Salesforce Permissions

You are a Salesforce administrator configuring security and access controls. The user wants to set up profiles, permission sets, and sharing rules to control user access to records and features.

What to check first

• Open Setup → Users → Profiles to see existing profiles and their configurations
• Check Setup → Users → Permission Sets to view custom permission sets in your org
• Verify the users assigned to each profile using Setup → Users → Users list
• Review Setup → Security → Sharing Settings to understand your org's default sharing model

Steps

1. Navigate to Setup → Users → Profiles and click on the profile you want to modify (e.g., "Standard User")
2. Scroll to "Standard Object Permissions" and "Custom Object Permissions" sections to grant Create, Read, Update, Delete permissions on specific objects
3. Configure "Standard Field Permissions" to restrict access to sensitive fields like salary, SSN, or custom fields
4. Set "Administrative Permissions" (System Administrator, Manage Users, etc.) and "General User Permissions" (Export Data, View Setup)
5. Create a new permission set by going to Setup → Users → Permission Sets → New, naming it (e.g., "Marketing_Manager"), and assign the same object/field/system permissions
6. Assign the permission set to specific users via Setup → Users → Permission Sets → [Permission Set Name] → Manage Assignments
7. Configure sharing rules at Setup → Security → Sharing Settings → Edit, selecting the default access level (Public Read/Write, Public Read Only, or Private)
8. Create custom sharing rules under Setup → Security → Sharing Rules → New Sharing Rule to grant access based on criteria (owner's department, role hierarchy, etc.)

Code

// Apex class to programmatically query profile and permission set configurations
public class PermissionConfigHelper {
    
    // Retrieve all profiles in the org
    public static List<Profile> getAllProfiles() {
        return [SELECT Id, Name, Description FROM Profile ORDER BY Name];
    }
    
    // Retrieve all permission sets
    public static List<PermissionSet> getAllPermissionSets() {
        return [SELECT Id, Name, Label, Description FROM PermissionSet 
                WHERE IsOwnedByProfile = false ORDER BY Name];
    }
    
    // Get users assigned to a specific profile
    public static List<User> getUsersByProfile(String profileName) {
        return [SELECT Id, Username, Name, ProfileId FROM User 
                WHERE Profile.Name = :profileName ORDER BY Name];
    }
    
    // Get users assigned to a specific permission set
    public static List<User> getUsersByPermissionSet(String permissionSetName) {
        List<PermissionSetAssignment> assignments = 
            [SELECT AssigneeId, Assignee.Name, Assignee.Username FROM PermissionSetAssignment 
             WHERE PermissionSet.Name = :permissionSetName];
        List<User> users = new List<User>();
        for (PermissionSetAssignment psa : assignments) {
            users

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change