is updated. Licensing requirements remain the same when you work with permission set groups.

Nifty stuff! But there’s more! 

Analyze Your Existing Permissions Structure

You’ve created a permission set group and experienced some of the power that permission set groups can offer. But what do you do with your existing permission sets and users? You might wonder what to consider as you analyze your org’s assignment structure and prepare to begin using permission set groups. First, remember the principle of least privilege: Users should have the least permissions necessary to do their job. We keep this principle in mind as we work with permission set groups. 

Let’s review the purposes of profiles, permission sets, and permission set groups.

Profiles provide default settings for each user, such as default record type, IP range, and so on. Salesforce recommends using the Minimum Access - Salesforce profile as a best practice for assignment to users. Each user has only one profile

Permission Sets are collections of settings and permissions. Profiles allow users to perform some tasks, but permission sets allow additional tasks (tasks not enabled by profiles). For example, you can add permissions to create and customize list views, activate contracts, or any number of other permissions. 

Permission Set Groups bundle permission sets together. Users assigned to a permission set group receive the combined permissions of all the permission sets in the group. Permission set groups correspond to the job functions of users. 

With these definitions in mind, let’s revisit the permission set group you created for E.J. The goal was to give sales staff members the ability to perform the Sales Processing job function. 

  1. First, we listed the tasks the sales processing job function includes.
    • Activate orders
    • Read, create, edit, and delete orders
    • Read, create, edit, and delete contracts
  1. Then we asked, “Can we modify existing permission sets, or do we need to create new ones?” We discovered that we needed to create two new permission sets:
    • Sales Orders
    • Sales Contracts
  1. Finally, we checked which users perform the sales processing job function and assigned Max to the permission set group.

TIP: The permissions you include in the permission sets in your permission set group must align with the tasks that the users perform in their job function. If not, review the job function’s goals. For example, if Max shouldn’t have the Activate Orders permission, ask if the sales processing permission set group needs this permission. If it does, then check if Max can be assigned to a different permission set group that's better suited to what he needs to do.

By the way, if you find that you must create a new permission set to include in your permission set group, consider how you can use it outside of the group, too. Look at other job functions to see if users need to perform some of the same tasks. You might want to include permission sets in other permission set groups. Use the flexibility of permission sets strategically by modeling your permission sets on the tasks that your users perform. 

If the job function for a permission set group changes, you can update the permission set group. That’s the great thing about permission set groups: they’re easy to adjust. For example, let’s say that you find out people who perform the sales processing job function must also have edit ability on the Opportunities object. Just add a new permission set to the permission set group or add a new permission to an existing permission set in the permission set group.  

Help As You Begin Using Permission Set Groups

Your permission assignment analysis might take some time. The User Access and Permissions Assistant app, available on AppExchange, can help. The app can help you see what permissions a user has, convert some profiles to permission sets, and more. For example, you might want to grab permissions from an existing profile, then use the app to convert them to a permission set. 

You can also use the permission set and permission set group summaries to quickly see what object, user, field, and custom permissions are enabled. You can also see which permission set groups include the permission set and vice versa. From the detail page of the permission set or permission set group, click View Summary.

When you complete your analysis, you can begin to migrate your profile-based model to the more flexible permission set and permission set group model. 

Summing It Up

Look at that! You’ve already created your first permission set group and learned about a tool that can help you analyze your existing permission sets. We’ve covered a lot of material and hope that you see the value that permission set groups offer. However, we aren’t done yet. In the next unit, you learn about the flexibility that muting permission sets can bring to your permission set groups.

Resources

Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback