Learn What’s New with Access and Environments for Winter ’21

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how to group permission sets based on job functions.
  • Explain how to mute permission sets.
  • Explain how to use Salesforce Data Mask.
  • Describe how to clone a sandbox on a different version than production.
  • Select a signing algorithm to SAML requests and responses.

What’s New with Sharing and Visibility

With the release of Winter ’21, there are updates to:

  1. Permission set groups
  2. Grouping permission sets based on job function
  3. Muting permission sets

Get to Know Permission Set Groups

Permission set groups are an ideal way to consistently and reliably assign permissions to a group of users. Assign users a single permission set group instead of multiple permission sets. Permission set groups combine selected permission sets to provide all the permissions that users need for their job function. Remove individual permissions from a group with the muting permission set feature to ensure that permissions do not exceed user job functions.

Group Permission Sets Based on Job Function

Now you can assign users a single permission set group instead of multiple permission sets. Permission set groups combine selected permission sets to provide all the permissions that users need for their job. Similarly, remove individual permissions from a group with the permission muting feature to ensure that users do not get permissions that are not relevant to their job functions. A new user interface helps you create and manage permission set groups.

Suppose that you have employees in your sales department who work with Sales Cloud Analytics templates and apps. They also create, edit, and delete surveys and read, create, edit, and delete accounts. You have three permission sets that contain the permissions needed: Sales Cloud Einstein, Survey Creator, and a permission set based on the Standard User Profile. You assign each permission set separately to your users.

You can combine the permission sets into one meaningful permission set group and then assign the permission set group to the sales employees. In this example, the permission set group Sales Staff Users contains the combined permissions of all the permission sets that you added to the group. Salesforce also aggregates and resolves permissions across all permission sets in the permission set group to ensure that inheritance and dependencies are maintained.

Muting Permission Sets 

A muting permission set is a handy way to increase security and ensure that only components that are required by your organization and users are accessible and, conversely, those components that shouldn’t be accessed are not available. When used along with permissions, a muting permission set gives you granular control over permissions and helps make sure that you’re complying with the principle of least privilege.

Suppose that your Sales Staff Users permission group contains three permission sets. And one of those three permission sets contains a Delete permission that you no longer want all group members to have. To complicate things, you also have a Managers permission set group that references the Sales Staff Users permission set. What can you do to implement this permission restriction? Instead of creating another permission set, you can use a muting permission set to constrain the Delete permission. The muting permission set contains the Delete permission that you want to disable. When you add the muting permission set to the Sales Staff Users group, those members no longer have the delete permission, but the Managers members do.

use a muting permission set to constrain the Delete permission

What’s New with Development Lifecycle and Deployment

There are updates to environment cloning and data security.

Clone a Sandbox with a Version Different from Production

You can now clone a sandbox that’s on a different major Salesforce release version than your production org. Previously, a sandbox that was on a different version from the production org due to a release transition couldn’t be cloned, and the clone link in the UI was disabled. Now you can clone preview sandboxes for development, testing, and training.

Secure Your Sandbox Data with Salesforce Data Mask

Salesforce Data Mask is a powerful new data security resource for Salesforce admins and developers. Instead of manually securing data and access for sandbox orgs, admins can use Data Mask to automatically mask the data in a sandbox.

Data Mask uses platform-native obfuscation technology to mask sensitive data in any full or partial sandboxes. The masking process lets you mask some or all sensitive data with different levels of masking, depending on the sensitivity of the data. Once the data is masked, you can’t unmask it. This irreversible process ensures that the data is not replicated in a readable or recognizable way into another environment.


  • Data Mask doesn’t post notifications of changes made to records on Chatter feeds during the masking process, even if feed tracking is enabled for an object.
  • A new configuration called Unique on text and text area field types appends more characters from the record ID to library words or random characters to make them unique. This configuration is useful for objects that have duplicate rules defined.
  • A new configuration option called Run in Serial Mode prevents errors caused by the presence of master detail and lookup relationships.
  • Chatter and Enhanced Email aren’t prerequisites for installing Data Mask.
  • You don’t have to keep the browser window open after clicking Run Now on a data mask configuration.
  • Data masking makes all email addresses unique. Emails are the most used field in duplicate rules. This change ensures that no records are skipped during masking because of duplicate email addresses.
  • New libraries for Canadian postal codes and SSN with and without dashes are available when you set up masking rules.
  • You can replace sensitive data with data generated using a pattern of your choice.
  • A new search option quickly finds objects and fields to mask.
  • You can stop an in-progress data masking job and re-enable deactivated automations.
  • You can clone existing masking configurations to quickly create ones.

What’s New with Identity and Access Management

There are Updates to SAML with the release of Winter ’21. You can:

  1. Secure SAML messages when Salesforce is the identity provider.
  2. Update identity provider SAML requests to use lowercase sandbox names.

Secure SAML Messages When Salesforce Is the Identity Provider

When your Salesforce org acts as a SAML 2.0 identity provider, you can secure its messages to the service provider with either SHA1 or SHA256. These signing algorithms secure SAML messages by transforming them with hash functions. As the identity provider, Salesforce applies the selected algorithm to its SAML requests and responses. The selected signing algorithm is applied to single sign-on (SSO) and single logout (SLO) messages from your org to the service provider.

When you configure a connected app for your service provider, select the signing algorithm to apply to SAML requests and responses initiated by your org.

select the signing algorithm to apply to SAML requests


Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities