#43 ⚙️ Admin / Annoying

Managing Access with Profiles Instead of Permission Sets

Profiles are for login settings. Permission Sets are for everything else.

What Happened

Client had 15 custom profiles: 'Sales East', 'Sales West', 'Sales Manager East', 'Sales Manager West', and so on. Each was a copy of the Standard User profile with minor field-level security tweaks. When they needed to grant access to a new object, they had to update all 15 profiles. When someone moved from East to West, they needed a new profile. It was an unmaintainable mess that I inherited and spent two weeks refactoring.

The Wrong Way

<!-- 15 custom profiles, each a slight variation -->
Profile: Sales_East
  → Tab: Opportunities (Default On)
  → Object: Custom_Pipeline__c (Read, Create, Edit)
  → Field: Account.Revenue__c (Read)

Profile: Sales_West
  → Tab: Opportunities (Default On)
  → Object: Custom_Pipeline__c (Read, Create, Edit)
  → Field: Account.Revenue__c (Read, Edit)  ← only difference

Profile: Sales_Manager_East
  → Same as Sales_East + Delete on Custom_Pipeline__c

<!-- Repeat 12 more times... -->

The Right Way

<!-- Minimal profiles (ideally just "Standard User" and "Minimum Access") -->
Profile: Minimum_Access_User
  → Login hours, IP restrictions, page layout assignments only

<!-- Permission Sets for functional access -->
Permission Set: Sales_Core
  → Object: Opportunity (Read, Create, Edit)
  → Tab: Opportunities (Default On)

Permission Set: Pipeline_User
  → Object: Custom_Pipeline__c (Read, Create, Edit)

Permission Set: Pipeline_Manager
  → Object: Custom_Pipeline__c (Read, Create, Edit, Delete)

Permission Set: Revenue_Editor
  → Field: Account.Revenue__c (Read, Edit)

<!-- Permission Set Groups for role combinations -->
Permission Set Group: Sales_Rep
  → Sales_Core + Pipeline_User

Permission Set Group: Sales_Manager
  → Sales_Core + Pipeline_Manager + Revenue_Editor

The Lesson

Use Permission Sets and Permission Set Groups for access control. Profiles should only handle login settings and page layouts. This is Salesforce's official direction — they're deprecating profile-level permissions.
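
The refactoring described above, as an added Python example that is not part of the original post: it groups grants by the exact set of profiles that hold them, so each group is a candidate Permission Set, then checks that a proposed assignment neither widens nor narrows anyone's access. The profile data is constructed from the three profiles listed under The Wrong Way; the `factor` and `drift` function names and the grant tuple format are assumptions.

```python
from collections import defaultdict

# Constructed sample data mirroring the three profiles listed above.
PIPE, REV = "Object:Custom_Pipeline__c", "Field:Account.Revenue__c"
BASE = {("Tab:Opportunities", "DefaultOn"), (PIPE, "Read"), (PIPE, "Create"),
        (PIPE, "Edit"), (REV, "Read")}
PROFILES = {
    "Sales_East": set(BASE),
    "Sales_West": BASE | {(REV, "Edit")},
    "Sales_Manager_East": BASE | {(PIPE, "Delete")},
}

def factor(profiles):
    """Group grants by the exact set of profiles holding them.

    Each group is a candidate permission set; its key lists who gets it."""
    holders = defaultdict(set)
    for name, grants in profiles.items():
        for grant in grants:
            holders[grant].add(name)
    groups = defaultdict(set)
    for grant, names in holders.items():
        groups[frozenset(names)].add(grant)
    return dict(groups)

def drift(profiles, groups):
    """Compare each profile's original grants with the union of its assigned
    candidate sets; report anything gained or lost."""
    report = {}
    for name, grants in profiles.items():
        effective = set()
        for names, perms in groups.items():
            if name in names:
                effective |= perms
        if effective != grants:
            report[name] = {"gained": effective - grants, "lost": grants - effective}
    return report

if __name__ == "__main__":
    groups = factor(PROFILES)
    for names, perms in sorted(groups.items(), key=lambda kv: -len(kv[0])):
        print(sorted(names), "->", sorted(perms))
    print("drift:", drift(PROFILES, groups))
```

A non-empty `gained` entry in the `drift` report is privilege creep introduced by the refactor, which is the thing to catch before assigning the new Permission Sets.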
