Give Users the Functionality They Need
- Explain how permissions and preferences are implemented at the org and user levels.
- Define profiles and permission sets.
- Describe how admins use profiles and permission sets to control user access to functionality.
Behind the Curtain: Permissions and Preferences
As you learned earlier, platform, user, and permission set licenses contain permissions and preferences, or perms and prefs, which are metadata settings that define access to product functionality. But where do perms and prefs come from? Developers at Salesforce create perms and prefs when they develop new software features. After they create the new perms or prefs, developers may add them to an existing license if the new features are related to existing functionality, or they may create a new license.
Platform-level and user-level perms and prefs in licenses get implemented in different ways to determine the functionality that a given user has access to. (As a reminder, prefs are settings that customers can turn off or on.) Let’s take a closer look.
- Platform-level perms
- Specify features and capabilities for the org as a whole. Platform-level perms are turned on or off by the provisioning system, based on what a customer purchases. As a customer, you can’t turn platform-level perms on or off. Examples of platform-level perms include support for creating custom objects or making API requests.
- Platform-level prefs
- Like platform-level perms, these prefs also specify features and capabilities for the org as a whole. Unlike platform-level perms, as an org admin you can turn platform-level prefs on or off, usually through Setup. Examples of platform-level prefs include language settings and time zone settings.
- User-level perms
- Specify functionality for individual users. As an admin, you use profiles and permission sets to control which user perms in a license are activated for a given user, so that users with the same license can have different levels of functionality. We explain more about how you modify user-level perms later in this unit.
- User-level prefs
- Specify personalization choices, such as tab display. Each user can configure user prefs for themselves. (User prefs don’t control functionality related to feature access or security.)
Profiles and Permission Sets: Setting User Functionality
As an org admin, you assign each user one user license that defines user-level functionality. As we mentioned in Unit 1, an org may have multiple user license types, such as Full CRM, Chatter Only, and so on. As an admin you assign the user license that best suits the user’s role. Optionally, you may assign each user one or more permission set licenses, to grant the user access to functionality not included in the assigned user license. Metadata settings in the assigned licenses define how users access objects and data, and what they can do within the application.
The assigned licenses define the maximum functionality available to the user. But many times, users with similar roles have different responsibilities. At Ursa Major Solar, 100 users need the Full CRM user license with access to data and objects. But, the users need different levels of access. Some users only need to read records, some need to create and delete records, and some need to create new objects. Salesforce doesn’t provide a different user license for every possible variation of user access. Instead, Salesforce provides admins with tools to modify the access that is defined in user licenses and permission set licenses, so that each license can be tailored to fit numerous different user roles. As an admin, you use profiles and permission sets to modify the access defined in licenses.
- A subset of the functionality defined in a user license or permission set license. As an admin you assign each user one profile, based on the user’s job requirements. The functionality in the profile can’t exceed the functionality in the user license or permission set licenses assigned to the user. Profiles ensure that users have the functionality they need, but don’t have any functionality that exceeds their job requirements. For example, a user license may provide the capability to read, edit, and delete records, but an assigned profile may only provide the capability to read and edit records. The profile defines baseline functionality for the user, which can’t be revoked as long as the profile is assigned. Each Salesforce edition includes several standard profiles. Some editions include the option to create custom profiles.
- Permission set
- Like a profile, a permission set is a subset of the functionality defined in a user license or permission set license. But, while a user can have just one profile, each user can be assigned multiple permission sets. Each permission set can extend a user’s access beyond the functionality defined in the profile. Like profiles, permission sets can’t exceed the functionality defined in the assigned user license or permission set licenses. Salesforce provides standard permission sets, and some editions include the option to create custom permission sets.
So, why would you use both profiles and permission sets? The profile, as we described, defines the baseline access for a user. Permission sets provide a way to layer additional functionality, to supplement the baseline. With permission sets, as an admin you can grant functional access to a user for specific scenarios, regardless of the user’s primary job function. You can use permission sets to reduce the number of unique profiles you need to create, and to reduce the number of permissions you need to include in the profiles.
For example, Maria Jimenez, the admin at Ursa Major Solar, assigns several users a profile called Service User. This profile allows assignees to read, create, and edit customer cases. Some, but not all, of these users also need to be able to delete and transfer cases. Instead of creating another profile, Maria creates a permission set called Delete And Transfer Cases, and assigns that permission set to the users who need the additional functionality.
Putting It All Together
There are a lot of variables that affect a user’s access to features and services in an org. Let’s see how it all works together.
- At Ursa Major, the company executives purchase the Salesforce Service Cloud Enterprise Edition and the Service Cloud Einstein add-on. The edition and add-on include platform-level preferences that the admin can enable or disable.
- Admin Maria Jimenez enables or disables platform-level preferences in the edition and add-on, to suit Ursa Major’s business needs.
- For each Ursa Major employee who will be using Salesforce, Maria creates a Salesforce user account, then assigns the appropriate user license and profile. Users with the same license may get different profiles, depending on their role and responsibilities. The profile can’t exceed the functionality in the assigned user license.
- Maria also assigns permission set licenses to users as needed. She assigns the Service Cloud Einstein permission set license to account executives who need to use the Einstein functionality, and then assigns the appropriate profile to enable the Einstein functionality for the users.
- Finally, Maria assigns permission sets to those users who need additional functionality besides what is provided by the assigned profile.
- Each user adjusts their own user prefs to customize Salesforce for their own needs.
And that’s it! If you know the relationship between licenses, profiles, and permission sets, you understand what determines the functionality that a given user has in an org.
Terms from This Unit
- Permission set
- A subset of the functionality defined in a user license or permission set license. Permission sets are optional supplements that can extend the functionality in the profile assigned to a user. Each user may be assigned one or more permission sets. Note that a permission set is different from a permission set license, defined in the first unit.
- A group of user-level settings that comprise a subset of the functionality defined in a user license or permission set license. Each user is assigned one profile, which defines the baseline functionality enabled for the user.