SalesforceGuides

How to Convert Salesforce Profiles to Permission Sets: Benefits, Steps, and Best Practices for Better Security

M
Matt
4 min read
Simplify Salesforce security—learn how to migrate Profiles to Permission Sets with expert steps, benefits, and best practices. Start optimizing now!

Managing permissions in Salesforce can become complex as organisations grow, often leading to inefficiencies in user access and security. Transitioning from Profiles to Permission Sets offers a more modular approach. This post outlines the benefits and provides a step-by-step guide to implementing the change, with expanded details on analysis techniques using reports, SOQL queries, and SAQL for advanced insights.

Why Convert from Profiles to Permission Sets?

Profiles in Salesforce assign permissions and access settings to users based on job roles. They are useful initially but can become difficult to manage with expansion.

Permission Sets provide a flexible alternative, allowing permissions to be grouped into smaller units that can be assigned as needed, without altering core Profiles.

Benefits of Converting to Permission Sets

  • Enhanced Flexibility: Permission Sets can be assigned or removed quickly, enabling adjustments to user access without broad changes.
  • Improved Maintainability: Reducing reliance on multiple Profiles simplifies ongoing management and keeps the organisation clean.
  • Streamlined Security: Granting only essential permissions helps minimise risks and ensures appropriate access.

Step-by-Step Guide to Sorting and Cleaning Permissions

Step 1: Audit Your Existing Permissions

Before starting the conversion, conduct a thorough audit of current Profiles and permissions to identify redundancies, unnecessary access, or gaps. This step is crucial for understanding the existing structure.

  • Use Reports: Create standard reports on Permission Set Assignments or Profiles. For example, run a report on users and their assigned Profiles to see distribution. If you have the User Access and Permissions Assistant (UAPA) app installed (available via Salesforce Labs or AppExchange), use its reporting features to generate detailed views of who has what permissions, including exports for analysis.
  • Query with SOQL: In the Developer Console, execute SOQL queries to analyze permissions. For instance:
    • To list all Profiles with a specific permission like "Modify All Data": SELECT Id, Name FROM Profile WHERE PermissionsModifyAllData = true.
    • To view object permissions for a Profile: SELECT Id, SObjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete FROM ObjectPermissions WHERE ParentId IN (SELECT Id FROM PermissionSet WHERE IsOwnedByProfile = true AND Profile.Name = 'YourProfileName').
    • For Permission Sets: SELECT Assignee.Name, PermissionSet.Name FROM PermissionSetAssignment. These queries help map out permissions systematically.
  • Advanced Analysis with SAQL: For deeper insights, use CRM Analytics (formerly Einstein Analytics) to create datasets from permission-related objects (e.g., PermissionSet, PermissionSetAssignment). Import data via dataflows, then query with SAQL to aggregate and visualize. Example SAQL query: q = load "PermissionDataset"; q = group q by 'PermissionSet.Name'; q = foreach q generate 'PermissionSet.Name' as 'PermissionSet', count() as 'UserCount'; q = order q by 'UserCount' desc;. This can show how many users have each Permission Set, aiding in identifying over-assignments.

Step 2: Plan Your Permission Sets

Define required permissions for various roles, grouping them by tasks or responsibilities to create a logical structure. Use findings from the audit to consolidate overlapping permissions into modular sets. Consider Permission Set Groups to bundle multiple sets for easier assignment.

Step 3: Create Permission Sets

In Setup > Users > Permission Sets, build the sets and assign relevant permissions and access levels. Clone existing Profiles as a starting point if needed, then refine by removing unnecessary permissions identified in the audit.

Step 4: Assign Permission Sets to Users

Apply the sets to users individually via the user detail page or in bulk using tools like Data Loader. Export a list of current Profile assignments from your audit queries and map them to new Permission Sets for a smooth transition.

Step 5: Test and Validate

Verify the new structure through testing and user feedback to confirm correct access. Use the same SOQL queries or UAPA reports from Step 1 to compare before-and-after states. Simulate user scenarios in a sandbox to check for issues.

Step 6: Disable Old Profiles

Once validated, deactivate outdated Profiles to avoid confusion and maintain organisation. Retain minimal system Profiles if required, but migrate all custom permissions to sets.

Step 7: Monitor and Maintain

Conduct regular reviews to update Permission Sets as the organisation changes, adding, modifying, or removing them as necessary. Schedule periodic audits using the reporting and querying methods from Step 1 to ensure compliance and efficiency.

Conclusion

Shifting to Permission Sets can enhance the management of permissions in Salesforce, promoting efficiency and security. For further guidance, consult a Salesforce specialist.

© 2025 EKWIS

About the Author

M
Matt