The recent announcement by Salesforce for Spring ‘23 revealed a timeline for implementing considerable changes to the existing User Management experience. For the past few years, Salesforce has advocated for greater use of Permission Sets in an effort to prepare customers for the Next Generation of User Management.
Now, a definitive timeline for customer-wide adoption has been announced. Spring '26 will officially mark the end of life (EOL) of permissions on Profiles.
This change will fully separate Profiles from permissions, requiring all Salesforce customers to use Permission Sets and Permission Set Groups for permissions as well as the majority of other user management options currently available on Profiles.
This change is quite significant since right now Profiles serve as a catch-all when it comes to user management. Once the EOL changes take effect in 2026, the only user management options available on Profiles will be page layout assignment, defaults, and 1:1 relationships.
Why are these changes taking place?
The next generation of user management heavily considers the principles of least privilege access (LPA). LPA involves giving users the minimum levels of access needed to perform their normal job functions. This offers a finer level of control over user access as LPA inherently limits the number of excess permissions provisioned to users.
What’s necessary for one user may not be essential for all users sharing a single standard Profile. Since Profiles grant broad access, users assigned to the same Profile are almost always given more permissions than are actually needed. This inefficiency is a key reason why Permission Sets and Permission Set Groups will serve as the eventual decentralized replacement for permissions on Profiles.
How to Prepare
Salesforce customers in administrative roles should consider creating a number of new Permission Sets and Permission Set Groups in advance to serve as replacements for Profile-based permission assignments. A good place to start would be to begin constructing targeted Permission Sets for specific use cases. One best practice is to name each Permission Set after the functionality it provides so that it is easier to manage and keep track of in the future.
Using third-party solutions, it is possible to convert an existing Profile into a Permission Set equivalent. This method essentially extracts the Profile-based permissions which are co-available in a Permission Set, resulting in the creation of a Permission Set based on that Profile’s permissions. This Permission Set will carry over as many eligible items as possible from that Profile which in the future can function as a substitute following the EOL update.
In 2024, Salesforce plans to roll out a feature that allows users to disable user management options in Profiles which will be removed following the EOL update. Users with access to this upcoming feature will be able to prepare for the EOL update ahead of time by using this restricted view, making it necessary to use Permission Sets over permissions on Profile.
Salesforce also regularly offers customers beta access to a number of new features like User Access Policies which aim to improve the out-of-the-box user management experience. Staying up to date with Salesforce Admin news and blog posts is a great way to learn about and sign up for the latest features currently in beta.
Taking a proactive approach will help Salesforce customers prepare for the EOL update, however, there are still a number of challenges with Permission Sets to keep in mind.
In their current state Permission Sets and Permission Set Groups are not easy to keep track of and manage out of the box, nor are they particularly efficient. It takes nearly a dozen mouse clicks to reach the Setup page to manage Permission Set assignments, and with Permission Sets, user assignments must be individually managed.
As of right now, there is no out-of-the-box solution for assigning multiple Permission Sets to multiple users at once.
More Permission Sets mean more unique sources of permissions. Although a Profile typically provides many more permissions than a single Permission Set would, an individual user can still only be assigned to one single Profile. In an environment without many Permission Sets, it is much easier to determine how a user got a particular permission since there are fewer provisioning sources.
In an Org with many users assigned to many different Permission Sets at once, it can be overwhelming to figure out which users have which permissions from which unique sources.
Exploring Salesforce ISV Partner Solutions
Without a highly structured and comprehensive process to document and monitor changes, it can be easy to lose track of which users have which permissions.
To simplify the visibility of permission assignments, Permatrix, a Salesforce-native search engine, provides detailed search results and quick permission assignment and source identification for any user or permission.
You can find Permatrix along with other helpful user management solutions on the Salesforce AppExchange.
The EOL update for Permissions on Profiles will take some getting used to. However, with this change, ultimately Org security will improve and user management will be more structured and refined.
When it comes to Salesforce, LeedsSource is here to help. Reach out to us anytime at firstname.lastname@example.org.
Also, be sure to follow us on LinkedIn for all the latest updates, blog posts, and Salesforce video tutorials.