          Session-Based Permission Set Groups

          A session-based permission set group applies to a specific user session and grants users functional access to the permission sets included in the permission set group.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Contact Manager, Group, Essentials, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Let's say you have a Salesforce app that contains confidential information. You only want specific users to be able to access the information in this app during a specific session. Some users (for example, team managers) require expanded access for the same length of time. You can create a permission set group that includes the different permission sets required for the confidential access. To create custom logic for the expanded access, create a Flow or use the API. The session-based permission set group activates only when the manager-level users authenticate into your environment using a token. When the token expires, the users must reauthenticate to access the application again.

          To activate session-based permission set groups via the API, provide a value for the PermissionSetGroupId field on the SessionPermSetActivation SOAP API object.

          Before assigning session-based permission set groups to users, ensure that they can meet the conditions of the permission sets in the permission set group. For example, grant user access to the required tools, such as authenticators. As a best practice, inform users of the conditions under which they can access certain applications and tools.

          Important: If you include a regular permission set in your session-based permission set group, the permission set group makes the permission set session-based. Users assigned to the permission set group have access to the permission set for the duration of the session. If a user is separately assigned permissions from a different permission set, those permissions remain effective for that user, even when the permission set group session ends. For example, you assign a session-based permission set group that contains View All Data. The user is assigned View All Data from a separate permission set outside the session-based permission set group. When the session ends for the permission set group, the user still has the View All Data permission from the regular permission set.
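
          The overlap described in the Important note can be checked before you rely on a session-based permission set group as a gate. The following is an added example, not Salesforce code: it models assignments as plain Python dictionaries (all names, users, and data shapes are constructed assumptions, not an API response format) and reports session-gated permissions that a user also holds through an always-on permission set.

```python
# Constructed sample data: permission set name -> permissions it grants.
PERMISSION_SETS = {
    "PS_ViewAll": {"ViewAllData"},
    "PS_Confidential": {"ViewAllData", "ExportReports"},
    "PS_Reports": {"RunReports"},
}
# Session-based permission set groups and the permission sets they contain.
SESSION_GROUPS = {"PSG_ConfidentialApp": ["PS_Confidential"]}
# User -> directly assigned permission sets and session-based groups.
ASSIGNMENTS = {
    "manager@example.com": ["PSG_ConfidentialApp", "PS_ViewAll"],
    "analyst@example.com": ["PSG_ConfidentialApp", "PS_Reports"],
}


def group_permissions(group):
    """All permissions granted by the permission sets inside one group."""
    return set().union(*(PERMISSION_SETS[ps] for ps in SESSION_GROUPS[group]))


def effective_permissions(user, active_groups=frozenset()):
    """Permissions held by a user; session-based groups count only if activated."""
    perms = set()
    for name in ASSIGNMENTS.get(user, []):
        if name in SESSION_GROUPS:
            if name in active_groups:
                perms |= group_permissions(name)
        else:
            perms |= PERMISSION_SETS[name]  # regular set: always effective
    return perms


def persistent_overlap(user):
    """Session-gated permissions the user still holds with no session active."""
    always_on = effective_permissions(user)  # no groups activated
    findings = {}
    for name in ASSIGNMENTS.get(user, []):
        if name in SESSION_GROUPS:
            overlap = group_permissions(name) & always_on
            if overlap:
                findings[name] = sorted(overlap)
    return findings


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, persistent_overlap(user) or "no overlap")
```

          A non-empty result means the session boundary does not remove that permission for the user; review the regular assignment that also grants it.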
          • Create Session-Based Permission Set Groups
            To allow users functional access to permission sets only during specified sessions, create a session-based permission set group. For example, grant access to an application only during an authenticated session. Then activate the session-based permission set group in a flow or via the API.
          • Allow Users to Activate or Deactivate a Session-Based Permission Set Group
            Create a flow that users can run to activate or deactivate a session-based permission set group. The session-based permission set group grants users functional access to permission sets only during specified sessions.
           