Delegated Administration in Salesforce is a powerful feature that allows administrators to assign specific administrative privileges to non-admin users, enabling them to perform certain tasks on behalf of the primary system administrator. This capability helps distribute the administrative workload…Delegated Administration in Salesforce is a powerful feature that allows administrators to assign specific administrative privileges to non-admin users, enabling them to perform certain tasks on behalf of the primary system administrator. This capability helps distribute the administrative workload across an organization while maintaining security and control.
A Delegated Administrator can be granted permissions to manage users within specified roles and subordinate roles, create and edit users, reset passwords, assign permission sets, and manage public groups. This is particularly useful in large organizations where a single administrator cannot efficiently handle all user management tasks.
To set up Delegated Administration, the system administrator creates a Delegated Administration group from Setup by navigating to Security Controls and then selecting Delegated Administration. Within this group, administrators define which users will serve as delegated administrators and specify the scope of their authority.
Key configuration options include:
1. User Administration - Define which roles the delegated admin can manage, allowing them to create and modify users only within those role hierarchies.
2. Custom Object Administration - Grant permissions to manage specific custom objects, including creating, editing, and deleting records.
3. Permission Set Assignment - Allow delegated admins to assign specific permission sets to users they manage.
4. Profile Assignment - Specify which profiles the delegated admin can assign to new or existing users.
Delegated Administration differs from granting full administrative access because it provides granular control over what actions can be performed and on which subset of users or data. This follows the principle of least privilege, ensuring users have only the access necessary to perform their designated tasks.
Best practices include regularly reviewing delegated administration groups, documenting the scope of each delegation, and auditing changes made by delegated administrators to maintain organizational security and compliance requirements.
Delegated Administration in Salesforce
What is Delegated Administration?
Delegated Administration is a Salesforce feature that allows administrators to assign limited administrative privileges to non-administrator users. This enables designated users to perform specific administrative tasks for defined groups of users, such as creating users, resetting passwords, and managing public groups, all while maintaining the security and integrity of the overall Salesforce organization.
Why is Delegated Administration Important?
Delegated Administration is crucial for several reasons:
• Scalability: In large organizations, a single administrator cannot efficiently manage thousands of users. Delegated admins help distribute the workload.
• Regional Management: Organizations with multiple regions or departments can assign local administrators who understand their specific needs.
• Security: Rather than granting full system administrator access, you can provide limited permissions, following the principle of least privilege.
• Faster Response Times: Local delegated administrators can handle routine tasks quickly, reducing bottlenecks.
How Delegated Administration Works
Delegated Administration is configured through Delegated Groups in Setup. Here's how it functions:
1. Create a Delegated Group: Navigate to Setup → Security → Delegated Administration → New
2. Define the Group of Administrators: Add a public group containing users who will serve as delegated administrators
3. Specify User Administration Scope: Define which roles and subordinates the delegated admins can manage. They can only manage users in roles at or below their specified scope.
4. Assign Permissions: Select what the delegated admins can do: - Create and edit users in specified roles - Reset passwords and unlock users - Assign specific profiles to users - Log in as users who have granted login access - Manage public groups - Assign permission sets
5. Assignable Profiles: Specify which profiles the delegated administrators can assign to users they manage
6. Assignable Permission Sets: Define which permission sets can be assigned by delegated admins
Key Limitations to Remember
• Delegated admins cannot assign profiles with Modify All Data or Customize Application permissions • They cannot manage users outside their defined role hierarchy scope • They cannot modify their own user record through delegated administration • Custom objects can be enabled for delegated administration to allow creation of custom object records
Exam Tips: Answering Questions on Delegated Administration
1. Understand the Role Hierarchy Connection: Questions often test your knowledge that delegated admins can only manage users in roles at or below the roles specified in the delegated group. Pay attention to role hierarchy scenarios in questions.
2. Know the Profile Restrictions: Remember that profiles containing Modify All Data or Customize Application cannot be assigned by delegated administrators. This is a common exam topic.
3. Public Groups are Key: The delegated administrator group itself must be a public group. Questions may present other group types as distractors.
4. Focus on Use Cases: Exam scenarios often describe a business need, such as regional managers needing to create users. Recognize that Delegated Administration is the solution for distributing user management tasks.
5. Custom Object Administration: Know that administrators can enable specific custom objects for delegated administration, allowing delegated admins to manage records of those objects.
6. Permission Set Assignment: Delegated admins can only assign permission sets that have been explicitly added to their delegated group configuration.
7. Password and Unlock Capabilities: Delegated administrators can reset passwords and unlock user accounts for users within their scope, which is a frequently tested capability.
8. Watch for Trick Questions: Be cautious of answer options suggesting delegated admins can perform full administrative tasks or manage users outside their designated scope.