Managing permissions within Salesforce can often be complex and error-prone, especially when performed manually for large organizations.
Therefore, it’s great news to see the introduction of User Access Policies in Salesforce, marking a significant advancement in how admins can manage user permissions. This development not only enhances efficiency and security but also significantly improves the overall user experience.
“Automating permission assignments with User Access Policies has the potential to save countless hours that would otherwise be spent on manual configurations or building complicated flows,”
Patrick Reed, Revenue Systems Administrator at Affinity
Understanding User Access Policies
User Access Policies in Salesforce are a powerful new tool designed to streamline and automate the assignment of user permissions.
Previously, many admins relied on flows to manage user permissions, but between designing the flow, building the flow logic, adding actions, and testing and maintaining the flow, it could get quite complicated.
With the introduction of User Access Policies, admins may no longer have to rely on these kinds of complex flows in the future. User Access Policies offer a more streamlined, scalable way to manage permissions. The administrative workload is significantly reduced and simplified.
Key benefits include:
- Automation of permission assignments reduces manual tasks.
- Consistency in user access across the organization.
- Scalability allows for efficient management as the organization grows.
- Enhanced security through dynamic permission adjustments.
- Ease of compliance with internal and external regulations.
- Significant reduction in admin workload.
“Personally, it will take some further refinement of the solution for me to move access provisioning from Flows to User Access Policies,” Reed says, “but it will likely serve teams that leverage consultants and don’t have in-house admins, as the User Interface on UAP is easier to digest.”
This is because it’s a single, simple line of logic that applies to one set of users and is relatively easy to change.
Simplifying Salesforce Permission Management
The introduction of User Access Policies is not just about adding a new feature—it redefines and significantly improves the process of permission management within Salesforce.
Let’s explore why admins should take advantage of this new feature.
- Streamlined Permission Assignment: User Access Policies enable sweeping permission automations, minimizing manual configurations (or other workarounds) and simplifying the elaborate process of permission assignments.
- Consistency and Reduced Errors: The system ensures uniform permission assignments, significantly reducing the likelihood of human errors.
- Enhanced Security: Permissions can dynamically adjust when there are changes (e.g. department, division, title, role, or status changes), maintaining system security with minimal manual intervention.
- Improved Onboarding and Offboarding: Automating permission processes ensures a seamless transition for users entering or leaving the organization.
- Scalability: Access policies are designed for easy scalability, effectively accommodating a growing number of users without additional complexity.
- Retroactive Implementation: The ability to retroactively apply User Access Policies while maintaining past permission behaviors makes it easy to transition to using this tool to ensure consistency.
- Integration with AppExchange Apps: These policies can also be applied to AppExchange applications and integrations, ensuring consistent and secure permissions across all connected tools and extensions.
- Compliance and Auditing: Automation and standardization support compliance efforts and make auditing processes more straightforward.
- Better User Experience: Immediate and correct access permissions enhance overall CRM adoption and long-term productivity right from the start.
How to Create User Access Policies
Implementing User Access Policies in Salesforce is a relatively straightforward process. By default, a User Access Policy is a one-time process to grant or revoke access for designated users. However, you should use an Active User Policy if you want to automatically grant or revoke user access based on a triggered event such as a created or updated user record.
“If you set your User Access Policy to run automatically, the automation must be tested like any other flow,” says Reed.
At Affinity, we recommend customers who are installing the Affinity for Salesforce managed package to use User Access Policies to automate the assignment of Affinity’s permission set.
Let’s walk through the process of setting up a new User Access Policy using Affinity for Salesforce as a practical example:
- Go to Setup, then search for “user” and click on User Management Settings. Then, turn on the toggle for User Access Policies.
- From here, click User Access Policies, then click New User Access Policy.
- Give the New User Access Policy a name and a description, then click Save.
- Then, click Edit Criteria.
- From here, you can define the user criteria. Fill out the following two sections (Define User Access and Define Actions), then click Save.
