
What can Manage Users permission do?

Knowledge Article Number 000005253

If only a subset of rights is needed to manage users, without managing Profiles or Sharing, check out Delegate User Administration.


    Please Note: With so many different features available to customize within Salesforce, and new features added with each release, it is difficult to list every single action that "Manage Users" enables a user to do. Use discretion when granting a user the "Manage Users" permission, as it is typically intended for administrators who need access to make organizational changes.

    Manage Users allows you to do the following:


    • Manage Profiles (more detail below)
    • Assign Profiles
    • View Field Accessibility
    • User Management


    • Manage User Roles
    • Manage Forecast Roles
    • Assign Roles
    • Manage Public Groups
    • Manage ALL Personal Groups
    • Assign Public Groups
    • Manage Queues
    • Assign Queues
    • Manage Territories
    • Manage Sharing Settings
    • Recalc Sharing Rules
    • Manage Dimension Categories
    • Manage Sales Teams
    • Manage Account Teams
    • Manage Opportunity Teams

    User Management

    • Create/Edit Internal User and have access to all User fields
    • Manage Hierarchical User Fields
    • Assign License
    • Activate User
    • Expire All Passwords
    • Set Org Password Policies
    • Reset User Password
    • Reset Username
    • Reset Email
    • Assign Mobile Configuration
    • Assign Workflow Manager Field
    • Manage a User's Divisions
    • Manage a User's OAuth
    • Remove user sessions
    • View Login History
    • View Training History
    • Delegated Portal Administration
    • Create/Edit Portal User
    • Edit Self-Service User
    • Change the Account Name on Portal enabled contact records
    • Enable, Disable, View, Login as Community/Portal Users

    Other Permissions

    • Manage Opportunity Update Reminders
    • Activate Opportunity Update Reminders
    • Manage SAML Subject
    • Mass Emailing Users

    The right to manage a profile is more complex than what is required for most setup objects. Because of the various relationships between setup components and a profile (objects, fields, layouts, Apex, etc.), multiple permissions together govern access to manage *all* aspects of the profile, and in practice specific permissions manage different controls within it. To be safe, an Admin with both Customize Application and Manage Users can manage all aspects of a profile. However, if a user only has Manage Users, they can:

    • clone/delete a profile *or* change any of the following:
      • Properties (Description/Name)
      • Page Layouts
      • Record Types
      • Tab Settings
      • Assigned Apps
      • User Permissions
      • Desktop Client Access
      • Login Hours

    If a user has *both* Manage Users and Customize Application, in addition to everything above, they can change the following:

    • Object Permissions
    • Field Permissions
    • Apex Class Access
    • Visualforce Page Access
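
The split described above can be audited per user. The following is an added example, not Salesforce code: it combines each user's grants across their profile and permission sets (permissions are additive) and reports which profile areas they can change, flagging users who reach full profile control only through two separate grants. The sample rows, usernames, and profile and permission set names are constructed, and the row shape is an assumed export format.

```python
from collections import defaultdict

# Profile areas per the article: editable with Manage Users alone, and the
# extra areas that also require Customize Application.
MANAGE_USERS_ONLY = ["Properties", "Page Layouts", "Record Types", "Tab Settings",
                     "Assigned Apps", "User Permissions", "Desktop Client Access",
                     "Login Hours"]
WITH_CUSTOMIZE_APP = ["Object Permissions", "Field Permissions",
                      "Apex Class Access", "Visualforce Page Access"]

# Constructed sample rows (assumed export shape, one row per assignment):
# (username, granting profile or permission set, ManageUsers, CustomizeApplication)
SAMPLE_ROWS = [
    ("alice@example.com", "Profile: System Administrator", True, True),
    ("bob@example.com", "Profile: Support Lead", True, False),
    ("carol@example.com", "Profile: Sales Ops", True, False),
    ("carol@example.com", "PermSet: Layout Editor", False, True),
    ("dave@example.com", "PermSet: Layout Editor", False, True),
]

def audit_profile_control(rows):
    """Return {username: report} for every user whose combined grants include
    Manage Users. Permissions are additive, so flags are OR-ed per user."""
    grants = defaultdict(lambda: {"mu": [], "ca": []})
    for user, source, manage_users, customize_app in rows:
        if manage_users:
            grants[user]["mu"].append(source)
        if customize_app:
            grants[user]["ca"].append(source)
    report = {}
    for user, g in grants.items():
        if not g["mu"]:
            continue  # Customize Application alone is outside this article's scope
        full = bool(g["ca"])
        report[user] = {
            "tier": "full" if full else "partial",
            "editable": MANAGE_USERS_ONLY + (WITH_CUSTOMIZE_APP if full else []),
            "manage_users_from": g["mu"],
            "customize_app_from": g["ca"],
            # Split grant: neither source alone gives full profile control.
            "split_grant": full and not set(g["mu"]) & set(g["ca"]),
        }
    return report

if __name__ == "__main__":
    for user, r in sorted(audit_profile_control(SAMPLE_ROWS).items()):
        flag = " (split across grants)" if r["split_grant"] else ""
        print(f"{user}: {r['tier']}{flag}, {len(r['editable'])} profile areas")
```

A user flagged as a split grant is the case a review of any single profile or permission set will miss.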
