Salesforce allows you to add Permission Sets to User to extend user’s functional access without changing their profile. For example, if you want to grant Modify all access to Account objects to a set of users without changing their profile or create a new profile.
Business Use case
Universal Container is using Two Factor Authentication, to grant two-factor authentication permission to the user they created a Permission Set. Now Higher management wants to auto assign this Permission Sets to the new User.
Solution for the above business requirement
This is a basic use case to start with the Headless flow. To solve this requirement we will use Visual Workflow, Workflow rule to fire Flow Trigger. Before proceeding you have to understand PermissionSetAssignment objects in Salesforce.
PermissionSetAssignment :- This object represents an association between a User and a PermissionSet.
| Field Name | Details |
| AssigneeId | ID of the user to assign the permission set. |
| PermissionSetId | ID of the PermissionSet to assign to the user. |
Now we will create a flow to add Permission Set (Two Factor Authentication) to the new user. To do that follow the below instructions
1. Click on Name | Setup | App Setup | Create | Workflows & Approvals | Flows
2. Click on New Flow, it will open flow canvas for you. Create One Text type variable UserID (to pass the new user id through Workflow Rule Flow Trigger action) as shown in the below screenshot
Variable UserID
3. To add Permission Set (Two Factor Authentication) to new users, drag and drop a Record Create ( Give the name Add Permission Set) onto the window and map the fields according to below details
- Select Object PermissionSetAssignment
- Enter criteria AssigneeId= {!UserID} and PermissionSetId= ID of Permission Set (Two Factor Authentication), as shown in the below screenshot
Add Permission Sets to new User
4) Finally, your flow should looks like below screenshot
5) Save the flow with name (Add Permission Sets To User) and close the canvas.
Create Workflow rule to fire our Flow
Our next task is to create a workflow on User object on creating event to Fire our Flow Trigger. To create a workflow on the User object follow the below instructions
1) Click on Name | Setup | App Setup | Create | Workflows & Approvals | New Rule
2) Select object User from the drop-down
3) Enter Name, for Evaluate the rule when a record is select Created, For Rule Criteria select is Active= True, as shown in the below screenshot
Workflow Rule on User Creation
4) Add one Immediate Workflow Actions i.e. New Flow Trigger and Select Flow and set Variable (UserID) value as shown in the below screenshot
New Flow Trigger Action
5) Save the workflow and activate it.
It’s time to test this feature
To test this application follow the below steps
1) Navigate to Name | Setup | Administration Setup | Manage Users | Users
2) Create a New User
3) Now navigate to Permission Set Assignment related list in the user detail page and check for Permission Set (Two Factor Authentication).
Automatically add Permission Sets to new User
Note: – To migrate from Workflow rule to Process builder please see my comment:- https://rakeshistom.wordpress.com/2014/07/18/automatically-add-permission-sets-to-new-user/#comment-1811
39 thoughts on “Automatically assign Permission Sets to new User”
Pingback: Rakesh Gupta’s Salesforce Newsletter of the Week – 20th July 2014 « Rakesh Gupta's Blog
Steffan
Thanks for this HowTo; unfortunately i am stuck at
4) Add one Immediate Workflow Actions i.e. New Flow Trigger and Select Flow and set Variable (UserID) value as show in the below screenshot
After a bit of googling, it seems that flow triggers have been superseded by Process Builder, which is currently not “publicly” available: https://help.salesforce.com/apex/HTViewHelpDoc?id=workflow_flow_action_considerations.htm&language=en_US
Rakesh Gupta
Thnaks, I am aware of it. You can able to do same thing through Process builder as well.
Rakesh Gupta
1) Navigate to Setup | Build | Create | Workflow & Approvals | Process Builder and click on the New button to create the new Process
2) Enter the Process Name, Description and API Name, Once done click on Save button as shown in the following screenshot
https://rakeshistom.files.wordpress.com/2015/03/define-process-criteria.png
3) Now Click on Object then Select the User Object and Evaluation Criteria for Process, as shown in the following screenshot
https://rakeshistom.files.wordpress.com/2015/03/evaluation-criteria5.png
Once done click on Save button
4) Next step is to add Process Criteria, To do that Click on Add Criteria, Please refer to the following screenshot for more details
https://rakeshistom.files.wordpress.com/2015/03/process-criteria10.png
Once done click on Save button.
5) Next task is to add one Immediate Actions i.e. Flows, Please refer to the following screenshot for more detail
https://rakeshistom.files.wordpress.com/2015/03/launch-a-flow.png
Once done click on Save button.
7) Activate the Process. After you activate a process, you can no longer edit that process
Chris Picking
Rakesh, I’m running into a problem where I get no matches found when trying to select the flow in the “add immediate actions” section… I have never had the ability to create a flow trigger so i’m thinking this is the problem. Can you shed some light on how I can accomplish this by building it from scratch via process builder? — Thanks, Chris
Rakesh Gupta
Make sure that you have activated the Flow. Currently it’s not possible to assign permission sets using the Process Builder.
Chris Picking
Revisiting this and started from scratch. When creating my Process Builder process I do not get the flow variable option like you show. With out that I’m not able to pass the userID to the flow, am I missing something?
Rakesh Gupta
Make sure to select Input and Output (Type) for UserID Flow variable
Chris Picking
Noticed it right after I sent the reply. Works perfect!!! Thanks for creating this, it will take a few minutes out of every user set up I do.
Rakesh Gupta
Happy to help!
Smith
How can i do it based on a filed value- if user.xxx filed is not blank then assign the permission set. If that filed is blank then remove the permission set if there is any.
