Think in layers: one profile per user, then zero or more permission sets. For objects and fields, effective access is usually the combination of everything assigned — like stacking clear sheets on an overhead projector.
Profile is fixed below. Toggle each permission set on or off. Green = that object right is included in the merged access (simplified CRUD labels).
Profile (always on)
Minimum Access — Sales
| Object | Read | Create | Edit | Delete |
|---|---|---|---|---|
| Account | ✓ | ✓ | ✓ | — |
| Contact | ✓ | ✓ | ✓ | — |
| Opportunity | ✓ | ✓ | ✓ | — |
Field-level access (FLS) stacks the same way
Pick a field — badges show whether Read or Edit is in the merged profile + assigned sets. This is what Apex can respect when you enforce FLS in code.
Myth vs reality — tap a card
Where this shows up
// You don't type this in Apex — but the running user's // profile + permission sets decide what Setup allowed. User u = [SELECT Id FROM User WHERE Username = :username LIMIT 1]; // Apex can query with sharing / enforce FLS to match that user.