Exclusive differences Profiles vs permission sets?

What permission sets allow you to do is minimize the number of profiles that you have to create. They also allow you to temporarily add and remove permissions for users without needing to change their entire profile. In that sense it's a huge time saver. They help keep your org's profiles simpler and your org "cleaner". There always tend to be "exceptions to the rule" where someone needs unique access to certain records. Permission sets allow you to provide them that access without creating a "special profile" just for that single user.

They also allow ISVs to provide permissions to use their applications without changing your user profiles. Instead, permissions can be added and provisioned for your users who need access to those applications. You only need to purchase licenses for those who really need them (when those licensing models apply or are available).


As far as I know, anything you can do with permission sets you can do with profiles, but there are a few things that can as of now only be done with profiles.

The key UI difference in my experience is that only profiles can be used to control page layout assignment.

I took a look and at a top level, it looks like the following items are profile only. There may be others; I have not been able to find a clean list.

  • Page layout assignment
  • Desktop client access
  • Login Hours
  • Login IP Ranges
  • Session settings
  • Password policies
  • Delegated authentication
  • Two-factor authentication with Single Sign-On
  • Organization-Wide Email Addresses are assignable by Profile only (idea to fix this)
  • Default record type per object
  • Profile specific search layouts (winter 20)

Permission sets and profiles have come very close to parity. Now that record type assignment can be done in either, it's just a few key things that remain, and these likely would remain on profile, as a user can only be assigned one page layout at a time, so it wouldn't really make sense on a permission set.

FWIW, besides the page layouts, which I knew about from general experience, I came up with this list by looking at a perm set and a profile in the enhanced editor and noting which top-level sections were missing from the perm set.

[Screenshots of the enhanced editor: Permission Set, Profile]
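The same comparison can be done on retrieved metadata instead of in the editor. This is an added example, not part of the answer above: it assumes the profile and permission set have been retrieved as Metadata API XML, uses constructed sample documents, and the function names are hypothetical. It lists the top-level sections that exist only on the profile and pulls out the login IP ranges for review.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"  # Metadata API namespace

# Constructed sample metadata, not taken from a real org.
PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <layoutAssignments><layout>Account-Account Layout</layout></layoutAssignments>
  <loginHours><mondayStart>480</mondayStart><mondayEnd>1080</mondayEnd></loginHours>
  <loginIpRanges><startAddress>203.0.113.0</startAddress>
    <endAddress>203.0.113.255</endAddress></loginIpRanges>
  <objectPermissions><object>Account</object><allowRead>true</allowRead></objectPermissions>
  <recordTypeVisibilities><recordType>Account.Partner</recordType>
    <default>true</default><visible>true</visible></recordTypeVisibilities>
  <userPermissions><name>RunReports</name><enabled>true</enabled></userPermissions>
</Profile>"""

PERMSET_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Custom Report Type Creator</label>
  <objectPermissions><object>Account</object><allowRead>true</allowRead></objectPermissions>
  <recordTypeVisibilities><recordType>Account.Partner</recordType>
    <visible>true</visible></recordTypeVisibilities>
  <userPermissions><name>CreateCustomizeReports</name><enabled>true</enabled></userPermissions>
</PermissionSet>"""


def section_names(xml_text):
    """Return the set of top-level element names, with the namespace stripped."""
    root = ET.fromstring(xml_text)
    return {child.tag.replace(NS, "") for child in root}


def profile_only(profile_xml, permset_xml):
    """Sections present on the profile but absent from the permission set."""
    return sorted(section_names(profile_xml) - section_names(permset_xml))


def login_ip_ranges(profile_xml):
    """List (start, end) pairs for every login IP range on the profile."""
    root = ET.fromstring(profile_xml)
    return [(r.findtext(NS + "startAddress"), r.findtext(NS + "endAddress"))
            for r in root.findall(NS + "loginIpRanges")]


if __name__ == "__main__":
    print("Profile-only sections:", profile_only(PROFILE_XML, PERMSET_XML))
    for start, end in login_ip_ranges(PROFILE_XML):
        print("Login IP range:", start, "-", end)
```

A section missing from one sample file only means it was not configured there, so run this over several profiles and permission sets before treating a section as profile-only.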


In addition to Crmprogdev's answers and comments, this paragraph taken from here may be helpful:

The key difference between the two is that the Profile is the user's base set of permissions and all users are assigned to one. A Permission set is just a way to give a user or a set of users extended permissions without granting them to the entire group of users with a certain Profile.

Key example would be that 5 users share the same Profile which does not have permission to create custom report types, but one of the 5 users needs to create custom report types. Rather than create a new Profile just for this one user, you would create a Permission Set that included the Create Custom Report Types permission and assign it to that one user.

Profiles can be used to give or take away permission from the users assigned to it. Permission Sets can only give or extend permission to the users assigned to it.