
Permission Set Bloat: The Silent Security Risk in Your Salesforce Org

5 min read · By a 2x Certified Salesforce Architect · 9 years, 12+ orgs

Here's a question most Salesforce admins can't answer: how many permission sets does your average user have?

If the answer is "I don't know," you're not alone. And you probably have a problem.

What Permission Bloat Looks Like

A user joins the Sales team. They get the Sales User permission set. Then they need access to a custom app — another permission set. Then someone creates a "Fix for SF-1234" permission set to solve a ticket, and it never gets removed. Then they move to a different role but keep the old permissions.

Two years later, that user has 14 permission sets, half of which give them access they don't need and shouldn't have.

Why It Matters

How to Find It in Your Org

Run this SOQL in Developer Console:

SELECT AssigneeId, COUNT(Id)
FROM PermissionSetAssignment
GROUP BY AssigneeId
HAVING COUNT(Id) >= 10
ORDER BY COUNT(Id) DESC

Or just run a free health scan — it checks this automatically and tells you exactly who's over-permissioned.
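A follow-up to the SOQL query above, as an added example (not the author's code): anonymous Apex that applies the same threshold of 10 and then lists which permission sets each flagged user holds. The filters for active users and for profile-owned permission sets, the cap of 200 users and all variable names are assumptions added here. Without the profile filter, the row Salesforce keeps for each user's profile is counted as one assignment.

```apex
// Run in Developer Console: Debug > Open Execute Anonymous Window.
// Read-only: queries and debug output, no DML.

// 1. The article's count, limited to active users and excluding the
//    permission set that backs each profile (IsOwnedByProfile = true).
List<Id> flagged = new List<Id>();               // keeps highest-first order
Map<Id, Integer> countByUser = new Map<Id, Integer>();
for (AggregateResult ar : [
        SELECT AssigneeId, COUNT(Id) cnt
        FROM PermissionSetAssignment
        WHERE PermissionSet.IsOwnedByProfile = false
          AND Assignee.IsActive = true
        GROUP BY AssigneeId
        HAVING COUNT(Id) >= 10
        ORDER BY COUNT(Id) DESC
        LIMIT 200]) {                            // assumed cap for one review pass
    Id userId = (Id) ar.get('AssigneeId');
    flagged.add(userId);
    countByUser.put(userId, (Integer) ar.get('cnt'));
}

// 2. Fetch the labels of what each flagged user holds.
Map<Id, String> usernameById = new Map<Id, String>();
Map<Id, List<String>> labelsByUser = new Map<Id, List<String>>();
for (PermissionSetAssignment psa : [
        SELECT AssigneeId, Assignee.Username, PermissionSet.Label
        FROM PermissionSetAssignment
        WHERE AssigneeId IN :flagged
          AND PermissionSet.IsOwnedByProfile = false
        ORDER BY PermissionSet.Label]) {
    usernameById.put(psa.AssigneeId, psa.Assignee.Username);
    if (!labelsByUser.containsKey(psa.AssigneeId)) {
        labelsByUser.put(psa.AssigneeId, new List<String>());
    }
    labelsByUser.get(psa.AssigneeId).add(psa.PermissionSet.Label);
}

// 3. One line per user for the access review.
for (Id userId : flagged) {
    System.debug(LoggingLevel.INFO, usernameById.get(userId) + ' ('
        + countByUser.get(userId) + '): '
        + String.join(labelsByUser.get(userId), ', '));
}
```

Tick "Debug Only" in the log viewer to see just the per-user lines; labels such as a leftover ticket fix stand out when read next to the user's current role.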
