In the last article Auto Add/Remove Permission Set – Part 1 I have gone through the way to automate Assign Permission Sets process based on user defined criteria. In this article I will discuss a way to automate Unassign Permission Sets based on criteria.

Business Use Case

Management in Universal Container wants to automate permission set removal or Unassigned process so that their admin workload will be reduced.

Solution for the above business requirement

In this article, I will discuss how to auto Unassign/Remove Permission Sets from the user. First of all, create few fields on the User object to save condition to auto Unassign/Remove Permission Sets to the user. In this demo, I will create a few fields on the User object as shown in the below screenshot

Custom Fields on User object

To solve this requirement we will use Visual Workflow and Workflow Rule (i.e Headless Flow).  Before going ahead with the solution you have to understand about PermissionSetAssignment Object. It represents the association between a User and a Permission Set. Below are the key fields from PermissionSetAssignment object

To develop this application follow the below instructions

1) Click on Name | Setup | App Setup | Create | Workflows & Approvals | Flows
2) Click on New Flow, it will open flow canvas for you. Create Two Text type variable UserID (To pass User ID) and RemovalPermissionsetID (To pass  ID  of permission set which system admin want to remove from user)
3) Drag and drop a Record Delete ( Give the name Delete Permission Set) onto the window to assign permission set to user and map the fields according to below details

• Select Object PermissionSetAssignment
• AssigneeId=  {!UserId}
• PermissionSetId= {!RemovalPermissionSetID}, You can take help from the following screenshot

Remove Permission Set

4) Finally, our Flow will look like the following screenshot

8) Save the flow with name Remove Permission Set and close the canvas.

Create Workflow rule to fire our Flow

Our next task is to create a workflow on the User object on the creation and every time it’s edited event. To create a workflow on the User object follow the below instructions

1) Click on Name | Setup | App Setup | Create | Workflows & Approvals | New Rule
2) Select object  User from the drop-down
3) Enter Name, for Evaluate criteria  select Created, and any time it’s edited to subsequently meet criteria ( To create a time-dependent workflow), For Rule Criteria select End Date != False  and  Remove = False as shown in the following screenshot

Workflow Rule1

4) Now Add a time trigger to set Remove flag True after 0hr of End Date. To do this click on Add Time Trigger button and Set the length after how many days/hours workflow will fire  i.e.  in hours and days, I selected 0hr after the End Date. Now add one field update action for time-dependent workflow and set Remove flag to True. You can take help from the following screenshot

Time-based action

5) Save the workflow and activate it.
6) Create another workflow (i.e. workflow Rule2 ) on the same object to fire our Flow, set entry criteria of trigger is Remove = True

Workflow Rule2

7) Add one Immediate Workflow Actions i.e. New Flow Trigger and Select Flow (Remove Permission Set) and set Variable (UserID and RemovalPermissionsetID ) value as shown in the following screenshot

New Flow Trigger Action

8) Add one Immediate Workflow Actions i.e. New Field Update and Set Remove flag to False.
9) Save the workflow and activate it.

It’s time to test this feature

1) Go to the User’s detail page to whom you want to Unassign Permission Sets and fill the detail. In this demo I am going to Unassign Permission Sets with Name “Test“,  it will look similar to below screenshot

Permission Set Removal Detail

2) To check time-dependent workflow queue Follow the path, Click on Name | Setup | Administration Setup | Monitoring | Time–Based Workflow and search the queue

Time-Based Workflow Queue

Note: -I will suggest you Implement this first on your developer org test it and then move it to Production. Let me know if you have any difficulty to Implement it.