A permission set extends users' existing permissions with extra permissions and settings, without modifying their profiles. Users can have multiple permission sets assigned to them, even though they can have only one profile. This lets the system keep the number of profiles to a minimum while granting specific people various permissions. Although permission sets have been around for a long time, there was no option to set an expiration date. After a long time, Salesforce introduced an option to assign a permission set with an expiration date. Now it is possible to set an expiration date on a permission set or permission set group assignment for a user.
How to Use Flow to Assign a Permission Set
In order to assign a permission set to a user, you have to create a PermissionSetAssignment record. This object stores the AssigneeId (Id of the user) and PermissionSetId (or PermissionSetGroupId). Optionally, you can set an expiration date by populating the ExpirationDate field. You should make sure that the expiration date is in the future. Read this post to learn how to use a flow to assign a permission set.
Before you create the Permission Set Assignment record, make sure that the user doesn't already have it. Otherwise, you will get an error that it is a duplicate record.
Here comes the problematic part. If a permission set assignment has an expiration date and the date has passed, the assignment becomes inactive. This means that the permission set assignment record still exists in the system, but as an inactive record.
Okay, what is the problem?
Well, there is a big problem. According to the official Salesforce documentation, assignments that expire are treated as soft-deletes. Moreover, SOQL queries don’t return the expired permission set assignments. You can still retrieve them using the ALL ROWS clause. However, there is no standard option to use the ALL ROWS clause in a flow. Therefore, your Get Records element will not find the expired permission set assignments. This may cause an issue because if you try to create a PermissionSetAssignment record, the system will say that it is a duplicate value.
As you can see, a SOQL query finds the inactive permission set assignment record.
However, the Get Records element cannot find this inactive record.
How to Find the Expired Permission Set Assignments
The standard Get Records element cannot retrieve deleted records. Moreover, you cannot find the inactive permission set assignment records in the recycle bin. It is possible to find them using a SOQL query, but it is not possible using the standard elements.
In order to get records by writing a SOQL query, you should install this action from UnofficialSF. This action lets you execute a SOQL query and returns a collection of records.
Let's see an example.
Build a Screen Flow to Assign a Permission Set with an Expiration Date
1- Create a screen flow and add a screen element. Add selection components in order to select a permission set and a user. In this example, we have Choice Lookup components for user and permission set selection. Then, add a date field for the permission set assignment expiration date.
2- Create a text template for the SOQL query that you want to run. Note that it has 'ALL ROWS' at the end. This clause makes the query return the deleted records as well.
3- Add the 'Execute SOQL Query' action that you installed. Select PermissionSetAssignment as the object and then select the text template that you created.
4- Add a decision element to check the result of this action. If it is null, it means that you can assign the permission set.
In order to assign the permission set, create a Permission Set Assignment record using the selected values.
5- This Apex action returns a record collection. Therefore, add a loop and an assignment element to take the one and only record. Note that 'ExistingPermissionSetAssignment' is a record variable.
6- Add a screen element that has a selection component with choices like 'Change Expiration Date', 'Delete', and 'Cancel'. Optionally, display some information about the existing permission set assignment record. You can use a display text, a data table, or this custom read-only screen component package.
Add a date field and make it visible only if the user selects 'Change Expiration Date'.
7- Add a decision element to understand what to do.
8- If the user wants to delete the existing permission set assignment, simply use the standard Delete Records element.
If the user wants to change the expiration date, use an assignment element to change the expiration date and update the record.
If the user wants to cancel, go to the next element.
9- Add a screen element with a success message and connect all the final elements to this screen. Then add an error screen and connect all the fault paths to this screen.
End of the Flow
At the end, your flow should look like this.
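For comparison, here is the same duplicate check written in Apex, where ALL ROWS can be used directly and bind variables replace the text template. This is an added example, not part of the original post or of the UnofficialSF action; the class, method and exception names are hypothetical. It mirrors steps 2 to 5: look for an existing assignment including expired ones, create the record only if none exists, and otherwise hand the existing record back for the change, delete or cancel decision.

```apex
// Added example; class, method and exception names are hypothetical.
public with sharing class PermSetAssignmentService {
    public class AssignmentException extends Exception {}

    public class Result {
        public Boolean created;                     // true if a new record was inserted
        public PermissionSetAssignment assignment;  // new or pre-existing record
    }

    public static Result assignIfAbsent(Id userId, Id permissionSetId, Datetime expiresOn) {
        // The expiration date is optional, but if set it must be in the future.
        if (expiresOn != null && expiresOn <= Datetime.now()) {
            throw new AssignmentException('ExpirationDate must be in the future.');
        }

        // ALL ROWS also returns expired (soft-deleted) assignments, which a
        // plain query and the Get Records element do not see.
        // Bind variables keep the user and permission set Ids out of the query text.
        List<PermissionSetAssignment> existing = [
            SELECT Id, AssigneeId, PermissionSetId, ExpirationDate, IsActive
            FROM PermissionSetAssignment
            WHERE AssigneeId = :userId
              AND PermissionSetId = :permissionSetId
            LIMIT 1
            ALL ROWS
        ];

        Result res = new Result();
        if (!existing.isEmpty()) {
            // Active or expired, inserting again would fail as a duplicate.
            // Return the record so the caller can change the date, delete or cancel.
            res.created = false;
            res.assignment = existing[0];
            return res;
        }

        PermissionSetAssignment psa = new PermissionSetAssignment(
            AssigneeId = userId,
            PermissionSetId = permissionSetId,
            ExpirationDate = expiresOn
        );
        insert psa;
        res.created = true;
        res.assignment = psa;
        return res;
    }
}
```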