After studying this topic, you should be able to:

Describe the appropriate use of a custom profile or

permission set for various business scenario

Identify the considerations related to the use of

standard profiles

Identify how to create custom profiles and the

considerations related to their use

Describe the use of profile settings and permissions

to meet customer requirements

Describe the use of permission sets to extend a

user's permissions without modifying their profile
 Introduction

All users in Salesforce are assigned a profile that outlines which objects they
can access and actions that can be performed on the objects. Profile also
determines app access, IP restrictions, and various other permissions.
Certain profiles come out of the box and cannot be edited, but the
administrator has the ability to create custom profiles to meet needs. In
addition to profiles, additional permissions and access can be granted
through permission sets.
 Profiles & Permission Sets

Profile Settings
Profiles allow specifying settings related to user’s
access level for objects, apps, tabs, and page layouts.

Standard Profile Profile Permissions

Standard profiles are existing profiles in A profile can be used to grant app,
an org which can be assigned to users system, or custom permissions to
and cloned but cannot be edited. specific users within an organization.

Custom Profile Permission Sets

A custom profile can be created by cloning A permission set can be assigned to a
an existing profile. It can be fully customized user to extend the user’s settings and
based on security requirements. permissions granted by their profile.
 Standard Profiles
Standard profiles (permissions) are assigned to users. These cannot be edited but
can be cloned. Profiles include two types of settings:

APP SETTINGS
include settings that are
specific to apps and objects. SYSTEM SETTINGS
include settings that apply to all apps,
such as security settings and overall
data visibility.
 Profile Settings

App Settings define

which apps are
available to users with
a particular profile,
permissions specific to
apps, access to pages,
and object permissions.
 Profile Settings

System settings apply

across all apps, such
as data visibility and
security settings
 Standard Profiles Examples
MARKETING USER
Standard User + Import Leads, Manage
STANDARD USER Campaigns, Create Email Templates,
Create, Read, Edit and Delete for most
Manage Public Documents.
objects, Run Reports, View Org Setup,
View but not manage campaigns, and SOLUTION MANAGER
Create but not review solutions. Standard User + Review and Publish
solutions.
READ ONLY
View but not edit records, run reports, CONTRACT MANAGER
view organization setup. Standard User + Manage Contracts.

MINIMUM ACCESS - SALESFORCE SYSTEM ADMINISTRATOR

Least-privilege access with Access Access to all functionality that doesn’t
Activities, Chatter Internal User, Lightning require an additional license. Configure
Console User, and View Help Link and customize the application. Can View
permissions. and Modify all Data, which overrides all
sharing rules.
 Learn More

Standard Profiles
 Custom Profiles
Custom profiles are created when a profile needs to be fully customized and a
standard profile does not meet the requirements.

FULL PROFILE CUSTOMIZATION

As there are restrictions on what can be changed on a standard profile (administration, user
permissions and object permissions cannot be changed), custom profiles can be created to fully
customize a profile. A custom profile is created by cloning an existing profile.

UNAVAILABLE IN CERTAIN EDITIONS

Custom profiles are not available in Contact Manager and Group Editions.

RESTRICTED PROFILE CLONING

The Restricted Profile Cloning option can be enabled in User Management Settings to ensure
that only permissions accessible to the org are enabled when an existing profile is cloned.
Cloned from an Existing Profile
Restricted Profile Cloning

The ‘Restricted Profile Cloning’ option can be

enabled in ‘User Management Settings’ in Setup.
 Learn More

Clone Profiles
 Profile Settings
Settings can be customized for each profile.

Settings are Object Based.

Object permissions can be set at the profile

level and include: No Access, Read, Create,
Edit, Delete and View All / Modify All.
Allows access to certain Apps and Tabs.

Determines which Page Layout a profile uses.

All Object Settings
 Org Permission Categories
The permissions in a Salesforce org can be generally categorized into three groups:

APP PERMISSIONS CUSTOM PERMISSIONS SYSTEM PERMISSIONS

App permissions control what Custom permissions must be System permissions grant access to
actions can be performed in enabled, and they can be used to actions that are organization-wide,
different apps, e.g., Call Center App grant access to custom apps or e.g., create report folders or use
Chatter.
and being able to use Live Agent. processes.
System Permissions

A sampling of the many

system permissions.
 Permission Sets
Permission sets are used to expand user privileges beyond what their profile allows.

Can only be used to increase privileges,

not remove.

Enables granting of specific permissions and

settings at the user level.

Users can be assigned one or more

permission sets.
 Using a Permission Set

App Permissions
and System
Permissions can be
assigned using a
permission set.
Assign Users Based on User List View
 Permission Sets
Any privilege that can be granted on a profile can be allocated through a permission set.

