Discover What’s New with Access Control for Winter '26
Learning Objectives
After completing this unit, you’ll be able to:
- Assign the View All Fields object-level permission.
- Use the Manage External Users (Limited) permission.
- Apply predefined permission set groups in Public Sector Solutions.
- Update sharing group references for the Secure Roles Behavior release update.
View All Fields Permission
Field-level security is often one of the hardest parts of access design. Large orgs can have hundreds of fields across dozens of objects, making permission sets complex and prone to gaps. The new View All Fields permission is a feature that helps cut through that complexity.
This feature grants visibility to every field on an object, including any created in the future. Instead of updating permission sets every time a new field appears, you assign one permission. This reduces updates and keeps your security model predictable.
This update reduces the overhead of tracking individual fields across complex orgs and lowers the risk of missed access while keeping visibility scoped to the right object. The permission is available in Lightning Experience and Salesforce Classic (not in all orgs). It works with both standard and custom objects that support field permissions, across all editions.
Follow these steps to set it up.
- In Setup, open a permission set.
- Go to Object Settings for the object.
- Select View All Fields.
- Save your changes.
Anyone assigned to that permission set automatically gets access to all current and future fields on the object.
Assign View All Fields in permission sets, not profiles. This approach keeps your security model flexible and easier to maintain over time.
Manage External Users (Limited)
Managing external users in Experience Cloud sites is safer with the new Manage External Users (Limited) permission. Unlike the broader Manage External Users permission, this option lets users manage only the external accounts they already have read and write access to.
This change reduces the risk of unauthorized modifications and helps keep delegated administration tightly scoped. Instead of giving site managers wide-ranging control, you give them just enough access to do their jobs, following the principle of least privilege.
This permission applies to Lightning Web Runtime (LWR) sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.
Follow these steps to set it up:
- In Setup, assign the Manage External Users (Limited) permission in a permission set or profile.
- Make sure the user has read and write access to the external accounts they need to manage.
- Save your changes.
Delegated users manage only the accounts they already have access to.
Replace the full Manage External Users permission with the limited one whenever possible. It’s a straightforward way to strengthen security without adding complexity.
Persona-Based Permission Set Groups in Public Sector Solutions
Access provisioning in public sector orgs can get complicated fast. To simplify it, Public Sector Solutions now includes predefined permission set groups tied to common user personas. Instead of assigning multiple permission sets one by one, you assign a single group that matches the user’s role.
This approach cuts down on errors, speeds up audits, and keeps access aligned with job responsibilities. When someone changes roles, you just update their group assignment—no need to rebuild access from scratch.
Here’s how user personas map to permission set groups.
User Persona | Permission Set Group |
|---|---|
Recruiter or HR specialist | Talent_Recruitment_Management_Specialist |
Hiring manager | Talent_Recruitment_Management_Hiring_Manager |
Interviewer reviewing external applicants | Talent_Recruitment_Management_Employee |
External job seeker applying for open positions | Talent_Recruitment_Management_Applicant |
Compliance officer for licensing/permitting | Licensing_Permitting_Officer |
Constituent applying for licenses/permits | Licensing_Permitting_Constituent |
Grant maker managing funding opportunities | Grantmaking_Manager |
Grant seeker applying and reporting on funding | Grantmaking_Applicant |
Caseworker reviewing benefit applications | Benefit_Management_Caseworker |
Constituent applying for benefits | Benefit_Management_Constituent |
Complaint intake officer managing investigative cases | Investigative_Case_Management_Officer |
Constituent filing complaints or submitting evidence | Investigative_Case_Management_Constituent |
Caseworker managing programs, referrals, and care plans | Social_Program_Management_Caseworker |
Constituent receiving social care benefits | Social_Program_Management_Constituent |
Provider managing referrals and services | Social_Program_Management_Provider |
Employee accessing features on an employee experience site | Employee_Experience_User |
Admin configuring and managing Public Sector features | Public_Sector_Solutions_Admin |
This feature applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions with Public Sector Solutions enabled.
To assign a group:
- In Setup, open the user’s record.
- Under Permission Set Group Assignments, choose the group that matches their persona.
- Save your changes.
Use persona-based groups as the baseline for your access model. They enforce least privilege, simplify audits, and save time in complex environments.
Secure Roles Behavior and Sharing Group Update
Protect records in orgs with digital experiences by using the default sharing group once called Roles and Subordinates that is now Roles and Internal Subordinates. This shift prevents external site users from getting unintended access to records through the role hierarchy.
During the transition, Salesforce converts old references automatically. Once enforcement is live, though, any code or automation that still points to Roles and Subordinates will fail. Update your org early to avoid errors.
This update applies to Lightning Experience and Salesforce Classic (not in all orgs) in Enterprise, Performance, Unlimited, and Developer editions. It was already pushed to sandboxes in Summer ’25 and will be enforced in production with Winter ’26.
To prepare:
- Review custom code, Apex, flows, and automation that reference Roles and Subordinates.
- Update those references to Roles and Internal Subordinates.
- Test the changes in a sandbox.
- Deploy the fixes before Winter ’26 enforcement.
If you already tested this update in production, you’re done.
Don’t wait for enforcement. Update your references early so you avoid errors once Salesforce stops converting them for you.
Summary
Winter ’26 introduces important updates that make access control simpler to design and stronger to maintain. These changes reduce administrative overhead, close security gaps, and reinforce the principle of least privilege across complex orgs.
Wrap-Up
You’ve completed Salesforce Architect Certification Maintenance for Winter ’26. With these updates in mind, you’re prepared to keep your certification current and continue designing secure, efficient access models.
Resources
- Salesforce Help: Allow Users to View All Fields for a Specified Object
- Salesforce Help: Increase the Security of Your Site with When Managing External Users
- Salesforce Help: Seamlessly Manage User Access by Persona
- Salesforce Help: Enable Secure Roles Behavior and Update Sharing Group References in Production