Permission Sets:
A Permission Set is a collection of settings and permissions that give users access to various tools and functions. The settings and permissions in a permission set are also found in profiles, but permission sets broaden users' functional access without altering their profiles.
Session Based Permission Sets:
A session-based permission set grants functional access to an application only during a specific session, for example an authenticated session.
When to Create?
Use a session-based permission set when you want users to authenticate into your environment using a token. When the token expires, the user must re-authenticate to access the application again.
How to Create?
Create a session-based permission set with access to the object, and then create a flow that uses the Activate Session-Based Permission Set action available in Flow Builder. In the flow, pass the permission set name to the action. At run time, the action checks who is running the flow. When the criteria match the specified user, the flow runs and the activation process fires. When the flow completes, the user has access to the object for the current session.
There are two ways to create session-based permission sets:
- Declarative method, without coding
  - Create the session-based permission set
  - Assign the permission set to the user
  - Activate the permission set through Flow Builder
- Through Apex code
Based on a particular set of criteria, the session-based permission set can be:
- Activated
- Revoked / Deactivated
Activation:
Method 1: Declarative Method
Below are the steps to create Session Based Permission Sets:
- Go to setup -> Quick Find Box -> Permission Sets -> New
- Enter the Permission Set information
- Enable the ‘Session Activation Required’ Checkbox
- For License, select None
- Save
- In Objects -> Select the Object -> Enable the permission(s) required
- Similarly, assign the field permission for that object.
Assign User to Permission Set:
- Assign the permission set to the user before activating the flow. Otherwise, Flow Builder will throw the following error:
Error: The permission set must be pre-assigned to the user before activated
- Assign the 'Run Flows' permission to the user.
Activation through Flow Builder:
When the flow activates the session-based Permission Set, the running user obtains access to the permissions specified in your Permission Set during the current user session. If the flow deactivates the session-based Permission Set, the permissions are no longer available to the user.
1. Setup -> Quick Find Box -> Flows -> New
2. Select Screen Flow -> Create
3. Drag Action into the canvas from Elements Tab
4. In Filter By Category -> Users -> Search for ‘Activate Session-Based Permission Set’
5. Set Input Values -> Permission Set Name -> Lookup the above created Permission Set
6. Click Done
7. Connect the nodes -> Activate the flow
Method 2: Using Apex
- Use the SessionPermSetActivation object
The SessionPermSetActivation object represents a permission set assignment activated during an individual user session. When a SessionPermSetActivation record is inserted, an activation event fires and the permission set's settings apply to the user's current session. Insert a record into the SessionPermSetActivation object with the following combination:
Activation = Session Id + Permission Set
Prerequisites:
- API version 37.0 and later
- As of Summer '20 and later, only users who have one of these permissions can access this object:
  - View Setup and Configuration
  - Manage Session Permission Set Activations
Code:
An identified session is activated after session information is submitted via a button. Successful activation results in a confirmation message displayed to the user.
Controller:
public class SessionPermSetActivationController {
    // id of the session permission set to be activated
    private final String sessionPermSetId = '0PSxx00000004rJ';
    private final String sessionId;
    // true when an activation already exists for this session; bound as {!Activated} on the page
    public Boolean activated { get; private set; }
    public SessionPermSetActivationController() {
        Map<String, String> sessionManagement = Auth.SessionManagement.getCurrentSession();
        sessionId = sessionManagement.get('SessionId');
        activated = ![SELECT Id FROM SessionPermSetActivation
                      WHERE AuthSessionId = :sessionId AND PermissionSetId = :sessionPermSetId
                      LIMIT 1].isEmpty();
    }
    public PageReference activate() {
        // activate the permission set: one record keyed on session id + permission set id
        insert new SessionPermSetActivation(AuthSessionId = sessionId, PermissionSetId = sessionPermSetId);
        activated = true;
        return null; // stay on the page so the confirmation panel renders
    }
}
VF Page:
<apex:page controller="SessionPermSetActivationController">
    <apex:outputPanel rendered="{!!Activated}">
        <h3>Activate Session Permission Set</h3>
        <br />
        <apex:form >
            <apex:commandButton action="{!activate}" value="Activate" id="activateButton"/>
        </apex:form>
    </apex:outputPanel>
    <apex:outputPanel rendered="{!Activated}">
        <h3>Session Permission Set is already active.</h3>
    </apex:outputPanel>
</apex:page>
Deactivation:
The permission set is automatically deactivated (revoked) when the user logs out or the session ends.
If access must end earlier, criteria can be defined according to the requirements and the permission set deactivated explicitly using Flows or Apex.
Method 1: Declarative Method
Like the activation steps:
- For deactivating, in Filter By Category -> Users -> Search for ‘Deactivate Session-Based Permission Set’
Method 2: Using Apex
Query the SessionPermSetActivation object for the current session and permission set, then delete the record.
Query:
    // sessionId and sessionPermSetId are the same values used for activation
    SessionPermSetActivation activation = [SELECT Id
                                           FROM SessionPermSetActivation
                                           WHERE AuthSessionId = :sessionId
                                           AND PermissionSetId = :sessionPermSetId LIMIT 1];
    delete activation;
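The following Apex service is an added example, not code from the original post. It pulls the activation and deactivation logic from the two Apex sections above into one class: it resolves the permission set by API name instead of a hard-coded Id, refuses to activate a permission set that is not marked Session Activation Required, makes activation idempotent (a second click does not insert a second record), and checks that the running user can create and delete SessionPermSetActivation records before trying. The permission set API name 'Session_Object_Access' is a hypothetical placeholder.

```apex
// Added example (not the original post's code): activate and revoke a
// session-based permission set for the running user's current session.
public with sharing class SessionPermSetService {

    public class SessionPermSetException extends Exception {}

    // Hypothetical permission set API name; replace with the one created in Setup.
    public static final String DEFAULT_PERM_SET = 'Session_Object_Access';

    // Look up the permission set by API name and confirm it is marked
    // "Session Activation Required" (HasActivationRequired). Failing here gives a
    // clearer error than a rejected SessionPermSetActivation insert later.
    public static Id resolvePermSetId(String permSetName) {
        List<PermissionSet> sets = [
            SELECT Id, HasActivationRequired
            FROM PermissionSet
            WHERE Name = :permSetName
            LIMIT 1
        ];
        if (sets.isEmpty()) {
            throw new SessionPermSetException('No permission set named ' + permSetName);
        }
        if (!sets[0].HasActivationRequired) {
            throw new SessionPermSetException(permSetName + ' is not session-activated');
        }
        return sets[0].Id;
    }

    // The activation record is keyed on the current session id plus the permission set id.
    private static String currentSessionId() {
        return Auth.SessionManagement.getCurrentSession().get('SessionId');
    }

    // Returns the activation record for this session, or null if none exists.
    public static SessionPermSetActivation findActivation(Id permSetId) {
        String sessionId = currentSessionId();
        List<SessionPermSetActivation> rows = [
            SELECT Id
            FROM SessionPermSetActivation
            WHERE AuthSessionId = :sessionId
              AND PermissionSetId = :permSetId
            LIMIT 1
        ];
        return rows.isEmpty() ? null : rows[0];
    }

    // Idempotent activation: returns true if a new activation was created,
    // false if the permission set was already active in this session.
    public static Boolean activate(String permSetName) {
        Id permSetId = resolvePermSetId(permSetName);
        if (findActivation(permSetId) != null) {
            return false;
        }
        // CRUD check: the running user needs create access on SessionPermSetActivation
        if (!Schema.sObjectType.SessionPermSetActivation.isCreateable()) {
            throw new SessionPermSetException('Running user cannot activate session permission sets');
        }
        insert new SessionPermSetActivation(
            AuthSessionId = currentSessionId(),
            PermissionSetId = permSetId
        );
        return true;
    }

    // Explicit revocation for the case where access should end before the
    // session does. Returns true if an activation record was removed.
    public static Boolean deactivate(String permSetName) {
        Id permSetId = resolvePermSetId(permSetName);
        SessionPermSetActivation existing = findActivation(permSetId);
        if (existing == null) {
            return false;
        }
        if (!Schema.sObjectType.SessionPermSetActivation.isDeletable()) {
            throw new SessionPermSetException('Running user cannot deactivate session permission sets');
        }
        delete existing;
        return true;
    }

    // Usage from a controller or invocable method:
    //   SessionPermSetService.activate(SessionPermSetService.DEFAULT_PERM_SET);
    //   ... privileged work ...
    //   SessionPermSetService.deactivate(SessionPermSetService.DEFAULT_PERM_SET);
}
```

Because the query and insert on SessionPermSetActivation are subject to the prerequisites listed earlier (the running user must hold View Setup and Configuration or Manage Session Permission Set Activations), the CRUD checks surface a missing permission as an explicit exception rather than an opaque DML failure. Calling deactivate() as soon as the privileged task is finished keeps the elevated access window as short as possible instead of relying on the session ending.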
Summary:
Session-based permission sets give us a flexible way to calibrate user access based on various session parameters. This approach serves many legitimate use cases where certain access should be restricted to a particular situation.