Get Started with User Access Policies
Learning Objectives
After completing this unit, you’ll be able to:
- Describe what user access policies are and when to use them.
- Explain the difference between manual and active user access policies.
What Are User Access Policies?
Managing your users is one of an admin’s most important tasks. You must make sure that your users have the correct permissions and access to data to do their jobs. But you must also secure your data so that no one has too much access. Depending on your security and access configuration, this job can be complicated and time-consuming. There are so many features that you can assign your users to determine their default settings, permissions, and record access. Think permission sets, public groups, and queues…just to name a few!
The good news is that user access policies can make this task so much easier. With user access policies, you define aggregated access for your users in a single operation. There’s no need to separately assign your users licenses, permission sets, and public groups by clicking around multiple pages in Setup. Instead, you set up policies that target specific users and grant (or revoke) access to multiple features all at once–saving you loads of time and clicks.
In your user access policy, you can grant or revoke access for the following features.
- Permission sets
- Permission set groups
- Permission set licenses
- Package licenses
- Public groups
- Queues
When to Use User Access Policies
Let’s dig into the potential benefits of user access policies a bit more. You can create policies that cover a host of different access scenarios through the whole user management lifecycle. Here are a few examples of when user access policies really come in handy.
Migrate Users from One Setup Configuration to Another
Let’s say you’ve decided to make changes to your data access and security configuration. For example, you’re migrating from profiles to a permission set- and permission set group-led model. After you’ve configured your permission sets and permission set groups, you can create policies that can bulk assign them to your targeted users in one go.
Automate Access Configuration for New Users
Wouldn’t it be nice if your new users were magically set up and ready to go from the start? User access policies can get you pretty close to that dream. Create policies that target your various new users, perhaps filtering on their assigned profile or role.
You can also create filters based on fields on their user record, such as their title, department, or division. From there, you can configure the policy to automatically assign the permission sets, licenses, public groups, and queues they’ll need to hit the ground running. After the policy is configured, you won’t need to worry about setting up these users’ access again.
Automate Updates to Users’ Access After Job Changes
As most admins know, it’s not just the initial user setup that’s difficult, but the ongoing maintenance as users’ needs change. To make user management easier, set up user access policies that are triggered when a user’s record is updated to match the policy’s criteria. For example, you can grant and revoke access when a user is promoted, changes roles, moves departments, or is added to a public group tasked with a specific project.
Revoke Access and Licenses During Organizational Clean-Up
As a best practice, you don’t want access features and licenses assigned to users who don’t need them. If you have users who aren’t active any longer, you also want to remove their licenses to free up these licenses for other users. Create a policy that targets users who no longer need the assignments; then remove their permission sets, permission set licenses, package licenses, and more.
Manual Versus Active Policies
You may have noticed that some of the examples above involved automated, continuous processes, while others were one-time changes kicked off by the admin. There are two categories of access policies: manual and active. What’s the difference?
Manual user access policies are applied only when the admin initiates this update. They’re intended for one-time or infrequent operations, like access migrations. They can be run more than one time, but won’t occur without manual intervention.
Active user access policies run automatically off a triggered event. Specifically, you can choose to have the policy applied to users meeting the criteria whenever their user record is created, updated, or both. Active policies are intended for user access assignment processes that you want to be in effect at all times. You can have up to 200 active policies.
User Access Policies in Action
At Ursa Major Solar, Inc., Maria Jimenez has her hands full as the system administrator. In particular, she finds herself spending most of her time on user management. As the business has expanded and new hires have joined the team, setting up access for new users has become a time-consuming task. Maria needs to manually assign all the new users multiple access features depending on their role. She also manually maintains a massive spreadsheet to keep track of user access assignments in her org.
Maria also has wanted to update how permissions are assigned for some of her users on the Support team. These users are still being assigned all of their permissions through their profile, but Maria prefers to follow best practices and use permission sets and permission set groups. However, Maria hasn’t had time for what she thinks will be a complicated migration project.
Recently, she’s learned about user access policies and is excited to see how this new feature can help simplify and speed up these tasks!
From the previous examples, you might already have some ideas on how Maria can create user access policies to fit her specific needs.
Through the rest of this module you’ll follow Ursa Major Solar’s adoption. Along the way, you’ll learn more about user access policies and get some hands-on practice. Let’s go!