As a Salesforce admin, architect or CRM leader, one of the core challenges is trying to understand what is the advantage, risk in assiging all users to the default standard salesforce admin profile. Most of the organizations take either of the 2 following approaches. They either assign all admin level users to the standard system admin profile or create a cloned system admin profile and assign all users and never use the standard sytem admin profile. On top of this , there is also a need for delegated admin permissions for some users for a period of time like your contractors, business admins which adds to the level of complexity. The fact is that the standard salesforce admin profile is not going away and thinking in avoiding the standard system admin profile completely or using it fully ends up in unwarranted risks. So here are the 2 questions which all architects, admins do.
- What is the real advantage in using Standard Salesforce admin profile and who are the users who should access it?
- How can we decide which type of users should use the standard system admin profile vs the cloned system
My blog below will help you answer these questions.

Advantage of using Standard System admin profile
By default every salesforce org comes with a Standard system admin profile. This is provided by Salesforce as a place holder for organizations to understand what all permissions belong to a standard system admin. Now here is the real value of using the standard system admin. Here is the key advantage for users who get Standard system admin profile
- Proactive instance management: All the users who are part of the standard system admin profile get trust notifications from Salesforce on key notifications about system status, maintenance schedules, and critical updates. Additionally, admins can register on the Salesforce Trust website (https://trust.salesforce.com) to receive real-time notifications for scheduled maintenance, updates, or unplanned outages specific to their Salesforce instance. This ensures proactive instance management.
- Default Contact for Salesforce Support: The standard System Admin profile often acts as the primary contact point for Salesforce Support. This is crucial for immediate assistance with issues like data recovery, critical incidents, or security concerns.
- Built-in Access for Monitoring and Reporting: The profile ensures automatic access to security-related monitoring tools and dashboards that Salesforce might release, often streamlining the process of monitoring health and compliance.
Risk in Using the Standard Salesforce security
Given the advantage of using Salesforce system admin profile, there is one risk in assigning all users to the standard system administration profile. This profile is prone to Salesforce release changes and will have updates made by Salesforce on their releases. So it is important to test this profile during every salesforce release and ensure no impact.

Given the risk on release impact, what kind of users makes sense to be assigned to Salesforce system admin profile?
Given the impact of salesforce releases, it is important to keep the number of users minimal assigned to Salesforce system admin profile. Here are examples of users who should be assigned to Salesforce system admin profile.
- Salesforce admins who are responsible for the org.
- IT leaders who are responsible for hypercare, post production support.
- Business admins who would need to be notified on Salesforce down times.
Based on the above example, here are some key criterias on selecting the user for system admin profile.
- Users who would need to be notified on salesforce down time, release updates and issues.
- Users who are responsible for testing salesforce releases.

Given the direction for Salesforce to use permission sets, does the cloned system admin profile make sense?
Since Salesforce is moving towards a permission set based system, the cloned system admin profile which is cloning the salesforce system admin profile does not make sense. Here are the reasons for it.
- If you need to create admin level permissions to users, creating permission sets for those permissions will be the right away and assign the users to them.
- In the new permission set strategy, every user will have a base profile and will have permission sets on a delegated basis based on needs.
If I have a cloned system admin profile in my org, what can I do now with it along with default Salesforce system admin profile?
It was a best practice before to have a cloned system admin profile which was a copy of the salesforce admin profile. Here are couple of things you can do now to prepare for permission set migration and reduce risks.
- Ensure you have atleast 1 to 2 users assigned to the standard salesforce system admin to make use of the benefits listed above.
- Start decoupling your admin level permissions to high, moderate and low risk and start creating permission sets for them.
- Engage with IT, Business and info sec teams to ensure that your permissions categorizing is aligned with business, info sec and IT policies.
- Plan for migrating the users to the permission sets on releases.
To summarize, here are 3 key take aways for you on managing your standard salesforce system admin profile.
- Keep the number of users on Standard salesforce system admin profile to a minimum less than 10.
- Only have users who would need to be notified on salesforce trust notifications and salesforce releases to have salesforce system admin profile.
- Plan to migrate to permission sets if you are using a cloned system admin profile
As always you are welcome to reach out to me at buyan@eigenx.com or feel free to post your comments below.
Please subscribe
Subscribe to our mailing list and get tips to maximize salesforce to your email inbox.
I am honored to have your subscription. Stay tuned for tips to maximize your salesforce investment
Something went wrong.