A permission set can be described as a collection of extra permissions and settings that extends users' existing permissions. Permission sets can be used to give extra permissions to users without modifying their profiles. A user can have only one profile, but can have multiple permission sets assigned. This way, you can keep the number of profiles in the system to a minimum while still giving various permissions to specific people.
Permission sets can be assigned only to users. It is not possible to assign them to a public group, role, or profile. Read this article to learn more about permission sets.
There are two different ways to assign a permission set. The first is directly from the user record.
The second is to open the permission set and click the Manage Assignments button.
You have to go to Setup to perform both of these actions, which means that you need admin permissions.
However, using a flow, it is possible to build a screen that lets the current user select a user and a permission set to assign to him/her. This would be a great admin tool for manual assignments. It is also possible to build a record-triggered flow that automatically assigns permission set(s) when a user becomes active. This is a great way to reduce manual work. You can read this post to learn about flow types and their differences.
Building a Screen Flow to Assign Permission Sets
1- Create a new screen flow and add a Screen element as the first element of the flow. Add a lookup component that lets you select a user. Then add a picklist component, which will display the permission sets in the system. In order to do so, create a record choice set that displays only the permission sets. If you want the flow to display only a few permission sets and not all of them, add your criteria.
The picklist field should display the label of the permission set but store the Id of the selected record. Optionally, store the label of the selected record as well; it will be useful when displaying a message to the user.
Optionally, rename the Next/Finish button to "Assign". This makes it clear to the user that there is nothing else to do. And indeed, the user doesn't need to do anything else; the flow will do everything.
Your screen should look like this.
Optionally, you can set an expiration date for the permission set assignment. If you do so, assigned users receive access to all aggregate permissions until the expiration date. In order to set the expiration date, add a date/time input field.
2- Add a Get Records element to get the PermissionSetAssignment record, in order to check whether the selected user already has this permission set.
3- Add a Decision element to check if the user already has the selected permission set.
4- If it already exists, you cannot assign it again, so you need to display a message to the user. Add a new Screen element to display the message. Optionally, rename the Previous button to "Assign Another". Since you stored the label of the selected permission set in the first step, use it in the error message. This will make the error clearer.
5- If it doesn't exist, create a new PermissionSetAssignment record to assign the permission set to the selected user.
If you want to set an expiration date, don't forget to populate the ExpirationDate field.
6- At the end of the flow, display a success message. Like you did in the 4th step, rename the Previous button to "Assign Another" and use variables in the message.
At the end, your flow should look like this. Optionally, make the flow run in the system context.
Record-Triggered Flow to Automatically Assign a Permission Set
Let's create a record-triggered flow that will automatically assign a permission set called "SSO" when a user becomes active.
1- Create a Record-Triggered flow and choose to run it after create/update. Select User as the object and enter the criteria so that the flow runs only when a user becomes active.
2- Add a Get Records element to get the "SSO" permission set. To assign it, you need the Id of the permission set. You can use a hardcoded value, but if you do so, don't forget to change it after you deploy to other environments.
3- Add another Get Records element to check if it is already assigned. In order to do so, get the PermissionSetAssignment record matching the user Id and the permission set Id that you got in the previous step.
4- Add a Decision element to check if the permission set is already assigned to the selected user.
5- If it doesn't exist, then add a Create Record element to create a PermissionSetAssignment record. This action will assign the permission set to the user.
Optionally, populate the expiration date field.
At the end, your flow should look like this.
These are some simple flows to assign permission sets. You can improve them and add more logic according to your needs. Don't forget, the idea is to help the users. Try to automate the process to save time, or give users capabilities that they cannot get from the standard permission set assignment screen.
Permission Assignment Expiration Considerations
If you set the ExpirationDate field on the PermissionSetAssignment record, assigned users receive access to all aggregate permissions until the expiration date. This means that, after the expiration date, the user will no longer have those permissions. However, the PermissionSetAssignment record will still exist in the system as inactive.
Assignments that expire are treated as soft-deletes. Moreover, SOQL queries don't return expired permission set assignments. You can still retrieve them using the ALL ROWS clause. However, there is no standard option to use the ALL ROWS clause in flow. Therefore, your Get Records element will not find the expired permission set assignments. This may cause an issue: if you then try to create a new PermissionSetAssignment record, the system will say that it is a duplicate value.
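Because a flow's Get Records element cannot see expired (soft-deleted) assignments, the duplicate check used in the record-triggered flow above can be moved into an invocable Apex action that queries with ALL ROWS. The class below is an added example, not code from the original post; the class name, the invocable variable names and the NONE/ACTIVE/EXPIRED status values are my own choices.

```apex
// Added example (not from the post): an invocable Apex action a flow can call
// instead of its Get Records element. It queries PermissionSetAssignment with
// ALL ROWS, so expired (soft-deleted) assignments are found too, and tells the
// flow whether a matching assignment is absent, active or expired.
public with sharing class PermissionSetAssignmentCheck {
    public class Request {
        @InvocableVariable(required=true) public Id userId;
        @InvocableVariable(required=true) public Id permissionSetId;
    }
    public class Result {
        @InvocableVariable public String status;   // NONE, ACTIVE or EXPIRED
        @InvocableVariable public Id assignmentId; // existing record, if any
    }
    @InvocableMethod(label='Check Permission Set Assignment (incl. expired)')
    public static List<Result> check(List<Request> requests) {
        Set<Id> userIds = new Set<Id>();
        Set<Id> psIds = new Set<Id>();
        for (Request req : requests) {
            userIds.add(req.userId);
            psIds.add(req.permissionSetId);
        }
        // One query for the whole batch. ALL ROWS exists only in Apex SOQL; it also
        // returns soft-deleted rows, which is how expired assignments are kept.
        Map<String, PermissionSetAssignment> byKey = new Map<String, PermissionSetAssignment>();
        for (PermissionSetAssignment psa : [
                SELECT Id, AssigneeId, PermissionSetId, ExpirationDate
                FROM PermissionSetAssignment
                WHERE AssigneeId IN :userIds AND PermissionSetId IN :psIds
                ALL ROWS]) {
            String k = key(psa.AssigneeId, psa.PermissionSetId);
            // Prefer an active row over an expired one for the same user/permission set.
            if (!byKey.containsKey(k) || isActive(psa)) {
                byKey.put(k, psa);
            }
        }
        List<Result> results = new List<Result>();
        for (Request req : requests) {
            PermissionSetAssignment psa = byKey.get(key(req.userId, req.permissionSetId));
            Result res = new Result();
            res.status = psa == null ? 'NONE' : (isActive(psa) ? 'ACTIVE' : 'EXPIRED');
            res.assignmentId = psa == null ? null : psa.Id;
            results.add(res);
        }
        return results;
    }
    // Active means no expiration, or an expiration still in the future.
    private static Boolean isActive(PermissionSetAssignment psa) {
        return psa.ExpirationDate == null || psa.ExpirationDate > Datetime.now();
    }
    private static String key(Id userId, Id permissionSetId) {
        return String.valueOf(userId) + ':' + String.valueOf(permissionSetId);
    }
}
```

In the flow, branch on the returned status: create the assignment only for NONE, and handle EXPIRED separately instead of attempting a second insert that the platform would reject as a duplicate.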
Read this post to learn how to use flow to assign a permission set with an expiration date.
But for a standard user without "Assign Permission Sets" AND "View Setup and Configuration", is this approach still available?
If you run the flow in the system context, then any user can run this flow and assign permission sets. I tried now and it is working.
Adding to Wayne's comment, even running in the system context, the 'non-admin' user receives this error: "An error occurred while trying to update the record. Please try again. insufficient access rights on cross-reference id"
I think they need Modify User permissions for this to actually work? Also tried updating another custom field on the User Object and received the same message. I don't think non-admin users have access, even if the Flow is running as System.
Hi Marcus,
I tried it again with a non-admin user and it worked. However, I tried it with another user that has a Salesforce Platform license, and it didn't work for that user. I thought it was related to the license, but then I saw that the user didn't have the Run Flows permission. After giving the permission, it worked for that user as well.
So I can say that it is working for non-admin users too.
Hi Yumi
Thank you for this, it was very helpful.
I have followed the guidance for a Record Triggered Flow but got an error - This error occurred when the flow tried to create records: INVALID_CROSS_REFERENCE_KEY: We can't save this assignment because there's no permission set ID or permission set group ID.. You can look up ExceptionCode values in the SOAP API Developer Guide.
Are you able to advise?
Hi,
In the step where the flow fails, do you see the permission set Id? It looks like it is missing; at least that is what I understand from this error message.
If you set an expiration on the permission set and the permission set expires, the permission set assignment record persists. However, when you query the Permission Set Assignment object, you *cannot* retrieve the expired record, so you'll always get a duplicate permission set assignment error when trying to recreate the assignment.
Have you seen the same?
Hi Adam,
Yes, that's right. In the official documentation it says "SOQL queries don’t return user assignment information for permission assignments that expire. Assignments that expire are treated as soft-deletes. You can retrieve the expiring assignment information using the ALL ROWS clause."
So it is not possible to find this record using the standard elements of flow. However, when you try to create a new one, it will say that it is a duplicate.
I think we may need an Apex action for this. I will try to find a solution.
I found a solution for this issue and wrote a post. Let me know if it answers your question.
https://salesforcetime.com/2023/05/04/using-flow-to-assign-a-permission-set-with-an-expiration-date/
My screen one is all good, but for some reason the RTF is getting flagged at the Get Permission Assignment element, more specifically the PermissionSetID EQUALS Permission Set From. Can you explain what that is supposed to be?
Find all PermissionSetAssignment records where
AssigneeId Equals {!$Record.Id} (005Dn0000075DESIA2)
AND PermissionSetId Equals {!Find_AC_Permission_Set.PermissionsViewDeveloperName} (false)
Store the values of these fields in Get_Permission_Set_Assignment: Id
Result
Info
Failed to find records.
Hi,
I see a problem here:
PermissionSetId Equals {!Find_AC_Permission_Set.PermissionsViewDeveloperName} (false)
You have to use the Id of the permission set.
Hi, I am attempting to assign two permission sets with a record-triggered flow, but I keep getting an error.
"This error occurred when the flow tried to create records: INVALID_CROSS_REFERENCE_KEY: We can't save this assignment because there's no permission set ID or permission set group ID.. You can look up ExceptionCode values in the SOAP API Developer Guide."
Hi,
From the error message, I understand that the permission set id is missing. Can you check if you mapped that field?
Thank you for the article. Very helpful.
Would there be a way to add more than 1 permission while creating a new user in a flow?
For instance, I usually setup new users similarly to another user. This user may have 3 permission sets. Can I add all 3 at the same time, or would I need to build in the "Assign Additional Permissions" button like you did in the article?
You can get all 3 of these permission sets, then use Loop and Assignment elements to prepare a PermissionSetAssignment collection in the flow. Then you can create all of them at once.
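The loop-and-collection pattern described in this reply, as an added Apex example rather than code from the post (the class and method names are assumed): it resolves the permission sets by API name, skips the ones the user already holds, and inserts the remaining assignments in a single DML statement.

```apex
// Added example (not from the post): assign several permission sets to one user
// in one insert, skipping any the user already has. Mirrors the flow pattern of
// Get Records -> Loop/Assignment into a collection -> a single Create Records.
public with sharing class BulkPermissionSetAssigner {
    // Returns the assignments that were actually inserted.
    public static List<PermissionSetAssignment> assign(Id userId, Set<String> permissionSetNames) {
        // Resolve API names to Ids; the flow equivalent is a Get Records on PermissionSet.
        Map<Id, PermissionSet> wanted = new Map<Id, PermissionSet>(
            [SELECT Id, Name FROM PermissionSet WHERE Name IN :permissionSetNames]);
        // Collect the user's existing (active) assignments so no duplicates are created.
        Set<Id> alreadyAssigned = new Set<Id>();
        for (PermissionSetAssignment psa : [
                SELECT PermissionSetId FROM PermissionSetAssignment
                WHERE AssigneeId = :userId AND PermissionSetId IN :wanted.keySet()]) {
            alreadyAssigned.add(psa.PermissionSetId);
        }
        // Build the collection in a loop, then perform one DML for all of them.
        List<PermissionSetAssignment> toInsert = new List<PermissionSetAssignment>();
        for (Id psId : wanted.keySet()) {
            if (!alreadyAssigned.contains(psId)) {
                toInsert.add(new PermissionSetAssignment(
                    AssigneeId = userId, PermissionSetId = psId));
            }
        }
        insert toInsert;
        return toInsert;
    }
}
```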
How can I add a send email option at the end of the flow, after the user is assigned to a permission set?
Hi,
I didn't understand the question well, but you can send an email using the Send Email core action.