PocketKnife

In almost any organization, an individual’s responsibilities may represent their job function, processes that they use or are part of, individual tasks they need to perform on a daily basis, the region in which they work, etc.  As the organization grows, and the user's responsibilities with it, the administration of profiles becomes harder as one-off profiles become common place.

With permission sets, a user’s total access is determined by both a their profile and their assigned permission sets.  This allows the administrator to focus on individual job functions, tasks, processes, etc., instead of trying to build the perfect profile for any given user.  

Some organizations define their access requirements by making use of a simple matrix, for example team + process.  That is, different teams within an organization have different access requirements, but there are some processes that span all teams and various team members can participate in any number of these processes.  

MatrixRoles

Even considering the simplest case where users are members of a single team and must participate in exactly one of these processes leads to 16 distinct profiles to manage, one for each cell in the above table.

Even considering the simplest case where users are members of a single team and must participate in exactly one of these processes leads to 16 distinct profiles to manage, one for each cell in the above table.

Permission sets can make this simpler.  We can define 8 permission sets (that’s half the number of profiles we would have had to manage in the simplest of cases) corresponding to each row and column in the above table, and can assign those permission sets out as appropriate to our users.  This also means any individual user may participate in more than one team and more than a single process, a capability that would have required a lot of profiles!

For example, consider an organization where the administrator has identified 10 different job functions or tasks that a user may be part of.  In theory, a user may participate in a single job function, or all 10.  That’s a lot of possible profiles; in math terms:

MathFormula
In practice, a lot of these possible combinations do not actually exist within an organization, but it is difficult for an administrator to know exactly which.  Permission sets have the potential to greatly simplify the administrator’s job while allowing for all 1,023 possible combinations with less work overall.

Applying the best practice from this section, the administrator need only define 10 separate permission sets, each encapsulating all the permissions and access settings required to perform one of the 10 job functions or tasks identified.  With permission sets, each user has exactly the set of permissions required in order to perform all the functions and tasks for which the user is responsible.