Permission sets are a security nightmare waiting to happen if you don't audit them regularly. I've seen orgs with 500+ permission sets, many assigned to users with excessive access, and zero documentation. Across enterprise Salesforce orgs, I've learned that manual permission set audits aren't just possible—they're essential for compliance and reducing attack surfaces. Here's how to do it without third-party tools.
Step 1: Inventory All Permission Sets
Start by listing every permission set. Go to Setup → Permission Sets → click "All Permission Sets." But don't stop there. Run this SOQL to get a complete, exportable list (the filter excludes the hidden permission set that backs each profile, which the UI list also hides and which would otherwise inflate your count):
SELECT Id, Name, Description FROM PermissionSet WHERE IsOwnedByProfile = false
Export to CSV. In my last org (a healthcare provider), this revealed 147 permission sets—32 were unused since 2020. Delete those first. I once found a "Test_User_Access" set still assigned to 12 users after a pilot project ended.
Step 2: Map Users to Permission Sets
Next, find who has access. Use this SOQL to see all assignments (the user is reached through the Assignee relationship on PermissionSetAssignment; the filter again drops the profile-backed sets, which every user is "assigned" to):
SELECT PermissionSet.Name, Assignee.Name, AssigneeId
FROM PermissionSetAssignment
WHERE PermissionSet.IsOwnedByProfile = false
ORDER BY PermissionSet.Name, Assignee.Name
Export to Excel. Sort by permission set name. In a financial services org, this showed "Admin_Finance_Viewer" assigned to 45 users—only 10 should have it. We immediately removed the excess.
Step 3: Verify Actual Permissions
Don't trust the name. Drill into each permission set’s "Permissions" tab. Look for dangerous permissions like:
View All Data on critical objects (e.g., Contacts, Opportunities)
Modify All Data on custom objects
Manage Public Groups (a common misassignment)
Example: In a retail client org, "Store_Manager_Sales" granted "Modify All" on Orders. This was only needed for a single custom report. We stripped it down to "View" only and removed the "Modify All" permission.
Step 4: Compare Against Role Standards
Create a baseline. For each role (e.g., "Sales Rep"), document the minimal required permissions. Then, for each permission set, ask:
Is this permission set actually used by users in this role?
Is it necessary? (e.g., "Edit Account" is standard for Sales Reps—no need for a separate set)
Is it excessive? (e.g., "View All" on Leads when "View" suffices)
At a manufacturing client, we found "Plant_Admin_Special" permission set granting "Manage Workflows" to 30 users. Only 3 needed it. We split it into a new, smaller set and removed the excess.
Step 5: Document & Remediate
Summarize findings in a spreadsheet with columns: Permission Set Name, Users Assigned, Excessive Permissions, Risk Level (High/Medium/Low), and Action. Prioritize high-risk items (e.g., "View All" on Financial Data).
Remediation tip: Never delete permission sets used by active users. Instead, create a new, lean set, assign it to users, then delete the old one. In a recent audit, we reduced permission sets by 37% without disrupting users by following this.
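To show how Steps 1 through 5 fit together, here is an added example (not part of the original post) that turns the two SOQL exports into the Step 5 spreadsheet rows. It assumes the permission set export was hand-extended with a Role column and a semicolon-separated Permissions column copied from each set's Permissions tab; the sample CSVs and the role baseline are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real org data). Column layout is an assumption:
# the Step 1 export plus hand-filled Role and Permissions columns from the Permissions tab.
PERMISSION_SETS_CSV = """Name,Role,Permissions
Admin_Finance_Viewer,Finance Analyst,View All Data;Manage Public Groups
Store_Manager_Sales,Sales Rep,Edit Account;Modify All Data
Test_User_Access,,Edit Account
Sales_Basic,Sales Rep,Edit Account
"""

# Constructed Step 2 export (PermissionSet.Name, Assignee.Name).
ASSIGNMENTS_CSV = """PermissionSet.Name,Assignee.Name
Admin_Finance_Viewer,Ana Ruiz
Admin_Finance_Viewer,Ben Ko
Store_Manager_Sales,Chris Lee
Sales_Basic,Chris Lee
"""

# Step 4 baseline: the minimal permissions each role legitimately needs (assumed values).
BASELINE = {
    "Sales Rep": {"Edit Account"},
    "Finance Analyst": {"View All Data"},
}

# Permissions the post calls out as dangerous; any grant outside the baseline is High risk.
HIGH_RISK = {"View All Data", "Modify All Data", "Manage Public Groups"}


def audit(permission_sets_csv, assignments_csv, baseline):
    """Return Step 5 rows: one dict per permission set with users, excess, risk and action."""
    users_by_set = defaultdict(set)
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        users_by_set[row["PermissionSet.Name"]].add(row["Assignee.Name"])

    rows = []
    for ps in csv.DictReader(io.StringIO(permission_sets_csv)):
        granted = {p for p in ps["Permissions"].split(";") if p}
        users = sorted(users_by_set.get(ps["Name"], set()))
        excess = sorted(granted - baseline.get(ps["Role"], set()))
        if not users:  # Step 1: unused set, safe to delete first
            risk, action = "Low", "Orphaned: no assignees, delete"
        elif HIGH_RISK & set(excess):  # Step 3: dangerous grant beyond the baseline
            risk, action = "High", "Create lean set, reassign, then delete old set"
        elif excess:
            risk, action = "Medium", "Review excess grants with role owner"
        else:
            risk, action = "Low", "Matches baseline, keep"
        rows.append({"Permission Set Name": ps["Name"], "Users Assigned": users,
                     "Excessive Permissions": excess, "Risk Level": risk, "Action": action})
    return rows
```

Write the returned rows out with csv.DictWriter to get the remediation spreadsheet; the High rows map directly to the "lean set, reassign, then delete" tip above.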
Manual audits are tedious but unavoidable. Third-party tools might promise speed, but they don't replace understanding your org. If you're overwhelmed, I've built a free health scan that does this automatically for you—no tools needed, just your credentials. It identifies orphaned permission sets, excessive access, and gaps against your role standards in minutes.
Stop guessing. Get your permission set house in order. Run your free health scan today—no credit card required. Your security team (and your auditors) will thank you.
Need a second opinion on your Salesforce org? Request a diagnostic.