Define User Criteria: Add at least one user criteria filter. Use the “Equals” Operator for a single value and the “In” Operator for multiple values. Policies are applied to users that meet all of the criteria filters.
Criteria access filters include:
- Role
- Queue
- Permission set
- Permission set group
- Package license
- Role
- User fields (Checkbox, Number, Picklist, or Text)
You can have up to three filters for applicable users, any number of filters on standard and custom user fields, and multiple roles or profiles referenced in the same filter using the ‘In’ Operator.
For the example with Affinity for Salesforce, you would select “Profile” and select “In” as the Operator to include as many different profiles as you’d like.
Define Actions: Select “Grant” or “Revoke” from the Action picklist, then select the access mechanism that the action applies to.
You may want to create User Access Policies to “Grant” permissions when onboarding new users or changing roles to ensure immediate and consistent access to the right resources. Conversely, you should automatically “Revoke” permissions when somebody leaves the organization or changes roles to maintain security and prevent unauthorized access.
“Grant” or “Revoke” access options are:
- Permission sets
- Permission set groups
- Permission set licenses
- Package licenses
- Public groups
- Queues
User Access Policies can support up to 20 Actions.
For this example, you would select “Grant” for the Action field, “Permission Set” for the Target field, and “Affinity_User” for the Value field.
- Now, click Automate Policy to auto-assign the “Affinity_User” permission set.
- Select your preference for which event will trigger the policy assignment. Trigger options include:
- Creation trigger: Ideal for ensuring new users are set up correctly during onboarding. This is a good option if your organization has a relatively stable structure where roles and permissions don’t change frequently after onboarding.
- Update trigger: Perfect for companies where users’ roles and attributes change frequently and permissions need to be dynamically adjusted.
- Creation or Update trigger: Best for comprehensive and continuous management of user permissions.
If you want to automate as much as possible, we suggest selecting when a user is created or updated. Then, click Activate. Now, this policy will apply to all users moving forward.
- To retroactively apply the policy for existing users, you can conduct a one-time operation by clicking Apply Policy.
- From here, click the checkboxes to identify the users for whom you’d like to apply the policy. Then, click Apply To Selected Users or Apply To All.
“I suggest creating separate policies for each type of access – i.e. Permission Sets or Permission Set Licenses – to make it easier to monitor errors in the assignment,” Reed explains. “Creating separate policies is a good way to uncover areas that may not have been provisioned as you add users.”
Reed adds, “One additional note to consider when setting up User Access Policies, the ‘Action Value’ requires the API Name, which often differs from the new name values of the clouds/tools. For example, the API Name ‘HighVelocitySalesUserIncluded’ corresponds to the permission set ‘Sales Console Unlimited.'”
For detailed instructions on managing user permissions with a User Access Policy, visit Salesforce’s setup guide.
Make Salesforce Smarter with Affinity
Affinity for Salesforce uses automation and artificial intelligence (AI) to enhance the functionality and efficiency of your CRM.
With Affinity for Salesforce, you can:
- Automatically capture engagement activity: Affinity automatically creates and updates CRM records by analyzing your company’s email and calendar activity, saving users 200+ hours of manual data entry every year.
- Improve seller productivity and efficiency: Affinity’s Chrome and Outlook extensions allow your team to access, update, and create Salesforce records directly from their inbox and browser.
- Surface network and relationship insights: Affinity uses AI to provide relationship intelligence so sellers can quickly identify who can provide the best introduction to a top prospect. Relationship scores are calculated using the recency and frequency of interactions between your colleagues and your company’s expanded network of connections.
By using User Access Policies, you can seamlessly integrate apps like Affinity for Salesforce into your workflow and ensure that users have the appropriate permissions from the start.
Summary
User Access Policies in Salesforce simplify and automate permission management, significantly reducing administrative workload and enhancing security. These policies ensure consistency, scalability, and ease of compliance, while also allowing retroactive application for seamless transitions and adherence to current policies. When combined with powerful AppExchange solutions like Affinity for Salesforce, admins can unlock new levels of productivity and data quality in Salesforce, ultimately driving better business outcomes.