Big Idea or Enduring Question:
- How can organizations streamline and automate Salesforce user access management to enhance security, compliance, and operational efficiency – without relying on manual processes or custom automation?
Objectives:
After reading this blog, you’ll be able to:
- Understand how User Access Policies simplify and automate user access management in Salesforce.
- Seamlessly assign users to the right Permission Sets, Groups, and Licenses, eliminating manual work.
- Effortlessly manage user membership in Public Groups and Queues without intervention.
- Grant Package Licenses dynamically, without the need for custom automation.
- Ensure security and compliance by automatically revoking access when no longer needed.
- And much more!
Business Use case
Emma Johnson, a Salesforce Administrator at Gurukul on Cloud (GoC), struggles with the manual and time-consuming process of managing user access. Each time an employee joins, changes roles, or leaves, she must update profiles, permission sets, and role assignments manually.
Her manager tasks her with automating user access management to improve efficiency and security. Seeking guidance, Emma turns to her mentor, Joe Smith, who suggests a hands-on approach to learning User Access Policies.
Joe proposes this solution: When a new user is created with the Role: Eastern Sales Team, the system should automatically grant:
- Permission Set License – Field Service Dispatcher
- Permission Set Group – Eastern Sales Team
- Package License – FSL Summer 2024
- Public Group – Sales Team Eastern
- Queue – Sales Team Global
Think Beyond Apex & Flow: The Smarter Way to Automate User Access
Most of the time, when we Salesforce professionals design a solution, we immediately think, “Hey, we can do this using Apex code or Flow.” However, this is one of our biggest mistakes because we don’t always keep ourselves up to date with Salesforce releases.
In many organizations, when it comes to automatically granting the right access to users upon creation or updates (such as job duty changes), we often rely on Custom Metadata, Flow, or Apex. But now, there’s another way that may better fulfill our requirements.
With User Access Policies, Salesforce now offers a rule-based framework that automates access management without custom development. This not only simplifies the process but also ensures compliance, reduces errors, and enhances efficiency – allowing admins to focus on more strategic tasks instead of repetitive user provisioning.
Simplifying User Access Management with User Access Policies
With User Access Policies, there’s no need to manually assign or revoke user access for different features separately. Instead, you can automate both provisioning and revocation in a single step, ensuring consistency, reducing manual effort, and improving efficiency.
With this approach, you can easily add or remove users from:
- Permission Sets
- Permission Set Groups
- Permission Set Licenses
- Package Licenses
- Public Groups
- Queues
By leveraging User Access Policies, you can simplify access control, enhance security and compliance, and save valuable admin time – all without relying on custom automation.
Automation Champion Approach (I-do):
Now, let’s bring User Access Policies to life to fulfill Joe’s business requirement seamlessly. Joe proposes that when a new user is created with the Role: Eastern Sales Team, the system should automatically grant the necessary access without manual intervention:
- Permission Set License – Field Service Dispatcher
- Permission Set Group – Eastern Sales Team
- Package License – FSL Summer 2024
- Public Group – Sales Team Eastern
- Queue – Sales Team Global
Step 1: Enable User Access Policies
Before using User Access Policies, they must be enabled in Salesforce Setup. Enabling this feature allows admins to automate user access provisioning without using Flows, Apex, or other custom automation.
- Click Setup.
- In the Quick Find box, type User Management Settings, and select it.
- Enable the feature by toggling Enable User Access Policies and Enhanced Interface for User Access Policies ON.

Step 2: Create a New User Access Policy
Now that User Access Policies are enabled, the next step is to create a policy that will automate access assignment.
- Click Setup.
- In the Quick Find box, type User Access Policies, and select it.
- Click New User Access Policy, and enter the following details:
  - Name: Eastern Sales Team Access
  - Order: 1
  - Description: Automatically grants access for users assigned to the Eastern Sales Team role.
- Click Save.

Step 3: Define User Criteria
Now that the User Access Policy is created, the next step is to define user criteria to ensure the policy is applied only to the intended users. In this case, we want it to trigger for users assigned to the Eastern Sales Team role.
- On the User Access Policies for Eastern Sales Team Access page, click Edit Criteria.

- Navigate to the Define User Criteria section and configure the following:
  - Resource: Role
  - Operator: Equals
  - Value: Eastern Sales Team
- Click Save.

Step 4: Configure Access Assignments
Now that we have defined the user criteria, the next step is to assign the necessary access that users will receive when they meet the policy conditions. This ensures that users in the Eastern Sales Team role are automatically granted the appropriate permissions, licenses, and group memberships without manual intervention.
- On the User Access Policies for Eastern Sales Team Access page, click Edit Criteria.

- Navigate to the Define Actions section and configure the following access types one by one:
  - Row 1:
    - Action: Grant
    - Target: Package License
    - Value: FSL Summer 2024
    - Click Add Action
  - Row 2:
    - Action: Grant
    - Target: Permission Set License
    - Value: Field Service Dispatcher
    - Click Add Action
  - Row 3:
    - Action: Grant
    - Target: Permission Set Group
    - Value: Eastern_Sales_Team
    - Click Add Action
  - Row 4:
    - Action: Grant
    - Target: Group
    - Value: Sales_Team_Eastern
    - Click Add Action
  - Row 5:
    - Action: Grant
    - Target: Queue
    - Value: Sales_Team_Global
- Click Save.

Step 5: Automate and Activate the Policy
Now that the User Access Policy is fully configured, the final step is to activate it so it starts automatically provisioning access based on the defined criteria. Once activated, Salesforce will continuously evaluate users against this policy and grant or revoke access as needed, ensuring seamless user management.
- On the User Access Policies for Eastern Sales Team Access page, navigate to the Automate Policy section and click Automate Policy.

- Under Trigger the Policy, select Only when a user is created to ensure the policy runs upon user creation.

- Click Activate to enable the policy.
Proof of Concept
Feel free to modify the User Access Policy as needed to align with evolving business requirements.
Things to Remember
- An action performed by a User Access Policy can’t trigger another User Access Policy.
- The Recent User Access Changes section only displays active policy changes; overridden changes won’t appear.
- Policies targeting Public Groups or Queues apply only to directly added users, not those added via roles, territories, or nested groups.
- Updating Public Group memberships in bulk can cause long recalculations or timeouts; defer sharing calculations before applying policies.
- You can have up to 200 active User Access Policies; complex filters can slow down application time.
- When multiple policies are triggered, the one with the lowest Order value is applied first.
- Active policies apply only when a user record is updated to match the criteria, not retroactively.
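The policy built above contains only Grant actions and is triggered only when a user is created, so users who already held the role and users who later change roles fall outside it. The following audit is an added example, not part of the original post or of Salesforce: it expresses the policy from Steps 2 to 4 as data and compares it with a constructed snapshot of users. The usernames, the Western Sales Team role and the snapshot format are assumptions.

```python
from dataclasses import dataclass, field

# The policy from Steps 2-4 as data: role criteria plus (target, value) grants.
POLICY = {
    "name": "Eastern Sales Team Access",
    "role": "Eastern Sales Team",
    "grants": {
        ("Package License", "FSL Summer 2024"),
        ("Permission Set License", "Field Service Dispatcher"),
        ("Permission Set Group", "Eastern_Sales_Team"),
        ("Group", "Sales_Team_Eastern"),
        ("Queue", "Sales_Team_Global"),
    },
}

@dataclass
class User:
    username: str
    role: str
    access: set = field(default_factory=set)  # direct (target, value) assignments

def audit(users, policy):
    """Return (missing, stale): grants a matching user lacks, and policy
    grants still held by users whose role no longer matches the criteria."""
    missing, stale = {}, {}
    for u in users:
        held = u.access & policy["grants"]
        if u.role == policy["role"]:
            if held != policy["grants"]:
                missing[u.username] = sorted(policy["grants"] - held)
        elif held:
            stale[u.username] = sorted(held)
    return missing, stale

# Constructed sample snapshot (hypothetical users, not real org data).
USERS = [
    User("new.hire@goc.example", "Eastern Sales Team", set(POLICY["grants"])),
    # Held the role before activation: a create-only trigger never ran for them.
    User("veteran@goc.example", "Eastern Sales Team",
         {("Group", "Sales_Team_Eastern")}),
    # Changed role afterwards: the policy has no Revoke action to undo grants.
    User("moved@goc.example", "Western Sales Team", set(POLICY["grants"])),
]

if __name__ == "__main__":
    missing, stale = audit(USERS, POLICY)
    for label, found in (("MISSING", missing), ("STALE", stale)):
        for name, items in found.items():
            print(label, name, items)
```

In a real org the snapshot would be built from exports of the standard objects PermissionSetAssignment, PermissionSetLicenseAssign, UserPackageLicense and GroupMember; only direct GroupMember rows count, matching the note above about Public Groups and Queues.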
Formative Assessment:
I want to hear from you!
What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.


I think the solution described in the article is not addressing the revocation of the PS, PSL, Group, Queue, etc., when the user’s role is changed, and this may be a very important aspect to keep in mind when facing this kind of requirement.