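In Salesforce, Profiles and Permission Sets are the two core mechanisms for controlling users' access to objects, fields, and features.

| Feature | Profile | Permission Set |
|---|---|---|
| Purpose | Defines a user's baseline access (login hours, page layouts, object CRUD, field permissions, etc.). | Grants additional, higher or finer-grained permissions without modifying the Profile. |
| Assignment | Each user can have only one Profile. | Each user can have multiple Permission Sets. |
| Common scenario | Sets baseline permissions for users in the same type of role. | Temporarily opens up extra permissions for individual users. |
| Best practice | Keep Profiles lean and grant only the minimum permissions. | Use Permission Sets for flexible authorization; Permission Set Groups can be used to manage them grouped by role. |

Example:
A salesperson's Profile allows access to Account and Contact.
If one salesperson also needs access to Campaign, add a separate Permission Set for that user rather than cloning a new Profile.
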

In Salesforce, Profiles and Permission Sets work together to manage user access at the object, field, and feature level.

| Feature | Profile | Permission Set |
|---|---|---|
| Purpose | Defines a user’s base level of access: login hours, page layouts, object CRUD, and field-level security (FLS). | Extends or fine-tunes access beyond the profile without cloning it. |
| Assignment | One profile per user. | Multiple permission sets per user. |
| Typical Use | Used to group users with similar job functions. | Used for exceptions or additional privileges. |
| Best Practice | Keep profiles minimal — grant only the baseline; use permission sets for flexibility. | Use Permission Set Groups to combine sets by role or function. |

Example: A “Sales User” profile grants basic CRM access (Account, Contact). If one user also needs access to Campaigns, assign them an extra Permission Set instead of creating a new profile.

In short: Profile = baseline access; Permission Set = flexible extension.
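
The "Sales User" example above, worked as an access review. This is an added example, not code from the original page or from Salesforce: it computes a user's effective object access as the union of the profile baseline and any assigned permission sets, then lists what each extension adds beyond the baseline. The user names, set IDs and rows are constructed; the record shape only mirrors Salesforce's PermissionSet, ObjectPermissions and PermissionSetAssignment objects.

```python
from collections import defaultdict

# Constructed sample data (not from a real org). The shape mirrors Salesforce's
# PermissionSet, ObjectPermissions and PermissionSetAssignment records, where a
# profile's own grants sit in a permission set flagged IsOwnedByProfile.
PERMISSION_SETS = {
    "ps_sales_user": {"label": "Sales User", "owned_by_profile": True},
    "ps_campaign": {"label": "Campaign Access", "owned_by_profile": False},
}
OBJECT_PERMISSIONS = [  # (parent permission set, object, granted flags)
    ("ps_sales_user", "Account", {"read", "create", "edit"}),
    ("ps_sales_user", "Contact", {"read", "create", "edit"}),
    ("ps_campaign", "Campaign", {"read"}),
    ("ps_campaign", "Account", {"delete"}),  # scope creep an audit should surface
]
ASSIGNMENTS = [("alice", "ps_sales_user"), ("bob", "ps_sales_user"), ("bob", "ps_campaign")]


def _grants(user, from_profile=None):
    """Yield (set id, object, flag) for the user's assigned sets, optionally filtered."""
    assigned = {ps for who, ps in ASSIGNMENTS if who == user}
    for parent, obj, flags in OBJECT_PERMISSIONS:
        owned = PERMISSION_SETS[parent]["owned_by_profile"]
        if parent in assigned and from_profile in (None, owned):
            for flag in sorted(flags):
                yield parent, obj, flag


def effective_access(user):
    """Grants only add up: effective access is the union over profile and sets."""
    access = defaultdict(set)
    for _, obj, flag in _grants(user):
        access[obj].add(flag)
    return dict(access)


def beyond_baseline(user):
    """Map each (object, flag) the profile does not grant to the sets that add it."""
    baseline = {(obj, flag) for _, obj, flag in _grants(user, from_profile=True)}
    extras = defaultdict(list)
    for parent, obj, flag in _grants(user, from_profile=False):
        if (obj, flag) not in baseline:
            extras[(obj, flag)].append(PERMISSION_SETS[parent]["label"])
    return dict(extras)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, effective_access(user), beyond_baseline(user))
```

The constructed "Campaign Access" set also carries delete on Account, which is the kind of grant a review of extensions against the baseline is meant to surface.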