Permission Set Considerations
Be aware of these considerations and special behaviors for permission sets.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
Apex Class Access
- You can specify which methods in a top-level Apex class are executable for a permission set. Apex class access settings apply only to:
  - Apex class methods, such as Web service methods
  - Any method used in a custom Visualforce controller or controller extension applied to a Visualforce page
- Triggers always fire on trigger events (such as insert or update), regardless of permission settings.
Assigned Apps
Assigned app settings specify the apps that users can select in the Lightning Platform app menu. Unlike profiles, you can’t assign a default app in permission sets. You can only specify whether apps are visible.
Experience Cloud Sites
Permission sets can be assigned to a site’s membership, granting users who are assigned to the permission set access to the site. If you add a permission to a permission set that is being used to grant membership to a site, the site members also get access to the permissions unrelated to the site membership. Salesforce recommends checking if a permission set is used in any site’s membership list before adding new permissions to it.
You can’t use permission set groups to add membership to a site, only permission sets.
Limits
Make sure to refer to the Salesforce Features and Editions Limits for your specific edition.
New and Cloned Permission Sets
A new permission set starts with no user license selected and no permissions enabled. A cloned permission set has the same user license and enabled permissions as the permission set that it’s cloned from. You can’t change the user license in a cloned permission set. Clone a permission set only if the new one requires the same user license as the original.
Object Permissions
A profile or a permission set can have an object, such as Account, with a master-detail relationship. A broken permission dependency exists if the child object has permissions that the parent must have. For updates made in Setup, Salesforce updates the parent object for a broken permission dependency on the first save action for the profile or permission set. For updates made using the API, you must manually fix broken permission dependencies.
| If the child Object has these permissions | These permissions are enabled on the parent Object |
|---|---|
| Modify All Records OR View All Records | View All Records |
| View All Records OR Read | Read |
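Because API-based updates leave broken permission dependencies for you to fix, a check like the following can flag them before deployment. This is an added example, not Salesforce code: it applies the two rules in the table above to records shaped like the ObjectPermissions sObject, and the permission set Ids, the `Invoice__c` and `Invoice_Line__c` objects, and the `master_of` mapping are constructed assumptions.

```python
# Constructed example: dicts use the field names of the ObjectPermissions
# sObject (ParentId is the permission set Id); all values are made up.

# (child permissions that trigger the rule, permission required on the parent)
RULES = [
    (("PermissionsModifyAllRecords", "PermissionsViewAllRecords"),
     "PermissionsViewAllRecords"),
    (("PermissionsViewAllRecords", "PermissionsRead"), "PermissionsRead"),
]


def find_broken_dependencies(object_perms, master_of):
    """Return sorted (permission_set, child, parent, missing_permission) tuples.

    master_of maps a detail (child) object to its master (parent) object.
    A permission set with no row for the parent grants nothing on it.
    """
    by_key = {(r["ParentId"], r["SobjectType"]): r for r in object_perms}
    findings = []
    for (ps_id, sobject), child in by_key.items():
        parent_type = master_of.get(sobject)
        if parent_type is None:
            continue  # not the detail side of a master-detail relationship
        parent = by_key.get((ps_id, parent_type), {})
        for child_fields, required in RULES:
            if any(child.get(f) for f in child_fields) and not parent.get(required):
                findings.append((ps_id, sobject, parent_type, required))
    return sorted(findings)


def perm(ps_id, sobject, read=False, view_all=False, modify_all=False):
    """Build one constructed ObjectPermissions-shaped record."""
    return {"ParentId": ps_id, "SobjectType": sobject, "PermissionsRead": read,
            "PermissionsViewAllRecords": view_all,
            "PermissionsModifyAllRecords": modify_all}


# Hypothetical custom objects: Invoice_Line__c is the detail of Invoice__c.
SAMPLE_MASTER_OF = {"Invoice_Line__c": "Invoice__c"}
SAMPLE_PERMS = [
    perm("PS_A", "Invoice_Line__c", read=True, view_all=True, modify_all=True),
    perm("PS_A", "Invoice__c", read=True),            # lacks View All Records
    perm("PS_B", "Invoice_Line__c", read=True),       # no Invoice__c row at all
    perm("PS_C", "Invoice_Line__c", read=True),
    perm("PS_C", "Invoice__c", read=True),            # consistent
]

if __name__ == "__main__":
    for f in find_broken_dependencies(SAMPLE_PERMS, SAMPLE_MASTER_OF):
        print("%s: %s requires %s on %s" % (f[0], f[1], f[3], f[2]))
```

Each finding names the permission set, the child object, the parent object, and the permission that must be enabled on the parent to repair the dependency.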
Performance
- Permission sets associated with a user license or permission set license are more performant than those without license restrictions. This consideration is important if you intend to assign the permission set to many users.
- For better performance, we recommend assigning users permission set groups instead of many individual permission sets. This recommendation is especially important when structuring permission assignments for a large number of users, because you can experience issues if you assign many users to the same multiple permission sets.
- You can experience performance issues if you attempt to edit a permission set with many assigned users. Possible fixes include:
  - Assigning these users to a permission set group with included permissions equally distributed between permission sets. Create a user access policy to reassign users efficiently.
  - Assigning these users to a permission set associated with a permission set license or user license. Create a user access policy to reassign users efficiently.
  - Using the Metadata API to edit the permission set.
Permission Set Groups
If your org has many permission sets, using permission set groups can help improve performance.
Permission Set Licenses
In API version 38.0 and later, you can create a permission set and associate it with a permission set license. When you create a permission set using a specific permission set license, users assigned to the permission set receive all functionality associated with the permission set license.
Profiles
In API version 25.0 and later, every profile is automatically associated with a permission set, whether you explicitly assign it to one or not. This permission set stores the profile’s user, object, and field permissions, plus setup entity access settings. You can query on these profile-owned permission sets but not modify them. They’re not visible in the user interface.
User Access Policies
You can create user access policies to more efficiently manage users' assignments to permission sets and permission set groups. For more information, see User Access Policies.
User License Restrictions
Some user licenses restrict the number of custom apps or tabs that a user can access. In this case, you can assign only the allotted number through the user’s assigned profile and permission sets. For example, a user with the App Subscription user license with access to one Light App can access only that app’s custom tabs.

