Strategy
- Profile = baseline; Permission Sets = grants
- Use one Permission Set Group per role; avoid an explosion of custom profiles
Steps to implement
- Inventory objects/fields and owners
- Define the role hierarchy and Org-Wide Defaults (OWD)
- Create thin profiles (login hours/IP ranges, minimal permissions)
- Add Permission Sets / Permission Set Groups (PS/PSGs) for object, field and system permissions
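Added example (not part of these notes): a small Python model of the layering above. It assumes the hypothetical role, permission set and ceiling names shown, and checks two things: that a profile carries no grants that belong in a permission set, and that a role's effective access (profile baseline plus its group's sets, which only ever add) does not exceed what the role was meant to get.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    kind: str    # "object", "field" or "system"
    target: str  # e.g. "Account", "Opportunity.Amount", "ModifyAllData"
    level: str   # "Read"/"Edit"/"Delete" for object and field, "Enabled" for system

# Rank access levels so a grant can be compared against a role's ceiling.
LEVEL_RANK = {"None": 0, "Read": 1, "Edit": 2, "Delete": 3, "Enabled": 1}

def effective_perms(profile_perms, groups):
    """Profile baseline plus every permission set in every assigned group.
    Permissions are additive: nothing in this layering ever removes access."""
    out = set(profile_perms)
    for permission_sets in groups.values():
        for perms in permission_sets.values():
            out |= perms
    return frozenset(out)

def non_thin_profile_perms(profile_perms):
    """Grants that should live in a permission set rather than on the profile."""
    return {p for p in profile_perms if p.kind in ("object", "field", "system")}

def over_grants(effective, ceiling):
    """Grants above the role's intended ceiling (dict (kind, target) -> max level).
    Anything not listed in the ceiling is treated as not allowed at all."""
    return {p for p in effective
            if LEVEL_RANK[p.level] > LEVEL_RANK[ceiling.get((p.kind, p.target), "None")]}

# Constructed sample data for a hypothetical org (not real configuration).
THIN_PROFILE = frozenset()   # login hours / IP ranges stay on the profile; not modelled
BLOATED_PROFILE = frozenset({Perm("object", "Account", "Delete"),
                             Perm("system", "ViewAllData", "Enabled")})
# One permission set group per role: group name -> {permission set name -> grants}
SALES_REP_GROUPS = {"Sales Rep": {
    "Sales Objects": frozenset({Perm("object", "Account", "Edit"),
                                Perm("object", "Opportunity", "Edit")}),
    "Sales Fields":  frozenset({Perm("field", "Opportunity.Amount", "Edit")}),
    "Reporting":     frozenset({Perm("system", "RunReports", "Enabled"),
                                Perm("system", "ModifyAllData", "Enabled")}),  # slipped in
}}
SALES_REP_CEILING = {("object", "Account"): "Edit", ("object", "Opportunity"): "Edit",
                     ("field", "Opportunity.Amount"): "Edit", ("system", "RunReports"): "Enabled"}

if __name__ == "__main__":
    print("profile grants to move into sets:", non_thin_profile_perms(BLOATED_PROFILE))
    eff = effective_perms(THIN_PROFILE, SALES_REP_GROUPS)
    print("over-grants for Sales Rep:", over_grants(eff, SALES_REP_CEILING))
```

Running it flags the Modify All Data grant hiding in the "Reporting" set, which is the kind of system permission that inflates a role well past its ceiling.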
Sharing tools
- Criteria-based sharing rules, Teams, Manual sharing, Apex managed sharing for edge cases