Permission sets include most Multi-factor authentication Multiple users can be assigned
profile settings, e.g., object and (MFA) can be set up using a to a permission set using a user
field permissions, tabs, apps, and permission set and assigned to list view.
Visualforce page access. specific users.
 Permission Set Groups
Instead of assigning multiple permission sets to a user, a Permission Set Group can be
created which groups permission sets together and then assigned to the user.

Multiple permission set groups can also be

assigned to a single user.

Permissions in a permission set group can be

disabled or “muted” by adding a Muting
Permission Set.

Only one muting permission set is allowed

in a permission set group
Permission Sets

An example Permission Set Group which

combines three permission sets
Muting Permission Sets

An example Muting Permission Set added to

the Project Analyst permission set group

This Muting Permission Set prevents

the assigned user from creating or
deleting Projects records
 Scenarios and Use of Custom Profiles or Permission Sets
Read the scenarios and consider whether custom profiles or permissions sets would
be more appropriate to meet the requirements.

SCENARIO SOLUTION
One Finance manager needs Grant access to opportunities
access to all opportunities. through a permission set. It
Opportunities are not does not make sense to
included in the Finance create a profile for one user.
profile. Permission sets can be used
to grant access to objects and
fields.
 Scenarios and Use of Custom Profiles or Permission Sets

SCENARIO SOLUTION
The CTO would like to Create a custom profile by
restrict the ability to create cloning the existing standard
and customize reports to a profile wherein the “Create
certain group of users. and Customize Reports”
permission should be
removed. In addition, a
permission set must be
created to extend “Create
and Customize Reports”
permissions to the selected
group of users.
 Scenarios and Use of Custom Profiles or Permission Sets

SCENARIO SOLUTION
Certain users should have the Due to having different profiles,
ability to import leads. They the administrator should create
have different profiles a permission set with the
depending on the department permission “Import Leads” and
they are in. assign to appropriate users.
 Scenarios and Use of Custom Profiles or Permission Sets

SCENARIO SOLUTION
The administrator is testing a During the testing, a permission
new app with custom sales set granting access to the app and
objects. Select users are helping objects can be assigned to the
to test the app as it is not ready specific users. The administrator
for a general release to the can add more users to increase
entire org. the test base as needed. Once it is
ready for release, the access to
the app and related components
can then be added directly to the
profile(s) to give access to users
who need it.
 Scenarios and Use of Custom Profiles or Permission Sets

SCENARIO SOLUTION
A group
The administrator
of sales users
is testing
who a During theusers
The sales testing,
canabe permission
assigned to
new appaccess
require with custom
to Salesforce
sales set
the granting
Minimumaccess
Access to-the app and
Salesforce
[Link]
should Select
able to
users
access
are helping objects can beisassigned
profile, which to the
a least-privilege
to test theand
activities appall
asthe
it isChatter
not ready specificthat
profile users. The the
grants administrator
Access
for a general
features in Salesforce.
release toAthefew of can add more
Activities, usersInternal
Chatter to increase
User,
entireusers
these org. should also be able the test base
Lightning as needed.
Console Once
User, and it is
View
to view the records of a custom readyLink
Help for release, the access
permissions. A to
object but not be able to access the app andset
permission related components
can be assigned to
the records of any other object. can users
the then bewhoadded
needdirectly
to viewto the
the
profile(s)
records oftoa give access
custom to users
object.
who need it.
 Scenarios and Use of Custom Profiles or Permission Sets

SCENARIO SOLUTION
A custom profile needs to be To meet this requirement, the
created and assigned to the Restricted Profile Cloning option
sales users of Cosmic Travels to can be enabled in User
SCENARIO
give them access to certain
SOLUTION
Management Settings. This
administrative
The administrator andisuser
testing a option
Duringensures permission
thataonly
the testing, the
permissions.
new app withHowever,
custom sales the permissions
set granting accessible
access to the to the
apporg
and
Standard User users
objects. Select profileare that will
helping are enabled
objects when
can be a profile
assigned is
to the
be cloned
to test thefor
appitas
provides
it is notthe
ready cloned
specificto create
users. The a custom profile.
administrator
ability to access
for a general Quotes
release which
to the In
canthe new
add custom
more usersprofile, the
to increase
have
entirebeen
org. disabled in the org. permissions
the test basefor the Quote
as needed. object
Once it is
The administrator would like to would be unavailable.
ready for release, the access to
ensure that any features or the app and related components
permissions that have been can then be added directly to the
disabled or are not accessible to profile(s) to give access to users
the org are not available in the who need it.
new custom profile.
 Learn More

Video—Salesforce Authenticator: Set Up a Multi-Factor

Authentication Requirement

Control Access to Objects

Permission Sets

Permission Set Groups

Restrict Permissions Cloning in Profiles