
Managing user permissions is a critical part of any Salesforce implementation. Whether it’s assigning permission sets and permission set licenses or adding users to queues and public groups, automation is often the key to keeping things efficient and secure. In most cases, we reach for record-triggered flows to handle these tasks. But did you know Salesforce offers a dedicated automation tool specifically designed for managing user access? It's called User Access Policies, and it might be the simpler solution for certain use cases.
A Closer Look at User Access Policies
User Access Policies are a standard Salesforce feature that allows admins to automate access-related tasks based on predefined criteria. Whether it’s assigning permission sets, granting package licenses, or revoking access, these policies help streamline the process.
How to Enable the Feature
User Access Policies are not enabled by default. To use them, you need to enable the feature in User Management Settings. Once enabled, they become available in Salesforce Setup.

How to Create a New User Access Policy
To create a new User Access Policy, click the "New" button and provide a name. Enter an "Order" value to indicate which active policy is applied if a user meets the criteria for multiple policies. If a user record creation or update triggers more than one user access policy, the policy with the lowest Order value is applied.

Then, click the "Edit Criteria" button to set the conditions and actions.

You can select up to three filters to determine which users the policy applies to. While the criteria logic is limited to AND (no custom logic), you can use the "In" operator to select multiple values for each filter. Available filter options are Group, Queue, Permission Set, Permission Set Group, Package License, Profile, and Role.

You can also use up to ten User fields to define criteria. Both standard and custom fields of type Text, Picklist, Number, and Checkbox on the User object are supported.


After defining the user criteria, it is time to set the actions. User Access Policies can both grant and revoke Permission Sets, Permission Set Groups, Permission Set Licenses, Package Licenses, Groups, and Queues.

Click the "Save" button to save the changes.
How to Run User Access Policies
Now that the User Access Policy is ready, it's time to run it. You have two options: automate the policy to run continuously, or manually apply it by selecting “Apply Policy to Users that Meet Criteria.”

Apply Policy to Users that Meet Criteria
Manually apply the User Access Policy as a one-time action to users who currently meet the policy’s criteria. When you click the “Apply Policy” button, a list of matching users is displayed, allowing you to select which users to apply the policy to.

Automate Policy
Configure the User Access Policy to run automatically when a user is created or updated. Clicking the “Automate Policy” button opens a popup where you can select the triggering event.

Click the "Activate" button to automate the User Access Policy. This will change the status from Design to Active and the policy will run automatically whenever a user is created or updated.
Regardless of whether the policy is run manually or automatically, all access changes are tracked under the Recent User Access Changes tab. Each entry shows whether the policy was applied manually or through automation, along with the user who initiated it (automated runs will list "Automated Process" as the user). You can also drill into each record to view the specific types of access that were granted or removed.


Considerations and Limitations
- Actions performed by a User Access Policy do not trigger other User Access Policies.
- If the policy’s user criteria target a public group or queue, it only applies to users who are directly assigned to that group or queue. Users added through roles, territories, or nested public groups are not included.
- You can have up to 200 active user access policies.
- If a user record matches multiple User Access Policies, only the policy with the lowest Order value will be applied.
- An active policy is applied to existing users only when their user records are updated to meet the policy’s criteria.
- If an active User Access Policy attempts to assign licenses but there aren’t enough available, the failure is recorded in the Recent User Access Changes tab.
- When a user no longer meets the policy criteria, the actions previously applied are not automatically rolled back.
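
The evaluation rules listed above, modeled as an added Python example (this is not Salesforce code or a Salesforce API; the policy names, permission set names and user fields are constructed). It shows a lower Order policy shadowing another one, and lists access left behind once a user stops meeting a policy's criteria, which is what an access review would need to catch.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                           # stands for one ACTIVE policy
    name: str
    order: int
    criteria: dict                      # user field -> accepted values ("In"); filters are ANDed
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)

def matches(policy, user):
    # Every filter must match (AND only); each filter accepts any listed value.
    return all(user.get(f) in allowed for f, allowed in policy.criteria.items())

def winning_policy(policies, user):
    # Only the matching policy with the lowest Order value is applied.
    # Equal Order values are not covered by the page and are not modeled here.
    hits = [p for p in policies if matches(p, user)]
    return min(hits, key=lambda p: p.order) if hits else None

def on_user_saved(policies, user, access):
    # Model of an automated run on user create/update; mutates `access` in place.
    p = winning_policy(policies, user)
    if p is None:
        return None                     # no match: nothing granted, nothing rolled back
    access |= p.grant
    access -= p.revoke
    return p.name

def stale_access(policies, user, access):
    # Access granted only by policies the user no longer matches: review candidates,
    # because policy actions are not rolled back automatically.
    current = set().union(*(p.grant for p in policies if matches(p, user)))
    past = set().union(*(p.grant for p in policies if not matches(p, user)))
    return (access & past) - current

# Constructed sample data (hypothetical policy and permission set names).
POLICIES = [
    Policy("Sales Rep Access", 1, {"Department": {"Sales"}}, grant={"Sales_PS"}),
    Policy("Manager Access", 2, {"Department": {"Sales", "Support"}, "IsManager": {True}},
           grant={"Manager_PS"}),
]

def demo():
    user, access = {"Department": "Sales", "IsManager": True}, set()
    first = on_user_saved(POLICIES, user, access)    # both match; Order 1 wins
    after_first = set(access)
    user["Department"] = "Support"                   # user changes department
    second = on_user_saved(POLICIES, user, access)
    return first, after_first, second, set(access), stale_access(POLICIES, user, access)

if __name__ == "__main__":
    print(demo())
```

In the sample run the manager in Sales never receives `Manager_PS` while the Order 1 policy also matches, and after the move to Support the user still holds `Sales_PS`.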
Read this post to see a comparison of flow and user access policies, with guidance on when to use each and how to choose the best approach for your use case.