If you are a system administrator of a Salesforce org, you are likely to be highly skilled at multitasking, as you are often expected to carry out several tasks at once.
One task that can take a significant amount of time and effort is setting up and managing users in the system, especially in an org that has a large number of users or a complex role hierarchy.
The good news is that you can delegate aspects of user administration to users who are not assigned the System Administrator profile, which lets you focus on tasks other than managing users for every department or structure that your company has within Salesforce.
Not only will this save you time and effort, but it also provides further benefits for global organizations with time zone and cultural differences: a user based in the region, with local knowledge, can create the users, which also saves time and provides a better user experience.
For example, you may want to allow the manager of the Asia Pacific Operations team to create and edit users in the Asia Pacific Operations Team Leader role and all subordinate roles.
There are currently two ways of setting up this kind of delegated user management access:
- Create a profile with the Manage Users permission
- Use delegated administration
Create a profile with the Manage Users permission
This option is not recommended and should be very carefully considered, as it allows the user to carry out a much greater range of system administration functions.
In addition to creating and managing users, the Manage Users permission also allows the user to expire all passwords; to clone, edit or delete profiles; to edit or delete sharing settings; to edit user login hours; and a great deal more.
Not only are these non-user administration tasks allowed for users with the Manage Users permission, but it is also not possible to restrict the types of profiles that can be selected when creating new users, so there are several security risks with this option. For example, the Manage Users permission would allow someone to create users with system administrator permissions.
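To find where Manage Users has already been handed out to non-administrators, the following added example (not part of the original article) reviews an export of permission assignments and lists users who hold Manage Users through a profile or permission set that does not also carry Modify All Data. The object and field names in the query are standard Salesforce ones; the usernames, profile names and permission set names in the sample rows are constructed.

```python
import json
from collections import defaultdict

# Constructed sample rows (not from a real org), shaped like a JSON export of:
#   SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name,
#          PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name,
#          PermissionSet.PermissionsModifyAllData
#   FROM PermissionSetAssignment
#   WHERE PermissionSet.PermissionsManageUsers = true
SAMPLE_ROWS = json.loads("""
[
 {"Assignee": {"Username": "admin@example.com", "IsActive": true},
  "PermissionSet": {"Name": "ProfileOwned1", "IsOwnedByProfile": true,
   "Profile": {"Name": "System Administrator"}, "PermissionsModifyAllData": true}},
 {"Assignee": {"Username": "apac.manager@example.com", "IsActive": true},
  "PermissionSet": {"Name": "ProfileOwned2", "IsOwnedByProfile": true,
   "Profile": {"Name": "APAC User Admin"}, "PermissionsModifyAllData": false}},
 {"Assignee": {"Username": "apac.manager@example.com", "IsActive": true},
  "PermissionSet": {"Name": "User_Maintenance", "IsOwnedByProfile": false,
   "Profile": null, "PermissionsModifyAllData": false}},
 {"Assignee": {"Username": "former.lead@example.com", "IsActive": false},
  "PermissionSet": {"Name": "User_Maintenance", "IsOwnedByProfile": false,
   "Profile": null, "PermissionsModifyAllData": false}}
]
""")


def manage_users_outside_admin(rows, include_inactive=False):
    """Return {username: [grant sources]} for Manage Users grants that do not
    come from a profile or permission set that also has Modify All Data."""
    findings = defaultdict(list)
    for row in rows:
        user, pset = row["Assignee"], row["PermissionSet"]
        if not user["IsActive"] and not include_inactive:
            continue  # inactive users cannot log in; skipped unless requested
        if pset["PermissionsModifyAllData"]:
            continue  # full-administrator grant, expected to manage users
        if pset["IsOwnedByProfile"]:
            source = "profile: " + pset["Profile"]["Name"]
        else:
            source = "permission set: " + pset["Name"]
        findings[user["Username"]].append(source)
    return {name: sorted(sources) for name, sources in findings.items()}


if __name__ == "__main__":
    for name, sources in manage_users_outside_admin(SAMPLE_ROWS).items():
        print(name, "->", "; ".join(sources))
```

Each user it reports is a candidate for having Manage Users removed and being placed in a delegated administration group instead.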
Use delegated administration
Delegated administration is a more secure method for providing delegated user management access as it allows you to assign limited administrative privileges to the selected non-administrator users in your organization.
Delegated administrators can perform the following tasks: creating and editing users and resetting passwords for users in specified roles and all subordinate roles; assigning users to specified profiles; logging in as a user who has granted login access to their administrator.
To create delegated groups, follow the path Your Name | Setup | (Administration Setup) | Security Controls | Delegated Administration. Now click on the New button or select the name of an existing delegated administration group.
Manage Delegated Groups
Here we look at the existing group that has been named “User Management”.
Delegated Group – User Management Example
The Delegated Administrators section allows you to select and add the users that are to be given the delegated administration permission.
The User Administration section allows you to select and add roles which the delegated administrators can assign to the users they create and edit. They can assign users to the stated roles and all subordinate roles.
The Assignable Profiles section allows you to select and add profiles which the delegated administrators can assign to the users they create and edit.
For security, profiles with the “Modify All Data” permission cannot be included among the profiles that delegated administrators can assign. The following error appears when attempting to include the System Administrator profile.
Assignable Profiles – System Administrator Error
Select Enable Group for Login Access if you want to allow delegated administrators in this group to log in as users who have granted login access to their administrators and are in the roles selected for the delegated administrator group.
And there you have it.
The delegated administration feature takes a little effort to understand and to set up comfortably, but it is much more secure and will prevent the unexpected side effects that can come with simply granting the Manage Users permission.