Automate User Permissions with User Access Policies

What are User Access Policies?
With User Access Policies, we can automate assigning and removing permission sets, permission set groups, permission set licenses, package licenses, queues, and groups for users. No more manual assignments or flows are needed.
How to enable User Access Policies?
From Setup => Users => User Management Settings => Enable "User Access Policies".
Once enabled, it appears under Setup => Users => User Access Policies.
NOTE: This feature is in Beta as of Winter '24.
A few use cases:
* When a new user is created with a specific role or profile, assign a permission set or permission set group to the created user. 
* When the user role is updated, remove existing permission sets, remove the user from a group, and add permission sets and groups related to the new role. 
* When a new user is created and meets specific conditions, then assign a permission set license.
How to Create a User Access Policy?
From Setup => Users => User Access Policies => New => Enter Label, Trigger Type, and leave Status as Design => Save.
=> Click Edit to apply filters.
Here we can apply filters that determine which users the policy applies to, and select the actions to grant or revoke permission sets, permission set groups, permission set licenses, package licenses, queues, and groups.
I applied filters to Role = CSR, and Active = true. 
If the above filters are satisfied, then apply the actions to grant a permission set, group access, and revoke a group.
=> Save the policy. 
This policy is not in Active status yet; it is in Design status. We can run the policy in two ways: manually or automatically.

To run the policy manually, leave the policy in Design status and click Preview Users.
We will see all the users who match the filters applied on this policy. Select the users and apply the policy.
To run the policy automatically, update the policy status to Active. In my policy here, when User Role = CSR and the user is active, I'm asking my user access policy to grant a permission set, grant group access, and revoke a group.
When an active user's role is changed to CSR, my user access policy will run automatically and apply the changes.
What do the different statuses mean?
Design: You are still creating the policy and don't want it to run automatically, but you can apply it manually by previewing users.
Active: The policy runs automatically when the applied filters are met.
Migrate: If the policy has to run for more than 1000 users, update the status to Migrate. It will run asynchronously.
Completed: The status changes to Completed after a Migrate run finishes successfully.
Failed: The status changes to Failed after a Migrate run fails with errors.
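A dry run of the example policy above (Role = CSR, Active = true), as an added example that is not from the original post or from Salesforce: it models the filters and actions in plain Python over a constructed user export, so the grants and revokes can be reviewed before the status is switched to Active. The permission set and group names, the usernames, and the helper functions are assumptions.

```python
# Added illustration: an offline model of the policy, not a Salesforce API.
# Permission set / group names and the users below are constructed.
POLICY = {
    "role": "CSR",                      # filter: Role = CSR (Active = true is checked in matches)
    "grant_permsets": {"CSR_Console"},  # hypothetical permission set to grant
    "grant_groups": {"CSR_Team"},       # hypothetical group to grant
    "revoke_groups": {"Onboarding"},    # hypothetical group to revoke
}

USERS = [  # constructed sample export
    {"username": "ana@example.com", "role": "CSR", "active": True,
     "permsets": set(), "groups": {"Onboarding"}},
    {"username": "ben@example.com", "role": "CSR", "active": True,
     "permsets": {"CSR_Console"}, "groups": {"CSR_Team"}},
    {"username": "cy@example.com", "role": "CSR", "active": False,
     "permsets": set(), "groups": {"Onboarding"}},
    {"username": "dee@example.com", "role": "Sales", "active": True,
     "permsets": {"CSR_Console"}, "groups": {"CSR_Team"}},
]

def matches(policy, user):
    """Filters from the post: the user is active and has the policy's role."""
    return user["active"] and user["role"] == policy["role"]

def dry_run(policy, users):
    """Per matching user, the grants and revokes still needed to reach the policy's end state."""
    plan = {}
    for u in users:
        if not matches(policy, u):
            continue
        grant = sorted((policy["grant_permsets"] - u["permsets"])
                       | (policy["grant_groups"] - u["groups"]))
        revoke = sorted(policy["revoke_groups"] & u["groups"])
        if grant or revoke:
            plan[u["username"]] = {"grant": grant, "revoke": revoke}
    return plan

def leftover_access(policy, users):
    """Users outside the filters who still hold what the policy grants (review list)."""
    return sorted(u["username"] for u in users if not matches(policy, u)
                  and (policy["grant_permsets"] & u["permsets"]
                       or policy["grant_groups"] & u["groups"]))

def needs_migrate(policy, users, limit=1000):
    """The post says to use Migrate status when more than 1000 users are affected."""
    return sum(1 for u in users if matches(policy, u)) > limit

if __name__ == "__main__":
    print(dry_run(POLICY, USERS))
    print(leftover_access(POLICY, USERS))
```

The second function is a least-privilege check: it lists users who no longer match the filters but still hold the access this policy hands out, which is worth reviewing alongside the grants.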
Since this feature is still in beta, there are still a few gotchas that Salesforce needs to address in later releases. 
For considerations, refer to this article: User Access Policy Considerations
Open Ideas on IdeaExchange: 
Apply multiple User Access Policies when triggered

User Access Policies revoke all access option
Known Issues: 
Saving a User Access Policy with multiple profiles and roles in the Select Applicable Users shows an internal server error

Admin User is unable to utilize the remaining licenses and assign them to users due to User Access Policy in place.

Thanks for reading.
