Business Use case

Sophia Reed is a Sr. System Administrator at Gurukul on Cloud (GoC). She refreshes sandboxes once every quarter. After each refresh, granting access to the sandbox is a time-consuming and redundant process. She recently learned that Salesforce has launched new features that can make her life easier.

What she wants is to automatically grant sandbox access to a public group named DevBiz Collaborators as soon as a sandbox is refreshed or created.

What Are Salesforce Sandboxes?

Salesforce Sandboxes are isolated environments that allow developers, administrators, and testers to build, test, and deploy changes without affecting the production org. These environments are essential for ensuring that new features, configurations, or integrations are thoroughly validated before being rolled out to end-users.

Uses of Salesforce Sandboxes

Development: Build and test new applications or features.
Testing: Conduct quality assurance, user acceptance testing, stress, and performance testing.
Training: Train users without risking production org data.
Integration: Test external system integrations safely.

By using Salesforce Sandboxes, organizations can maintain the integrity of their production org while innovating and adapting to business needs.

Why the Old Sandbox Access Method Falls Short

Before diving into Selective Sandbox Access, let’s take a moment to understand the challenges with the old approach and why Salesforce introduced this new feature.

By default, when a System Administrator creates or refreshes sandboxes, all active users in the source organization automatically gain access to the sandbox. However, only the user who creates the sandbox retains their email address in its original format (without the .invalid appended to it).

This means the System Administrator is tasked with removing the .invalid suffix from users’ email addresses, waiting for them to verify their updated email, and resetting their passwords if needed. Moreover, granting sandbox access to all active production users, even those who don’t need it, further complicates the process.

Unlocking the Power of Selective Sandbox Access

With Selective Sandbox Access, a Salesforce admin can grant sandbox access to a group of users by assigning them to a public group. The email addresses of users in this group remain in their original format, eliminating the need for manual modifications. Users outside the group will remain frozen, ensuring access is intentional and granted only when necessary. Additionally, this approach helps speed up sandbox creation and refresh processes!

When creating or refreshing a Developer or Developer Pro sandbox, access must be granted using a public group. For Partial Copy and Full sandboxes, Salesforce recommends granting access via a public group; however, you still have the option to allow access for all active users.

As of the Spring ’25 release, Selective Sandbox Access is not available when cloning a sandbox.

Perform the steps below to solve the above business use case:

Create a public group DevBiz Collaborators and add users to it.
When creating or refreshing a sandbox, select the public group. In the screenshot below, I am creating a partial sandbox and selecting the group DevBiz Collaborators created in Step 1.

From there, it’s the usual process: the sandbox will be created or refreshed, you’ll receive a notification once it’s ready, and no update the user’s email.

Formative Assessment:

I want to hear from you!

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.

Go back