Automatically Assign Permission Sets to New User


Last Updated on February 10, 2022 by Rakesh Gupta

Big Idea or Enduring Question:

  • How can you use Flow to automatically assign permission sets to new users?

Objectives:

After reading this blog post, the reader will be able to:

  • Use After-save Record-Triggered Flow to assign permission sets to new users
  • Follow the best practice for referring to a Permission Set in a Record-Triggered Flow
  • Use a Decision element to find out whether a record variable or record collection variable contains a record
  • Use After-save Record-Triggered Flow to create a record

Business Use case

Brenda David is a System Administrator at Universal Containers (UC). She has received a requirement to auto-assign the Two Factor Authentication permission set to new users.

Automation Champion Approach (I-do):

Salesforce allows you to add Permission Sets to the User to extend the user’s functional access without changing their profile. For example, you can grant Modify All access to the Account object to a set of users without changing their profile or creating a new profile.

This is a basic use case to start with the lightning flow. To solve the above requirement, we will use the After-save Record-Triggered Flow.

Before proceeding, you have to understand the PermissionSetAssignment object in Salesforce.

  • PermissionSetAssignment: This object represents an association between a User and a PermissionSet.

    Field Name      | Details
    AssigneeId      | ID of the user to assign the permission set.
    PermissionSetId | ID of the PermissionSet to assign to the user.

Before discussing the solution, let me show you a diagram of a Process Flow at a high level. Please spend a few minutes to go through the following Flow diagram and understand it. Let’s begin building this automation process.

Guided Practice (We-do):

There are 2 steps to solve Brenda’s business requirement using After-save Record-Triggered Flow. We must: 

  1. Create a permission set – Two-factor authentication
  2. Salesforce Flow Steps:
    1. Define flow properties for record-triggered flow
    2. Add a get records element to find permission set id
    3. Add a decision element to check the permission set id from the record variable (from step 2.2)
    4. Add a create records element to assign the permission set to users

Step 1: Create a Permission Set 

Before we begin on a solution for this use case, check out the Two Factor Authentication article on how to set it up.

  1. Click Setup.
  2. In the Quick Find box, type Permission Sets.
  3. Select Permission Sets, then click New.
  4. Label the Permission Set, then press the Tab key; the API Name will auto-populate.
  5. Click Save.

Step 2.1: Salesforce Flow – Define Flow Properties 

Because the requirement is to create a related record (PermissionSetAssignment), we have to use an After-save flow.

    1. Click Setup.
    2. In the Quick Find box, type Flows.
    3. Select Flows, then click New Flow.
    4. Select the Record-Triggered Flow option and click on Next and configure the flow as follows: 
      1. How do you want to start building: Freeform
      2. Trigger the Flow When: A record is created
      3. Run Flow: After the record is saved
      4. Object: User
    5. Select All Conditions Are Met (AND)
    6. Set Conditions
      1. Row 1
        1. Field: User | IsActive
        2. Operator: Equals
        3. Value: {!$GlobalConstant.True}
    7. Click Done.

Step 2.2: Salesforce Flow – Adding a Get Record Element to Find Permission Set Id

The next step is to find the Id of the Two Factor Authentication permission set. To do that, follow the instructions below:

  1. Under Toolbox, select Elements.
  2. Drag-and-drop Get Records element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Select the Permission Set object from the dropdown list.
  5. Select All Conditions Are Met (AND)
  6. Set Filter Conditions
    1. Row 1:
      1. Field: Name
      2. Operator: Equals
      3. Value: Two_Factor_Authentication
  7. How Many Records to Store:
    1. select Only the first record
  8. How to Store Record Data:
    1. Choose the option to Automatically store all fields
  9. Click Done.

Step 2.3: Salesforce Flow – Using Decision Element to Check the Permission Set Id from the Record Variable (from step 2.2)

Now we will use the Decision element to check whether the Record Variable from step 2.2 returned the permission set Id.

  1. Under Toolbox, select Elements.
  2. Drag-and-drop Decision element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Under Outcome Details, enter the Label; the API Name will auto-populate.
  5. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!Find_Permission_Set_Id.Id}
      2. Operator: Is Null 
      3. Value: {!$GlobalConstant.False}
  6. Click Done.

Step 2.4: Salesforce Flow – Create Records – Add Permission Set to New Users

The next step is to add Permission Sets to New Users. We will use the Create Records element. To do this, drag-and-drop the Create Records element onto the flow designer and map the fields according to the details below:

  1. Under Toolbox, select Elements. Drag and drop Create Records onto the canvas. 
  2. Input the following information:
    1. Enter the Label; the API Name will auto-populate.
    2. How Many Records to Create: One
    3. How to Set the Record Fields: Use separate resources, and literal values
    4. Object: PermissionSetAssignment
    5. Set Field Values for the Permission Set Assignment
    6. Row 1:
      1. Field: AssigneeId
      2. Value: {!$Record.Id}
    7. Click Add Row
    8. Row 2:
      1. Field: PermissionSetId
      2. Value: {!Find_Permission_Set_Id.Id}
  3. Click Done.

In the end, Brenda’s Flow will look like the following screenshot:

Once everything looks good, perform the steps below: 

  1. Click Save.
  2. Enter the Flow Label; the API Name will auto-populate.
  3. Click Show Advanced.
  4. Type: Record-Triggered Flow
  5. API Version for Running the Flow: 50
  6. Interview Label: Add Permission Set to New Users {!$Flow.CurrentDateTime}
  7. Click Save

Almost there! Once everything looks good, click the Activate button.

Proof of Concept

From now on, whenever an active user is created, the Two Factor Authentication permission set will be assigned automatically.

  1. Navigate to Setup | Administration | Users | Users
  2. Create a New User and mark as Active
  3. Now navigate to the Permission Set Assignment related list on the user detail page and check for the Permission Set (Two Factor Authentication)
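
The Flow runs only when a user record is created with IsActive set to true, so users who existed before the Flow was activated, or who were created inactive and activated later, never reach the Create Records element. The anonymous Apex below is an added example, not part of the original post: it lists active users who lack the permission set and assigns it, skipping anyone already assigned. The API name Two_Factor_Authentication comes from Step 2.2; the 200-row limit is an assumed batch size.

```apex
// Added example, not from the original post. Run as anonymous Apex.
// Assumes the permission set API name used in Step 2.2.
String permSetName = 'Two_Factor_Authentication';

List<PermissionSet> found = [
    SELECT Id FROM PermissionSet WHERE Name = :permSetName LIMIT 1
];

if (found.isEmpty()) {
    // Same guard as the Decision element in Step 2.3.
    System.debug(LoggingLevel.ERROR, 'Permission set not found: ' + permSetName);
} else {
    Id permSetId = found[0].Id;

    // Anti-join: active users with no assignment row for this permission set.
    // Users who already have it are excluded, so no duplicate insert is attempted.
    List<User> missing = [
        SELECT Id, Username
        FROM User
        WHERE IsActive = true
          AND Id NOT IN (
              SELECT AssigneeId
              FROM PermissionSetAssignment
              WHERE PermissionSetId = :permSetId
          )
        LIMIT 200 // assumed batch size; rerun until the count reaches 0
    ];

    List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
    for (User u : missing) {
        toInsert.add(new PermissionSetAssignment(
            AssigneeId = u.Id,
            PermissionSetId = permSetId
        ));
    }

    // allOrNone = false: one failing user (for example a license mismatch)
    // does not roll back the assignments that succeeded.
    List<Database.SaveResult> results = Database.insert(toInsert, false);
    for (Integer i = 0; i < results.size(); i++) {
        if (!results[i].isSuccess()) {
            System.debug(LoggingLevel.WARN, missing[i].Username + ': '
                + results[i].getErrors()[0].getMessage());
        }
    }
    System.debug(missing.size() + ' active user(s) were missing ' + permSetName);
}
```

Run it in a sandbox first; rerunning is safe because users who received the assignment drop out of the query.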

Formative Assessment:

I want to hear from you!  

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? 

Let me know by Tweeting me at @automationchamp, or find me on LinkedIn.

Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!

56 thoughts on “Automatically Assign Permission Sets to New User”

  1. Write a flow where I have to add multiple permission sets to multiple users, checking whether the user already has existing permission sets or not. If they already have at least one set, ignore that set and add the remaining sets; if not, add all. Please help me to solve this: share screens to my mail or explain how to do this.
    email-rameshpeddine@gmail.com

    1. You have two options:

      Option 1
      1. Create a Record Collection Variable of type PermissionSetAssignment
      2. Create a Record Variable of type PermissionSetAssignment
      3. Use two (or more) Assignment elements to add values to the Record Variable
      4. Make sure to add every Record Variable to the Record Collection Variable
      5. Use Record Create element to assign Permission Sets

      Option 2

      Use Permission Set Group (https://automationchampion.com/2022/04/03/auto-assign-permission-set-group-to-a-user/)

  2. Hello sir. I followed your process and it worked perfectly. I have a follow up scenario please. Let’s say my org has 2 profiles (SAM and JD), and I want to create a flow that assigns new SAM users to permission set Java, and JD users to permission set Apex (just examples). How do I automate that with flow please?

  3. Hi Rakesh,

    Can we assign more than one permission set through a single flow. Also can you let me know whether we can do it based on some criteria.

    Thanks,
    Pramod

  4. Hello!

    I’ve tried to set this up via flow and am getting this error message when a community user goes to sign up. They are unable to complete the process. Any idea why this is happening? Thanks!

    Error element Assign_Permission_Set (FlowRecordCreate).
    This error occurred when the flow tried to create records: MIXED_DML_OPERATION: DML operation on setup object is not permitted after you have updated a non-setup object (or vice versa): PermissionSetAssignment, original object: Contact. You can look up ExceptionCode values in the SOAP API Developer Guide.

  5. Hi Rakesh,

    I’ve been seeing flow errors come through due to duplicate permission sets/licenses being assigned to users that already have a license/perm set. I was wondering how I could go about having a way to look at the user record and if the permission set already exists, skip the flow? I’m sure I could create a checkbox that populates to “true” once a permission set/license is assigned to a user, but I would like to avoid that if it’s possible to set something within the flow itself.

    So the business case is I have a checkbox on the user record that will assign a license and permission set once a checkbox is true. If a license/permission set is already assigned (either from it being set prior building this flow, or a checkbox being uncheck/rechecked) then I would like it to view the User Record to see if either the Perm Set or License exists. If it does, allow the checkbox to save as “true” and skip the flow.

    1. Travis, very good question. Let’s take an example: you want to assign a permission set “Lead Convert” to a user through Flow.

      First of all, you have to use a Lookup Records element (on the PermissionSetAssignment object) to find whether the Lead Convert permission set is assigned to the designated user or not. Then use the Decision element to define the path based on the Lookup Records outcome.

      I hope this makes sense.

  6. Hi Rakesh,

    Can we assign more than one permission set through a single flow. Also can you let me know whether we can do it based on some criteria.

    Thanks,
    DD

  7. Hello Rakesh,

    Thank you for putting this together. I got a response from Salesforce saying that FlowTriggers were a beta program and can’t be used at this time unless it was enabled previously. What would be the workaround to firing this without the ability of FlowTriggers? Can this be done exclusively in Process Builder?

    1. Sorry about the confusion. They are right: FlowTriggers were a beta program and can’t be used at this time.
      An alternative option is to use Process Builder to launch a Flow.
      Move all of the Workflow part into Process Builder and you are good to go.

      1. Make sure to save your Flow as type = Autolaunched
      2. Use Flow action in Process Builder to launch it.

      Help link :- https://automationchampion.com/2016/11/23/getting-started-with-process-builder-part-58-restrict-users-on-switching-from-lightning-experience-to-classic/#.WThsesaZO_E

      1. It worked great. Many thanks. I saw the links to the screenshots of the Process Builder flow in the comments above which helped as well.

  8. Hi Rakesh,

    Thank you for your help! If you have any screenshots related to the Record Lookup element, or a link on how to use this in a flow, could you please forward the same?

  9. Hi Rakesh,

    We have activated a Process builder to assign Permission sets to User records. We have created a flow and the flow has been assigned in the process. The action in this process is started whenever a User record is created or edited. We also have the process criteria implemented for this. This process is absolutely working fine…

    Now the issue is – for some users we have already assigned the needed permission sets. For these users, if we try to edit other fields like Manager, Email etc., the process builder throws the following error message, as the process builder is activated for the User object. So my requirement is – the process builder should allow editing other fields in User records irrespective of the permission set assignments in User records. Please let me know how to resolve this issue?

    Workflow Action Failed to Trigger Flow
    The record couldn’t be saved because it failed to trigger a flow. A flow trigger failed to execute the flow with version ID 301400000004NsS. Flow error messages: <b>An unhandled fault has occurred in this flow</b><br>An unhandled fault has occurred while processing the flow. Please contact your system administrator for more information. Contact your administrator for help.

    1. In your Flow, use a Record Lookup element to identify whether the Permission Set is assigned to a user or not. If the Permission Set is not assigned, only then use the Record Create element to assign the Permission Set to a user.

  10. Hi Rakesh,

    I’ve been following your instructions (which are great, thank you) – I keep running into a problem. I’m trying to assign a particular permission set to new users with a certain profile only – how would I add that to the flow/process builder to get it to fire properly? I can’t get it to work. Thank you for your help!

  11. Hi,

    In step 3, under criteria..I can’t locate the permissionSetId value for the permission set I would like added. Are there prior steps that I need to be doing in order to locate the ID?

  12. I followed steps 1-4 and got an error. “Activation Warning (1) All issues listed must be fixed before you can activate this flow. *The flow must have a start item.” Did I miss a step?

  13. Hi,

    I finally managed to solve my problem. My flow didn’t have any start event and I had to click on “set as start element”.

    Thanks!

  14. Hi Rakesh,

    I am trying to follow your instructions but I am not able to add my process builder action. When I select “flow” as an action, I see only my active flows. So I can’t see my “add permission set” flow because I can’t activate it (the activate button is not available). Did I miss something in the process?

    Thanks for your help,

    Ludovic

  15. I found out how to remove a user from the permission set. Sorry for asking, because it’s too simple in the end. In Flow Designer it’s the same way as you create a permission set assignment. On the left side you choose Record Delete and enter the same fields. Afterwards add the flow to the process (if checkbox is FALSE) and you are done.

    Thanks anyway. Without this article I would have not been able to do it.

  16. Hello Rakesh. Context then a few questions if I might. The desired business outcome for us is the auto-assigning of 3 Permission sets, to new (Community) Users when they are created (by Apex). I have an existing Process Builder that send each user a “Welcome Letter” upon creation of the (Community) User. I thought I would use that Process Builder to also invoke Flows that assign the 3 Permissions to the user. I examined your post, made a start on my Flow (first time), and have these questions:

    1) In the Record Create dialog -
        a. I can only set one PermissionSetID at a time, is that correct?  What is the Flow (element) design to add 3 Permissions to each user?
        b. The dialog asks me to Assign the record ID to a variable to reference it in your flow.  Do I leave that blank, or is there an expected entry that I'm missing?
    2) Can I also ignore the ‘General Warning’ that states, “Add_Permission_Set” is not connected to anything and I am unable to activate the flow, as you advised Jen on 4/27/16?
    

    Thanks so much Rakesh!
    Rob Kaplan

    1. Here you go
      1. a) I will suggest you to use three Record Create element and connect them
      b) please ignore the message, leave it blank
      2) yes please ignore the warning message

  17. Hi, I have followed all the steps outlined above but when attempting to save the flow I am getting a ‘General Warning’ that states, “Add_Permission_Set” is not connected to anything and I am unable to activate the flow. Do you know what is causing this?

      1. Hi Rakesh, I found what I was doing wrong. Thanks again for this post and your help. This will save me a lot of time. Much appreciated.

  18. One more question – will it work if the users are created or updated using Data Loader or ETL tools using batch mode (200 records)?

  19. How can I do it based on a field value – if the user.xxx field is not blank then assign the permission set. If that field is blank then remove the permission set if there is any.

  20. Rakesh, I’m running into a problem where I get no matches found when trying to select the flow in the “add immediate actions” section… I have never had the ability to create a flow trigger so I’m thinking this is the problem. Can you shed some light on how I can accomplish this by building it from scratch via process builder? — Thanks, Chris

      1. Revisiting this and started from scratch. When creating my Process Builder process I do not get the flow variable option like you show. Without that I’m not able to pass the userID to the flow, am I missing something?

      2. Noticed it right after I sent the reply. Works perfect!!! Thanks for creating this, it will take a few minutes out of every user set up I do.

  21. 1) Navigate to Setup | Build | Create | Workflow & Approvals | Process Builder and click on the New button to create the new Process
    2) Enter the Process Name, Description and API Name, Once done click on Save button as shown in the following screenshot
    https://rakeshistom.files.wordpress.com/2015/03/define-process-criteria.png
    3) Now Click on Object then Select the User Object and Evaluation Criteria for Process, as shown in the following screenshot
    https://rakeshistom.files.wordpress.com/2015/03/evaluation-criteria5.png
    Once done click on Save button
    4) Next step is to add Process Criteria, To do that Click on Add Criteria, Please refer to the following screenshot for more details
    https://rakeshistom.files.wordpress.com/2015/03/process-criteria10.png
    Once done click on Save button.
    5) Next task is to add one Immediate Actions i.e. Flows, Please refer to the following screenshot for more detail
    https://rakeshistom.files.wordpress.com/2015/03/launch-a-flow.png
    Once done click on Save button.
    7) Activate the Process. After you activate a process, you can no longer edit that process
