For our user provisioning (from AD) I want to automate the permission set groups that are assigned to user with a specific function title. What I have found is how to assign a permission set using the Flow Builder (create a record in the object 'Permission Set Assignment'. But I have not been able to find the same for Permission Set Groups. Is this even possible?
[SalesForce] Automated Permission Set Group Assignment
Related Solutions
Before deleting, you may want to use RecordLookup in Flow to check if the permission set is being assign to the user.This Flow can be invoked from Process Builder.In Process builder you can set the user id as input.
You can choose PermissionSetAssignment Lookup and look for the AssigneeId. Put the outcome in Decision, if it 's not exist do not delete.
The overall idea is something like this:
Hope it helps.
In short: I managed to do this in Apex by using apex-mdapi AFTER I updated the code to support flowAccesses. - here's the github commit with changes needed to support it. This is the only way I can see to do this through Apex as you need to hit the Metadata API.
Very Long Version
I didn't see anything within SOQL or Tooling API that can be used. It seems like it's only available with the Metadata API based on the simple fact that you can retrieve this information with the following package.xml
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
<types>
<members>test</members>
<name>PermissionSet</name>
</types>
<version>47.0</version>
</Package>
This returns the following
<?xml version="1.0" encoding="UTF-8"?>
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
<flowAccesses>
<enabled>true</enabled>
<flow>Test_Flow_Name</flow>
</flowAccesses>
<hasActivationRequired>false</hasActivationRequired>
<label>test</label>
<license>Salesforce</license>
</PermissionSet>
That leaves you with trying to use Apex and the Metadata API. This isn't a supported type for what Salesforce provides access to through Apex. Likewise, I don't see any mention of flow access in the Metadata API Developer Guide which puzzled me. However, they do list the other naming conventions for other "access" types:
PermissionSetApplicationVisibility[]
PermissionSetApexClassAccess[]
PermissionSetCustomMetadtaTypeAccess[]
etc.
So now I looked towards apex-mdapi which does allow you to interact with apex/Metadata API
You can see the code/github here and this is a helpful answer with links to many questions concerning it. I had to make edits to it since it hasn't been updated since flowAccesses was brought into play. I used customMetadataTypeAccess (which is also relatively new) as a test since that one is at least documented in the developer guide.
You can see my changes in my forked repo and the latest commits contains all the changes needed for this in particular. Based on the naming convention in the developer guide (and testing that PermissionSetCustomMetadataTypeAccess[] worked first), I used PermissionSetFlowAccess[] and the example of the returned retrieve file to populate what the field names would be. You can see that the name of the flow is stored in <flow></flow>
So now, going off all that above...
Depending on when/where your code is executing, you'd probably first want to get a list of permission sets assigned to the user using SOQL. From this, you can see the following should do the trick
SELECT PermissionSet.Name FROM PermissionSetAssignment WHERE AssigneeId = 'User Name here'
Once you have a list of permission set names, you can call the Metadata API through the MetadataService you modified above to simply get those permission sets returned and loop through them to get a list of the Flows they have access to.
public class testmetadata {
public static MetadataService.MetadataPort createService()
{
MetadataService.MetadataPort service = new MetadataService.MetadataPort();
service.SessionHeader = new MetadataService.SessionHeader_element();
service.SessionHeader.sessionId = UserInfo.getSessionId();
return service;
}
public static void testPerm()
{
//presumably you'd pass this list based on the SOQL query
String[] permissionSetNames = new String[] {'test', 'test2', 'test3'};
String message = '';
MetadataService.MetadataPort service = createService();
List<MetadataService.PermissionSet> perm = (List<MetadataService.PermissionSet>) service.readMetadata('PermissionSet', permissionSetNames).getRecords();
//loop through returned permission sets based on the names assigned to user
for(MetadataService.PermissionSet permSet : perm){
message = permSet.fullName + ' with access to the following flow(s): ';
//loop through flows that are enabled for access in each perm set to display name
for(MetadataService.PermissionSetFlowAccess singleFlow : permSet.flowAccesses){
message += singleFlow.flow + ', ';
}
System.debug(message);
}
}
}
What I tested (using only 3 different flows):
- Created 3 permission sets - test1, test2, test3
- Gave test1 access to one flow
- Gave test2 access to 2 flows
- Gave test3 access to 3 flows
See the debug log returned below:
Update: Just to show that the assumptions I made above for the naming convention at least are now corroborated by info in the Metadata API WSDL. You can see the naming for Profile and Permission Set.
Best Answer
Both PermissionSetAssignments and PermissionSetGroups are accessible as SObjects and can be created in the database when the appropriate permissions exist. I suggest you simply need to create the PermissionSetAssignment for the User referencing the PermissionSetGroup instance. This can be done straight-forwardly in Apex using something like:
Of course, you should ensure this code is bulkified if you are handling bulk provisioning, and can be accessed from a flow as long as you create an InvocableMethod for it.