Permission Governance & Assignment Model

This model helps keep permission assignment safe, auditable, and scalable.

High-risk permissions to tightly control

  • Tenant Administrator
  • Log In As User
  • Generate API Tokens
  • Manage SSO Enforcement
  • All Delete permissions
  • All Activate/Deactivate permissions
  • Reindex Search Index

Assignment policy

  1. Start with the role/profile baseline.
  2. Add only the permissions required for the user’s workflow.
  3. Use “View All” permissions only when org-wide visibility is required.
  4. Document business justification for every high-risk grant.

Review cadence

  • Monthly: review new high-risk grants.
  • Quarterly: full profile/user access recertification.
  • Event-driven: immediate review after org changes, audits, incidents, or SSO/domain changes.

Common mistakes to avoid

  • Giving Delete or Activate/Deactivate permissions to broad user groups.
  • Granting Tenant Administrator as a convenience role.
  • Using one-off user-level grants instead of profile-based governance.
  • Not separating setup admins from operational users.

Dependency note

Some permissions (for example View All* entries) depend on a base view permission via all_record_permission. Assign both to avoid partial access states.
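
The checks described on this page (high-risk grants with no documented justification, one-off user-level grants, and View All entries held without their base view permission) can be run over an export of grants. The following is an added example, not the product's own code: the grant record shape, the profile and user names, the "Delete " and "Activate/Deactivate " name prefixes, and the View All to base pairs standing in for all_record_permission are all assumptions.

```python
# Added example: audit a grant export against the rules on this page.
# Names in HIGH_RISK_EXACT come from the page; the prefixes, record shape,
# subjects and VIEW_ALL_BASE pairs are constructed for illustration.
HIGH_RISK_EXACT = {"Tenant Administrator", "Log In As User", "Generate API Tokens",
                   "Manage SSO Enforcement", "Reindex Search Index"}
HIGH_RISK_PREFIXES = ("Delete ", "Activate/Deactivate ")  # assumed naming scheme

# Assumed shape of the all_record_permission link: View All entry -> base view permission.
VIEW_ALL_BASE = {"View All Cases": "View Cases", "View All Accounts": "View Accounts"}

# Constructed sample export: one record per grant.
SAMPLE_GRANTS = [
    {"subject": "profile:Support Agent", "scope": "profile", "permission": "View Cases"},
    {"subject": "profile:Support Agent", "scope": "profile", "permission": "View All Cases"},
    {"subject": "profile:Sales Rep", "scope": "profile", "permission": "View All Accounts"},
    {"subject": "profile:Setup Admin", "scope": "profile",
     "permission": "Tenant Administrator", "justification": "Owns tenant setup"},
    {"subject": "user:jdoe", "scope": "user", "permission": "Delete Cases",
     "justification": ""},
]

def is_high_risk(perm):
    return perm in HIGH_RISK_EXACT or perm.startswith(HIGH_RISK_PREFIXES)

def audit(grants):
    """Return sorted (subject, permission, finding) tuples for a list of grant records."""
    held = {}
    for g in grants:
        held.setdefault(g["subject"], set()).add(g["permission"])
    findings = []
    for g in grants:
        subj, perm = g["subject"], g["permission"]
        if is_high_risk(perm) and not g.get("justification", "").strip():
            findings.append((subj, perm, "high-risk grant without justification"))
        if g["scope"] == "user":
            findings.append((subj, perm, "one-off user-level grant"))
        # Checked within the same subject only: both entries should be assigned together.
        base = VIEW_ALL_BASE.get(perm)
        if base and base not in held[subj]:
            findings.append((subj, perm, f"partial access: missing base '{base}'"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(" | ".join(finding))
```

Running the same function over each month's new grants and over the full export each quarter matches the review cadence above.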