If you work as a Salesforce Admin, you might have seen this: you enable a new Salesforce feature, follow the instructions, assign the Permission Set License and matching Permission Set, and everything works fine. Then, you move on to the next task.
But there’s a problem – some default Salesforce Permission Sets give more access than you think. This can put your Salesforce org at risk if not managed properly.
Why Checking Permission Sets is Important
When you install an app from Salesforce AppExchange, its Permission Sets are usually safe and limited. But Salesforce’s own Permission Sets can give powerful permissions like API Enabled or Manage Flows without you noticing.
If a user gets these permissions by default, they can do more than they should. This may lead to security risks or mistakes inside your org.
Case Study: Sales Engagement Basic User
For example, the SalesEngagementBasicUser Permission Set seems simple. Its name ends in “User” and it looks basic. But it grants the Run Flows permission, letting a user run any active flow.
Flows can run in System Context, giving access far beyond normal user rights. This can be risky if an attacker or untrained user misuses it.
Some teams use screen flow panels to control who can run flows. But giving this access to too many users can be dangerous.
How to Lock Down Salesforce Permission Sets
Since you cannot edit Salesforce-provided Permission Sets, use Permission Set Groups with Muting Permission Sets instead:
- Create a new Permission Set for flows users should run (e.g., “Sales Engagement Flow Access”).
- Add this and the default Permission Set to a Permission Set Group.
- Add a Muting Permission Set to remove risky permissions like Run Flows.
- Assign the Permission Set Group to your users instead of the default set.
- Use View Summary to check permissions.
This keeps the functions working but removes risky access.
Another Example: Revenue Cloud Advanced
In Revenue Cloud Advanced, some Permission Sets give Run Flows or Manage Flows, which allow full control over all flows. Permissions like these are very powerful.
Solution:
- Add the default Permission Set to a Permission Set Group.
- Use a Muting Permission Set to remove Manage Flows.
- Assign the Permission Set Group to users.
- Verify using View Summary.
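Both procedures above come down to the same calculation: union the Permission Sets in the group, then subtract whatever the Muting Permission Set mutes. The Python script below is an added example (not from iBirds or Salesforce) that performs that check offline against retrieved metadata XML, so risky user permissions show up before the group is assigned, complementing View Summary; the sample files and the names Mute_Risky_Flow_Perms, Sales_Engagement_Flow_Access and Sales_Cadence_Screen_Flow are constructed for illustration. It assumes the Metadata API convention that an enabled userPermissions entry in a MutingPermissionSet mutes that permission, and that Manage Flows is the ManageInteraction user permission.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Metadata API names: RunFlow = Run Flows, ManageInteraction = Manage Flows.
RISKY = {"RunFlow", "ManageInteraction", "ApiEnabled"}

# Constructed sample metadata (not real Salesforce files), keyed by API name.
PERM_SETS = {
    "SalesEngagementBasicUser": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>RunFlow</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ViewSetup</name></userPermissions>
</PermissionSet>""",
    "Sales_Engagement_Flow_Access": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <flowAccesses><enabled>true</enabled><flow>Sales_Cadence_Screen_Flow</flow></flowAccesses>
</PermissionSet>""",
}
MUTING_SETS = {
    "Mute_Risky_Flow_Perms": """<MutingPermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>RunFlow</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ManageInteraction</name></userPermissions>
</MutingPermissionSet>""",
}
GROUP = """<PermissionSetGroup xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Sales Engagement Users</label>
  <permissionSets>SalesEngagementBasicUser</permissionSets>
  <permissionSets>Sales_Engagement_Flow_Access</permissionSets>
  <mutingPermissionSets>Mute_Risky_Flow_Perms</mutingPermissionSets>
</PermissionSetGroup>"""


def enabled_names(xml_text, container, name_tag):
    """Return the <name_tag> values of every <container> entry whose <enabled> is true."""
    root = ET.fromstring(xml_text)
    return {
        e.findtext(f"m:{name_tag}", namespaces=NS)
        for e in root.findall(f"m:{container}", NS)
        if e.findtext("m:enabled", namespaces=NS) == "true"
    }


def effective_access(group_xml, perm_sets, muting_sets):
    """Union the group's Permission Sets, then remove everything the Muting Sets mute."""
    root = ET.fromstring(group_xml)
    perms, flows = set(), set()
    for ps in root.findall("m:permissionSets", NS):
        perms |= enabled_names(perm_sets[ps.text], "userPermissions", "name")
        flows |= enabled_names(perm_sets[ps.text], "flowAccesses", "flow")
    for ms in root.findall("m:mutingPermissionSets", NS):
        perms -= enabled_names(muting_sets[ms.text], "userPermissions", "name")
    return {"userPermissions": perms, "flowAccesses": flows, "risky": perms & RISKY}


if __name__ == "__main__":
    print(effective_access(GROUP, PERM_SETS, MUTING_SETS))
```

Run it against the files under permissionsets/, mutingpermissionsets/ and permissionsetgroups/ of a metadata retrieve; a non-empty "risky" set means the group still needs muting before assignment.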
Key Tips for Salesforce Admins
- Never assume default Permission Sets are safe. Always check them.
- Use Permission Set Groups with Muting Permission Sets to remove risky permissions.
- Test changes in a sandbox first.
- Remember, security is shared: Salesforce provides tools, but you must use them safely.
Final Thoughts
Salesforce makes it easy to use new features, but default Permission Sets can cause security issues. By reviewing and adjusting them, you can protect your org without slowing your team down.
In today’s environment, where Salesforce breaches are common, checking Permission Sets is not optional. It’s necessary for safe and smooth operations – iBirds services
FAQs
Q1: What is a Salesforce Permission Set?
A: It is a set of permissions that gives users access to specific Salesforce features.
Q2: Why are default Permission Sets risky?
A: Some default sets give powerful permissions like Run Flows or Manage Flows that users may not need.
Q3: How can I reduce risky permissions?
A: Use Permission Set Groups with Muting Permission Sets to remove permissions users shouldn’t have.
Q4: Should I test changes before using them in production?
A: Yes, always test in a sandbox to avoid unexpected problems.
Q5: Can Salesforce-provided Permission Sets be edited?
A: No, you cannot edit them directly, but you can control them using Permission Set Groups and Muting Sets.
