Using Flow to Assign Permission Set


A permission set is a collection of extra permissions and settings that extends users’ existing permissions. Permission sets can be used to give extra permissions to users without modifying their profiles. A user can have only one profile but can have multiple permission sets assigned. This way, you can keep the number of profiles in the system to a minimum and still give various permissions to specific people.

Permission sets can be assigned only to users. It is not possible to assign them to a public group, role, or profile. Read this article to learn more about permission sets.

There are two different ways to assign a permission set. The first is directly from the user record.

Assign permission set to a user

The second way is to open the permission set and click the Manage Assignments button.

Assigning a permission set

You have to go to Setup to perform both of these actions, which means that you need admin permissions.

However, using a flow, it is possible to build a screen that lets the current user select a user and a permission set to assign to him/her. This would be a great admin tool for manual assignments. It is also possible to build a record-triggered flow to automatically assign permission set(s) when a user becomes active. This is a great way to reduce manual work. You can read this post to learn about flow types and their differences.

Building a Screen Flow to Assign Permission Sets

1- Create a new screen flow and add a Screen element as the first element of the flow. Add a lookup element that will let you select a user. Then add a picklist element, which will display the permission sets in the system. To do so, create a record choice set that displays only the permission sets. If you want the flow to display only a few permission sets and not all of them, add your criteria.

permission set record choice set

The picklist field should display the label of the permission set but store the Id of the selected record. Optionally, store the label of the selected record as well; it will be useful when displaying a message to the user.

permission set record choice set configurations

Optionally, rename the Next/Finish button to “Assign”. This tells the user that nothing else is needed after clicking it, and indeed nothing is: the flow will do everything.

Your screen should look like this.

permission set assignment screen

2- Add a Get Record element and get the PermissionSetAssignment record to check if the selected user already has this permission set.

get permission set assignment record

3- Add a Decision element to check if the selected permission set is already assigned to the selected user.

decision element to check if the permission set is already assigned

4- If it is already assigned, you cannot assign it again, so you will need to display a message to the user. Add a new Screen element to display the message. Optionally, rename the Previous button to “Assign Another”. Since you stored the label of the selected permission set in the first step, use it in the error message. This will make the error clearer.

permission set assigned error message

5- If it has not been assigned before, create a new PermissionSetAssignment record to assign it to the selected user.

creating permission set assignment record

6- At the end of the flow, display a success message to let the user know that it was assigned successfully. Like you did in the 4th step, rename the Previous button as “Assign Another” and use variables in the message.

permission set was successfully assigned

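At the end, your flow should look like this. Optionally, make the flow run in the system context. In that context, any user who can run the flow can assign the permission sets it offers, so use the record choice set criteria from step 1 to limit which ones are listed.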

permission set assignment flow
screenshots of the flow in action

Record-Triggered Flow to Automatically Assign a Permission Set

Let’s create a record-triggered flow that will automatically assign a permission set called “SSO” when a user becomes active.

1- Create a Record-Triggered flow and choose to run it after create/update. Select User as the object and enter the criteria so that the flow runs only when a user becomes active.

trigger of the flow
record-triggered flow

2- Add a Get Records element to get the permission set record that is called “SSO”. To assign it, you need the Id of the permission set. You can use a hardcoded value but if you do so, don’t forget to change it after you deploy to other environments.

find the SSO permission

3- Add another Get Records to check if it is already assigned. In order to do so, you have to get the PermissionSetAssignment record according to the user Id and permission set Id that you got in the previous step.

get permission set assignment

4- Add a Decision element to check if the permission set is already assigned to the user.

decision to check if it is already assigned

5- If it is not assigned, then add a Create Record element to create a PermissionSetAssignment record. This action will assign the permission set to the user.

create permission set assignment record

At the end, your flow should look like this.

record triggered flow
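
The record-triggered flow above, written out as Apex so that the lookup, the duplicate check and the create step are explicit; the screen flow follows the same three steps. This is an added example, not code from the original post: the class and method names are hypothetical, and it assumes “SSO” is the permission set's API name. It stops with an error when the lookup finds no permission set, so no assignment is created with an empty permission set Id.

```apex
// Added example, not the author's code. Class and method names are hypothetical.
public with sharing class PermissionSetAssigner {

    public class AssignerException extends Exception {}

    // Mirrors the flow: Get Records -> Get Records -> Decision -> Create Records.
    public static List<PermissionSetAssignment> assignIfMissing(Set<Id> userIds, String permSetName) {
        // Step 2: look up the permission set by API name instead of hardcoding its Id.
        List<PermissionSet> sets = [
            SELECT Id
            FROM PermissionSet
            WHERE Name = :permSetName AND IsOwnedByProfile = false
            LIMIT 1
        ];
        // Guard: with no match the Id is empty and the insert would fail.
        if (sets.isEmpty()) {
            throw new AssignerException('Permission set not found: ' + permSetName);
        }
        Id permSetId = sets[0].Id;

        // Step 3: find users who already have this permission set.
        Set<Id> alreadyAssigned = new Set<Id>();
        for (PermissionSetAssignment psa : [
            SELECT AssigneeId
            FROM PermissionSetAssignment
            WHERE PermissionSetId = :permSetId AND AssigneeId IN :userIds
        ]) {
            alreadyAssigned.add(psa.AssigneeId);
        }

        // Steps 4 and 5: create an assignment only where none exists.
        List<PermissionSetAssignment> toCreate = new List<PermissionSetAssignment>();
        for (Id userId : userIds) {
            if (!alreadyAssigned.contains(userId)) {
                toCreate.add(new PermissionSetAssignment(
                    AssigneeId = userId,
                    PermissionSetId = permSetId
                ));
            }
        }
        insert toCreate;
        return toCreate;
    }
}
```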

These are some simple flows to assign permission sets. You can improve them and add more logic according to your needs. Don’t forget, the idea is to help the users. Try to automate the process to reduce time or give the users more capabilities that they cannot perform using the standard permission set assignment screen.


  1. But for a standard user without “Assign Permission Sets” AND “View Setup and Configuration”, is this approach still available?

    • If you run the flow in the system context, then any user can run this flow and assign permission sets. I tried now and it is working.

  2. Adding to Wayne’s comment, even running in the system context, the ‘non admin’ user receives this error: “An error occurred while trying to update the record. Please try again. insufficient access rights on cross-reference id”
    I think they need Modify User permissions for this to actually work? Also tried updating another custom field on the User Object and received the same message. I don’t think non-admin users have access, even if the Flow is running as System.

    • Hi Marcus,
      I tried it again with a non-admin user and it worked. However, I tried it with another user that has a Salesforce Platform license, and it didn’t work for that user. I thought it was related to the license but then I saw that the user didn’t have the Run Flows permission. After giving the permission, it worked for that user as well.
      So I can say that it is working for non-admin users too.

  3. Hi Yumi

    Thank you for this, it was very helpful.

    I have followed the guidance for a Record Triggered Flow but got an error – This error occurred when the flow tried to create records: INVALID_CROSS_REFERENCE_KEY: We can’t save this assignment because there’s no permission set ID or permission set group ID.. You can look up ExceptionCode values in the SOAP API Developer Guide.

    Are you able to advise?

    • Hi,

      In the step where the flow fails, do you see the permission set id? It looks like it is missing; at least that is what I understand from this error message.
