Permission sets are a security nightmare waiting to happen if you don't audit them regularly. I've seen orgs with 500+ permission sets, many assigned to users with excessive access, and zero documentation. In my 9 years across 12 enterprise Salesforce orgs, I've learned that manual permission set audits aren't just possible—they're essential for compliance and reducing attack surfaces. Here's how to do it without third-party tools.
Start by listing every permission set. Go to Setup → Permission Sets → click "All Permission Sets." But don't stop there: the Setup list hides the metadata you need to prioritize. Run this SOQL (Developer Console query editor, Workbench, or a Data Loader export) to get a complete, exportable list:
SELECT Id, Name, Label, IsCustom, CreatedDate, LastModifiedDate, Description FROM PermissionSet WHERE IsOwnedByProfile = false
The IsOwnedByProfile filter matters: every profile is backed by a PermissionSet record, so without it your "permission set" list is padded with profiles. Keep the Id column; you will join on it in the next step.
Export to CSV. In my last org (a healthcare provider), this revealed 147 permission sets. Once I joined that list against the assignment export from the next step, 32 of them had no assignees at all and had not been touched since 2020. Delete those first, after confirming that none is a member of a permission set group (Setup → Permission Set Groups) and none is referenced by a deployment or integration script; a set with zero direct assignees can still be live through a group. Orphaned sets are not the only failure mode: I once found a "Test_User_Access" set still assigned to 12 users after a pilot project ended.
Next, find who has access. Use this SOQL to see all assignments. Note that the lookup from PermissionSetAssignment to the user is called Assignee, not User, so a query on User.Name fails:
SELECT PermissionSet.Name, Assignee.Name, Assignee.Id, Assignee.IsActive, PermissionSetGroupId FROM PermissionSetAssignment WHERE PermissionSet.IsOwnedByProfile = false ORDER BY PermissionSet.Name, Assignee.Name
PermissionSetGroupId is populated when the row came from a permission set group rather than a direct assignment; those rows go away only when the group membership does.
Export to Excel. Sort by permission set name, and keep inactive users in view: their assignments are dormant, not gone, and come straight back if the user is reactivated. In a financial services org, this showed "Admin_Finance_Viewer" assigned to 45 users, only 10 of whom should have had it. We immediately removed the excess.
Don't trust the name. Open each permission set and drill into its System Permissions and Object Settings, or query the same flags directly: PermissionsModifyAllData, PermissionsViewAllData, PermissionsAuthorApex, PermissionsManageUsers and PermissionsCustomizeApplication are boolean fields on PermissionSet, and PermissionsModifyAllRecords / PermissionsViewAllRecords are per-object fields on ObjectPermissions. Look for dangerous permissions like Modify All Data, View All Data, Author Apex, Manage Users, Customize Application, and "Modify All" or "View All" on any object that holds regulated data. The first two bypass sharing rules for every record in the org; Author Apex and Manage Users are effectively admin.
Example: In a retail client org, "Store_Manager_Sales" granted "Modify All" on Orders. The only thing that needed it was a single custom report, and a report only reads records. We removed "Modify All" and left read access on Orders.
Create a baseline. For each role (e.g., "Sales Rep"), document the minimal required permissions. Then, for each permission set, ask two questions: does every permission it grants trace back to a documented need in the baseline, and does every assignee actually hold the role the set was built for? A "no" to either is a finding.
At a manufacturing client, we found "Plant_Admin_Special" permission set granting "Manage Workflows" to 30 users. Only 3 needed it. We split it into a new, smaller set and removed the excess.
Summarize findings in a spreadsheet with columns: Permission Set Name, Users Assigned, Excessive Permissions, Risk Level (High/Medium/Low), and Action. Prioritize high-risk items (e.g., "View All" on Financial Data).
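The spreadsheet above can be produced directly from the two exports instead of by hand. What follows is an added Python example written for this page, not the author's code and not the health scan mentioned later. It assumes you exported the two queries with Data Loader or Workbench, which writes booleans as the strings "true"/"false" and names relationship columns like Assignee.Id; the CSV rows embedded in it are constructed sample data, the 15-character Ids are made up, and the High/Medium/Low tiers it assigns are this example's own assumption rather than a Salesforce definition. The field names in the SOQL strings are real PermissionSet and PermissionSetAssignment fields.

```python
"""Offline triage of two Salesforce exports: permission sets and their assignments.

Joins the PermissionSet export to the PermissionSetAssignment export on Id,
counts active and inactive assignees per set, flags broad system permissions,
and emits the audit spreadsheet rows (name, users, excessive perms, risk, action).
"""
import csv
import io
import sys
from collections import defaultdict

# SOQL assumed to have produced the two exports (run via Data Loader / Workbench).
PERMISSION_SET_SOQL = (
    "SELECT Id, Name, PermissionsModifyAllData, PermissionsViewAllData, "
    "PermissionsAuthorApex, PermissionsManageUsers "
    "FROM PermissionSet WHERE IsOwnedByProfile = false"
)
ASSIGNMENT_SOQL = (
    "SELECT PermissionSetId, Assignee.Id, Assignee.Name, Assignee.IsActive "
    "FROM PermissionSetAssignment WHERE PermissionSet.IsOwnedByProfile = false"
)

# Risk tiers are this example's assumption: anything that lets a user change every
# record, run arbitrary code, or create admins is High; org-wide read is Medium.
HIGH_RISK = ("PermissionsModifyAllData", "PermissionsAuthorApex", "PermissionsManageUsers")
MEDIUM_RISK = ("PermissionsViewAllData",)
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample exports (not real org data; Ids are made up).
PERMISSION_SETS_CSV = """Id,Name,PermissionsModifyAllData,PermissionsViewAllData,PermissionsAuthorApex,PermissionsManageUsers
0PS000000000001,Admin_Finance_Viewer,false,true,false,false
0PS000000000002,Test_User_Access,true,true,false,true
0PS000000000003,Sales_Rep_Basic,false,false,false,false
0PS000000000004,Old_Pilot_Access,false,false,false,false
"""
ASSIGNMENTS_CSV = """PermissionSetId,Assignee.Id,Assignee.Name,Assignee.IsActive
0PS000000000001,005000000000001,Alice Ng,true
0PS000000000001,005000000000002,Bob Reyes,false
0PS000000000002,005000000000003,Carol Ito,true
0PS000000000003,005000000000004,Dave Okafor,true
0PS000000000003,005000000000003,Carol Ito,true
"""


def _truthy(value):
    # Exports write booleans as "true"/"false"; treat anything else as false.
    return str(value).strip().lower() == "true"


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(permission_sets, assignments):
    """Return one spreadsheet row per permission set, highest risk first."""
    active, inactive = defaultdict(set), defaultdict(set)
    for a in assignments:
        bucket = active if _truthy(a["Assignee.IsActive"]) else inactive
        bucket[a["PermissionSetId"]].add(a["Assignee.Id"])

    rows = []
    for ps in permission_sets:
        flags = [f for f in HIGH_RISK + MEDIUM_RISK if _truthy(ps.get(f, ""))]
        if any(f in HIGH_RISK for f in flags):
            risk = "High"
        elif flags:
            risk = "Medium"
        else:
            risk = "Low"
        n_active = len(active.get(ps["Id"], ()))
        n_inactive = len(inactive.get(ps["Id"], ()))
        if n_active == 0:
            # Zero direct assignees; the join cannot see permission set group
            # membership, so that must be confirmed in Setup before deleting.
            action = "Delete candidate: no active assignees (confirm not in a permission set group)"
        elif flags:
            action = "Review: build a leaner replacement, migrate users, then remove this set"
        else:
            action = "Keep: re-check assignees against the role baseline"
        rows.append({
            "Permission Set Name": ps["Name"],
            "Users Assigned": n_active,
            "Inactive Assignees": n_inactive,
            "Excessive Permissions": "; ".join(flags),
            "Risk Level": risk,
            "Action": action,
        })
    rows.sort(key=lambda r: (RISK_ORDER[r["Risk Level"]], -r["Users Assigned"]))
    return rows


def audit_csv(permission_sets_csv, assignments_csv):
    return audit(load_rows(permission_sets_csv), load_rows(assignments_csv))


def sample_audit():
    """Run the audit over the constructed sample exports above."""
    return audit_csv(PERMISSION_SETS_CSV, ASSIGNMENTS_CSV)


if __name__ == "__main__":
    rows = sample_audit()
    writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
```

Feed audit_csv the text of your real exports and the output is the spreadsheet, already sorted so the High rows are on top. The Inactive Assignees column is there on purpose: a set whose only assignees are deactivated users looks orphaned in the Setup UI but is not, and the access returns the moment someone reactivates the account. Object-level "Modify All" and "View All" live in ObjectPermissions rather than PermissionSet, so add that export as a third input if you want them in the same sheet.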
Remediation tip: Never delete permission sets that are still assigned to active users. Instead, create a new, lean set, assign it, verify the users can still do their jobs, then remove the old assignments and delete the old set. Until the old assignment is removed, a user holds the union of both sets, so the cutover is not finished until the old one is gone. In a recent audit, we reduced permission sets by 37% without disrupting users by following this.
Manual audits are tedious but unavoidable. Third-party tools might promise speed, but they don't replace understanding your org. If you're overwhelmed, I've built a free health scan that does this automatically for you—no tools needed, just your credentials. It identifies orphaned permission sets, excessive access, and gaps against your role standards in minutes.
Stop guessing. Get your permission set house in order. Run your free health scan today—no credit card required. Your security team (and your auditors) will thank you.