A permission set can be described as a collection of extra permissions and settings that extends users' existing permissions. Permission sets can be used to give extra permissions to users without modifying their profiles. User can have only one profile but they can have multiple permission sets assigned to them. This way, you can have minimum profiles in the system but give various permissions to specific people.
Permission sets can be assigned only to users. It is not possible to assign a them to a public group, role, or profile. Read this article to learn more about permission sets.
There are two different way to assign a permission set. First one is directly from the user record.
Second way is opening the permission set and clicking on the Manage Assignments button.
You have to go to the setup to perform both of these actions, which means that you need admin permissions.
However, using a flow, it is possible to build a screen that lets the current user select a user and a permission set to assign to him/her. This would be a great admin tool for manual assignments. It is also possible to build a record-triggered flow to automatically assign permission set(s) when a user becomes active. This is a great way to reduce manual work. You can read this post to learn about flow types and their differences.
Building a Screen Flow to Assign Permission Sets
1- Create a new screen flow and add screen element as the first element of the flow. Add the lookup element that will let the you select a user. Then add a picklist element, which will display the permission sets in the system. In order to do so, create a record choice set that will display only the permission sets. If you want the flow to display only a few permission sets and not all of them, add your criteria.
Picklist field should display the label of the permission set but store the Id of the selected record. Optionally, store the label of the selected record, it will be useful when displaying a message to the user.
Optionally, rename the Next/Finish button as "Assign". This will make the user think that he/she doesn't need anything else to do. And yes, actually the user doesn't need to do anything else, flow will do everything.
Your screen should look like this.
Optionally, you can set an expiration date for the permission set assignment. If you do so, assigned users receive access to all aggregate permissions until the expiration date. In order to set the expiration date, add a date/time input field.
2- Add a Get Record element and get the PermissionSetAssignment record to check if the selected user already has this permission set.
3- Add a Decision element to check if the user already has the selected permission set.
4- If it already exists, you cannot assign again. So, you will need to display a message to the user. Add a new Screen element to display a message. Optionally, rename the Previous button as "Assign Another". Since you stored the label of the selected permission set in the first step, use it in the error message. This will make the error more clear.
5- If it doesn't exist, then create a new PermissionSetAssignment record to assign the it to the selected user.
If you want to set an expiration date, don't forget to populate the ExpirationDate field.
6- At the end of the flow, display a success message. Like you did in the 4th step, rename the Previous button as "Assign Another" and use variables in the message.
At the end, your flow should look like this. Optionally, make the flow run in the system context.
Record-Triggered Flow to Automatically Assign a Permission Set
Let's create a record-triggered flow that will automatically assign a permission set called "SSO" when a user becomes active.
1- Create a Record-Triggered flow and choose to run it after create/update. Select User as the object and enter the criteria. So that the flow will run only when a user becomes active.
2- Add a Get Records element to get the "SSO" permission set. To assign it, you need the Id of the permission set. You can use a hardcoded value but if you do so, don't forget to change it after you deploy to other environments.
3- Add another Get Records to check if it is already assigned. In order to do so, you have to get the PermissionSetAssignment record according to the user Id and permission set Id that you got in the previous step.
4- Add a Decision element to check if the permission set is already assigned to the selected user.
5- If it doesn't exist, then add a Create Record element to create a PermissionSetAssignment record. This action will assign the permission set to the user.
Optionally, populate the expiration date field.
At the end, your flow should look like this.
These are some simple flows to assign permission sets. You can improve them and add more logic according to your needs. Don't forget, the idea is to help the users. Try to automate the process to reduce time or give the users more capabilities that they cannot perform using the standard permission set assignment screen.
Permission Assignment Expiration Considerations
If you set the ExpirationDate field on the PermissionSetAssignment record, assigned users receive access to all aggregate permissions until the expiration date. It means that, after the expiration date, user will not have those permissions anymore. However, PermissionSetAssignment record will still exist in the system as inactive.
Assignments that expire are treated as soft-deletes. Moreover, SOQL queries don’t return the expired permission set assignments. You can still retrieve them using the ALL ROWS clause. However, there is no standard option to use ALL ROWS clause in flow. Therefore, your Get Records element will not find the expired permission set assignments. This may cause an issue because if you try to create a PermissionSetAssignment record, the system will say that it is a duplicate value.
Read this post to learn how to use flow to assign a permission set with an expiration date.
