Getting Started with Process Builder – Part 96 (Profile? So Yesterday! – Auto Assign Permission Set Group to a User)

Getting Started with Process Builder – Part 96 (Profile? So Yesterday! – Auto Assign Permission Set Group to a User)

Last Updated on May 5, 2021 by Rakesh Gupta

Has it only been five years since I wrote, ‘auto-assign Permission Set to new users’?. The article was written using Flow Trigger – now, an obsolete functionality. You can read it  here. Wow! How time flies!

Similarly, just two years ago, I wrote another article showing how one can assign a Permission Set to new users using Process Builder and Flow. 

Salesforce continues to transform at a lightning speed – yes, an understatement, I know! Three releases a year are keeping me on my toes! – making it harder and harder to keep my blogs abreast of the new features and functionalities! Whew!

Hot out of the oven comes – Permission Set Group! Now, this is hot, indeed! Let us taste it together!

What is a Permission Set Group?

Let us relish the moment and understand the Permission Set Group

For user access/management, we assign multiple permission sets to users – either manually or via automation. The onset of ‘Permission Set Group’ shows how time-consuming both these methods are!

Blog 96.2

What if we group permission sets – based on (1) either logical user groups; or, (2) on the tasks performed by users – in a single entity and then, assign the entity to users? Well, now we can! As shown in the following image, the Permission Set Group does just that!

Blog 96.3

Permission Set Group’ comprises of multiple permission sets a user needs.

Wait, this is not it! One can add and remove individual permissions from a Permission Set Group – using the permission muting feature – to ensure that users do not get permissions that are not relevant to his/her job functions! 

For example, you can compile three permission sets – CRM UserSalesforce Console User, and custom permission set View and Edit Convert Leads – in a group; a.k.a, the Permission Set Group. You can label the group as ‘Sales Manager Users’ Permission Set Group – see image below. Then, you can assign the ‘Sales Manager Users’ Permission Set Group, as a single entity, to your users instead of the three different permission sets.

Blog 96.1.1

Now suppose you assigned the ‘Sales Manager Users’ Permissions Set Group to User A. Then comes User B. In addition to all the permission sets contained in the ‘Sales Manager Users’ Permission Set Group, User B also needs ‘Manage External Users’ permission set. Now what? No worries! Clone the ‘Sales Manager Users’ Permission Set Group and add to it the ‘Manage External Users’ permission set and save it as a new Permission Set Group! You could say, name the new Permission Set Group as ‘External Sales Manager Users’. Simple!

Explorer this article to learn more about the Permission Set Group. 

Business Use case

Martin Jones is a System Administrator at Gurukul on Cloud (GoC). Today he was going through the Spring’20 release notes and found that Permission Set Group is now generally available (GA). He just created a permission set group called ‘Sales Manager Users’. Now, Martin has a requirement to auto-assign ’Sales Manager Users’ Permission Set Group to all new users with the Sales Manager Role. 

Solution for the above business requirement

To solve this requirement we will use Lightning Flow and Process Builder as follows:

  • Process builder will fire when a new user is assigned a Sales Manager Role; and, it will also trigger the Flow.
  • Lightning Flow will add a Permission Set Group to the new user.

Before proceeding, ahead, PermissionSetAssignment (It represents an association between a User and a PermissionSet) object in Salesforce.

Field Name Details
AssigneeId The ID of the user to assign the permission set.
PermissionSetGroupId If associated with a permission set group, this is the ID of that group.

Before discussing it, let me show you a diagram of a Process Flow at a high level. Please spend a few minutes to go through the following Flow diagram and understand it.

Blog 96.19

We will create an automation that will not only work for the current scenario but, it will also work for other Roles as well. This means that, if Martin wants to automate the Permission Set Group assignment for other Roles (Sales Rep, Sales Director, VP of Sales) – it should work without him having to modify automation (Flow or Process Builder). 

