15 April 2013
Permission Sets Best Practice: Lose Some Profile Weight
Profiles remain an important and necessary tool for the administrator. Beyond the requirement that every user is assigned to a single profile, certain user settings are available on profiles that are not available on permission sets.
Previous blogs discussed the ability of permission sets to simplify the administrator’s job as it pertains to assigning the appropriate permissions to the appropriate set of users. There are some additional simplifications available to the administrator who fully leverages that capability in order to reduce the number of profiles within an organization.
It does not take too many job functions within an organization before the possible number of profiles grows quite large. Beyond the challenge of administering each of these profiles, many screens related to object creation, field creation, page layouts, etc. become more difficult to manage as the number of profiles grows. By reducing the number of profiles, the manageability of these screens improves.
Because profiles control more user settings than permission sets, it can be a challenge to eliminate some profiles simply because those user settings are important variations within the organization. However, one user setting that is not available on permission sets, but can -- to a certain extent -- be controlled by permission sets is “Tab Settings.” In order for a tab to be visible to a user, the tab must be available to the user (either “Visible” or “Available”) and the user must have at least read access on the object in question. Profiles control the tab setting, but permission sets can control the object level access. So, if you want your users to have the tab when they have access to the underlying object, you can set the profile to “Visible” (or off, as appropriate) without also defining on the profile any object level permissions for the object. Then, any individual user’s ability to see the tab will be controlled by the permission sets assigned to them and whether those permission sets grant read access to the object in question.