Rakesh Gupta
Use user.xxxx as PB entry criteria
Smith
One More question – Will it work if the users are created or updated using data loader or ETL tools using batch mode (200 records)
Rakesh Gupta
No, but there are few workarounds for it
Jen
Hi, I have followed all the steps outlined above but when attempting to save the flow I am getting a ‘General Warning’ that states, “Add_Permission_Set” is not connected to anything and I am unable to activate the flow. Do you know what is causing this?
Rakesh Gupta
Please ignore the warning message
Jen
Hi Rakesh, I found what I was doing wrong. Thanks again for this post and your help. This will save me a lot of time. Much appreciated.
Rakesh Gupta
Make sure to save the flow as Autolaunched Flow and active it. Happy to help 🙂
Rob Kaplan
Hello Rakesh. Context then a few questions if I might. The desired business outcome for us is the auto-assigning of 3 Permission sets, to new (Community) Users when they are created (by Apex). I have an existing Process Builder that send each user a “Welcome Letter” upon creation of the (Community) User. I thought I would use that Process Builder to also invoke Flows that assign the 3 Permissions to the user. I examined your post, made a start on my Flow (first time), and have these questions:
Thanks so much Rakesh!
Rob Kaplan
Rakesh Gupta
Here you go
1. a) I will suggest you to use three Record Create element and connect them
b) please ignore the message, leave it blank
2) yes please ignore the warning message
Rob Kaplan
That’s great will give it a try and update the post later.
Michael
I found out how to remove a user from the permission set. Sorry for asking, because it
s too simple at the end. In Flow Designer its the same way as you create a permission set assignment. On the left side you choose Record Delete and enter the same fields. Afterwards add the flow to the process (if checkbox is FALSE) and you are done.Thanks anyway. Without this article I would have not been able to do it.
Ludovic C
Hi Rakesh,
I am trying to follow your instructions but I am not able to add my process builder action. When I select “flow” as an action, I see only my active flows. So I can’t see my ‘”add permission set” flow because i can’t activate it (the activate button is not available). Did i miss something in the process?
Thanks for your help,
Ludovic
Ludovic C
Hi,
I finally managed to solve my problem. My flow hadn’t any start event and i had to click on “set as start element”.
Thanks!
Rakesh Gupta
Glad you were able to sort it out!
topherrinek
I followed steps 1-4 and got an error. “Activation Warning (1) All issues listed must be fixed before you can activate this flow. *The flow must have a start item.” Did I miss a step?
Rakesh Gupta
Before you can save a flow, indicate which element to execute first by selecting a start element.
Mariana
Hi,
In step 3, under criteria..I can’t locate the permissionSetId value for the permission set I would like added. Are there prior steps that I need to be doing in order to locate the ID?
Rakesh Gupta
Make sure that you have selected PermissionSetAssignment object under Create.
Nicolle Bennett
Hi Rakesh,
I’ve been following your instructions (which are great, thank you) – I keep running into a problem. I’m trying to assign a particular permission set to new users with a certain profile only – how would I add that to the flow/process builder to get it to fire properly? I can’t get it to work. Thank you for your help!
Rakesh Gupta
Thanks for your kind words!
What problems are you experiencing? If you don’t mind could you share the screenshots with at info@automationchampion.com
Bhanu
Hi Rakesh,
We have activated a Process builder to assign Permission sets to User records. We have created a flow and the flow has been assigned in the process. The action in this process is started whenever a User record is created or edited. We also have the process criteria implemented for this. This process is absolutely working fine…
Now the issue is – For some users we have already assigned the needed permission sets. For these users If we try to edit other fields like Manager, Email etc. the process builder throws the following error message as the process builder is activated for the User object. So my requirement is – the process builder should allow to edit other fields in User records irrespective of the permission set assignments in User records.Please let me know how to resolve this issue?
Workflow Action Failed to Trigger Flow
The record couldn’t be saved because it failed to trigger a flow. A flow trigger failed to execute the flow with version ID 301400000004NsS. Flow error messages: <b>An unhandled fault has occurred in this flow</b><br>An unhandled fault has occurred while processing the flow. Please contact your system administrator for more information. Contact your administrator for help.
Rakesh Gupta
In your Flow, use a record lookup element to identify whether Permission set is assigned to a user or not.If Permission Set is not assigned then only use Record Create element to assign Permission to a user.
SF Admin
Hi Rakesh,
Thank you for your help! If you have any screenshots related to Record Lookup element or link how to use this in flow, could you please forward the same..
Rakesh Gupta
Sorry, I didn’t get you.
I have used Record Create element in this article not Record Lookup element.
Andrew Morales
Hello Rakesh,
Thank you for putting this together. I got a response from Salesforce saying that FlowTriggers were a beta program and cant be used at this time unless it was enabled previously. What would be the workaround to firing this without the ability of FlowTriggers? Can this be done exclusively done in Process Builder?
Rakesh Gupta
sorry about the confusion. They are right FlowTriggers were a beta program and can’t be used at this time.
An alternative option is to use Process Builder to launch a Flow.
Move all Workflow part into Process builder and you are good to go.
1. Make sure to save your Flow as type = Autolaunched
2. Use Flow action in Process Builder to launch it.
Help link :- https://automationchampion.com/2016/11/23/getting-started-with-process-builder-part-58-restrict-users-on-switching-from-lightning-experience-to-classic/#.WThsesaZO_E
Andrew Morales
It worked great. Many thanks. I saw the links to the screenshots of the Process Builder flow in the comments above which helped as well.
Rakesh Gupta
I am glad it worked out for you!