Reduce

Consider the familiar scenario where a request is made to provide additional access rights to a particular salesforce.com user.  With profiles alone, the administrator has three options:
  1. Add the new access rights directly to the user's profile.  This has the side effect of also changing the access rights of every other user assigned to the profile, which may not be desirable.
  2. Clone the user's profile, make the changes to the cloned profile, and then assign the new profile to the impacted user.  This avoids changing the access rights of those assigned to the original profile, but now the administrator must keep the old and the new profiles appropriately synchronized.
  3. Grant the user administrative privileges such as Modify All Data, which is like giving out the keys to the kingdom.  This is never recommended unless you want to enable a user to delete all data in the org. Death Star meet Alderaan; Alderaan, get blown up by the Death Star.

With permission sets, the administrator has a powerful tool at their disposal and can simply create a new permission set with the requested permissions and assign that to the impacted user.  While this is certainly an option, there is a better way.

When a request comes in to grant additional access rights to a user, the administrator should take a step back and ask some important questions:
  • What is the job function, task, or process that requires these new access settings?
  • Do we already have a permission set for that?
  • If not, what are all the permissions and access rights required in order to perform this job function, task, or process?

The end goal is to use the changes that naturally happen within your organization to reinforce and strengthen the practice of using permission sets to encapsulate the permissions and access settings required for each job function within your organization.  By using the incoming change requests to either correct existing permission sets or identify new job functions, the administrator can ensure that there exists the appropriate number of permission sets corresponding to the identified job functions within the organization.  In asking the above questions and ensuring that a permission set exists which represents the entirety of the new job function requested, the administrator ensures they have something that can be reused across the entire user community.
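
One way to answer "Do we already have a permission set for that?" before creating anything new is to query the org's permission metadata from Execute Anonymous. The Apex below is an added example, not code from the original article; the object name `Invoice__c` and the shape of the request (edit access on that object) are assumptions made for illustration.

```apex
// Assumption: the incoming request is for edit access on a hypothetical custom object.
String requestedObject = 'Invoice__c';

// 1. Existing permission sets (not profile-owned) that already grant the requested access.
//    Any hit is a candidate to assign as-is instead of creating another set.
for (ObjectPermissions op : [
        SELECT Parent.Name, Parent.Label,
               PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete
        FROM ObjectPermissions
        WHERE SobjectType = :requestedObject
          AND PermissionsEdit = true
          AND Parent.IsOwnedByProfile = false
        ORDER BY Parent.Name]) {
    System.debug('Candidate: ' + op.Parent.Label + ' (' + op.Parent.Name + ')'
        + ' create=' + op.PermissionsCreate + ' delete=' + op.PermissionsDelete);
}

// 2. Active users who hold Modify All Data, and whether it comes from their
//    profile or from a permission set (option 3 in the list above).
for (PermissionSetAssignment psa : [
        SELECT Assignee.Name, PermissionSet.Name,
               PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsModifyAllData = true
          AND Assignee.IsActive = true
        ORDER BY Assignee.Name]) {
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'profile ' + psa.PermissionSet.Profile.Name
        : 'permission set ' + psa.PermissionSet.Name;
    System.debug('Modify All Data: ' + psa.Assignee.Name + ' via ' + source);
}

// 3. Permission sets assigned to exactly one user. These are worth reviewing:
//    they may be per-user grants rather than sets modelled on a job function.
for (AggregateResult ar : [
        SELECT PermissionSet.Name psName, COUNT(Id) assignees
        FROM PermissionSetAssignment
        WHERE PermissionSet.IsOwnedByProfile = false
        GROUP BY PermissionSet.Name
        HAVING COUNT(Id) = 1]) {
    System.debug('Single-assignee permission set: ' + ar.get('psName'));
}
```

The third query is a review heuristic only: a set with one assignee can still be a legitimate job function that a single person currently performs.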