how-to · Jun 14, 2026 · 8 min read · By RevKit

Salesforce Permission Sets vs Profiles: What's the Difference?

Salesforce permission sets vs profiles — what they actually do, how they interact, and Salesforce's official recommendation for which to use in 2026 and beyond.

If you've inherited a Salesforce org with 47 profiles and 3 permission sets, your predecessor was doing it the old way. Salesforce's official guidance for several years now has been the opposite: a small number of profiles and a large library of permission sets.

Here's why, and how to do it right.

Estimated read time: 8 minutes

The 30-second answer

  • A profile is a user's foundational access. Every user has exactly one profile.
  • A permission set grants additional access on top of the profile. Users can have many permission sets.

You can't take permissions away with a permission set — only add. So profiles set the floor; permission sets raise the ceiling.

What each one controls

Both profiles and permission sets can control:

  • Object permissions (CRUD)
  • Field-level security
  • App access
  • Tab visibility
  • Apex class access
  • Visualforce page access
  • System permissions

Only profiles control:

  • Page layout assignment
  • Record type assignment
  • Login hours and IP restrictions
  • Default app
  • Default record types

That last list is shrinking — Salesforce is migrating profile-only features into permission sets over time.

Salesforce's recommended approach (2026)

The current best practice, per Salesforce documentation:

  1. Use the "Minimum Access - Salesforce" profile as the baseline for as many users as possible
  2. Build permission sets for every job function (Sales Rep, Sales Manager, RevOps, Marketing User, Support Rep)
  3. Assign permission sets to users individually or via permission set groups
  4. Use permission set groups to bundle related permission sets (a "Sales Rep" group might include the base Sales Rep set + Forecast Access + Lead Conversion)

This approach scales. The old "one profile per role" approach doesn't.

Why the change?

Profiles are hard to maintain. Every change requires editing a profile, which means testing every user assigned to that profile. Permission sets are modular — you build them once and assign as needed. When something changes, you edit one set, not 30.

Permission set groups (introduced 2020) sealed the deal — you get the convenience of "one assignment per user" without the rigidity of profiles.

When to still use profiles

Some things still belong in profiles:

  • Login restrictions (hours, IP) — set per profile
  • Default record types and page layouts — set per profile
  • Truly distinct user populations that need different login policies (e.g., contractors with limited login windows)

Most orgs end up with 3-5 profiles total: a baseline, an admin profile, a contractor/limited profile, and maybe one or two industry-specific exceptions.

How to migrate from profile-heavy to permission-set-heavy

If your org is the "47 profiles" kind, here's the migration playbook:

  1. Inventory. List every profile and what makes it different from the others.
  2. Identify the common baseline. Most profiles share 70-80% of permissions.
  3. Create the baseline profile as a copy of "Minimum Access - Salesforce" plus the org-wide essentials.
  4. For each existing profile, build a permission set that contains the delta — what that profile has beyond the baseline.
  5. Migrate users one batch at a time. Move them to the baseline profile, assign the relevant permission set, validate.
  6. Decommission old profiles once they have zero users.

Plan on 4-8 weeks for a typical mid-market org. Don't try to do it in one weekend.
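
The inventory, baseline and delta steps above, as an added Python example (not RevKit's or Salesforce's own tooling). It also reports what a proposed baseline would newly grant to a profile's users, which matters because a permission set cannot take that access away again. The profile names and the "Object:Action" permission strings are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory: (profile, permission). In a real org these rows
# could come from ObjectPermissions / PermissionSet where IsOwnedByProfile = true.
ROWS = [
    ("Sales Rep", "Account:Read"), ("Sales Rep", "Account:Edit"),
    ("Sales Rep", "Lead:Read"), ("Sales Rep", "Lead:Edit"),
    ("Sales Rep West", "Account:Read"), ("Sales Rep West", "Account:Edit"),
    ("Sales Rep West", "Lead:Read"), ("Sales Rep West", "Lead:Edit"),
    ("Sales Manager", "Account:Read"), ("Sales Manager", "Account:Edit"),
    ("Sales Manager", "Lead:Read"), ("Sales Manager", "Forecast:Edit"),
    ("Support Rep", "Account:Read"), ("Support Rep", "Case:Read"),
    ("Support Rep", "Case:Edit"),
    ("Legacy Ops", "Account:Read"), ("Legacy Ops", "System:ModifyAllData"),
]
HIGH_RISK = {"System:ModifyAllData", "System:ViewAllData"}  # review before copying

def inventory(rows):
    """Step 1: profile -> set of granted permissions."""
    perms = defaultdict(set)
    for profile, perm in rows:
        perms[profile].add(perm)
    return dict(perms)

def common_baseline(perms):
    """Step 2: permissions every profile already has."""
    return set.intersection(*perms.values())

def plan(perms, baseline):
    """Steps 4-5: delta per profile, plus what the move would newly grant."""
    report = {}
    for profile, granted in perms.items():
        report[profile] = {
            "delta": granted - baseline,       # goes into the permission set
            "escalation": baseline - granted,  # baseline adds this; a set cannot remove it
            "high_risk": (granted - baseline) & HIGH_RISK,
        }
    return report

def shared_sets(report):
    """Profiles with identical deltas can share one permission set."""
    groups = defaultdict(list)
    for profile, r in report.items():
        groups[frozenset(r["delta"])].append(profile)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    perms = inventory(ROWS)
    for name, r in plan(perms, common_baseline(perms)).items():
        print(name, {k: sorted(v) for k, v in r.items()})
```

A non-empty "escalation" set for any profile means the proposed baseline is too broad for that population: trim the baseline or keep those users on a separate profile.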

Common questions

Can a permission set grant fewer permissions than a profile? No. Permission sets only add. To restrict, you have to change the profile.

Can a user have zero permission sets? Yes. Their profile is their only access.

What happens if a profile and permission set conflict? There's no real conflict — permission sets only add. If both grant the same permission, the user has it.

Can I clone a profile to a permission set? Yes — Setup → User Management → Migration tool, or use a third-party tool like Salesforce Inspector.

Want help untangling profiles?

A profile-to-permission-set migration is a cleanup project most admins know they need but never start. We've done dozens.

RevKit's Profile Cleanup delivers a baseline-profile + permission-set library in 48 hours for $999:

  • Audit of all current profiles
  • Baseline profile design
  • Permission set library (one per role/function)
  • Permission set groups for bundled assignment
  • Migration plan for existing users
