Auto Assign or Remove Permission Set to Multiple Users

Last Updated on May 2, 2022 by Rakesh Gupta

Big Idea or Enduring Question:

Permission Sets are helpful for providing a particular set of functionalities to a user in addition to the permissions provided by their Profile. For example, you may want to allow only a few of your sales users to convert leads. In this case, rather than having a special sales profile with the convert lead permission, you can create a permission set and assign it to a specific user. What if you only want a permission set assigned for a designated time and don’t want to forget to remove it later?

  • Assign a permission set for a specific time period, e.g. 01-Jan-2022 to 15-Jan-2022 (a defined start and end time)
  • Remove a permission set from a user on a future date, e.g. 31-Aug-2021

I have written a few articles on Permission Sets and automation. Why not check them out while you are at it?!

  1. Getting Started with Salesforce Flow – Part 53 (Clone a User with their associated Public Group, Queue Membership, and Permission Sets)
  2. Getting Started with Salesforce Flow – Part 24 (Automatically Assign Permission Sets to New User)

Objectives:

After reading this article, you will be able to:

  • Use a Schedule-Triggered Flow to assign or remove a permission set automatically on a specified date
  • Follow the best practice for referring to a Permission Set in a Record-Triggered Flow
  • Use a Decision element to check whether a record variable or record collection variable contains a record
  • Assign a permission set to users on the 1st day of the month
  • Remove the permission set from the users on the 6th day of the month
  • Monitor the scheduled flow job queue

Business Use Case 

Brenda David is a System Administrator at Universal Containers (UC). Management at UC has announced an initiative to allow their employees to update or delete vacation requests instead of sending a request via email to HR. To do this, users will need special permissions, such as update or delete on vacation requests (a custom object), that are outside their standard permissions. They should only have access from the 1st day through the 5th day of every month (grant access for the first five days of the month).

Automation Champion Approach (I-do):

While this can be solved using various automation tools like Apex, etc., we will use a Schedule-Triggered Flow.

Before proceeding, you have to understand the PermissionSetAssignment object. It represents the association between a User and a PermissionSet. Below are the key fields from the PermissionSetAssignment object:

Field Name | Details
PermissionSetId | ID of the PermissionSet to assign to the user specified in AssigneeId.
AssigneeId | ID of the User to assign the permission set specified in PermissionSetId.

Before discussing the solution, let me show you a diagram of a Process Flow at a high level. Please spend a few minutes to go through the following Flow diagram and understand it. Let’s begin building this automation process.

Guided Practice (We-do):

There are 2 steps to solve Brenda’s business requirement using Scheduled-Triggered Flow. We must:

  1. Create a permission set – Modify Vacation Request
  2. Salesforce Flow Steps:
    1. Define flow properties for the schedule-triggered flow
    2. Add a formula to get the day from a date
    3. Add a Get Records element to find the permission set Id
    4. Add a Decision element to check the permission set Id from the record variable (from step 2.3)
    5. Add a Get Records element to find the permission set assignment Id
    6. Add a Decision element to check the permission set assignment Id from the record variable (from step 2.5) and the day of the month
    7. Add a Create Records element to assign the permission set
    8. Add a Delete Records element to remove the permission set

Step 1: Create a Permission Set 

  1. Click Setup.
  2. In the Quick Find box, type Permission Sets.
  3. Select Permission Sets, then click New.
  4. Label the Permission Set, then press the Tab key; the API Name will auto-populate.
  5. Click Save.

Step 2.1: Salesforce Flow – Define Flow Properties 

    1. Click Setup.
    2. In the Quick Find box, type Flows.
    3. Select Flows then click on the New Flow.
    4. Select the Schedule-Triggered Flow option and click on Next and configure the flow as follows: 
      1. How do you want to start building: Freeform
      2. Set Schedule
        1. Start Date: Apr 27, 2021
        2. Start Time: 12:00 AM
        3. Frequency: Daily
        4. Click Done.
      3. Select Object: User
    5. Select All Conditions Are Met (AND).
    6. Set Condition
      1. Row 1
        1. Field: User | IsActive
        2. Operator: Equals 
        3. Value: {!$GlobalConstant.True}
      2. + Add Condition 
      3. Row 2
        1. Field: User | UserType
        2. Operator: Equals 
        3. Value: Standard 
    7. Click Done.

Step 2.2: Salesforce Flow – Create a Formula to Get Day from Date 

  1. Under Toolbox, select Manager, then click New Resource to create a formula to get day from date. 
  2. Input the following information: 
    1. Resource Type: Formula
    2. API Name: forNDaysOfMonth
    3. Data Type: Number
    4. Decimal Places: 0
    5. Formula: DAY({!$Flow.CurrentDate})
  3. Click Done.

Step 2.3: Lightning Flow – Adding a Get Record Element to Find the Permission Set Id

The next step is to use the Get Records element to find the permission set Modify Vacation Request. To do that, follow the instructions below:

  1. Under Toolbox, select Element
  2. Drag-and-drop Get Records element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Select the Permission Set object from the dropdown list.
  5. Select All Conditions Are Met (AND)
  6. Set Filter Conditions
    1. Row 1:
      1. Field: Name
      2. Operator: Equals
      3. Value: Modify_Vacation_Request
  7. How Many Records to Store:
    1. select Only the first record
  8. How to Store Record Data:
    1. Choose the option to Automatically store all fields
  9. Click Done.

Step 2.4: Salesforce Flow – Using Decision Element to Check the Permission Set Id from the Record Variable (from step 2.3)

Now we will use the Decision element to check the Record Variable from step 2.3 to find if it returns the permission set id or not. 

  1. Under Toolbox, select Element
  2. Drag-and-drop Decision element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Under Outcome Details, enter the Label; the API Name will auto-populate.
  5. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!Get_Permission_Set}
      2. Operator: Is Null 
      3. Value: {!$GlobalConstant.False}
  6. Click Done.

Step 2.5: Lightning Flow – Adding a Get Record Element to Find the Permission Set Assignment Id

The next step is to use the Get Records element to find the permission set assignment Id. To do that, follow the instructions below:

  1. Under Toolbox, select Element
  2. Drag-and-drop Get Records element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Select the Permission Set Assignment object from the dropdown list.
  5. Select All Conditions Are Met (AND)
  6. Set Filter Conditions
    1. Row 1:
      1. Field: AssigneeId
      2. Operator: Equals
      3. Value: {!$Record.Id}
    2. + Add Condition 
    3. Row 2:
      1. Field: PermissionSetId
      2. Operator: Equals
      3. Value: {!Get_Permission_Set.Id}
  7. How Many Records to Store:
    1. select Only the first record
  8. How to Store Record Data:
    1. Choose the option to Automatically store all fields
  9. Click Done.

Step 2.6: Salesforce Flow – Using Decision Element to Check the Permission Set Assignment Id from the Record Variable (from step 2.5) and Day of Month 

We will use the Decision element to check the Record Variable from step 2.5 to find if the permission set is assigned to the user or not with the day of the month. There are two possibilities:

    • If today is the first day of the month and the permission set is not assigned to the user, then assign the permission set.
    • If today is the sixth day of the month and the permission set is assigned to the user, remove the permission set.

  1. Under Toolbox, select Element
  2. Drag-and-drop Decision element onto the Flow designer. 
  3. Enter a name in the Label field; the API Name will auto-populate.
  4. Under Outcome Details, enter the Label (Add Permission Set); the API Name will auto-populate.
  5. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!Get_Permission_Set_Assignment}
      2. Operator: Is Null 
      3. Value: {!$GlobalConstant.True}
    2. + Add Condition 
    3. Row 2:
      1. Field: {!forNDaysOfMonth}
      2. Operator: Equals
      3. Value: 1
  6. Now add a second outcome to the Decision element.
  7. Under Outcome Details, click on the +
  8. Under Outcome Details, enter the Label (Remove Permission Set); the API Name will auto-populate.
  9. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!Get_Permission_Set_Assignment}
      2. Operator: Is Null 
      3. Value: {!$GlobalConstant.False}
    2. + Add Condition 
    3. Row 2:
      1. Field: {!forNDaysOfMonth}
      2. Operator: Equals
      3. Value: 6
  10. Click Done.

Step 2.7: Salesforce Flow – Create Records to Add Permission Set

The next step is to add Permission Sets to Users. We will use the Create Records element. To do this, drag-and-drop the Create Records element onto the flow designer and map the fields according to the details below:

  1. Under Toolbox, select Elements. Drag and drop Create Records onto the canvas. 
  2. Input the following information:
    1. Enter a Label; the API Name will auto-populate.
    2. How Many Records to Create: One
    3. How to Set the Record Fields: Use separate resources, and literal values
    4. Object: PermissionSetAssignment
    5. Set Field Values for the Permission Set Assignment
    6. Row 1:
      1. Field: AssigneeId
      2. Value: {!$Record.Id}
    7. Click Add Row
    8. Row 2:
      1. Field: PermissionSetId
      2. Value: {!Get_Permission_Set.Id}
  3. Click Done.

Step 2.8: Salesforce Flow – Add a Delete Records Element to Remove Permission Set

The next step is to remove Permission Sets from Users. We will use the Delete Records element. To do this, drag-and-drop the Delete Records element onto the flow designer and map the fields according to the details below:

  1. Drag-and-drop Delete Records element onto the Flow designer. 
  2. Enter a name in the Label field; the API Name will auto-populate.
  3. For How to Find Records to Delete select Use the IDs stored in a record variable or record collection variable.
  4. Select Record(s) to Delete
    1. Record or Record Collection: {!Get_Permission_Set_Assignment}
  5. Click Done.

In the end, Brenda’s Flow will look like the following screenshot (I turned on Auto-Layout) for this flow:

Once everything looks good, perform the steps below: 

  1. Click Save.
  2. Enter the Flow Label; the API Name will auto-populate.
  3. Click Show Advanced.
  4. Type: Schedule-Triggered Flow
  5. API Version for Running the Flow: 52
  6. Interview Label: Auto Add or Remove Permission Set {!$Flow.CurrentDateTime}
  7. Click Save.

Almost there! Once everything looks good, click the Activate button.  

Monitor Your Schedule Flow

To monitor Flows that are scheduled, navigate to the following path: 

  1. Navigate to Setup (Gear Icon) | Environments | Jobs | Scheduled Jobs.
  2. Now look for your Scheduled Flow displaying information as shown in the following screenshot:
  3. Use the Del link to delete the Scheduled Flow job from the queue.

Proof of Concept

Every night at 12:00 AM, a scheduled job will run and add or remove the permission set for each user based on the day of the month.

  1. On 1st day of the month, navigate to the User record and confirm permission set Modify vacation request has been assigned.
  2. On 6th day of the month, navigate to the User record and confirm permission set Modify vacation request has been removed.
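
The Decision element in step 2.6 acts only when the day of the month is exactly 1 or exactly 6, so a run that does not happen on the 6th leaves the permission set assigned until the following month. The Python model below is an added example, not part of the original article or of Salesforce; the function names, the constructed dates and the window-based variant are assumptions used to compare the two decision rules.

```python
from datetime import date, timedelta

WINDOW = range(1, 6)  # days 1-5: the access window from the business use case

def flow_decision(day, assigned):
    """Step 2.6 as built in the article: act only on day 1 and on day 6."""
    if not assigned and day == 1:
        return "assign"
    if assigned and day == 6:
        return "remove"
    return "none"

def window_decision(day, assigned):
    """Hypothetical variant (not the article's design): compare against the
    whole window, so a later run repairs what an earlier run missed."""
    if not assigned and day in WINDOW:
        return "assign"
    if assigned and day not in WINDOW:
        return "remove"
    return "none"

def simulate(decision, start, days, skipped=(), manual_grants=()):
    """Run the daily job for one user and return the dates on which the user
    still holds the permission set outside the window after the job slot."""
    assigned, exposed = False, []
    for offset in range(days):
        today = start + timedelta(days=offset)
        if today in manual_grants:   # an admin assigns the set by hand
            assigned = True
        if today not in skipped:     # skipped: job failed or user was inactive
            action = decision(today.day, assigned)
            if action == "assign":
                assigned = True
            elif action == "remove":
                assigned = False
        if assigned and today.day not in WINDOW:
            exposed.append(today)
    return exposed

# Constructed scenario: May and June 2022, the run on 6 May does not happen.
START = date(2022, 5, 1)
MISSED = {date(2022, 5, 6)}

def exposure_report():
    """Count out-of-window days for each rule under the same missed run."""
    return {
        "as_built": len(simulate(flow_decision, START, 61, skipped=MISSED)),
        "window": len(simulate(window_decision, START, 61, skipped=MISSED)),
    }

if __name__ == "__main__":
    print(exposure_report())
```

The same model also covers users who were inactive on the 6th (the flow only processes active users) and assignments made by hand after the 6th, via the `skipped` and `manual_grants` arguments.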

Formative Assessment:

I want to hear from you!  

What did you learn from this post, is it relevant to you, and how will you modify the concepts taught in the post for your own business processes?  

Make a post and tag me on Twitter @automationchamp using #AutomationChampionFlow.


16 thoughts on “Auto Assign or Remove Permission Set to Multiple Users”

  1. Yes! I just answered a NGO’s request on a Trailblazer Community Group with a link to your article. Thank you, Rakesh!

    Their use case is “I don’t want to allow everyone delete access on Accounts & Contacts, but they need to merge duplicates. How can we do that?”
    My answer is to create a permission set with delete access, then assign it to the Account & Contact Merge Guru. This can be automated to grant that permission only rarely – calendar dates like your idea might be perfect.

    As always, Rakesh: I love your work. Keep it up!

    1. Hey Charles, thanks for the great comment. Hearing stuff like this makes my day.

  2. Thanks for sharing this!!

    I followed the steps but my flow is not able to find the permission set.
    The user I want to assign the permission to, the license should be “Salesforce”?
    Any idea what the issue could be?

    1. Rakesh Gupta – Mumbai – 9x Salesforce MVP | Senior Solution Architect | 8x Author | 5x Dreamforce Speaker | Salesforce Coach | Co-host of AutomationHour.com and AppXchangeHour.Com

      I’m glad you’re enjoying the posts 🙂

  3. Hi Rakesh,

    I see that you are holding the permission set ID at the header of the user record, how would you manage the assignment of multiple permission sets being assigned on creation of a user without having to create a unique field to hold each permission set ID or would this have to be handled via a trigger?

    Thanks,
    Brenden

    1. Rakesh Gupta – Mumbai – 9x Salesforce MVP | Senior Solution Architect | 8x Author | 5x Dreamforce Speaker | Salesforce Coach | Co-host of AutomationHour.com and AppXchangeHour.Com

      There are multiple ways to handle it. For example, use text area field to save the IDs of several Permission Sets and then in the Flow parse it to a collection variable.

  4. Hi Rakesh,

    Thanks for your topics it’s very useful.

    I try to automatically add permission set to user but I think I miss something.
    The 2 conditions in my process builder are :
    – the user role name must contain “ABC”
    – the marketing user checkbox must be checked

    Everything works well, except when I want to edit a user who has no assigned role, I meet an error. Do you know if I did something wrong?

    Here the Salesforce error when i try to save : Workflow Action Failed to Trigger Flow
    The record couldn’t be saved because it failed to trigger a flow. A flow trigger failed to execute the flow with version ID 3017E000000ADAT. Flow error messages: <b>An unhandled fault has occurred in this flow</b><br>An unhandled fault has occurred while processing the flow. Please contact your system administrator for more information. Contact your administrator for help.

    Here the flow error by mail : An error occurred at element myDecision (FlowDecision).
    The flow failed to access the value for myVariable_current.UserRole.Name because it hasn’t been set or assigned.

    Thanks for help,

    Ludovic

    1. Thanks for the feedback, Ludovic! I am glad this was useful!

      Seems like user doesn’t have a Role defined. Make sure to add one additional line in your Process Builder criteria as follow

      Role is null False

      1. Hi Rakesh,

        Yes you are right, search “EML” in role name when role is blank gives an error. In my process builder, I had to include a condition to handle cases where role is blank.

        to automatically add the permission set:
        AND(
        NOT(ISBLANK([User].UserRoleId)),
        CONTAINS([User].UserRole.Name, "EML"),
        [User].UserPermissionsMarketingUser=TRUE
        )
        to automatically remove the permission set:
        OR(
        ISBLANK([User].UserRoleId),
        NOT(CONTAINS([User].UserRole.Name, "EML")),
        NOT([User].UserPermissionsMarketingUser)
        )

        It seems to be important that the condition concerning blank role comes before “EML” condition in formula. Can you confirm?

        Thanks again for your help,

        Ludovic
