SimplePerm vs. Manual Migration: Why Free Tools Beat Spreadsheets

We have seen teams spend three months on what should take an afternoon.

The scenario repeats across every Salesforce org we work with at Simplementix. A capable admin decides to tackle the permission set migration. They export their profiles, open a spreadsheet, and start mapping permissions. Two weeks in, the spreadsheet has 40 tabs. The admin has discovered permission conflicts nobody knew existed. The project gets quietly shelved. The org stays on profiles. Security debt grows. The admin moves on to the next fire.

This is not a skill problem. The admins who attempt manual migration are often the most technically proficient people on the team. Manual approaches just do not scale to the complexity of a real Salesforce org with years of accumulated permission decisions baked in.

Better options exist. Some are free. Some cost less than a single day of consultant time per month. The best approach combines automation for the migration itself with intelligence for what comes after.

Here is an honest comparison of the paths available.

The Manual Approach: What It Actually Takes

A mid-size Salesforce org, say 200 to 500 users with 15 to 30 profiles and five-plus years of accumulated permissions, presents a real migration challenge. Here is what the actual work looks like.

Discovery and mapping alone runs 15 to 25 hours. Before changing anything, you need a complete picture of the current state. That means exporting every profile's object permissions, field-level security settings, and system permissions. Then mapping each profile to a target permission set structure. Then comparing profiles to identify shared permissions that could become Permission Set Groups versus unique permissions that need individual permission sets.

This mapping step is where most projects stall. A single profile can have hundreds of field-level security assignments across dozens of objects. Comparing 20 profiles against each other to find common patterns is work spreadsheets were never designed for. The data volume is manageable. The relationships between permissions are not. You need to understand not just what each profile grants, but how those grants interact when users hold multiple profile-based permissions.

Implementation takes another 15 to 30 hours. With a mapping document in hand, the admin creates permission sets one at a time in Salesforce Setup. Each permission set requires setting object permissions, field-level security, and system permissions individually. For a migration that produces 30 to 50 permission sets (a typical number for a mid-size org), this is repetitive, detail-oriented work where a single missed checkbox can break a business process.

Then come Permission Set Groups. These are the organizational layer that makes permission sets manageable at scale. Deciding which permission sets to group together requires understanding role relationships, and implementing those groups means yet another round of configuration.

Testing and validation adds 10 to 25 more hours. After implementation, every permission set needs testing. Does each user still have access to the records, fields, and features their role requires? Are there permission interactions that produce unexpected access? Do all business processes, from automation to flows to reports, still function correctly?

Testing is where the Phase 2 errors surface. A field-level security setting missed on one object breaks a report that three teams rely on. A system permission omitted from a permission set prevents a user from running a flow they use daily. Each fix requires tracing back to the mapping, updating the permission set, and retesting.

All told, expect 40 to 80 hours for a mid-size org. Larger orgs with 1,000-plus users, 50-plus profiles, and complex sharing rules can exceed 100 hours.

That estimate assumes the migration goes smoothly. It does not account for institutional knowledge: understanding why each permission was granted, which ones are still needed, and which are artifacts of decisions made by admins who left the company years ago.

What "Free" Tools Actually Offer

Several free options exist for teams that want to automate the basic conversion step without doing everything by hand.

Native Salesforce tooling gives you the permission set creation UI in Setup and a basic permission comparison that handles two profiles at a time. It is the minimum viable path. You can create permission sets and manually assign permissions through point-and-click configuration, but there is no automated migration, no bulk conversion, and no structural recommendations.

Free AppExchange utilities like Permatrix offer profile-to-permission-set conversion. They automate the most tedious part of implementation, creating permission sets that mirror existing profiles. That saves real time.

The limitation every free tool shares: they handle one-time conversion and stop there. They do not analyze whether the permissions being converted are appropriate. They do not recommend an optimal permission set structure. They offer nothing for what happens after migration, which is the ongoing governance challenge of keeping permissions right-sized as the org evolves.

This gap matters more than people realize. A one-time conversion transfers your existing permission model from profiles to permission sets, including all the over-permissioning, redundancy, and stale access that accumulated over the years. You have changed the data model but not improved the security posture.

Where SimplePerm Fits

SimplePerm by Simplementix is designed to approach permission set migration differently from both manual processes and existing free tools. The free tier's one-click migration wizard will handle profile-to-permission-set conversion the same way other free tools do. Where it diverges is what comes before, during, and after that conversion.

The Free Migration Wizard

SimplePerm's free tier will include a migration wizard designed to run entirely within your Salesforce org as a managed package. No data leaves your Salesforce trust boundary. The wizard walks through a structured process: select the profiles to migrate, review a preview of the resulting permission sets, execute the migration, and validate the results.

For teams that just need the basic conversion, the migration itself without the optimization, the free wizard will handle it. This will be comparable to what other free tools offer. It will be genuinely free with no trial period or feature locks on the migration functionality.

