Get Started with Permission Set Groups

Learning Objectives

After completing this unit, you’ll be able to:

  • State what a permission set group is.
  • Describe two use cases for using permission set groups.
  • Explain how permissions are calculated in a permission set group.

The Basics of Permission Set Groups

As an admin, it’s very possible that you have many permission sets that you assign to users. And you likely spend a lot of time managing the permissions that users require while trying to ensure that they have only the permissions that they need to perform their work. For example, your assignment structure might resemble this image, where you must assign several users to several permission sets. 

Three individual users with each user assigned to three separate permission sets.Given how quickly permission sets can multiply, you may have wondered how to simplify permission set management while maintaining the principle of least privilege to protect your org. Well, we have a solution for you: permission set groups. With permission set groups, you can bundle permission sets together based on a job function. A permission set group includes all permissions in the permission sets. You can even include a permission set in more than one permission set group.Three individual users with each user assigned to a single permission set group that contains three permission sets. Granting permissions to users based on the tasks they perform in their different job functions becomes much simpler.

Benefits of Permission Set Groups

Assigning permissions to users via permission set groups does look simpler, but how does grouping permission sets make your job easier and help you to enforce assignments based on least privilege? 

Let’s say that the vice president of your sales department, E.J. Agarwal, has users who require permissions to create, edit, and delete surveys; create and customize list views and reports; and create and edit price books. These users all perform work involving price surveys.

There are a couple of ways that you can provide E.J.’s users with what they need. You can create a new permission set with all of the permissions needed for this job function. However, permission sets should remain fairly limited—in general, you don’t want a permission set with too many permissions. Alternatively, you can grant the permissions by individually assigning users to permission sets that include permissions for each task, but this is a messy approach and becomes challenging to manage. 

Complicating our scenario further is that the users who need permissions for price surveys have different job titles and responsibilities.

  • Maria Hernandez, Consultant
  • Shaun Chen, Sales Manager
  • Aaron Jones, Sales Service Director

By using permission set groups, you create a single group that contains the permission sets with the permissions needed for the price surveys job function. The individual permission sets in the group can also be used outside of the group. 

There’s more, too: E.J. has informed you of other changes coming. Maria’s consultancy ends next month, and a contractor will soon require the same permissions that Maria has. And two new hires also need permissions to manage price surveys. Streamlining how you assign user permissions becomes more important as the team continues to change and grow.

For example, you could create a single permission set group called Price Surveys organized around the requirements of the price surveys job function. With this approach, you can ease the user assignment process now and as the team grows.

Just assign the Price Surveys permission set group to users who need permissions to create, edit, and delete surveys; create and customize list views and reports; and create and edit price books. There’s no need to create a new permission set specific to price surveys or to add users to several permission sets.

 Several users assigned to a single permission set group named price surveys.

TIP: If you need to create a new permission set for a permission set group, you can. However, we strongly suggest that you limit the permissions within a permission set to a few related tasks. In the next unit, we cover strategies for thinking about and modeling permission sets and permission set groups to maximize their functionality. 

Use Permission Set Groups in Package Development

There’s one more thing. If you’re a subscriber to an app with permission set groups, you can add managed permission sets to your local group. Or, you can add a local permission set to a managed group. Why are these options so great? The package development team might include permission changes in a package upgrade; if so, you can receive important updates while making sure that your users retain the access that they need. 

You can also take advantage of a function we call muting, which comes in handy when you’re working with managed packages in your org. We go into detail about muting in an upcoming unit.

Calculating Permissions in a Permission Set Group

You might ask how the permissions in a permission set group are determined, especially if you update permission sets within the group. For example, in the Price Surveys permission set group, we have three permission sets. 

  • Survey Creator Standard Permission Set
  • A Custom Permission Set for List Views and Reports Access
  • A Custom Permission Set for Price Book Access

Let’s say that E.J comes to you and says that he forgot to tell you something: Users in the price surveys permission set group also need to delete price books. You add delete permission to the permission set for price books. When you add the permission, you kick off a permission set recalculation. A recalculation propagates the change you make in the permission set through to the permission set groups that contain the permission set.  

While a permission set group recalculates, assigned users retain the permissions as of the last completed recalculation. 

Changes that trigger a recalculation of a permission set group include:

  • Changing existing permission sets
  • Adding permission sets
  • Removing permission sets

The status of a permission set group appears in the Status column of the Permission Set Groups list view page.

Valid statuses are Updated, Outdated, Updating, and Failed. 

The Permission Set Groups list view displaying the Price Surveys permission set. The Status column shows that the status is Outdated.
IMPORTANT: When you update permissions in a permission set, review the business requirements of all users assigned to the permission set and related permission set groups.

In the next unit, you create a permission set group and assign it to users. 

Resources

Keep learning for
free!
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities