Salesforce Flow permissions update

As part of the Winter '25 release Salesforce is updating the permissions model for Flows. This update will be enforced during September and October 2024. The change will require users to have specific permissions (Run Flows, Flow User, or Profile-level permissions) to execute flows. This change only affects flows running in User Context, ensuring that only authorized users can run flows (such as Screen Flows, which are not supported in Sage People).

We expect very few customers to be impacted, because most flows within Sage People are Record-triggered or Scheduled flows, which run in System Context without Sharing, and are unaffected by this change. However, if you use custom flows as part of your configuration, it’s worth checking whether these fall into the affected flow types. Please refer to the detailed instructions below. If you have further questions or require additional support, please contact the Customer Success team.

Note Salesforce updates are subject to change beyond our control. Sage People attempts to maintain our content in alignment, but for the most up to date information please refer to Salesforce documentation linked from the Salesforce resources section.

What are Flows?

Flows are Salesforce’s primary automation tool, and are used extensively by many customers to automate various actions in Sage People including, but not limited to sending emails, updating records, and creating records.

Typically, Flows are triggered in two ways:

  • Record-triggered: the flow is triggered in response to a record being created or updated by users or by another automated process such as a data load.

  • Scheduled: the flow runs on a set schedule.

These are the only two supported use-cases for flows in Sage People. Other types of flow, such as “Screen Flows” are not supported.

What's changing?

With the Winter '25 update, Salesforce is restricting a user’s ability to run flows without certain permissions. When the update is deployed, only users with the following permissions will be able to execute flows:

  • Run Flows: this permission is included with Profiles or Permission Sets

  • Flow User: this permission can be assigned to users directly

  • Profile: the Profile has been granted permission to run the flow.

Important If the user in question does not have the required permission, the flow will not run.

Only flows that run in User Context are affected.

Flows run in a "Context". The contexts in which Flows can run in are as follows:

  • User context: When a Flow runs in user context, its access to Sage People data is defined by the Profile and Permission Sets of the user who initiated the Flow. This means that the Flow can only interact with records and fields that the user has the necessary permissions and field-level access to modify or view. For example, if the user cannot edit a specific object or field, the flow will encounter errors if it tries to perform such operations.

  • System context with sharing: In this mode, the flow respects Salesforce's sharing settings, such as org-wide defaults, sharing rules, and manual sharing. It considers these settings when determining what data is accessible. It does not respect object permissions, field-level access, or other permissions of the user that initiated the Flow.

  • System context without sharing: In this mode, the flow doesn't consider sharing settings. It has access to all data regardless of sharing rules and permissions.

Record-triggered and Scheduled flows are always run in System Context without Sharing. This behavior cannot be changed.

For more information about run context, see the Salesforce article Flow Run Context.

Why?

Flows are a powerful feature of Salesforce. This security enhancement will ensure that flows can only be run by authorized users with the required permissions. Prior to this change, in some cases users could run all flows without profiles or permission sets. This update restricts flow access to users with specific permissions.

When will the change be enforced?

This change will be enforced with the Salesforce Winter '25 release.

Important You cannot opt out of this change.

Production release roll-out dates:

  • 6 September 2024

  • 5 October 2024

  • 12 October 2024

To find out details of when your org will be upgraded, go to Salesforce Trust

Is there an impact on Sage People?

Yes, in the following cases:

  • Customers using specific types of Salesforce Flow in their organization.

  • Customers using the Risk Mitigation process (sometimes known as vaccination management).

  • Customers using HIREtech integration.

What types of flow are affected?

The tables that follow list the flow types available in Salesforce, showing which are affected by this change. Flow types that are supported for use in Sage People are highlighted in bold.

Unaffected flow types

For these types of flow, the update will have no impact, and no action is required.

The following flow types are not affected by this update:

Flow type Affected? Supported in Sage People?
Record-triggered Not affected Yes
Scheduled Not affected Yes
InvocableProcess Not affected Yes
PE Triggered Not affected No
Surveys Not affected No
CustomEvent (PB PE trigger) Not affected No

 

Note Additionally, Action Events are not affected by this update. Custom Action Events are Record-triggered flows that run in “System Context without Sharing”. Standard Action Events are not related to flows.

Affected flow types

The following flow types are affected by this update.

Important If you have any flows in this category, including sub-flows included as part of a parent flow, you must ensure that your users have the appropriate permissions, or that the Profile is granted access to the flow. Failing to do this will mean that the flow will fail following this change.
Flow type Affected? Supported in Sage People?

Autolaunched

(When not called by a record-triggered or scheduled flow)*

 Affected Yes
Screen Affected No
Appointments Affected No
FieldServiceMobile Affected No

FieldServiceWeb

(screen used in Appointments)

 Affected No
ContactRequest Affected No
RecommendationStrategy Affected No

* When an Autolaunched flow is called by a record-triggered or scheduled flow, it runs in the context of the parent flow. Record-triggered and Scheduled flows always run in system context.

How do I check if my Flows are affected?

To find out whether you have affected flows in your organization, first access your flows:

  1. Go to Setup, and in Quick Find enter Flows. Select to open the Flow Definitions page.

    Screenshot: open Flows in Setup

  2. Ensure the All Flows list view is selected.

    Screenshot: select All Flows list view

  3. We recommend enabling at least the fields below:

    • Flow Label

    • Process Type

    • Package State

    • Active

    Screenshot: flows list

    To edit the fields that are displayed, select the List View Controls cog, and select Select Fields to Display.

    Screenshot: select fields

    Note Ensure that you have not amended filter conditions for the All Flows list view. It's important that all flows are visible.

  4. Check the list for any affected flow types.

    Note Ignore any flows that have a Package State of Managed-Installed. These flows are provided by Sage People and cannot be modified. Sage People is responsible for the functioning and maintenance of these flows.

  5. For any affected flow types, ensure that they can be edited. To do this, select the down arrow on the right side of the list. If you do not see Edit Access, then no further action is required.

    Screenshot: edit access option

    This is because only flows that run in User Context can have their access edited, and it is only these flows that are affected. Flows running in other contexts cannot (and do not need to) have their access edited. Consequently, for any flows that cannot have their access edited, no action is required.

If you have any flows that meet the following criteria, you must take action:

  • The flow is of an affected type

  • The flow does not have the Managed-Installed Package State

  • The flow has the Edit Access option in the drop-down menu.

What action do I need to take?

To ensure there are no interruptions to affected flows, please review any flows in your organization.

For any affected flows, assign permissions as detailed in the help topic Assign permissions to Flows.

If you use the Risk Mitigation process or HIREtech integration

To ensure the continued functioning of these features, please ensure that your HR Managers and HR Administrators have the following Permission Sets assigned to their User Records, depending on which features you are using:

  • Sage People HR Administrator fHCM (for Risk Mitigation)

  • Sage People HIREtech Manager (for HIREtech integration)

Note Customers using these features should already have these Permission Sets assigned to their users, but to avoid any interruption to your flows, please ensure that you check.

To check your users' Permission Set Assignments:

  1. Go to Setup, and in Quick Find enter Users. Select to open the Users page.

    Screenshot: select users in setup

  2. Select the name of the user that you want to check.

  3. Select Permission Set Assignments.

    Screenshot: edit permission set assingments

  4. Check the list for the appropriate Permission Set. To assign a Permission Set, select Edit Assignments.

  5. To assign a permission set, select it under Available Permission Sets and select Add.

  6. Select Save.

See Assigning a permission set

What if I have further questions?

If you have further questions or require additional support, please contact the Customer Success team.

Sage People resources

Salesforce resources