Pro: AI-Powered Intelligence (Planned)

The Pro tier is where SimplePerm will separate from every other tool in this category. Built on AI and machine learning, the AI recommendation engine is designed to do what no manual process or free tool can: analyze the full permission structure and recommend optimizations.

The AI will identify over-permissioned users by comparing assigned permissions against usage patterns. It will detect redundant permission sets where multiple sets grant overlapping access. It will recommend how to organize Permission Set Groups for clarity and maintainability. It will flag security risks that manual reviews consistently miss.

The result is not just a migration but a modernization. SimplePerm's AI is designed to find and reduce over-permissions, not by removing access users need, but by surfacing the structural redundancies and stale permissions that accumulate in every profile-based org.

Planned Pro features include advanced analytics dashboards, premium role-based templates, unused permission detection, and change history for tracking permission drift.

Enterprise: Compliance Automation (Planned)

For organizations in regulated industries, the planned Enterprise tier will add compliance automation covering SOC 2, HIPAA, PCI, SOX, and GDPR frameworks. It will include multi-org dashboards for companies managing multiple Salesforce instances, a least-privilege analyzer, permission set templates, scheduled access reviews, and API access for tying into existing governance tooling.

The Comparison: SimplePerm vs. Alternatives

Here is how the available approaches stack up across the factors that actually matter.

On migration speed, manual migration takes 40 to 80 hours. Free tools (including SimplePerm's free tier) reduce the implementation phase to minutes by automating the conversion. SimplePerm Pro will add analysis time on the front end but is designed to produce a better result: optimized permissions, not just converted ones.

On cost, manual migration has zero licensing fees but eats 40 to 80 hours of admin time. At a fully loaded cost of $75 to $150 per hour for a Salesforce admin, that is $3,000 to $12,000 in labor. Free tools cost nothing. SimplePerm will offer advanced tiers at a fraction of enterprise platform pricing. Enterprise alternatives, platforms like Own Secure or add-on governance tools, run thousands per month. SimplePerm is designed to deliver governance capabilities without the enterprise price tag.

On ongoing governance, the options diverge sharply. Manual migration and free tools produce a point-in-time result with no ongoing governance. The permission model starts degrading the day after migration as new users are onboarded and permissions are granted ad hoc. SimplePerm Pro is designed to provide continuous AI-powered monitoring and recommendations. Enterprise tools provide full compliance automation and scheduled reviews.

On accuracy, manual migration is only as accurate as the person executing it. Free tools accurately convert what exists but do not evaluate whether what exists is correct. SimplePerm Pro is designed to evaluate permission appropriateness and recommend improvements. Enterprise tools add compliance-specific accuracy checks against regulatory frameworks.

On data security, manual processes keep everything within Salesforce. Free tools vary, so check whether they export data externally. SimplePerm's free tier is designed to run entirely within the Salesforce trust boundary. SimplePerm Pro will send only permission metadata (not customer data or PII) to its cloud AI, using OAuth 2.0 and AES-256 encryption. Enterprise tools typically require broader data access.

When Each Approach Makes Sense

Manual migration works when your org has fewer than five profiles, minimal complexity, and an admin with time to dedicate. For a simple org, a spreadsheet and a week of focused work can produce a clean result.

Free tools (including SimplePerm Free) work when you need the basic conversion automated but do not have budget for ongoing governance. They save the 15 to 30 hours of manual implementation time. The trade-off: you get converted permissions, not optimized ones, and no ongoing monitoring. SimplePerm's free tier will deliver this capability once launched.

SimplePerm Pro will work when you want to use the migration as an opportunity to right-size your permissions, reduce over-permissioning, and set up ongoing governance. At a fraction of enterprise costs, it will deliver continuous AI-powered optimization rather than a one-time migration.

Enterprise tools work when regulatory compliance is a hard requirement, you manage multiple Salesforce orgs, and you need integration with existing security governance platforms. The price tag is justified by the compliance automation, but the starting cost puts these tools out of reach for most mid-market organizations.

The Real Question

The "I can do this myself" instinct is understandable. Salesforce admins are resourceful professionals who solve complex problems daily. Permission set migration is technically within their capability.

But the question is not whether you can do it manually. The question is whether that is the best use of 40 to 80 hours of a skilled admin's time, especially when free tools can automate the conversion in minutes and an AI-powered service is designed to optimize the result in ways no spreadsheet ever will.

The free migration wizard handles the conversion. The Pro tier's AI is designed to handle the optimization. The time your admin saves goes back to the projects that actually need human judgment.

Join the waitlist at simplementix.com/simpleperm. No spreadsheets required.

Related articles

How AI-Powered Recommendations Eliminate Salesforce Over-Permissioning

Most Salesforce orgs do not discover they are over-permissioned until something forces the question. AI-powered analysis can identify and eliminate excessive permissions at scale.

Read Article →

Introducing SimplePerm: Migrate Salesforce Profiles to Permission Sets in Minutes

SimplePerm by Simplementix is a free Salesforce AppExchange tool that migrates profiles to permission sets in minutes. AI-powered Pro and Enterprise tiers.

Read Article →