Profiles vs permission sets in Salesforce (2026)
In Salesforce, a profile sets a user's baseline access and certain org settings, and each user has exactly one. Permission sets grant additional, modular permissions on top, and a user can have many. The modern best practice is a minimal base profile plus permission sets (and permission set groups) for granular, least-privilege access — Salesforce's strategic direction.
What is the difference between Profiles and Permission Sets?
A profile defines a user's baseline — object and field access plus settings like login hours, IP ranges, and default record types — and every user has exactly one. A permission set grants extra permissions to specific users without changing their profile, and a user can have many; permission set groups bundle them. Profiles set the floor; permission sets add modular access on top.
Should you use Profiles or Permission Sets?
It's not either/or — you use both. Salesforce has been shifting access management toward permission sets, so the best practice is a minimal "base" profile that grants only what everyone needs, with permission sets and permission set groups layering on role-specific access. This keeps security least-privilege, auditable, and easier to maintain than profile sprawl.
Profiles vs Permission Sets: side by side
| Dimension | Profiles | Permission Sets |
|---|---|---|
| Purpose | Baseline access + org settings | Additional, modular permissions |
| Per user | Exactly one | Many (additive) |
| Model | Broad baseline | Granular, least-privilege |
| Salesforce direction | Being slimmed down | The strategic direction |
| Bundling | — | Permission set groups |
| Still controls | Login hours/IP, defaults | Object, field, app, system perms |
| Maintainability | Profile-sprawl risk | Reusable, easier to audit |
When to choose Profiles — and when to choose Permission Sets
- A minimal baseline every user needs
- Login hours, IP ranges, and password policy
- Default record types and app assignment
- Settings not yet available in permission sets
- Granting extra access to specific users
- Least-privilege, modular access design
- Bundling role access with permission set groups
- Most new access management going forward
Designing a clean, least-privilege model
A clean security model is a minimal base profile plus permission sets and permission set groups — least-privilege and auditable, not profile sprawl. ForceFolks designs and refactors org security and sharing as part of architecture consulting and implementation. See the Salesforce glossary.
Frequently asked questions
Are Salesforce profiles being deprecated?
Not removed — but Salesforce has signaled a shift away from managing permissions on profiles toward permission sets. Profiles still exist and control baseline access and some org settings (like login hours and default record types). The guidance is to keep a minimal base profile and grant access via permission sets.
Can a user have more than one permission set?
Yes. Unlike profiles (one per user), a user can be assigned many permission sets, and their permissions are additive — each set only grants access, never removes it. Permission set groups bundle multiple sets for easier assignment.
What is a permission set group?
A permission set group bundles several permission sets so they can be assigned together — for example, all the access a given role needs. It simplifies administration and supports a clean, least-privilege model in larger orgs.
Related
Make Salesforce work across the business.
Tell us what you need Salesforce to do. ForceFolks will assess your Clouds, integrations, data, automation, team capacity, and delivery risks — then recommend the fastest path to a working implementation.