
Explore new features of Permission Sets and Permission Set Groups



1. Introduction 

In the last few years, there has been a significant change in how user permissions are handled in Salesforce. When I started my career in Salesforce as a Developer, it was just profiles, and later Salesforce introduced permission sets, when there was a need to give additional permissions to specific users who belong to the same profile.

Later Salesforce introduced the Permission Set Groups where we can combine multiple Permission Sets and assign them to a specific user.

Now the direction from Salesforce is to use minimal profiles and assign Permission Set Groups to users based on their job description or Persona. 

The advantage here is that the same permission set can be added to multiple groups, and access is easy to control. Earlier, whenever a specific user needed some additional features, we would end up creating a new profile.

In this post let us see some of the latest features from Salesforce to handle Permission Sets and Permission Set Groups.

2. Permission Set Overview

Permission Sets help to extend a user's access with additional permissions. A user can be assigned multiple permission sets, or we can combine multiple Permission Sets into a Permission Set Group and assign that Permission Set Group to a user.

Example - If the Account Organization-Wide Default is private, and we need to give specific users Read All permission, we can create a separate Permission Set with just Account - View All and assign it to the users who need it.

3. Permission Set Group Overview

A Permission Set Group helps to combine related permission sets and assign them to users based on their job role. The same permission set can be added to multiple Permission Set Groups, and a single Permission Set Group can hold multiple Permission Sets.

4. Scenario Overview - Opportunity Access Control

We have 2 Sales Personas in the system. 

  • Sales Manager
  • Sales Rep
The expected access:
  • Sales Manager - Create, Read and Edit
  • Sales Rep - Read and Edit
Opportunity OWD is private.

To control the above access, we have defined the below Permission sets:

  • Opportunity Create



  • Opportunity Edit


  • Opportunity Modify All

And let us create 2 Permission Set Groups with the below Permission Set Assignment:

  • Sales Manager


  • Sales Rep


Instead of the traditional approach of creating 2 different profiles and assigning one each to Sales Manager and Sales Rep, we are going to give a single profile, Sales, to both Personas. Each will then be assigned a specific Permission Set Group to control access.

Now let us explore some new features, and how they can be used to accomplish some of our requirements. 

Requirement - Give Modify All Permission to Sales Managers for a specific period of time. We can achieve this in multiple ways.

5. Permission Set Expiry Date

Suppose we need to give all Sales Managers access to Modify All on Opportunities for a specific period of time. Let us see how we can achieve this using the Expiry Date feature.

Follow the below steps to achieve this:

1. First, enable this feature in User Management Settings under Setup


2. Create a new User - John Doe and assign him the Sales Profile. Also, assign him the Sales Manager Permission Set Group


3. Since we need to give this user Modify All permission temporarily, open the Permission Set and click on Manage Assignments


Click on Add Assignment and select the user to add


Click on Next, and you can see that by default no expiry is set:


We can change this to select an expiry date; in our case, let us choose 1 week


Click on Assign, and you can see it got assigned successfully:


So John Doe will have Modify All permission for 1 week; after 1 week it is removed automatically, and we don't need to do anything for that.

6. Muting Permission Set

A muting Permission Set is used to remove specific access that is already granted as part of a Permission Set Group. One Permission Set Group can have only one muting Permission Set.

Now let us try to solve giving Modify All permission to the Sales Manager in a different way.

Add the Modify All Permission Set to the Sales Manager Permission Set Group as shown below:

You can log in as John Doe and verify that all Opportunities are visible to this user now.

Now you want to remove Modify All Permission from John Doe. Let us see how we can do this with a muting Permission Set. For this, follow the below steps:

1. Open Sales Manager Permission Set Group and you can see muting permission sets there:


2. Click on that and you will get a New button. Click on New


3. Save this and open this Permission Set. Click on Object Settings, then click on Opportunity and edit it. Select Muted for Modify All and View All as shown below:


4. Save this. Now try to access an opportunity that was visible to John Doe. You can see it is no longer accessible.


When we need to give this access again, we just need to remove these muted settings.
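
How the expiry date (section 5) and the muting Permission Set (section 6) combine, as an added example that is not part of the original post and is not Salesforce code. It is a simplified Python model: the permission names, the contents of each permission set, the group membership, the user Jane Roe and the dates are all assumptions. It shows that muting removes access only inside the group, so a direct assignment still grants Modify All until it expires.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Simplified model, not the Salesforce API. Permission names, permission set
# contents, group membership, users and dates are constructed for illustration.
PERMISSION_SETS = {
    "Opportunity Create": {"Opportunity.Create", "Opportunity.Read"},
    "Opportunity Edit": {"Opportunity.Read", "Opportunity.Edit"},
    "Opportunity Modify All": {"Opportunity.ViewAll", "Opportunity.ModifyAll"},
}

@dataclass
class Group:
    members: list                            # permission set names in the group
    muted: set = field(default_factory=set)  # the group's one muting permission set
    def permissions(self):
        granted = set().union(*(PERMISSION_SETS[m] for m in self.members))
        return granted - self.muted          # muting only affects this group

@dataclass
class Assignment:
    user: str
    target: str                     # permission set name or group name
    expires: Optional[date] = None  # None means no expiry

GROUPS = {
    "Sales Manager": Group(list(PERMISSION_SETS),  # all three sets (assumed)
                           muted={"Opportunity.ViewAll", "Opportunity.ModifyAll"}),
    "Sales Rep": Group(["Opportunity Edit"]),
}
ASSIGNMENTS = [
    Assignment("John Doe", "Sales Manager"),
    Assignment("John Doe", "Opportunity Modify All", expires=date(2024, 1, 8)),
    Assignment("Jane Roe", "Opportunity Modify All"),
]

def granted_by(a):
    return GROUPS[a.target].permissions() if a.target in GROUPS else PERMISSION_SETS[a.target]

def effective(user, today):
    """Union of the user's live assignments (expiry date inclusive, a modelling choice)."""
    live = [a for a in ASSIGNMENTS
            if a.user == user and (a.expires is None or today <= a.expires)]
    return set().union(*(granted_by(a) for a in live))

def standing_grants(permission):
    """Assignments granting `permission` with no expiry date: review candidates."""
    return [(a.user, a.target) for a in ASSIGNMENTS
            if a.expires is None and permission in granted_by(a)]
```

Calling `standing_grants("Opportunity.ModifyAll")` lists only Jane Roe's direct, non-expiring assignment; John Doe's group grant is muted and his direct grant carries an expiry date.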

Now let us explore some additional features:

7. FLS to Permission Sets on New Field Creation/Edit

Until Winter '23 there was no option to give Field Level Security to Permission Set Groups during field creation. Now we can enable this option under User Management Settings:



Once you enable this, when you create a new field you no longer get profiles; instead, you get Permission Sets for which to enable the field:



8. Permission Set Analyzer

Managing and reporting on Permission Sets and Groups was a bit difficult until now; thanks to a Salesforce Labs product, this is now easy.

All the details of how to install and configure this application are mentioned here.

The App is available here

This App has the below major features:

1. Permissions Analyzer

This has the below capabilities:

  • Analyze Permissions Assigned to a User

  • Analyze by Assigned Permissions

  • Analyze Permission Set Group Details

2. Converter

Convert existing profiles to Permission Sets


3. Report

Report on all the permissions that are enabled in your org, or report on all user access permissions. You can create a report with the User Access and Permissions Assistant that you can review and export.




We can also export the report.

4. Manage

Used to manage Permission Set Groups


Manage Assignments



Manage Permission Set Groups


9. Considerations
  • Permission Sets/ Permission Set Groups cannot handle the below settings:
    • Defaults such as Default Apps, Default Tabs, Default Record Types
    • Page Layout Assignments
    • Login IP Ranges/Login Settings
  • Create Permission Set Groups based on user Persona
  • It is better to keep similar types of permissions in a single permission set, so that we can assign the same permission set to multiple Permission Set Groups
  • You can add up to 100 permission sets to a permission set group
  • When viewing Permission Set Groups in a list view, no actions are available in the list view dropdown menu.
  • When a permission set is part of a group, you can still assign the individual permission set, apart from the permission set group, to specified users as needed.
You can watch the demo of all these features in the below video:



References:
  • https://help.salesforce.com/s/articleView?id=sf.perm_sets_overview.htm&type=5
  • https://help.salesforce.com/s/articleView?id=sf.perm_set_groups.htm&type=5
  • https://help.salesforce.com/s/articleView?id=sf.perm_uapa.htm&type=5
  • https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000FeF99UAF&tab=r
