Mastering Salesforce User Access: Profiles, Permission Sets, and Groups — A Pawfect Step-by-Step Guide



Managing users and their permissions is one of the most important responsibilities of a Salesforce Administrator.
In this post, we’ll explore how Profiles, Permission Sets, and Permission Set Groups work together to handle complex access requirements — all through our friendly Pawfect Care App example.

Previously, we created the Pawfect Care App.


Licenses

Everything in Salesforce depends on Licenses.
Each user must be assigned the correct license based on their job role and required access.

A license defines which features and objects a user can access.

You can view available licenses in Setup → Company Information.

There are three main types of licenses in Salesforce:

| License Type | Description |
|---|---|
| User License | Determines basic access to standard and custom features. |
| Feature License | Grants additional feature-specific capabilities. |
| Permission Sets | Define specific permissions and visibility on top of the user license. |

💡 Tip: You can only assign users profiles that match their user license type.

[Image: Types of Licenses in Salesforce]

Creating New Users

To add a new user:

  1. Go to Setup → Users → New User
  2. Enter details like name, username, and email.

Key Points:

  • Username must be globally unique across all Salesforce orgs. It uses an email format but doesn’t need to be a real email address.
  • A user cannot be deleted, but they can be deactivated, frozen, or locked.
  • You can enforce email domain restrictions under User Management Settings → Email Domain Allowed = True.
  • Configure locale, language, and time zone for regional preferences.
  • From the user detail page, you can view login history, reset password, or log in as another user.

Company Structure Example

Imagine your company, Pawfect Care, has the following structure:

CEO
 └── Operations Officer
      ├── Dog Team Manager
      │    ├── Dog Specialist
      │    └── Dog Nurse
      ├── Cat Team Manager
      │    ├── Cat Specialist
      │    └── Cat Nurse
      └── Bird Team Manager
           ├── Bird Specialist
           └── Bird Nurse

Permission Overview

| Role | Access |
|---|---|
| CEO | Full access to everything in the org. |
| Operations Officer (OO) | Full CRUD access across all pets (Dog, Cat, Bird). |
| Dog Team Manager | Full CRUD for Dog records only. |
| Dog Specialist | Read/Create/Edit limited fields for Dog records; no Delete. |
| Dog Nurse | Read-only for Dog records. |

The same structure applies to Cat and Bird teams.

Now, as an Administrator, your task is to assign these permissions according to the organization’s structure.


Step 1: Create the Pet App (Prerequisite)

Before managing permissions, ensure you already have:

  • A Pawfect Care app created via App Manager
  • A Pet custom object with record types: Dog, Cat, and Bird
  • Corresponding page layouts for each record type, which we already covered in the previous post.

Step 2: Create a New Profile

A Profile provides the base permissions a user needs. It defines the minimum access for their role.

Dog Specialist - Profile

  • Clone the Salesforce Platform User profile. → Name: Dog Specialist
  • Edit the profile:
    • Assigned Apps → Edit → add Pawfect Care App
    • Object Settings → Pet → Edit
      • Record Type → Check ✅ Dog only and assign the Dog Layout
      • Object Permissions → Read, Create, Edit (❌ No Delete)
      • Field Permissions →
        • Read: all Dog-related fields
        • Edit: only editable Dog fields (e.g., Breed, Age, Owner)

If your profile page shows a different view, follow these steps instead:

  • Clone the Salesforce Platform User profile. → Name: Dog Specialist
  • Edit the profile
    • Custom Object Layout → Edit → Make sure the proper layouts are assigned to the profile.
    • Field Level Security → Edit → Enable Read Access and Edit Access for the Dog-related Pet fields.
    • Custom App Settings → Visible and Edit → Pawfect Care
    • Record Type settings → Pets → Check ✅ Dog only and assign the Dog Layout
    • Custom Object Permissions → Pets → Read, Create, Edit (❌ No Delete)

Similarly, you can create Specialist profiles for Cat and Bird.

Dog Nurse - Profile

  • Clone the Salesforce Platform User profile. → Name: Dog Nurse
  • Edit the profile:
    • Assigned Apps → Edit → add Pawfect Care App
    • Object Settings → Pet → Edit
      • Record Type → Check ✅ Dog only and assign the Dog Layout
      • Object Permissions → Read (❌ No Delete, Create, Edit)
      • Field Permissions →
        • Read: all Dog-related fields
        • Edit: ❌ No

✅ Now, you can assign these profiles to new users based on their job role.


Step 3: Using Permission Sets

As your org grows, creating and maintaining multiple profiles for every small change becomes tedious. This is where Permission Sets shine — they extend permissions on top of the user’s profile without changing it.

Steps to Create a Permission Set

  • Go to Setup → Permission Sets → New
    • Label: Dog Profile User
    • Description: Access for Dog-related data and app.
    • User License: keep None so it’s assignable to any license.
    • Save.
  • Inside the new Permission Set:
    • Assigned Apps → Edit → Add Pawfect Care
    • Object Settings → Pets → Edit
      • Tab Settings: Available = ✅, Visible = ✅
      • Record Type: Dog
      • Object Permissions: Read, Create, Edit
      • Field Permissions:
        • Read: all Dog-related fields
        • Edit: only editable Dog fields (e.g., Breed, Age, Owner)
  • Assign to Users:
    • Open the permission set → Manage Assignments → Add Assignments → Select user.

✅ The user can now access the App and create Dog records with the defined fields and record type.

Step 4: Permission Set Group

Permission Set Groups combine multiple permission sets into one — and you can mute specific permissions within them. This means you don’t need to edit permission sets every time you add a new feature.

Behind the scenes: User Access = Profile + Permission Set + Permission Set Group - Muted Permissions

Steps:

  • Setup → Permission Set Groups → New
  • Name: Dog Specialist
  • Permission Sets → Permission Sets in Group → Add Permission Set → Select the Dog Profile User > Done
  • Permission Sets → Muting Permission Set in Group
    • New → Give it a Label → Save → Edit
    • Object Settings → Search: Pets → Edit
      • Record Type Assignments: Check Muted Record Types = ✅ Bird, ✅ Cat
      • Object Permissions: Check Muted = ✅ Delete, ✅ View All Records, ✅ Modify All Records, ✅ View All Fields
      • Field Permissions: Check Muted for Read/Edit Access on Cat- and Bird-related fields.
    • Manage Assignments
      • Remove the permission set from the user.
      • Assign the permission set group to the user.

If you still see Cat and Bird record types in the interface:

[Image: List view of Records]

It means the base profile still has access to those record types.

Tip: When creating new record types, never apply them to all profiles by default. Remove unnecessary record type assignments from the Salesforce Platform User profile.

This ensures users only see relevant options — e.g., Dog users see only Dog records.

[Image: New Pet]

Best Practice

  • Keep profiles minimal (just base access).
  • Add permissions via permission sets for flexibility.
  • Group multiple permission sets using Permission Set Groups, and mute permissions when needed.
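The "behind the scenes" formula in Step 4 can be made concrete with a small model. This is an added example, not Salesforce code or code from the original post: it shows that a muting permission set subtracts only from the grants of its own group, so access that comes from the profile or from a directly assigned permission set survives. The grant strings and the `PET_MANAGER` permission set are hypothetical labels constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionSetGroup:
    """A group's grant is the union of its permission sets minus its muting set."""
    sets: tuple
    muted: frozenset = frozenset()

    def grants(self):
        return frozenset().union(*self.sets) - self.muted

def effective_access(profile, direct_sets=(), groups=()):
    """Access is additive: profile, directly assigned sets and groups are unioned.
    Muting is applied inside each group only, never to the other two sources."""
    access = set(profile)
    for permission_set in direct_sets:
        access |= permission_set
    for group in groups:
        access |= group.grants()
    return access

def leaks(access, intended):
    """Grants the user holds beyond what the role is meant to have."""
    return sorted(access - intended)

# Constructed sample data; the grant strings are labels for this model, not API names.
DOG_PROFILE_USER = frozenset({"app:Pawfect Care", "Pet:Read", "Pet:Create",
                              "Pet:Edit", "recordtype:Dog"})
# Hypothetical broader set, included so the muting set has something to remove.
PET_MANAGER = frozenset({"Pet:Read", "Pet:Delete", "recordtype:Dog",
                         "recordtype:Cat", "recordtype:Bird"})
MUTING = frozenset({"Pet:Delete", "Pet:ViewAll", "Pet:ModifyAll",
                    "recordtype:Cat", "recordtype:Bird"})
DOG_SPECIALIST_GROUP = PermissionSetGroup((DOG_PROFILE_USER, PET_MANAGER), MUTING)

MINIMAL_PROFILE = frozenset()
# A cloned profile that still carries every Pet record type.
CLONED_PROFILE = frozenset({"recordtype:Dog", "recordtype:Cat", "recordtype:Bird"})

if __name__ == "__main__":
    group = [DOG_SPECIALIST_GROUP]
    cases = {
        "minimal profile + group": effective_access(MINIMAL_PROFILE, groups=group),
        "cloned profile + group": effective_access(CLONED_PROFILE, groups=group),
        "set still assigned directly": effective_access(
            MINIMAL_PROFILE, direct_sets=[PET_MANAGER], groups=group),
    }
    for name, access in cases.items():
        print(f"{name}: leaks = {leaks(access, DOG_PROFILE_USER)}")
```

Only the first case is clean, which is why the steps above remove the direct permission set assignment and why the tip says to strip unneeded record types from the base profile.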

Step 5: Control Record Visibility with Sharing Rules

Now, let’s control record visibility - who can see which records.

Public Group

  • Setup → Public Groups → New
  • Label: Dog Team
  • Members: add all Dog team users
  • Save.

Sharing

  • Setup → Sharing Settings
  • Manage sharing settings for > Select: Pet
  • Organization-Wide Defaults (OWD)
    • Edit > set Default Internal Access = Private
    • Now, each user sees only their own records.

Sharing Rules

  • We also want each user to see all the Dog records created by their team.
  • Under Pet > Sharing Rules > Pet Sharing Rules > New
  • Label: Share Dog Records with Dog Team
  • Rule Type: Based on Criteria
    • Criteria: Type = Dog
  • Access Level: Read/Write
  • Save.

✅ Now, Dog Team members can see and edit each other’s Dog records — but not Cat or Bird data.

[Image: Result after sharing]

Bonus: Role Hierarchy vs Sharing Rules

| Mechanism | Purpose | Scope |
|---|---|---|
| Role Hierarchy | Grants visibility to subordinates’ records | Vertical (managerial) |
| Sharing Rules | Grants additional access across teams | Horizontal (cross-department) |

Managers (like Operations Officer) automatically see records owned by users below them in the hierarchy.
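To check a sharing design before rolling it out, the record-level layers from Step 5 can be modelled in a few lines. This is an added example, not Salesforce code or code from the original post: it combines the Private OWD, the role hierarchy and the criteria-based rule, then caps the result with the user's object permissions on Pet. The user names and records are constructed, and sharing the rule with the Dog Team public group is assumed from the rule's label.

```python
# Child role -> parent role, taken from the company structure above.
ROLE_PARENT = {
    "Dog Specialist": "Dog Team Manager", "Dog Nurse": "Dog Team Manager",
    "Cat Specialist": "Cat Team Manager", "Cat Nurse": "Cat Team Manager",
    "Dog Team Manager": "Operations Officer",
    "Cat Team Manager": "Operations Officer",
    "Operations Officer": "CEO",
}
# Constructed sample users: role, public groups, object permissions on Pet.
USERS = {
    "dana": {"role": "Dog Specialist", "groups": {"Dog Team"},
             "perms": {"Read", "Create", "Edit"}},
    "nick": {"role": "Dog Nurse", "groups": {"Dog Team"}, "perms": {"Read"}},
    "cleo": {"role": "Cat Specialist", "groups": set(),
             "perms": {"Read", "Create", "Edit"}},
    "omar": {"role": "Operations Officer", "groups": set(),
             "perms": {"Read", "Create", "Edit", "Delete"}},
}
# The rule from Step 5; the target group is assumed from its label.
SHARING_RULES = [{"field": "Type", "value": "Dog",
                  "group": "Dog Team", "level": "Read/Write"}]

def is_above(role, other):
    """True if `role` sits above `other` in the role hierarchy."""
    while other in ROLE_PARENT:
        other = ROLE_PARENT[other]
        if other == role:
            return True
    return False

def shared_level(user, record):
    """Record-level access: owner, then hierarchy, then sharing rules."""
    profile, owner = USERS[user], USERS[record["owner"]]
    if user == record["owner"] or is_above(profile["role"], owner["role"]):
        return "Read/Write"
    for rule in SHARING_RULES:
        if record.get(rule["field"]) == rule["value"] and rule["group"] in profile["groups"]:
            return rule["level"]
    return None  # OWD is Private: no access without an explicit grant

def can(user, action, record):
    """Sharing opens the record; object permissions still cap the action."""
    level = shared_level(user, record)
    if level is None or action not in USERS[user]["perms"]:
        return False
    return action == "Read" or level == "Read/Write"

REX = {"Type": "Dog", "owner": "dana"}  # constructed records
TOM = {"Type": "Cat", "owner": "cleo"}
```

In this model `can("nick", "Edit", REX)` is false even though the rule shares Dog records at Read/Write, because the Dog Nurse profile grants Read only.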


Summary

Access in Salesforce is built layer by layer:

User Access = User License + Profile (base permissions) + Permission Sets (extra permissions) + Role & Sharing Rules (record visibility)

By combining profiles and permission sets strategically, you can manage complex access structures without creating a profile for every new job role.


Conclusion

In our Pawfect Care example:

  • Profiles give each user baseline access.
  • Permission Sets add flexibility without modifying profiles.
  • Permission Set Groups simplify management and mute unnecessary permissions.
  • Sharing Rules control record visibility across teams.

This modular approach scales beautifully, no matter how many users you’re managing.

Test Your Knowledge!

Note: These questions are generated by AI manually using the content of the blog post.

1. What is the recommended best practice for using Profiles and Permission Sets?

2. What unique capability does a Permission Set Group offer that a standard Permission Set does not?

3. In the 'Pawfect Care' example, after setting the Organization-Wide Default (OWD) for the 'Pet' object to 'Private', what is used to allow the 'Dog Team' to see each other's dog records?
