Automatically Grant or Revoke Access with a User Access Policy
Grant or revoke access for a specified set of users through a triggered event, such as a created or updated user record.
Required Editions
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: Enterprise and Unlimited editions |
| User Permissions Needed | |
|---|---|
| To modify user access policies: | Manage User Access Policies |
These instructions describe how to create user access policies that automatically run whenever qualified user records are created or updated. If you want to create user access policies that you run manually, such as for a user access migration or a one-time user access update, see Manually Grant or Revoke Access with a User Access Policy.
- From Setup, in the Quick Find box, enter User Management Settings, and then select User Management Settings. Make sure that both the User Access Policies and Enhanced Interface for User Access Policies settings are enabled.
  If Salesforce enabled user access policies for you before the Summer ’23 release, you must enable this feature again on the User Management Settings page.
- In the Quick Find box, enter User Access Policies, and then select User Access Policies.
- Click New User Access Policy.
- Enter a value for the Policy Name and Description. The API Name auto-populates.
- Add a value for the Order field. If a user meets the criteria for multiple active policies, the policy with the lowest order value is applied.
- Click Save.
- On the user access policy’s detail page, click Edit Criteria to configure the policy’s user criteria filters and actions.
- Under Define User Criteria, add at least one user criteria filter. Use the Equals operator for a single value and the In operator for multiple values. Policies are applied to users that meet all of the criteria filters. You can have:
  - Up to 3 filters for applicable users
  - Up to 10 filters on standard and custom user fields of type Checkbox, Number, Picklist, or Text
  - Multiple roles or profiles referenced in the same filter using the In operator
- Under Define Actions, select Grant or Revoke from the Action picklist, then select the access mechanism that the action applies to. Access options are:
  - Permission sets
  - Permission set groups
  - Permission set licenses
  - Package licenses
  - Public groups
  - Queues

  User access policies support up to 20 actions.
- Save your changes.
- Click Automate Policy, then select when to trigger the policy:
  - The user access policy runs only when a user who matches the policy criteria is created.
  - The user access policy runs only when a user is updated to match the policy criteria.
  - The user access policy runs when a user who matches the policy criteria is either created or updated.
- Click Activate.
  After you automate the policy, the status changes to Active.
On the policy’s detail page under the Recent User Access Changes tab, you can monitor when this policy is applied and the affected users.
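The matching rules above (all filters must match, and the lowest Order value wins when several active policies match) mean that a Revoke policy can be silently shadowed by a Grant policy with a lower order. The following Python model is an added example for reviewing a planned policy set offline; it is not Salesforce code and calls no Salesforce API. The policy names, the field `Is_Contractor__c`, the trigger labels, and the sample users are constructed, and the model treats any update event as satisfying the update trigger.

```python
from dataclasses import dataclass

# Events covered by each trigger choice (trigger labels are assumed names, not product values).
TRIGGERS = {"create": {"create"}, "update": {"update"}, "create_or_update": {"create", "update"}}

@dataclass(frozen=True)
class Filter:
    field: str
    op: str        # "Equals" (single value) or "In" (multiple values)
    value: object
    def matches(self, user):
        actual = user.get(self.field)
        if self.op == "Equals":
            return actual == self.value
        if self.op == "In":
            return actual in self.value
        raise ValueError(f"unsupported operator: {self.op}")

@dataclass(frozen=True)
class Policy:
    name: str
    order: int
    trigger: str
    filters: tuple
    actions: tuple  # (action, access mechanism, target) triples
    active: bool = True
    def matches(self, user, event):
        # Limits from the page: at least one filter, at most 20 actions.
        if not self.filters or len(self.actions) > 20:
            raise ValueError(f"{self.name}: needs 1+ filters and at most 20 actions")
        return (self.active and event in TRIGGERS[self.trigger]
                and all(f.matches(user) for f in self.filters))

def evaluate(policies, user, event):
    """Return (winning policy name or None, names of matching policies that lose)."""
    hits = sorted((p for p in policies if p.matches(user, event)), key=lambda p: p.order)
    return (hits[0].name if hits else None, [p.name for p in hits[1:]])

# Constructed sample policies and user records (not from a real org).
POLICIES = [
    Policy("Sales_Grant", 1, "create_or_update",
           (Filter("Profile", "In", {"Sales User", "Sales Manager"}),
            Filter("IsActive", "Equals", True)),
           (("Grant", "Permission set", "Sales_Core"),)),
    Policy("Contractor_Revoke", 2, "update",
           (Filter("Is_Contractor__c", "Equals", True),),
           (("Revoke", "Permission set group", "Sales_Bundle"),)),
]
CONTRACTOR_REP = {"Profile": "Sales User", "IsActive": True, "Is_Contractor__c": True}
CONTRACTOR_AGENT = {"Profile": "Support Agent", "IsActive": True, "Is_Contractor__c": True}
```

Calling `evaluate(POLICIES, CONTRACTOR_REP, "update")` reports `Contractor_Revoke` as a losing match, which is the signal to lower the Order value of the Revoke policy or tighten the Grant policy's filters.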

