Session-Based Permission Sets and Security
These are technical notes I compiled while studying using Trailhead, Salesforce's free self-learning portal.
Get Started with Session-Based Permission Sets
Describe what a session-based permission set is. Explain why you’d want to use a session-based permission set. Create a session-based permission set.
The What and Why of Session-Based Permission Sets
- Permission Sets allow you to create a set of permissions for assignment to users
- Ex: giving Edit Case Comments, Manage Cases, and Edit Activated Orders permissions for all Support managers in the org
- Session-Based Permission Sets are similar, but have an added session-activation option
- Computer session begins when you authenticate into your computer network at work and continues until you log off or the session ends for another reason
- Ex: if a security policy requires that inactive sessions time out after a certain number of minutes
- Session-based permission sets let you limit functional access for select permissions in a permission set to an activated session
- Example: assume hiring managers need access to employment contracts, but the info in them can be sensitive
- Once a manager finishes reviewing a contract, one of the recruiters has the option of ending the session, deactivating the permission set and ending access
- To gain access to the contracts again, the hiring manager needs to reactivate the permission set
Create a Session-Based Permission Set
- Create a Session-Based Permission Set via: Setup > Quick Find > Permission Set
- Create a new Permission Set, and check the Session Activation Required checkbox
- Assign permissions to the permission set as required
Activate Session-Based Permission Sets Without Code
Name the ways in which you can activate a session-based permission set. Explain why you might want to use declarative tools to activate a session-based permission set. Activate a session-based permission without code.
Activation Options for Session-Based Permission Sets
- Once a session-based permission set is created, you have to make it usable, which means “activating” the session for the permission set
- Can use APIs:
- The PermissionSet object in the SOAP API has a field called HasActivationRequired, a boolean that indicates whether the permission set requires an active session
- Insert a record into the SessionPermSetActivation object with the combination of session ID and permission set to achieve the activation
- Can also use Flows:
- A flow Action called Activate Session-Based Permission Set is available. Use a Screen Flow.
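The API route described above, as an added Apex example (not from Trailhead or from these notes): it refuses to activate a permission set that is not marked HasActivationRequired, then inserts the SessionPermSetActivation record for the running user's current session. The class name, exception name and description text are hypothetical, and it assumes the SessionId entry returned by Auth.SessionManagement.getCurrentSession() identifies the session to activate.

```apex
// Added example: hypothetical helper class, not Salesforce's or the author's code.
public with sharing class SessionPermSetActivator {

    // Hypothetical exception type used to report why activation was refused.
    public class ActivationException extends Exception {}

    // Activates the permission set with the given API name for the
    // running user's current session and returns the activation record Id.
    public static Id activate(String permSetApiName) {
        List<PermissionSet> sets = [
            SELECT Id, HasActivationRequired
            FROM PermissionSet
            WHERE Name = :permSetApiName
            LIMIT 1
        ];
        if (sets.isEmpty()) {
            throw new ActivationException(
                'Unknown permission set: ' + permSetApiName);
        }

        // Only permission sets created with "Session Activation Required"
        // checked are meant to be activated per session; reject anything else
        // so a misconfigured (always-on) permission set is noticed.
        if (!sets[0].HasActivationRequired) {
            throw new ActivationException(
                permSetApiName + ' does not require session activation');
        }

        // Assumption: the 'SessionId' entry identifies the current session.
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();

        // The activation is the combination of session ID and permission set.
        SessionPermSetActivation activation = new SessionPermSetActivation(
            AuthSessionId = session.get('SessionId'),
            PermissionSetId = sets[0].Id,
            Description = 'Activated by SessionPermSetActivator (example)'
        );
        insert activation;
        return activation.Id;
    }
}
```

Deleting the inserted SessionPermSetActivation record is the corresponding way to end the access before the session itself ends.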
Create Easy Access to the Activation Flow
Explain why you might want to use a Lightning app page to activate a permission set. Create a Lightning app page that references a flow. Run a flow from a Lightning app page to activate a session-based permission set.
Why Use a Lightning App Page?
- Previous unit involved activating a session-based permission set using a flow. Users could activate the session-based permission set by running the flow, but this may not be ideal
- Instead, can set up a Lightning app page via Setup > Quick Find > “Builder” > Lightning App Builder
- Add the new screen flow to a new Single Region App Page, then activate that App Page and add it to one of the Apps, such as Sales
- Then, managers can activate the session-based permission set by clicking that tab