The optimal solution is to clone the existing Sales Rep profile. This new, cloned profile can then be modified to grant access to the new application's components (e.g., objects, tabs, Visualforce pages) while simultaneously revoking access to the legacy functionality. Assigning this new profile to the small set of pilot users ensures they have the correct permissions without impacting the majority of sales reps who remain on the original profile. This approach correctly uses profiles to define a user's baseline access, which includes both granting and restricting permissions.

B. Revoke access to legacy functions in the Sales Rep profile and create a permission set for the new functionality.

This is incorrect because modifying the base Sales Rep profile would revoke legacy access for all sales reps, not just the pilot group, disrupting business operations.

C. Create a permission set to grant access to the new functionality and hide the old functionality.

This is incorrect because permission sets are additive; they can only grant permissions, not revoke or hide access that is already granted by a user's base profile.

---

1. Salesforce Help Documentation - "Profiles":

Content: "Profiles define how users access objects and data, and what they can do within the application... A profile is a collection of settings and permissions that determine what users can see... and what they can do."

Reference: Salesforce Help, Article "Profiles". This establishes that a profile is the correct tool for defining a user's fundamental access, which includes what they can and cannot see/do.

2. Salesforce Help Documentation - "Permission Sets":

Content: "A permission set is a collection of settings and permissions that give users access to various tools and functions... Permission sets extend users’ functional access without changing their profiles."

Reference: Salesforce Help, Article "Permission Sets". This source confirms that permission sets are for extending or granting additional access, not for revoking permissions already granted by the profile, which is a key requirement of the scenario.

3. Trailhead - "Data Security" Module, "Control Access to Objects" Unit:

Content: "The principle of least privilege states that you should only give users the access they need to do their jobs... While both profiles and permission sets are used to configure a user’s permissions, they serve different purposes... A user can have only one profile, but they can have multiple permission sets. When a user’s permissions are determined, Salesforce takes the union of all permissions from the user’s profile and any assigned permission sets."

Reference: Trailhead, Data Security Module. This reinforces that permissions are cumulative and that a permission set cannot override a profile to remove access. To create a different baseline of access (adding new and removing old), a different profile is required.