Assign a Permission Set Group to a User with a Expiration Date with Flow : jenwlee

by: jenwlee
Blog post content copied from Jenwlee's Salesforce Blog



My final flow article posted on this blog site is dedicated to my now former JH colleague and forever friend, Michael Stephenson. This one is for you! I will miss you deeply.

Here’s the answer to your question from our Tech Focused Summer ’21 Release Highlights meeting…

A new Summer ’21 feature for Permission Set Groups lets admins and users who have the Assign Permission Sets system permission set assignment expiration dates and assign permissions that expire to users via permission set groups.

What’s a permission set group? Read up on it by checking out the blog post: Permission Set Group Assignment Automation.

Here are a few lessons learned from implementing this use case:

  • Enable the feature to create permission set group assignments that expire on a date that you specify using an enhanced user interface.
  • In order to assign a user to a permission set group, the running user must have the Assign Permission Sets system permission. 
  • You must check whether the user already has the permission set group before assigning it, because if the user is already assigned the permission set group, your flow will throw a duplicate permission set error.
  • If the user is already assigned the permission set group, you can update the expiration date/time instead of creating a new permission set assignment record.
  • Learn how you can use community-built flow actions to enhance the power of flow – in this post, we will use ShowToast from UnofficialSF.

Business Use Case: Addison Dogster is the system administrator at Universal Containers. Occasionally, there are users who need to be temporarily assigned to a permission set group – Jen’s Permission Set Group. Selected users in the IT group can assign permission sets and permission set groups to users. Sometimes, they forget to remove the permission set group from these users once it is no longer needed. This causes a security issue, as those users have more privileges than needed.

Solution: Being the #AwesomeAdmin that she is, Addison knows of a new feature in Summer ’21 that allows you to set an expiration date on permission set group assignments. After the expiration date has passed, the user no longer has access to the permissions enabled via the permission set group. No more remembering to remove users from permission set groups. Salesforce takes care of it for you.


As a true Flownatic, she wondered if it was possible to set the expiration date via flow. And yes, indeed, it is possible. Cool!

With a screen flow, she prompts the user to select the user and the expiration date/time and either assigns the permission set group (PSG) with the expiration date to the user or updates the expiration date on an existing permission set group assignment. 

Here is a demo of the solution:

[Image: TempAssignPSGDemo]

The automation solution (screen flow) looks like this:

[Image: TempAssignaPSGtoaUser-Flow]

(1) The screen flow prompts the running user to select the user via lookup search and to set the expiration date/time (set to now + 2 days by default).

(2) We get the Jen Permission Set Group’s Id using the PSG name.

(3) Next, we query for the permission set assignment record for the user to this PSG Id.

(4) We then determine from the Get Records element whether the user is already assigned the PSG or not.

If there is no existing permission set assignment record for the user and PSG (outcome = No), then (5a) we create a permission set assignment record and assign the user to the PSG with the specified expiration date. (5b) Lastly, we show a confirmation message “You successfully assigned Jen’s Permission Set Group to <User’s Name>.”

If there is an existing permission set assignment record for the user and PSG (outcome = Yes), then (6a) we update the expiration date for the existing permission set assignment record. (6b) Lastly, we show a confirmation message “You successfully updated the expiration date/time for Jen’s Permission Set Group for <User’s Name>.”

Highlighted Steps: 

Note: The user implementing this should be a system administrator or have the Assign Permission Sets permission to be able to assign the PSG to the user.

1. Create the permission set group and assign the relevant permission sets to the permission set group.

2. Enable the org-wide setting Permission Set Group Assignments with Expiration Dates (Beta) in order to set an expiration date on a PSG assignment. Go to Setup | User Management Settings and enable the setting shown below.

[Image: UserManagementSettings]

3. Create the Screen Flow Lookup custom object from the Blog Post: Trick: Running User Must Have Create Permission to Field Used in Screen Flow Lookup Component.

4. Install the ShowToast component from UnofficialSF. This allows you to show a toast message to the user to let them know the assignment completed.

I highly recommend installing and testing this in a sandbox first. Don’t just install it directly to Production. To ensure you are installing in a sandbox, always make sure the URL is test.salesforce.com.

Right-click on the link and copy the link address. Paste “/packaging/installPackage.apexp?p0=xxxxxxxxxxxxxxxxxx” at the end of the URL (where xxxxxxxxxxxxxxxxxx is the Id of the package installation). This will automatically install the package in your sandbox or production, wherever you are logged in.

5. Create the screen flow shown above. In Lightning Experience, it is found under Process Automation | Flows. Click on “New Flow.” Select Screen Flow.

In the flow, we would configure the following flow resources.

A. We need to create a formula resource to set the date/time to now plus 2 days to set as the default for the expiration date/time.

Best practice tip: Provide a description so you and other/future admins know what this flow resource is used for.

This is how that flow resource would be configured.

  • Resource Type: Formula
  • API Name: NowPlus2Formula
  • Data Type: Date/Time
  • Formula: Now() + 2 — This sets the date/time to now plus 2 days out.


B. First, we configure a Screen flow element called Temp Assign a PSG to a User to collect the user to assign Jen’s Permission Set Group to and set the expiration date/time.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Screen Properties:
    • Control Navigation: deselect Pause and Previous


  • Add the Display Text component:
    • API Name: Text
    • Text: Select a user and the expiration date/time for the Jen Permission Set Group assignment.


  • Add a Lookup Component:
    • API Name: UserLookup
    • Field API Name: CreatedById
    • Label: User
    • Object API Name: Screen_Flow_Lookup__c
    • Required: {!$GlobalConstant.True}


  • Add a Date & Time Component:
    • Label: Expiration Date/Time
    • API Name: Expiration_Date_Time
    • Required: Check
    • Default Value: {!NowPlus2Formula}


C. Next, we get the Id for Jen’s Permission Set Group by doing a query. This avoids hardcoding Ids in your flow. Read my blog post “Did I Just See You “Hardcode” a Salesforce ID? Aw, Hell No!” to learn why you shouldn’t hardcode Ids.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Object: Permission Set Group
  • Filter Permission Set Group Records: Condition Requirements to Update Records: All Conditions Are Met (AND)
    • DeveloperName Equals Jens_Permission_Set_Group (References the API name of the PSG) 
  • How Many Records to Store: Only the first record
  • How to Store Record Data: Automatically store all fields


D. We need to set up the Get Records flow element called Get Permission Set Group Assignment to query the Permission Set Assignment object to see if the user is already assigned to Jen’s Permission Set Group.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Object: Permission Set Assignment
  • Filter Permission Set Assignment Records: Condition Requirements to Update Records: All Conditions Are Met (AND)
    • AssigneeId Equals {!UserLookup.recordId}
    • AND PermissionSetGroupId Equals {!Get_the_Jen_PSG_Id.Id}
  • How Many Records to Store: Only the first record
  • How to Store Record Data: Automatically store all fields


E. Now, we need a Decision flow element called Is the User Already Assigned to the PSG? where we determine whether the Get Records from Step D found a permission set assignment record with the user and Jen’s Permission Set Group. The “No” outcome checks to see if the Id is blank, which means no record was found. The “Yes” outcome assumes that there was a record found.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Outcome: No
    • {!Get_Permission_Set_Group_Assignment.Id} Is Null {!$GlobalConstant.True}
  • Default Outcome: Yes


F. Following the “No” decision outcome, we need a Create Records flow element called Assign Jen’s PSG to the User which will create the new permission set assignment record for the user and Jen’s Permission Set Group with an expiration date.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • How Many Records to Create: One
  • How to Set the Record Fields: Use separate resources, and literal values
  • Object: Permission Set Assignment
  • Set Field Values for the Permission Set Assignment:
    • AssigneeId: {!UserLookup.recordId} (Points to the screen component value for the user lookup)
    • ExpirationDate: {!Expiration_Date_Time} (Points to the screen component value for the expiration date/time)
    • PermissionSetGroupId: {!Get_the_Jen_PSG_Id.Id} (This is the Id in the Get the Jen PSG Get Records)


G. Lastly, for the “No” outcome, create an Action showToast called Success – Created New to show a toast message to the user.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Message: Include
    • You successfully assigned {!Get_the_Jen_PSG_Id.MasterLabel} to {!UserLookup.recordName} (This will show the PSG name and the user’s name dynamically)
  • Type (success, error, warning, info, other): Include
    • success


H. For the “Yes” outcome, we need an Update Records flow element called Update the Expiration Date/Time, which will update the expiration date on the existing permission set assignment record.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • How to Find Records to Update and Set Their Values: Specify conditions to identify records, and set fields individually
  • Object: Permission Set Assignment
  • Filter Permission Set Assignment Records: Condition Requirements to Update Records: All Conditions Are Met (AND)
    • AssigneeId Equals {!UserLookup.recordId}
    • AND PermissionSetGroupId Equals {!Get_the_Jen_PSG_Id.Id}
  • Set Field Values for the Permission Set Assignment Records

    • ExpirationDate: {!Expiration_Date_Time}


I. Lastly, for the “Yes” outcome, create an Action showToast called Success for Expiration Date/Time update to show a toast message to the user that the update was successful.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Configure as follows:

  • Message: Include
    • You successfully updated the expiration date/time for {!Get_the_Jen_PSG_Id.MasterLabel} for {!UserLookup.recordName} (This will show the PSG name and the user’s name dynamically)
  • Type (success, error, warning, info, other): Include
    • success


J. Toggle on Auto-Layout.


K. Debug the flow to ensure it is working as expected.

L. Save your flow. Let’s call it Temp Assign a PSG to a User.

Best practice tip: Provide a description so you and other/future admins know what this flow is for.


M. Activate the flow.

6. Open Lightning App Builder, create an app record page called Temp Assign a PSG. Make this a one column page and add the flow component called Temp Assign a PSG to a User screen flow.

7. Create a custom tab for the Assign a Permission Set Group app page.
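
The flow's check-then-create-or-update logic (steps C through H) expressed in Apex, as an added example that is not part of the original post. The class and method names are hypothetical; the future-date guard and the audit query for assignments that have no expiration are additions that go beyond what the flow itself does.

```apex
// Added example, not from the original post. Class and method names are hypothetical;
// object and field names are the ones the flow uses.
public with sharing class TempPsgAssigner {
    public class TempPsgException extends Exception {}

    // Step C of the flow: resolve the PSG by API name instead of hardcoding its Id.
    private static Id psgIdFor(String developerName) {
        List<PermissionSetGroup> groups = [
            SELECT Id FROM PermissionSetGroup WHERE DeveloperName = :developerName LIMIT 1
        ];
        if (groups.isEmpty()) {
            throw new TempPsgException('Permission set group not found: ' + developerName);
        }
        return groups[0].Id;
    }

    // Returns true if a new assignment was created, false if an existing one was updated.
    public static Boolean assignWithExpiration(Id userId, String developerName, Datetime expiresAt) {
        // Added guard (assumption, not in the flow): only accept a future expiration,
        // so this path can never create a non-expiring grant.
        if (expiresAt == null || expiresAt <= Datetime.now()) {
            throw new TempPsgException('Expiration date/time must be in the future.');
        }
        Id psgId = psgIdFor(developerName);
        // Steps D and E: look for an existing assignment first to avoid the duplicate error.
        List<PermissionSetAssignment> existing = [
            SELECT Id FROM PermissionSetAssignment
            WHERE AssigneeId = :userId AND PermissionSetGroupId = :psgId LIMIT 1
        ];
        if (existing.isEmpty()) {
            // Step F: create the assignment together with its expiration.
            insert new PermissionSetAssignment(
                AssigneeId = userId, PermissionSetGroupId = psgId, ExpirationDate = expiresAt);
            return true;
        }
        // Step H: move the expiration on the existing assignment.
        existing[0].ExpirationDate = expiresAt;
        update existing[0];
        return false;
    }

    // Audit helper: assignments to the PSG that still have no expiration date.
    public static List<PermissionSetAssignment> findNonExpiring(String developerName) {
        Id psgId = psgIdFor(developerName);
        return [
            SELECT Id, AssigneeId, Assignee.Name FROM PermissionSetAssignment
            WHERE PermissionSetGroupId = :psgId AND ExpirationDate = null
        ];
    }
}
```

As in the flow, the running user needs the Assign Permission Sets permission, and the org setting from step 2 must be enabled for the expiration date to be accepted.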

Test your automation before production deployment.

  1. On the Assign a Permission Set Group app page, select a user and leave the expiration date/time at the default (i.e. now + 2 days).
  2. Navigate to the user record and confirm that the PSG is assigned with the expiration date.
  3. Back on the Assign a Permission Set Group app page, select the same user and update the expiration date/time to a date/time in the future.
  4. Navigate to the user record and confirm that the existing PSG has an updated expiration date.

Deployment Notes/Tips:

  • The flows and related components can be deployed to Production in a change set (or can be deployed using a tool such as Metazoa’s Snapshot).
  • You will find the flows in a change set under the Flow Definition component type.
  • Activate the flow post deployment, as flows deploy inactive in Production unless you have opted in, on the Process Automation Settings screen, to “Deploy processes and flows as active.” NOTE: With this change, in order to successfully deploy a process or flow, your org’s Apex tests must cover at least 75% of the total number of active processes and active autolaunched flows in your org, or you can select 0%, which will run the Apex classes not related to your flow.

 

 


June 14, 2021 at 09:29AM