Create a User Access Policy

Learning Objectives

After completing this unit, you’ll be able to:

  • Create a user access policy.
  • Activate the user access policy to run automatically.

Get the Business Requirements

Before you jump into creating user access policies, let’s look again at what Ursa Major Solar is hoping to achieve. Admin Maria Jimenez is currently spending a lot of time setting up access for new users. She first wants to target new sales reps so that they’re automatically given the permissions and access they need. She’s already set up the various access control features. All that’s left is to create an active user access policy that runs automatically whenever new sales reps are added.

We won’t go into detail about the permission set group and public group that will be referenced in the user access policy. If you’re looking to learn more about these features, check out Data Security and Permission Set Groups.

Sign Up for a Developer Edition Org

To complete this module, you need a special Developer Edition org that contains user access policies and our sample data. Get the free Developer Edition and connect it to Trailhead now so you can complete the challenges in this module. Note that this Developer Edition is designed to work with the challenges in this badge, and may not work for other badges. Always check that you’re using the Trailhead Playground or special Developer Edition org that we recommend.

  1. Sign up for a free Developer Edition org with user access policies.
  2. Fill out the form:
    • For Email, enter an active email address.
    • For Username, enter a username that looks like an email address and is unique, but it doesn't need to be a valid email account (for example, yourname@example.com).
  3. After you fill out the form, click Sign me up. A confirmation message appears.
  4. When you receive the activation email (this might take a few minutes), open it and click Verify Account.
  5. Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.
  6. You are logged in to your Developer Edition.

Now connect your new Developer Edition org to Trailhead.

  1. Make sure you're logged in to your Trailhead account.
  2. In the Challenge section at the bottom of this page, click the org name and then click Connect Org.
  3. On the login screen, enter the username and password for the Developer Edition you just set up.
  4. On the Allow Access? screen, click Allow.
  5. On the Want to connect this org for hands-on challenges? screen, click Yes! Save it.
  6. You are redirected back to the challenge page and ready to use your new Developer Edition to earn this badge.

Create a User Access Policy

Let’s get started! Here are the steps that Maria takes to create the new user access policy. If you’d like to, you can follow along in your Developer Edition org.

  1. To enable user access policies, from Setup, in the Quick Find box, enter User Management Settings, and then select User Management Settings.
  2. Enable User Access Policies. The Enhanced Interface for User Access Policies is enabled automatically.
  3. In the Quick Find box, enter User Access Policies, and then select User Access Policies.
  4. Click New User Access Policy.
  5. For Policy Name, enter Access for New Sales Reps. The API Name auto-populates.
  6. For Order, enter 1. This field indicates the order in which an active policy is applied if a user meets the criteria for multiple policies. Maria doesn’t have any other active policies currently.
  7. Enter a Description.
  8. Click Save.

Setup screen for creating a new user access policy.

Next, Maria specifies which users this policy is applied to and what access it either grants or revokes.

Note: Policies are applied to users that meet all of the criteria filters. You can have:

  • Up to three filters for applicable users
  • Up to ten filters on standard and custom user fields of type Checkbox, Number, Picklist, or Text
  • Multiple roles or profiles referenced in the same filter using the In operator

  1. On the Access for New Sales Reps detail page, click Edit Criteria to configure the policy’s user criteria filters and actions.
  2. Under Define User Criteria, add at least one user criteria filter. Specify that the user’s role must be Eastern Sales Team:
    • Resource: Role
    • Operator: Equals
    • Value: Eastern Sales Team
  3. In the next section, “Select additional user fields to filter on,” specify that the user must be active:
    • Resource: Active
    • Operator: Equals (Ignore Case)
    • Value: True
  4. Under Define Actions, you can select Grant or Revoke from the Action picklist, then select the access mechanism that the action applies to. You can have up to 20 actions. Maria wants to define three actions, granting the Sales Rep permission set group, the All Sales Reps public group, and the Sales Console permission set license. She selects:
    • Action: Grant
    • Target: Permission Set Group
    • Value: Sales_Rep
  5. She clicks Add Action and selects:
    • Action: Grant
    • Target: Group
    • Value: All_Sales_Reps
  6. She clicks Add Action again and selects:
    • Action: Grant
    • Target: Permission Set License
    • Value: Sales Console User
  7. Save your changes.

Setup screen for setting user criteria and actions in a user access policy.

Maria is pleased with her work! She still has to automate the policy though, otherwise her hard work won’t have any effect.

Automate the Policy

It just takes a few clicks to automate the policy so that it runs when new users meeting the criteria are created.

  1. Click Automate Policy, then select when to trigger the policy. You can set the policy to run when users meeting the criteria are created, updated, or both. Because your policy is just for new hires being added, select only when a user is created.
  2. Click Activate.

After she automates the policy, the status changes to Activated.

Trigger the Policy

A new sales rep, Lance Park, just joined the team. If Maria set up her user access policy correctly, he’ll get access as soon as she creates his user record.

  1. From Setup, in the Quick Find box, enter users and then select Users.
  2. Click New User.
  3. Enter Lance and Park for First and Last name.
  4. Press Tab to generate the Alias value lpark.
  5. For Email, enter your email address.
  6. For Username, enter lpark_YourInitials_YYYYMMDD@example.com. (Usernames must be unique across all Salesforce orgs.)
  7. For Title, enter Sales Rep.
  8. For User License, select Salesforce.
  9. For Role, select Eastern Sales Team.
  10. For Profile, select Minimum Access - Salesforce.
  11. Disable Salesforce CRM Content User. (You don’t need access to this feature for this module.)
  12. Click Save.

Great! Lance has officially joined Ursa Major Solar. By creating his user record, the policy should have been triggered. Maria goes back to her user access policy to check.

On the new policy’s detail page under the Recent User Access Changes tab, she can monitor when this policy is applied and the affected users.

Recent User Access Changes tab on the user access policy’s detail page.

Detail of an applied user access policy, depicting that the policy was applied to Lance Park.

She clicks the timestamp and sees that the policy was applied to Lance.
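
To confirm the three grants from the record side rather than from the policy's own log, the following Anonymous Apex script is an added example and not part of the Trailhead unit. It assumes an admin runs it in the same org, that the username placeholder is replaced with the one entered above, and that the permission set license can be matched by the label shown in the policy action.

```apex
// Added verification script; not part of the Trailhead unit.
// Assumption: run as Anonymous Apex (for example, from Developer Console) by an admin.
// Placeholder: replace with the username you entered for Lance Park.
String uname = 'lpark_YourInitials_YYYYMMDD@example.com';

User u = [SELECT Id, IsActive, UserRole.Name, Profile.Name
          FROM User WHERE Username = :uname LIMIT 1];
// The two fields the policy's user criteria filter on.
System.debug('role=' + u.UserRole?.Name + ', active=' + u.IsActive
             + ', profile=' + u.Profile.Name);

// Action 1: Grant permission set group Sales_Rep.
Integer psgRows = [SELECT COUNT() FROM PermissionSetAssignment
                   WHERE AssigneeId = :u.Id
                   AND PermissionSetGroup.DeveloperName = 'Sales_Rep'];

// Action 2: Grant public group All_Sales_Reps (Type 'Regular' is a public group).
Integer groupRows = [SELECT COUNT() FROM GroupMember
                     WHERE UserOrGroupId = :u.Id
                     AND Group.DeveloperName = 'All_Sales_Reps'
                     AND Group.Type = 'Regular'];

// Action 3: Grant permission set license, matched by label (assumption).
Integer pslRows = [SELECT COUNT() FROM PermissionSetLicenseAssign
                   WHERE AssigneeId = :u.Id
                   AND PermissionSetLicense.MasterLabel = 'Sales Console User'];

System.assertEquals(1, psgRows, 'Sales_Rep permission set group not assigned');
System.assertEquals(1, groupRows, 'All_Sales_Reps group membership missing');
System.assertEquals(1, pslRows, 'Sales Console User license not assigned');

// Least-privilege review: list every assignment on the user so that anything
// beyond the profile's own permission set and the Sales_Rep group stands out.
for (PermissionSetAssignment a : [SELECT PermissionSet.Label,
                                         PermissionSet.IsOwnedByProfile,
                                         PermissionSetGroup.DeveloperName
                                  FROM PermissionSetAssignment
                                  WHERE AssigneeId = :u.Id]) {
    System.debug(a.PermissionSet.Label
                 + ' | profile-owned=' + a.PermissionSet.IsOwnedByProfile
                 + ' | group=' + a.PermissionSetGroup?.DeveloperName);
}
```

A failed assertion means the corresponding grant is not present on the user record at the time the script runs; compare it with the entry on the Recent User Access Changes tab.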

Maria created a user access policy and set it up to run automatically. She’s already saving herself time and effort when it comes to user management. However, she isn’t done yet. In the next unit, let’s see how she creates manual user access policies for access migrations.

Hands-on Challenge

+500 points

Get Ready

You’ll be completing this unit in your own hands-on org. Click Launch to get started, or click the name of your org to choose a different one.

Your Challenge

Create an Active User Access Policy and Test It Out
Create a new user access policy that runs automatically whenever a user is promoted from Sales Rep to Lead Sales Rep, to assign them the Sales Team Leader permission set group (Team Trailhead has already created this permission set group for you). Then, test the policy by updating a user’s title.
  • Create the user access policy:
    • If not yet enabled, enable user access policies
    • Policy Name: Lead Sales Rep Promotion
    • API Name: Lead_Sales_Rep_Promotion
    • Order: 5 (We won’t check for this.)
    • Add a description (We won’t check for this.)
    • For User Criteria, under ‘Select additional user fields to filter on’:
      • Title
      • Equals (ignore case)
      • Lead Sales Rep
    • For Actions:
      • Grant
      • Permission Set Group
      • Sales_Team_Leader
  • Automate the policy so that it runs only when a user is updated.
  • Trigger the policy by updating Erin Donaghue’s title to Lead Sales Rep.