Skip to main content
Join us at TDX in San Francisco or on Salesforce+ on March 5-6 for the Developer Conference for the AI Agent Era. Register now.

Migrate Users with User Access Policies

Learning Objectives

After completing this unit, you’ll be able to:

  • Create manual user access policies.
  • Configure user access policies for migrating access and permissions.

Example Scenarios

As we mentioned in unit 1, user access policies can come in handy when you’re making large-scale user access changes, like migrating users from one setup to another. Some examples of this include:

  • Assigning permissions using permission sets and permission set groups, instead of profiles
  • Restructuring group and queue membership based on annual realignment
  • Rolling out new features and granting users access via permissions and licenses
  • Removing access and permissions for obsolete processes and features

For these types of changes, you create manual user access policies. You apply the policies directly to the users meeting the criteria, giving you more control over when the changes are applied. But the same benefits of user access apply. You can aggregate access and apply these changes to users in a single operation, saving you time, clicks, and effort. Plus, as always, you can easily track which users were affected.

For Ursa Major Solar, Maria Jimenez wants to migrate some of the company’s existing profiles to have a permission set- and permission set group-led access configuration. She knows that this is a user management best practice. She’s starting this work with the Support team, and wants to set up a user access policy instead of manually updating access for each member of this team.

Five office workers at Ursa Major Solar, Inc., working at a conference-room table with individual laptops open.

Set Up the User Access Policy

Maria’s ready to create another user access policy, this time a manual one. The initial creation and configuration steps are the same.

  1. From Setup, in the Quick Find box, enter User Access Policies, and then select User Access Policies.
  2. Click New User Access Policy.
  3. Enter a value for the Policy Name. Maria enters Support Profile Migration. The API Name auto-populates.
  4. Because this policy is manual, not active, she skips adding a value for Order.
  5. She enters a Description.
  6. Then click Save.

Setup screen for creating a new user access policy.

Like before, Maria sets up the user criteria to target the Support Team and then configures the actions.

  1. On the user access policy’s detail page, click Edit Criteria to configure the policy’s user criteria filters and actions.
  2. Under Define User Criteria, set up the filter:
    • Resource: Profile
    • Operator: Equals
    • Value: Custom: Support Profile
  3. In the “Select additional user fields to filter on” section, set up the filter:
    • Resource: Active
    • Operator: Equals (Ignore Case)
    • Value: True
  4. Under Define Actions, grant the Support User permission set group:
    • Action: Grant
    • Target: Permission Set Group
    • Value: Support_User
  5. Click Save.
Note

Note: Maria can’t revoke the Custom: Support Profile profile, because users must still have one profile. But after the policy is applied, Maria can go back and remove the profile’s included permissions so that it only contains default settings.

Setup screen for setting user criteria and actions in a user access policy

Did that process seem familiar? You’ll soon be a pro at creating user access profiles. Pay attention to the next steps, though, because applying the policy is a bit different for manual user access policies.

Apply the User Access Policy

  1. Back on the policy’s detail page, Maria clicks Apply Policy. She sees a list view with all the users that meet the policy’s criteria.
  2. You can select a subset of users to apply the policy to, or click Apply to All. In this case, Maria clicks Apply to All to update all three members of the Support team in one click.

User access policy user application screen.

On the new Support Profile Migration policy’s detail page, under Recent User Access Changes, Maria can see when this policy was applied and the affected users. She also reviews the user records to confirm that the users were granted access correctly.

Well done! In this badge, you learned all about user access policies and practiced creating multiple policies. We hope that user access policies become a trusty tool in your tool belt of user management features.

Resources

Hands-on Challenge

+500 points

Get Ready

You’ll be completing this unit in your own hands-on org. Click Launch to get started, or click the name of your org to choose a different one.

Your Challenge

Migrate Access with a Manual User Access Policy
Remove users from the Technical Support and Expert Support public groups and add them to the new Tier 3 Support public group (Team Trailhead has already created the users and the public group for you).
  • Create the user access policy and configure its criteria and actions:
    • Policy Name: Tier 3 Group Setup
    • API Name: Tier_3_Group_Setup
    • Don’t specify a value for Order.
    • Add a description (We won’t check for this.)
    • For User Criteria:
      • Group
      • Equals
      • Technical_Support
        AND
      • Group
      • Equals
      • Expert_Support
    • Define three Actions:
      • Grant
      • Group
      • Tier_3_Support group
        AND
      • Revoke
      • Group
      • Technical_Support
        AND
      • Revoke
      • Group
      • Expert_Support
  • Apply the policy to all the users who meet its criteria.
Share your Trailhead feedback over on Salesforce Help.

We'd love to hear about your experience with Trailhead - you can now access the new feedback form anytime from the Salesforce Help site.

Learn More Continue to Share Feedback