Profile? So Yesterday! – Auto Assign Permission Set Group to a User

Last Updated on April 3, 2022 by Rakesh Gupta

Big Idea or Enduring Question:

  • How can you use Flow to automatically assign the permission set group to new users?

Has it only been five years since I wrote ‘auto-assign Permission Set to new users’? The article was written using Flow Trigger – now an obsolete functionality. You can read it here. Wow! How time flies! Similarly, just two years ago, I wrote another article showing how one can assign a Permission Set to new users using Process Builder and Flow.

Salesforce continues to transform at a lightning speed – yes, an understatement, I know! Three releases a year are keeping me on my toes! – making it harder and harder to keep my blogs abreast of the new features and functionalities! Whew! Hot out of the oven comes – Permission Set Group! Now, this is hot, indeed!

Let us taste it together!

What is a Permission Set Group?

Let us relish the moment and understand the Permission Set Group. For user access/management, we assign multiple permission sets to users – either manually or via automation. The onset of ‘Permission Set Group’ shows how time-consuming both these methods are!

What if we group permission sets – based either on (1) logical user groups or (2) the tasks performed by users – in a single entity and then assign the entity to users? Well, now we can! As shown in the following image, the Permission Set Group does just that!

A Permission Set Group comprises the multiple permission sets a user needs. Wait, this is not it! One can add and remove individual permissions from a Permission Set Group – using the permission muting feature – to ensure that users do not get permissions that are not relevant to their job functions!

For example, you can compile three permission sets – CRM User, Salesforce Console User, and the custom permission set View and Edit Convert Leads – in a group, a.k.a. the Permission Set Group. You can label the group as the ‘Sales Manager Users’ Permission Set Group – see image below.

Then, you can assign the ‘Sales Manager Users’ Permission Set Group, as a single entity, to your users instead of the three different permission sets.

Now suppose you assigned the ‘Sales Manager Users’ Permission Set Group to User A. Then comes User B. In addition to all the permission sets contained in the ‘Sales Manager Users’ Permission Set Group, User B also needs the Manage External Users permission set.

Now what? No worries! Clone the ‘Sales Manager Users’ Permission Set Group and add to it the ‘Manage External Users’ permission set and save it as a new Permission Set Group! You could say, name the new Permission Set Group as ‘External Sales Manager Users’. Simple!

Explore this article to learn more about the Permission Set Group. 

Business Use case

Martin Jones is a System Administrator at Gurukul on Cloud (GoC). Today he was going through the release notes and found that Permission Set Group is now generally available (GA). He just created a permission set group called ‘Sales Manager Users’. Now, Martin has a requirement to auto-assign the ‘Sales Manager Users’ Permission Set Group to all new users with the Sales Manager Role.

Automation Champion Approach (I-do):

To solve this requirement, we will use the Custom Metadata Types and After-save Record-Triggered Flow. Check out this article to understand why we are using after-save record-triggered flow for this scenario.

Before proceeding, let us understand the PermissionSetAssignment object in Salesforce. It represents an association between a User and a PermissionSet.

| Field Name | Details |
|---|---|
| AssigneeId | The ID of the user to assign the permission set. |
| PermissionSetGroupId | If associated with a permission set group, this is the ID of that group. |

Before discussing the solution, let me show you a diagram of a Process Flow at a high level. Please spend a few minutes going through the following Flow diagram and understand it.

We will create an automation that will work not only for the current scenario but also for other Roles. This means that, if Martin wants to automate the Permission Set Group assignment for other Roles (Sales Rep, Sales Director, VP of Sales), it should work without him having to modify the automation.

Let’s begin building this automation process.

Guided Practice (We-do):

There are 2 steps to solve Martin’s business requirement using Record-Triggered Flow. We must:

  1. Create custom metadata types to store user role and permission group mapping
  2. Salesforce Flow
    1. Define flow properties for record-triggered flow
    2. Formula to determine whether the user is created or updated
    3. Add a Decision element to check whether the user is created and has a user role populated 
    4. Add a get records element to find the permission set Id for a given role
    5. Add a decision element to check the record variable (from step 2.3)
    6. Add a Create Records element to assign a permission set group to a user 

Step 1: Create Custom Metadata Types to store User Role and Permission Set Group Mapping

  1. First, we will create a Custom Metadata Type to store Role Name and Permission Set Group Id mapping. 
    1. To create a new custom metadata type, navigate to Setup | Custom Code | Custom Metadata Types and click on the New Custom Metadata Type button. Now populate the form as shown in the following screenshot.
    2. Once you are done, click on the Save button.
    3. Create a Text field PS Group Id to store the Permission Set Group Id for each User Role. In the end, the User Role PS Group Mapping custom metadata type should look as follows.
    4. The next step is to insert a few records into the custom metadata type. Click on the Manage User Role PS Group mapping button on the custom metadata type detail page, and then click on New to insert some records, as shown in the following screenshot.

Step 2.1: Define Flow Properties

  1. Click Setup.
  2. In the Quick Find box, type Flows.
  3. Select Flows then click on the New Flow.
  4. Select the Record-Triggered Flow option, click on Create and configure the flow as follows:
    1. Object: User
    2. Trigger the Flow When: A record is created or updated
    3. Set Entry Criteria
      1. Condition Requirements: None
    4. Optimize the Flow For: Actions and Related Records
  5. Click Done.

Step 2.2: Formula to Determine Whether the user is Created or Updated

  1. Under Toolbox, select Manager, then click New Resource to determine whether the record is created or updated. 
  2. Input the following information:
    1. Resource Type: Formula
    2. API Name: forB_IsNew
    3. Data Type: Boolean
    4. Formula: IsNew()
  3. Click Done.

Step 2.3: Using Decision Element to Check Whether the User is Created/Updated and has a User Role Populated 

Now we will use the Decision element to check whether the user is created or updated and has a user role populated. 

  1. On Flow Designer, below the Run Immediately node, click on the + icon and select the Decision element.
  2. Enter a name in the Label field; the API Name will auto-populate.
  3. Under Outcome Details, enter the Label; the API Name will auto-populate.
  4. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!forB_IsNew}
      2. Operator: Equals
      3. Value: {!$GlobalConstant.True}
    2. Click Add Condition 
    3. Row 2:
      1. Resource: {!$Record.UserRoleId}
      2. Operator: Is Null
      3. Value: {!$GlobalConstant.False}
  5. When to Execute Outcome: If the condition requirements are met.
  6. Click Done.

Step 2.4: Adding a Get Record Element to Find Permission Set Group Id for a Given User

The next step is to use the Get Records element to find the permission set group id for a given role. 

  1. On Flow Designer, below the Created node, click on the + icon and select the Get Records element.
  2. Enter a name in the Label field; the API Name will auto-populate.
  3. Select the User Role PS Group Mapping object from the dropdown list.
  4. Select All Conditions Are Met (AND)
  5. Set Filter Conditions
    1. Row 1:
      1. Field: Label
      2. Operator: Equals
      3. Value: {!$Record.UserRole.Name}
  6. How Many Records to Store:
    1. select Only the first record
  7. How to Store Record Data:
    1. Choose the option to Automatically store all fields
  8. Click Done.

Step 2.5: Using Decision Element to Check If Permission Set Group Id was Found or Not 

Now we will use the Decision element to check the Record Variable from step 2.3 to find if the permission set group id was found or not.  

  1. On Flow Designer, click on the + icon and select the Decision element.
  2. Enter a name in the Label field; the API Name will auto-populate.
  3. Under Outcome Details, enter the Label; the API Name will auto-populate.
  4. Condition Requirements to Execute Outcome: All Conditions Are Met (AND)
    1. Row 1:
      1. Resource: {!Find_Permission_Set_Group}
      2. Operator: Is Null 
      3. Value: {!$GlobalConstant.False}
  5. When to Execute Outcome: If the condition requirements are met.
  6. Click Done.

   

Step 2.6: Add Create Records Element to Assign Permission Set Group to a User

Next, we will use the Create Records element to assign a Permission Set Group to a User.

  1. On Flow Designer, below the Yes node, click on the + icon and select the Create Records element.
  2. Enter a name in the Label field; the API Name will auto-populate.
  3. Input the following information:
    1. How Many Records to Create: One
    2. How to Set the Record Fields: Use separate resources, and literal values
    3. Object: Permission Set Assignment 
    4. Set Field Values for the Permission Set Assignment
    5. Row 1:
      1. Field: AssigneeId
      2. Value: {!$Record.Id}
    6. Click Add Field
    7. Row 2:
      1. Field: PermissionSetGroupId
      2. Value: {!Find_Permission_Set_Group.PS_Group_Id__c}
  4. Click Done.

In the end, Martin’s Flow will look like the following screenshot:

Once everything looks good, perform the steps below: 

  1. Click Save.
  2. Enter the Flow Label; the API Name will auto-populate.
  3. Click Show Advanced.
  4. API Version for Running the Flow: 54
  5. Interview Label: Auto Assign Permission Set Group {!$Flow.CurrentDateTime}
  6. Click Save.

Almost there! Once everything looks good, click the Activate button.  

Proof of Concept

Next time, when a User is created by a System Administrator at Gurukul on Cloud, the process we created (Using a Record-triggered Flow) will fire and assign Permission Set Group to the User based on his/her Role (In this scenario, Sales Manager Role). 

  1. Create a user and assign the Sales Manager Role to the user. Then, check Permission Set Assignment Group.
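
The Decision in Step 2.3 only continues when forB_IsNew is true, so the flow never touches users who existed before it was activated or whose role changed later. As an added example (not part of the original post), this Python check audits exported records for that drift; the sample IDs and the flattened UserRoleName column are constructed assumptions.

```python
# Constructed sample data (not real org IDs), shaped like exports of the
# custom metadata records, User, and PermissionSetAssignment.
ROLE_TO_PSG = {                      # Label -> PS_Group_Id__c
    "Sales Manager": "0PG_SALES_MANAGER",
    "Sales Rep": "0PG_SALES_REP",
}
USERS = [                            # UserRoleName: hypothetical flattened UserRole.Name
    {"Id": "005_ALICE", "UserRoleName": "Sales Manager"},
    {"Id": "005_BOB", "UserRoleName": "Sales Rep"},        # role changed after creation
    {"Id": "005_CAROL", "UserRoleName": "Sales Manager"},  # created before the flow was active
    {"Id": "005_DAVE", "UserRoleName": None},
]
ASSIGNMENTS = [
    {"AssigneeId": "005_ALICE", "PermissionSetGroupId": "0PG_SALES_MANAGER"},
    {"AssigneeId": "005_BOB", "PermissionSetGroupId": "0PG_SALES_MANAGER"},
    {"AssigneeId": "005_DAVE", "PermissionSetGroupId": None},  # plain permission set
]


def audit(users, mapping, assignments):
    """Compare each user's role-mapped group with the groups actually held.

    Returns (user_id, kind, group_id) tuples where kind is MISSING (role maps
    to a group the user lacks) or STALE (user holds a mapped group that the
    current role no longer justifies).
    """
    managed = set(mapping.values())
    held = {}
    for row in assignments:
        psg = row.get("PermissionSetGroupId")
        if psg in managed:  # skip plain permission sets and unmanaged groups
            held.setdefault(row["AssigneeId"], set()).add(psg)

    findings = []
    for user in users:
        expected = mapping.get(user.get("UserRoleName"))
        expected_set = {expected} if expected else set()
        actual = held.get(user["Id"], set())
        for psg in sorted(expected_set - actual):
            findings.append((user["Id"], "MISSING", psg))
        for psg in sorted(actual - expected_set):
            findings.append((user["Id"], "STALE", psg))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, ROLE_TO_PSG, ASSIGNMENTS):
        print(*finding)
```

STALE rows are the least-privilege concern: access granted for a role the user no longer holds.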

Great! You are done!

Now you can streamline your user access/management process by leveraging Permission Set Group! Availability of Permission Set Group will transform a super Admin into a super-duper Admin. No more lugging through multiple individual Permission Sets! What is there not to love?!

Formative Assessment:

I want to hear from you!

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.

Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!

7 thoughts on “Profile? So Yesterday! – Auto Assign Permission Set Group to a User”

  1. What happens if a user changes roles? I’m guessing we will have to add steps to the flow to remove the permission set and assign to permission set to the user.
