CRM Analytics Licenses & Permission Sets Explained

Understand the CRM Analytics Plus permission-set license versus permission sets, and how Manage Analytics and scoped permission sets grant the right access to each user.

Licenses & Permission Sets

To turn a Salesforce user into a CRM Analytics user you grant two different things, and beginners constantly mix them up. This lesson pins down the difference between a permission-set license and a permission set, then shows how permission sets let you scope access from all-powerful admin down to a single capability.

The license: a permission-set license (PSL)

The CRM Analytics Plus entitlement is delivered as a permission-set license, or PSL. A PSL is not the same as a user's profile license — it is an add-on you assign directly on the user record that says, in effect, "this person is entitled to CRM Analytics."

The PSL is the seat you paid for. Assigning it does not by itself grant any specific ability — it only unlocks the right to be granted those abilities through a permission set. License first, capabilities second.

Alongside the core CRM Analytics Plus PSL you may see related, app-specific licenses — for example entitlements tied to prebuilt analytics apps such as Sales Analytics or Service Analytics. These sit next to the main license and enable the templated app content, but the pattern is the same: a license entitles, a permission set authorizes.

The permission set: what actually grants access

Once the license is in place, one or more permission sets do the real work of authorizing what the user can do. Salesforce ships a set of analytics System Permissions, and you switch them on by including them in a permission set and assigning that set to the user.

At the top of the pile sits one all-powerful permission:

Manage Analytics is the master key. A user with Manage Analytics can do essentially everything in CRM Analytics — create and edit apps, dashboards, datasets, connections, and dataflows, and manage other users' assets. Reserve it for administrators and platform owners, not everyday users.

For everyone else, you compose scoped permission sets that switch on only the capabilities a role actually needs. A few common building blocks:

Use Analytics

The baseline permission to open the Studio and view analytics assets shared with the user.

Create and edit dashboards

Lets a user build and modify dashboards and lenses, without granting data-engineering rights.

Create apps

Allows the user to create apps (folders) to organize and share their own analytics content.

Download data

Permits exporting query results and dashboard data to CSV or Excel — often restricted for governance.

Composing the right access

Because permissions are granular, you can tailor access precisely. A dashboard builder might get Use Analytics, Create and edit dashboards, and Create apps — but not the ability to add data connections or edit dataflows. A pure viewer might get only Use Analytics and nothing else. An analyst who needs to pull data out might additionally get Download data.

The best practice is least privilege: start from what the role truly needs and add only those permissions, rather than handing out Manage Analytics to avoid thinking about it. You will build exactly this kind of scoped permission set by hand in the hands-on lesson later in this section.

Next up: two special, behind-the-scenes users that CRM Analytics relies on — starting with the Integration User.

Discussion

No comments yet — be the first to start the discussion.