Step 1: Create Custom Metadata Types to store User Role and Permission Set Group Mapping:

  1. First, we will create a Custom Metadata Type to store Role Name and Permission Set Group Id mapping. 

    1. To create a new custom metadata type, navigate to Setup (Gear Icon) | Setup | PLATFORM TOOLS | Custom Code | Custom Metadata Types and click on the New Custom Metadata Type button. Now populate the form as shown in the following screenshot: Blog 96.4
    2. Once you are done, click on the Save button.
    3. Create a Text field PS Group Id to store the Permission Set Group Id for each User Role. In the end, the User Role PS Group Mapping custom metadata type should look as follows: Blog 96.5
    4. The next step is to insert a few records into the custom metadata type. Click on the Manage User Role PS Group mapping button on the custom metadata type detail page, and then click on New to insert some records, as shown in the following screenshot:Blog 96.6.1

Step 2: Create a Flow to find Permission Set Group Id and assign it to a user:

  1. Navigate to Setup (Gear Icon) | Setup | PLATFORM TOOLS | Process Automation | Flows. Click on the New Flow button – it will open a pop-up. Perform the following actions on the pop-up screen: 
    1. Autolaunched Flow as Flow Types
    2. Once done, click on the Create buttonBlog 6.1
  2. Now create few variables in the Flow, as shown in the following table:
    Name Variable type Input Source Input/Output type
    VarTUserId Text Process Builder Input and Output
    VarTRoleName Text Process Builder Input and Output
    VarTPermissionSetGroupId Text Lightning Flow Input and Output
  3. The next step is to find the Permission Set Group Id for a given Role. For this, we will use the ‘Get Records’ element. Drag and drop the ‘Get Records’ element onto the Lightning Flow Designer – Check out the video for step-by-step instructions:
  4. The next task is to check whether VarTPermissionSetGroupId variable contains Permission Set Group Id. Drag and drop a Decision element onto the Lightning Flow Designer and configure it – as shown in the following screenshot:Blog 96.8
  5. Next, we will use the ‘Create Records’ element to assign a Permission Set Group to a User. Drag and drop a ‘Create Records’ element onto the Lightning Flow Designer – Check out the video for step-by-step instructions:
  6. In the end, Martin’s Flow will look like the following screenshot:Blog 96.10
  7. Once done, Save the Flow and name it Assign Permission Set Group. Do not forget to activate the Flow by clicking on the Activate button. 

Step 3: Create  a Process to launch a Flow 

Our next task is to create a Process Builder on the User object to start a Flow. To create a Process Builder on the User object follow the steps below:

  1. Click on Setup (Gear Icon) | Setup | PLATFORM TOOLS | Process Automation | Process Builder
  2. To create a new process from scratch, click on the New button available on the Process Management page. A popup will appear where you have to enter the Name (Use Assign Permission Set group – PB as a name)API Name and Description as shown in the following screenshot:Blog 96.11
  3. Once done, click on the Save button.
  4. Click on the Object node to add an object and then select the User object. For the entry criteria, select only when a record is created, as shown in the screenshot below:Blog 96.12
  5. Once done, click on the Save button.
  6. The next task is to add Process Criteria so that the process will only fire when a user is created and s/he active. To do this click on Add Criteria, enter NameType of action and set filter conditions, and follow the instructions below
    1. For Criteria for Executing Actions, select Conditions are met
    2. Set condition –  [User].UserRoleId Is null Boolean FalseBlog 96.13
  7. Once done, click on the Save button.
  8. The next step is to add an Immediate action to Process. Click on Add Action (Under Immediate actions). Then, select the type of action to create (In our case Flows). Use Field Picker to choose the field as shown in the following screenshot:Blog 96.14
  9. Once done, click on the Save button. 
  10. Finally, the Process will look like the following screenshot:Blog 96.15

Don’t forget to activate the Process by clicking on the Activate button.

It’s time to test this feature!

Next time, when a User is created by a System Administrator at Gurukul on Cloud, the process we created ( Using Process Builder) will fire and assign Permission Set Group to the User based on his/her Role (In this scenario, Sales Manager Role). 

Step 1 – User Doesn’t have a Role. And, no Permission Set Group is Assigned to the User.

Blog 96.16

Step 2 – Assign the Sales Manager Role to the user. Then, check Permission Set Assignment Group:

Blog 06.17

Great! You are done!

Now you can streamline your user access/management process by leveraging Permission Set Group!

Availability of Permission Set Group will transform a super Admin into a super-duper Admin. No more lugging through multiple individual Permission Sets! What is there not to love?!

Technical Editor and Proofreader: - Munira Majmundar
Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!

5 thoughts on “Getting Started with Process Builder – Part 96 (Profile? So Yesterday! – Auto Assign Permission Set Group to a User)

  1. What happens if a user changes roles? I’m guessing we will have to add steps to the flow to remove the permission set and assign to permission set to the user.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.