A user's baseline permissions are determined by their assigned profile. To meet the requirement of allowing Read, Create, and Edit access while explicitly denying Delete access, the most appropriate and secure method is to create a custom profile. This profile can be configured with the precise object-level permissions needed (Read, Create, Edit checked; Delete unchecked). Assigning this custom profile to the user ensures they have exactly the permissions required for their role, adhering to the principle of least privilege.

A. The standard System Administrator profile grants "Modify All Data," which includes the ability to delete all records, directly violating the core requirement of restricting deletion.

B. The role hierarchy and "View All" access control record-level visibility, not the fundamental object-level permissions (like Create, Edit, or Delete) that a user can perform.

D. Permission sets are used to grant additional permissions to users, not to restrict them. A permission set cannot remove the Delete permission if it is already granted by the user's base profile.

1. Salesforce Help - Control Access to Objects: "Object permissions determine the kinds of records (such as contacts or accounts) users can view

create

edit

or delete. You set object permissions in profiles and permission sets." This establishes that profiles are the primary tool for setting these baseline permissions.

2. Salesforce Help - Profiles: "Profiles define how users access objects and data

and what they can do within the application... For example

you can use profiles to grant a user Create and Edit permissions on an object but not Delete permission." (Found under User Management > Profiles).

3. Salesforce Help - Permission Sets: "Permission sets extend users’ functional access without changing their profiles... Use a permission set to grant additional permissions and access settings to a user." This highlights that permission sets are for additive permissions

not for creating baseline access or restrictions.