What is the difference between Salesforce profiles and permission sets?

Profiles set baseline permissions and are required (one per user). Permission sets layer additional access on top of profiles. Best practice is to keep profiles minimal and use permission sets for role-specific access - this gives you modular, scalable control.

How many permission sets should a typical Salesforce org have?

Most mid-market orgs need 8–15 permission sets. Organize them by function (Sales, Marketing, CS) and by access level (Read, Edit, Admin). Avoid creating per-person permission sets - that signals a design problem.

Salesforce Permission Sets: A RevOps Guide to Getting Them Right

Salesforce permission sets are one of the most powerful - and most misused - tools in the admin toolkit. When structured well, they give you granular, scalable access control. When structured poorly, you end up with hundreds of overlapping permissions, security gaps, and a system that nobody can audit. This guide covers how RevOps teams should think about permission architecture.

Profiles vs. Permission Sets: The Right Mental Model
Structuring Permission Sets by Function
- Functional Permission Sets
- Scope Permission Sets
Permission Set Groups
Common Mistakes
Governance Model
Key Takeaways

Profiles vs. Permission Sets: The Right Mental Model¶

Think of it like building access:

Profile = Your base keycard. Gets you into the building and the main floor. Every employee gets one, and it grants the minimum access needed.
Permission Set = Additional keys. Need access to the finance office? Add that key. Need access to the lab? Add that one too.

The golden rule: Keep profiles as restrictive as possible. Layer access up through permission sets.

Most orgs should have 2–4 base profiles at most:

Profile	Description	Assigned To
Standard User	Basic CRUD on core objects	All non-admin users
System Administrator	Full access	Admins only (2–3 people)
Integration User	API-only access	Connected apps
Read-Only User	View access only	Board members, auditors

Structuring Permission Sets by Function¶

Organize permission sets along two axes: team function and access scope.

Functional Permission Sets¶

Sales Core - Access to Leads, Opportunities, Quotes, Activities
Marketing Core - Access to Campaigns, Campaign Members, Lead fields
CS Core - Access to Cases, Accounts (expanded), custom CS objects
Finance - Access to Invoices, Payment objects, revenue fields

Scope Permission Sets¶

Territory: AMER / EMEA / APAC - Record-level visibility by geography
Sensitive Fields - Access to compensation, margin, or PII fields
Report Builder - Ability to create and export reports
Data Loader - Bulk import/export permissions

Example: A sales rep in EMEA gets the Standard User profile + Sales Core permission set + Territory: EMEA permission set. Three layers, cleanly separated.

Permission Set Groups¶

Salesforce Permission Set Groups bundle multiple permission sets into a single assignable unit. Use them to simplify user provisioning:

Sales Rep Group = Sales Core + Report Builder + Territory assignment
Sales Manager Group = Sales Rep Group + Sensitive Fields + Dashboard access
Marketing Ops Group = Marketing Core + Report Builder + Data Loader

This turns a 15-minute onboarding checklist into a single assignment.

Common Mistakes¶

Cloning the System Admin profile - Creating “power user” profiles with near-admin access because someone asked for one more permission. This creates security and audit nightmares.
One-off permission sets - Creating a permission set for a single person’s request. If only one user needs it, ask why before building it.
Forgetting field-level security - Object access without field-level security is like giving someone a key to a room but leaving the filing cabinets locked. Check both layers.
No documentation - Every permission set should have a description field explaining who it’s for and why it exists.
Ignoring permission set assignments during offboarding - Deactivating a user doesn’t remove their permission sets. Audit assignments quarterly.

Governance Model¶

Implement this process to keep permissions manageable:

Activity	Frequency	Owner
New permission set requests via intake form	As needed	RevOps
Review of permission set assignments	Quarterly	RevOps + Security
Audit of System Admin profile holders	Monthly	IT + RevOps
Permission set cleanup (unused/redundant)	Bi-annually	RevOps
Documentation updates	With every change	Requesting team

Require a business justification for every new permission set. The request should answer: Who needs this? Why can’t an existing permission set cover it? What’s the security impact?

Key Takeaways¶

Keep base profiles minimal - use permission sets to layer additional access
Organize permission sets by function (team) and scope (geography, sensitivity)
Use Permission Set Groups to streamline user provisioning and reduce admin overhead
Document every permission set and audit assignments quarterly
Never create a permission set for a single user without questioning the design