Greenery underneath text that says "Set Assignment Expiration on Permission Sets and Permission Set Groups."

How to Set Assignment Expiration on Permission Sets and Permission Set Groups

By

Hello, #AwesomeAdmins! Today, I want to tell you about a new feature in Beta, Permission Sets and Permission Set Groups with Assignment Expiration, that you can add to your superpower tool kit. This new feature will allow you to set expiration dates for assignments on permission sets and permission set groups.

What are assignments in permission sets and permission set groups?

Before we get into our new feature in Beta, I want to make sure you understand how assignments work today. As an admin, when you’re on a permission set or a permission set group, you should see a Manage Assignments button. When you click this button, you’re brought to a screen where you can add or remove assignments (or access) to this particular permission set or permission set group. Here’s an example of a permission set with three users assigned to it.

Assigned Users page on a permission set.

Until now, if you had a requirement to temporarily grant access to a permission set or permission set group, you would have to create a reminder to remember to remove a user from a specific permission set or permission set group assignment. I want to recognize that some #AwesomeAdmins have created complex automation to handle this using flows and custom metadata. We’re hoping this feature will allow all admins to easily expire permission sets and permission set groups without having to build and maintain complex automation.

So, what does assignment expiration allow us to do?

This feature is currently in Beta, so you’ll need to opt in to use it by going to Setup. Then, in Quick Find at the top left, type in “User Management Settings”. Next, navigate to the setting called Permission Set & Permission Set Group with Expiration Dates (Beta), and turn the switch to Enabled. In order to turn this on, you need the Customize Application permission.

User Management Settings page where the Beta feature can be enabled.

Once you enable this feature, when you navigate to a permission set or permission set group, you’ll see a new button called Manage Assignment Expiration. In order to see this button and use the assignment expiration feature, you need the Manage Assignments permission.

Permission Set Groups page highlighting the Manage Assignment Expiration button.

When you click on the Manage Assignment Expiration button, you’ll see any current assignments for this permission set and if they have an expiration date. For example, in this permission set group, there are two users assigned; one has an expiration and one does not.

Permission Set Group page highlighting current user assignment and expiration information.

If you click the checkbox next to any of the assigned users, you’ll be able to update or change the assignment and the expiration date of that assignment. For example, if you wanted to give the user named Sofia Sales access to this permission set group until the end of March 2022, you can do that by clicking the checkbox and then the edit icon to update the expiration date.

Permission Set Groups screen highlighting steps to assign it to a user.

On the next screen, you can enter a custom date of March 31, 2022, and the expiration date will update for Sofia once you click the Assign button at the bottom right.

Expiration date assignment page.

Suppose you had a requirement to temporarily grant Jose, the head of support at your company, access to the Sales Manager permission set group for a week while Sofia is out on vacation. In that case, you can do that easily by adding an expiration date to the permission set group assignment for Jose.

First, navigate to the Sales Manager permission set group, and then click Add Assignment.

Permission Set Groups screen highlighting the Add Assignment button.

On the next screen, you can find Jose by searching for his name. Once you do that, click the checkbox next to his name, then click Next at the bottom right of the screen.

Permission Set Groups screen highlighting how to assign it to Jose Support user.

On the next screen, you’re able to specify the expiration date of 1 week by selecting Specify the expiration date, selecting the 1 Week setting, and then clicking Assign.

Expiration date screen and how to set a 1 Week expiration date.

If the assignment is successful, you’ll see a status of “Success.” If the assignment isn’t successful, you’ll see a status of “Failed.” To return to the Current Assignment page, click Done at the bottom right.

Permission Set Group assignment summary page.

When you’re back on the Current Assignments page, you’ll see that Jose has been added to the permission set group with an expiration of 1 week. If the permission set or permission set group assignment has an expiration date that is within 7 days, you’ll see a symbol letting you know that the assignment is going to expire soon. You’ll also see a different symbol when a permission set has already expired.

Permission Set Groups current assignment page showing Jose Support user’s assignment.

So, what’s next for Permission Sets and Permission Set Groups with Assignment Expiration?

We’re hard at work improving the UI for the assignment pages with expiration where you’ll be able to have a list view to set criteria so you can easily pull up a list of users that you want to expire. Here’s a preview of what the updated UI will look like in Spring ’22. I’m really excited about it because this list view uses the same Lightning list view capabilities our #AwesomeAdmins already love, so it will be really familiar to you.

Permission Set Group page list views feature coming in Spring '22.

Try the new feature today and make your life easier over the holidays!

With the holidays approaching and everyone starting to work out their vacation schedules, now’s a great time to try out Permission Sets and Permission Set Groups with Assignment Expiration. That way, you don’t have to remember to turn off any additional access you grant to users as other users take time off. And don’t forget that you should take some time off, too! You can use these features to grant most administrative permissions to someone covering for you when you take time to reset and recharge.

Please note that the following permissions cannot currently be expired: Manage Users, Manage Profiles & Permission Sets, and Assign Permission Sets.

To share feedback and keep up with updates on this feature, please join our group on the Trailblazer Community.

Additional resources

How to Use UX Principles to Shape Your Security Model

How to Use UX Principles to Shape Your Security Model

Congratulations! Your organization, Awesome Admin Automotive, made the investment in Salesforce. You’ve absorbed so much great content and can’t wait to dive right in and try out all the new bells and whistles! While it’s a very exciting journey ahead, as Simon Sinek’s book “Start With Why” suggests, it’s important to first take some time […]

READ MORE

Introducing The Next Generation of User Management: Permission Set Groups

Introducing Permission Set Groups Permission Set Groups is a new feature that allows Admins to combine multiple permission sets into a single permission set group for user assignment. With the grouping mechanism, admins can truly apply role-based access control for managing user entitlements in Salesforce orgs. Forward Looking Statement: This blog was created to share […]

READ MORE