permission-set-groups-and-muting
Use when designing or reviewing permission-set-group architecture, especially profile minimization, group composition, muting strategy, and migration away from profile-heavy security models. Triggers: 'permission set group', 'muting permission set', 'profiles to permission sets', 'PSG architecture', 'muted permissions'. NOT for record-sharing design or CRUD/FLS review in Apex code.
Best use case
permission-set-groups-and-muting is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using permission-set-groups-and-muting should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/permission-set-groups-and-muting/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
Frequently Asked Questions
What does this skill do?
Use when designing or reviewing permission-set-group architecture, especially profile minimization, group composition, muting strategy, and migration away from profile-heavy security models. Triggers: 'permission set group', 'muting permission set', 'profiles to permission sets', 'PSG architecture', 'muted permissions'. NOT for record-sharing design or CRUD/FLS review in Apex code.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Permission Set Groups And Muting

Use this skill when access design has outgrown direct profile customization and one-off permission-set assignments. Permission Set Groups let teams compose reusable access bundles, while muting lets them subtract permissions from the group evaluation when the bundle is almost right but still too broad.

---

## Before Starting

Gather this context before working on anything in this domain:

- How many profiles, permission sets, and ad hoc assignments already exist?
- Are the target access bundles feature-based, role-based, or a mix?
- Is the real problem composition, or is it record visibility and sharing instead?

---

## Core Concepts

### PSGs Are The Composition Layer

Permission Set Groups bundle compatible permission sets so access can be assigned as a meaningful unit. That reduces repeated manual combinations and makes review easier.

### Muting Subtracts From The Group Evaluation

Muting is for narrowing the effective permissions of a group when a shared bundle grants a bit too much. It is not a new permission source, and it should not become an excuse for chaotic permission-set design.

### Minimal Profiles Still Matter

Profiles do not disappear, but they should stop carrying most feature-specific access. The cleaner the base profile, the more valuable PSG composition becomes.

### Migration Is An Access-Architecture Project

Moving from profile-centric design to PSG-driven design requires naming, testing, and rollout discipline. It is not just a metadata conversion task.

---

## Common Patterns

### Feature Bundle PSG

**When to use:** Multiple users need the same collection of capabilities such as service console plus case tools.

**How it works:** Create focused permission sets per feature, then group them into one assignable PSG.

**Why not the alternative:** Repeating many direct assignments scales poorly and is harder to audit.

### Base Bundle Plus Muting

**When to use:** Two personas are almost identical except for a few restricted capabilities.

**How it works:** Reuse the same base PSG and mute only the permissions that one persona should not inherit.

### Profile-Minimization Migration

**When to use:** The org has many feature-heavy profiles and access changes are risky.

**How it works:** Move feature access into permission sets, compose PSGs, and leave profiles as thinner bases.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Many recurring permission-set combinations exist | Permission Set Groups | Better composition and assignment hygiene |
| One bundle is almost right for multiple personas | PSG plus muting | Reuse without cloning many bundles |
| Profiles still hold most feature access | Migrate toward minimal profiles plus PSGs | Better long-term governance |
| Access issue is record visibility, not granted permissions | Use sharing/security-model skills instead | PSGs do not solve sharing architecture |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] Profiles are being minimized instead of expanded.
- [ ] Permission sets have clear, focused purposes.
- [ ] PSGs represent meaningful bundles, not random collections.
- [ ] Muting is used intentionally and not as a cleanup tool for bad design.
- [ ] Access combinations are tested with real user personas.
- [ ] Migration and rollback are planned for profile-centric orgs.

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **Muting narrows effective group access, it does not grant new access** - teams misuse it when they have not designed the base bundle clearly.
2. **Profiles still exist** - a PSG strategy fails if profiles remain overloaded with feature permissions.
3. **Bundle naming becomes governance** - unclear names create access-review chaos later.
4. **Testing combinations matters** - composed access can behave differently than designers expect.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| PSG design review | Findings on composition, muting, and profile minimization |
| Access-bundle plan | Recommended permission-set and PSG structure |
| Migration outline | Phased approach for moving from profile-heavy access to PSGs |

---

## Related Skills

- `security/org-hardening-and-baseline-config` - use when baseline org controls are the concern rather than feature-access composition.
- `admin/permission-sets-vs-profiles` - use for the broader admin-side distinction between permission sets and profiles.
- `apex/apex-security-patterns` - use when code-level sharing and CRUD/FLS enforcement are the real issue.
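To make the rule in "Muting Subtracts From The Group Evaluation" and the "Base Bundle Plus Muting" pattern concrete, here is an added example (not part of the skill or its checker script) that parses constructed PermissionSetGroup, PermissionSet and MutingPermissionSet metadata XML, computes the group's effective user permissions as the union of member grants minus muted names, and flags mutes that match nothing the group grants. Only userPermissions are modelled; object and field permissions follow the same element shape but are left out for brevity.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample metadata (not from a real org); only userPermissions are modelled.
PERMISSION_SETS = {
    "Service_Console": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Service Console</label>
  <userPermissions><enabled>true</enabled><name>RunReports</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</PermissionSet>""",
    "Case_Tools": """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Case Tools</label>
  <userPermissions><enabled>true</enabled><name>ManageCases</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
</PermissionSet>""",
}
# In a muting permission set, enabled=true means "mute this permission".
MUTING_SETS = {
    "Mute_Api_For_Agents": """<MutingPermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Mute API for Agents</label>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ExportReport</name></userPermissions>
</MutingPermissionSet>""",
}
GROUP = """<PermissionSetGroup xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Service Agent</label>
  <mutingPermissionSets>Mute_Api_For_Agents</mutingPermissionSets>
  <permissionSets>Service_Console</permissionSets>
  <permissionSets>Case_Tools</permissionSets>
  <status>Updated</status>
</PermissionSetGroup>"""

def enabled_user_perms(xml):
    # Names of <userPermissions> entries whose <enabled> flag is true.
    root = ET.fromstring(xml)
    return {p.find(NS + "name").text for p in root.iter(NS + "userPermissions")
            if p.find(NS + "enabled").text == "true"}

def evaluate_group(group_xml, permission_sets, muting_sets):
    # Effective access = union of member grants minus muted names; muting only subtracts.
    root = ET.fromstring(group_xml)
    granted, muted = set(), set()
    for ref in root.findall(NS + "permissionSets"):
        granted |= enabled_user_perms(permission_sets[ref.text])
    for ref in root.findall(NS + "mutingPermissionSets"):
        muted |= enabled_user_perms(muting_sets[ref.text])
    # dead_mutes: muted names the group never granted, a sign the base bundle is unclear.
    return {"effective": granted - muted, "dead_mutes": muted - granted}
```

A non-empty dead_mutes set is the review signal from the checklist above: the muting set is being used as a cleanup tool rather than to trim a well-designed base bundle.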
Related Skills
permission-set-deployment-ordering
Use when deploying permission sets, permission set groups, or profiles and encountering cross-reference errors, silent permission loss, or ordering failures. Triggers: 'permission set deployment fails', 'cross-reference id error during deploy', 'permissions disappear after deployment', 'permission set group deployment error'. NOT for permission set design or architecture decisions (use permission-set-architecture), NOT for creating permission sets from scratch (use admin/permission-set-architecture).
apex-user-and-permission-checks
Use when Apex needs to check what the running user is, can see, or can do — via UserInfo, FeatureManagement, FeatureManagement.checkPermission, or FeatureManagement.checkPermissionType. Covers custom permissions, permission sets, user licenses, and profile checks. NOT for FLS/CRUD (use Security.stripInaccessible or `with user_mode`), sharing rules, or external user license logic.
apex-custom-permissions-check
Custom Permissions in Apex: FeatureManagement.checkPermission, $Permission global variable, permission-set gating of feature code, Custom Permission metadata. NOT for CRUD/FLS enforcement (use security-apex-crud-fls). NOT for standard Salesforce permissions (use permission-set-architecture).
queues-and-public-groups
Use this skill when creating or managing queues, configuring queue membership, setting up case or lead queues, creating public groups, or using groups in sharing rules and manual sharing. Trigger keywords: queue, public group, queue membership, queue email, group sharing, case queue, lead queue. NOT for assignment rules that route records to queues automatically (use assignment-rules). NOT for Omni-Channel routing configuration (separate routing engine).
permission-sets-vs-profiles
Use when designing or auditing Salesforce access control — deciding between Profiles, Permission Sets, and Permission Set Groups. Triggers: 'user can't see field', 'too many profiles', 'permission model', 'least privilege', 'profile migration'. NOT for sharing rules or record-level access — use security/fls-crud for that.
fsc-relationship-groups
Use this skill when creating, configuring, or troubleshooting FSC Relationship Groups — including Household, Professional Group, and Trust group types; member role assignment via AccountContactRelation FSC fields; Primary Group designation; and group-level wealth aggregation rollups. NOT for standard account relationships, Contact-Account relationships outside FSC, NPSP household configuration, or Financial Account role setup (use admin/financial-account-setup).
custom-permissions
Use when creating, assigning, or checking custom permissions to control feature access beyond CRUD and FLS. Trigger keywords: 'custom permission', 'FeatureManagement.checkPermission', '$Permission global variable', 'feature gate', 'named access grant', 'beta feature flag'. NOT for permission sets (use permission-set-architecture).
analytics-permission-and-sharing
Use this skill when configuring CRM Analytics (formerly Einstein Analytics) app sharing, dataset-level permissions, row-level security predicates, sharing inheritance, or license assignment. Trigger keywords: CRM Analytics security, row-level security predicate, dataset permissions, analytics sharing inheritance, Analytics Plus license. NOT for standard Salesforce OWD/sharing rules, profile-based record access, or non-Analytics report folder sharing.
xss-and-injection-prevention
Use when writing or reviewing Visualforce pages, Apex controllers, or LWC components that output user-supplied data, build dynamic queries, or construct HTTP responses. Triggers: 'XSS in Visualforce', 'SOQL injection vulnerability', 'how to encode output in Apex', 'JSENCODE Visualforce', 'open redirect prevention'. NOT for Apex CRUD/FLS enforcement (use soql-security or apex-crud-and-fls), NOT for Shield encryption (use shield-encryption-key-management), NOT for AppExchange security review process (use secure-coding-review-checklist).
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
sso-saml-troubleshooting
Diagnosing broken SAML SSO into Salesforce — IdP-initiated vs SP-initiated flows, signing-certificate validity / expiry, NameID format mismatches, RelayState handling, audience / entityId / issuer mismatches, clock skew, the SAML Assertion Validator in Setup, the Login History debug log, and the My Domain prerequisite for SSO. Covers the standard diagnostic loop: read the SAML response, identify which check failed, fix at the IdP or SP. NOT for OAuth / OpenID Connect SSO (see security/oauth-openid-troubleshooting), NOT for setting up SSO from scratch (see security/sso-saml-setup).