Salesforce Admin ADM-211 – Security and Access : Delegated Administration
- Delegated Administration
Delegated administration. Delegated administration, as the name says, is basically delegating administrative privileges, limited administrative privileges, to non-administrators. So when we say that we are delegating administrative privileges to non-administrators, there would be a question in our mind: why would we do that? When would we do that? Right? In any Salesforce org there would be a team of technical Salesforce people, right? Business analysts, developers, admins. Those technical people work on the Salesforce org, customizing it, taking care of the admin tasks and everything. However, in large organizations, where there is a large number of users, we might need this concept of delegated administration. Otherwise the Salesforce support, the technical Salesforce team, would be overflowing with cases from every single user for every minor task, maybe unlocking a user or assigning a specific permission set to a user.
So in those scenarios, what we do is assign some limited administrative privileges to non-administrators. Mostly these will be business users. For example, we may give some administrative privileges to the sales manager so he can take care of his sales team, or to a support manager so he can take care of his support team. So when we talk about these limited administrative privileges, what are the administrative privileges a delegated administrator gets? Does he get all the privileges that a Salesforce administrator has? Definitely not. He does not get all the privileges. He only gets limited privileges. So which privileges does he get? The delegated administrator can create and edit users in some specific roles and their subordinate roles, so only the specific roles that are assigned to him. Whenever we create a delegated administration group and assign users, we also specify which roles they can work with. So they'll be able to create and edit users only in those roles.
They can unlock users, they can reset passwords and they can assign users to specific profiles. So they can work only with those specific profiles that are assigned to them. They cannot create users in all the profiles across the org. No, not possible: only in specific roles, only on specific profiles and only with the specific permission sets that are assigned to them. Only those permission sets will they be able to assign to or remove from those users. And they can log in as a user who has granted login access to the administrator. They can manage custom objects, but again, not all custom objects, only the custom objects that are assigned to them. And when we say manage custom objects, that is not all of the features of the custom objects: they will not be able to work with relationships, they cannot create any relationships, they cannot edit any relationships, and they cannot edit any org-wide sharing defaults. So they can work only with those components that are assigned to them.
And there is a possibility that the same person can be in different delegated groups. There can be different delegated groups in a Salesforce org and the same person can be a part of both groups. In those scenarios what happens is he gets access to the components of both groups. Say, for example, from one group he gets access to a permission set, permission set A, and in the other group he gets access to permission set B. In those scenarios he can basically work with the components of both delegated groups. And as mentioned here, we should also note that while selecting roles, while creating new users, we have the None Specified option. But for these delegated administrators we do not have that None Specified option. He has to assign a role to those new users, and the role would also be one of those roles which is assigned to him or maybe a subordinate role, a role that is below that assigned role in the role hierarchy. And he cannot modify profiles, he cannot modify permission sets. So these are all the privileges that a delegated administrator gets. Basically a delegated administrator, as I already mentioned, would be some business user who gets access to some limited administrative duties so he can take care of his own team. Perfect.
And now that we have understood the concept of delegated administration, what we are going to do is go to our Salesforce org, the developer org, create a delegated administrator group, add some users to it and test our results. I have now logged into our Salesforce developer org and, as you can see, I have logged in as User Two. Basically the user who is not the system administrator; we know we can have only two users. The first user is a system admin user, the second user is not a system admin user.
So I have logged in as a user who is not a system administrator, basically to replicate the scenario that we have in real time, when users do not have administrator privileges. So he is that kind of a user. So now go for users, Manage Users, Users, and you can see that there is no New button, meaning that this user as such cannot create any new users. So now what we are going to do is log in as a system administrator, create the delegated administrator group, add User Two to it, and see if this user gets the privilege of creating a new user.
Now I have logged in as a system administrator, so let's create a delegated administrator group. So this is our delegated groups page. As such we do not have any delegated groups in our system. So I'm going to create one, say for example Delegated Sales Team, and enable the group for login access. Enabling this would basically give these users the access privileges to log in as the other user. Okay, now the Delegated Sales Team group is created. Now we are going to add who will be the delegated administrators. As such we have only one user that we can add, that is User Two. So let me add User Two as part of this group. Okay, so now we have added the administrators out here. Now we have to specify which privileges he gets. So, user administration: here we have to specify which roles he can work with.
Say, for example, the delegated administrator is creating a user. So which roles can he assign? Let me say VP Marketing and VP International Sales. Perfect. And assignable profiles: let me say only the sales profile and the support profile. The data may not be appropriate, because in real time we wouldn't actually be working on these kinds of profiles. The sales team would basically work with a sales profile and its related profiles. If you are creating a Delegated Sales Team group, they would work only with those related profiles. For the sales team, they would only work with those related permission sets. But as we do not have that data set up, I'm just randomly adding a couple of permission sets. We are just going to test the scenario and understand the functionality. So here, let me just say Access to Marketing App. So that is permission sets, and also assignable public groups. We have only one public group. And finally custom object administration.
So which objects can they work with? Let me just choose one single object. Let's say the Student object. Perfect. So what did we do? We created a delegated group and then we added a delegated administrator to the group. We can add more administrators; in real time we'll have more users, so we can add more administrators. And these are all the privileges that the administrators get for user administration. They can work with these roles, these profiles, these permission sets, these public groups and these objects. In fact, they can work only with these components. So now that we have created this group and assigned the administrators, it's time for us to log in as a delegated administrator and check how it is working. I've now logged in as User Two. Let me go for users. And now I see these buttons. Previously I was not able to, because I wasn't the administrator then, but now I'm given the administrative privileges. So I see these buttons. Hit the New User button, and here you see which roles I can assign. Unlike the system administrator, where I get the list of all the roles in the org, I do not get all these roles. I only get those roles which are assigned to me as part of this delegated administrator group and also the roles that report under them in the role hierarchy. And for profiles, we do not see any options, because it depends on the user license. This is a developer org. We have already created two users.
So that's the reason we are not able to access those profiles, but otherwise, in real time, yes, when you select this option, we would be able to select those profiles. So now let me hit Cancel, because we'll not be able to create this user without assigning a profile. However, I just wanted to show you the concept, how it works. Going back here: as part of this delegated administration, we were technically not able to create the user. However, in real time, yes, we would be able to create, and we also see that those options are available to us. And reset passwords: we have that button as well. And unlock users: when users get locked, yes, we can unlock them. Assigning users to specific profiles. Assigning or removing permission sets. Yeah. So these administrators will also get access to permission sets, those which are assigned to them.
So go for permission sets. I think this is the only permission set that we gave this particular user access to. So you see Manage Assignments, and you also see the user. Here there is only one user, but otherwise, in real time, you will have all the users listed out here, meaning this user gets the access level to assign this permission set to other users. And the delegated administrator would be able to log in as the other users. Yes. And managing custom objects. Yes, this we did not see. So basically, when some custom objects are assigned to the delegated administrator, they will get the privileges to customize those custom objects. However, they cannot work on relationships or the org-wide sharing defaults. I think we provided access to the Student object. So for the Student object, go for Setup, go for custom objects. Right. So as you see here, this particular user has only got access to this particular object. Why? He has got the access through delegated administration. He doesn't have access to the other objects. So this is what we see, where he can go to the object definition page and he can do some edits over here.
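
The scoping rules from this lesson, written as a small Python model; this is an added example, not Salesforce code and not part of the original lesson. The first group uses the values from the demo, while the role hierarchy below the two VP roles, the second group and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DelegatedGroup:
    name: str
    admins: tuple
    roles: tuple = ()
    profiles: tuple = ()
    permission_sets: tuple = ()
    custom_objects: tuple = ()
    login_access: bool = False

# Constructed hierarchy (child -> parent); only the two VP roles are from the lesson.
ROLE_PARENT = {
    "VP Marketing": "CEO", "VP International Sales": "CEO", "VP Support": "CEO",
    "Marketing Team": "VP Marketing", "Regional Sales Rep": "VP International Sales",
}

def with_subordinates(roles):
    """Return the given roles plus every role below them in the hierarchy."""
    found = set(roles)
    while True:
        below = {c for c, p in ROLE_PARENT.items() if p in found} - found
        if not below:
            return found
        found |= below

def effective_scope(user, groups):
    """Union of everything delegated to `user` across the groups they administer."""
    mine = [g for g in groups if user in g.admins]
    union = lambda attr: {v for g in mine for v in getattr(g, attr)}
    return {"roles": with_subordinates(union("roles")), "profiles": union("profiles"),
            "permission_sets": union("permission_sets"),
            "custom_objects": union("custom_objects"),
            "login_access": any(g.login_access for g in mine)}

def can_create_user(user, groups, role, profile):
    """The role is mandatory (no 'None Specified') and must be inside the scope."""
    scope = effective_scope(user, groups)
    return role is not None and role in scope["roles"] and profile in scope["profiles"]

GROUPS = [  # first group mirrors the lesson's demo; the second is constructed
    DelegatedGroup("Delegated Sales Team", ("User Two",),
                   roles=("VP Marketing", "VP International Sales"),
                   profiles=("Sales Profile", "Support Profile"),
                   permission_sets=("Access to Marketing App",),
                   custom_objects=("Student",), login_access=True),
    DelegatedGroup("Delegated Support Team", ("User Two",),
                   permission_sets=("Permission Set B",)),
]
```

Running `effective_scope` for every delegated administrator is a quick way to review how much a user has accumulated through membership in several groups.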