Role-based permissions
Roles vs profiles vs permission sets vs permission set groups is famously confusing — most orgs end up with a junk drawer of stale access nobody dares clean up.
What people actually say
✕Profile management gets driven by user complaints rather than top-down design — users ask for new permissions but never ask to remove old ones, so profiles accumulate unused access and create audit risk.
Source: Salesforce Admins, profiles and permissions guide ↗✕Even seasoned admins struggle with where roles end and profiles or permission sets begin — Salesforce itself calls this the most common and painful misunderstanding in its security model.
Source: DESelect, Salesforce roles vs profiles guide ↗✕Spinning up a new profile every time someone needs access creates years-long cleanup projects and makes onboarding new staff or partners inconsistent.
Source: Gearset, profiles to permission sets ↗
We replace the four-layer security model with what most teams actually need: three or four named roles (rep, manager, ops, admin), each backed by a few lines of policy code reviewed in git. Onboarding is one dropdown; offboarding is one click; an audit is a SQL query — no permission-set group spaghetti to inherit when the admin who built it leaves.