I have hundreds of different functionalities setup in Salesforce each with its own Permissions Set for various privleges (FLS, Class access etc), given to various roles across the business.
I wish to have only a few simple Department based Profiles and to provide Permissions using Permission Sets and Permission Set Groups, and not via Profiles.
Requirements:
- I do not want many permissions in the System Admin Profile.
- I want all of the permissions from all of the other department's features to be available to System Admin, as multiple PSets or PSetGroups.
- I prefer not to have to configure a System Admin Permission Set each time a new Feature is configured for a department.
- I want to be able to give system admin access via a Permission Set Group all of the Permission Sets.
- New Features get a new PSet, and get added to the PSetGroups of the various Departments or Users Business Role.
Questions:
If a person with System Admin Permission Group has these hundreds of Permission Sets within their Permission Set Group will that lower the performance of the user?
Also is there a limit to the number of Permission Sets or Groups allowed per user?
Also to ask it another way, are permission Sets Calculated at config time or at login time or run time, at what stage are permission sets calculated to help understand the performance impact the user would experience, and the underlying architecture would also help.
Best Answer
The Permission Set Groups Considerations and Permission Set Group Status and Recalculation documents are helpful here.
Permission Set Groups are calculated into an aggregate form, thus improving performance. In other words, they are processed at configuration/deployment time, and then reused. Having many Permission Sets may have some impact, but this impact is limited because of Salesforce Features and Edition Allocations.
Specifically, orgs are limited to at most 1,500 global Permission Sets and 1,000 global Permission Set Groups, with each group having a maximum of 100 Permission Sets. Of those limits, your org is only allowed to create 1,000 Permission Sets and 800 Permission Set Groups; installed packages can also have Permission Sets and Permission Set Groups, and installation will fail if the global limits are exceeded.
Whenever we see limits like this, we know that there is some impact to performance, even though it may not be explicitly called out in any document. These limits are in place to keep Salesforce running at an appropriate level of service.
So, in one sense, you don't need to worry about a significant impact, because there are limits in place to keep the system reasonably responsive. On the other hand, this information should inform your design decisions about how granular your Permission Set and Permission Set Groups need to be.
You can't just create one Permission Set per User or per field, for example. As long as your Permission Sets and Permission Set Groups are reasonably designed to fit within the limits from above, you should find minimal impact to your organization's performance.
So, presuming you're a typical organization, and you have a reasonable number of features and groups, your general implementation that you've described sounds like a reasonable solution in most cases.