Salesforce Flow permissions update
As part of the Winter '25 release, Salesforce is updating the permissions model for Flows. The change will require Sage People users to have specific permissions (Run Flows, Flow User, or Profile-level permissions) to execute flows. This change only affects flows running in User Context. It ensures that only authorized users can run flows (such as Screen Flows, which Sage People doesn't support).
We expect this to impact few customers, because most flows within Sage People are Record-triggered or Scheduled flows. These run in System Context without Sharing, and are unaffected by this change. However, if you use custom flows as part of your configuration, it’s worth checking whether these fall into the affected flow types. Refer to the detailed instructions below. If you have further questions or require other support, contact the Customer Success team.
What are Flows?
Flows are Salesforce’s primary automation tool. Customers use them extensively to automate various actions in Sage People including, but not limited to, sending emails, updating records, and creating records.
Typically, two actions trigger Flows:
- Record-triggered: the flow triggers in response to a user creating or updating a record, or by another automated process such as a data load
- Scheduled: the flow runs on a set schedule
These are the only two supported use-cases for flows in Sage People. Sage People doesn't support other types of flow, such as “Screen Flows”.
What's changing?
With the Winter '25 update, Salesforce is restricting a user’s ability to run flows without certain permissions. Once you deploy the update, only users with the following permissions will be able to execute flows:
- Run Flows: Profiles and Permission Sets include this permission
- Flow User: you can assign this permission to users directly
- Profile: the Profile has been granted permission to run the flow
User Context flows are the only flows affected.
Flows run in a "Context". The contexts in which Flows can run are as follows:
- User context: When a Flow runs in user context, its access to Sage People data is defined by the Profile and Permission Sets of the user who initiated the Flow. This means that the Flow can only interact with records and fields that the user has the necessary permissions and field-level access to modify or view. For example, if the user cannot edit a specific object or field, the flow will encounter errors if it tries to perform such operations.
- System context with sharing: In this mode, the flow respects Salesforce's sharing settings, such as org-wide defaults, sharing rules, and manual sharing. It considers these settings when determining what data is accessible. It does not respect object permissions, field-level access, or other permissions of the user that initiated the Flow.
- System context without sharing: In this mode, the flow doesn't consider sharing settings. It has access to all data regardless of sharing rules and permissions.
Record-triggered and Scheduled flows are always run in System Context without Sharing. This behavior cannot be changed.
For more information about run context, see the Salesforce article Flow Run Context.
Why?
Flows are a powerful feature of Salesforce. This security enhancement will ensure that only authorized users can run flows with the required permissions. Before this change, sometimes users could run all flows without profiles or permission sets. This update restricts flow access to users with specific permissions.
When will Salesforce enforce the change?
You'll see this change with the Salesforce Winter '25 release.
Production release roll-out dates:
- 6 September 2024
- 5 October 2024
- 12 October 2024
To find out details of when Salesforce will upgrade your org, go to Salesforce Trust.
Is there an impact on Sage People?
Yes, in the following cases:
- Customers using specific types of Salesforce Flow in their organization.
- Customers using the Risk Mitigation process (sometimes known as vaccination management).
- Customers using HIREtech integration.
What types of flow will the change affect?
The tables that follow list the flow types available in Salesforce, showing which flows the change will affect. We've highlighted flow types that Sage People supports in bold.
Unaffected flow types
For these types of flow, the update will have no impact, and you don't need to act.
The following flow types aren’t affected by this update:
| Flow type | Affected? | Supported in Sage People? |
|---|---|---|
| Record-triggered | Not affected | Yes |
| Scheduled | Not affected | Yes |
| InvocableProcess | Not affected | Yes |
| PE Triggered | Not affected | No |
| Surveys | Not affected | No |
| CustomEvent (PB PE trigger) | Not affected | No |
Affected flow types
The following flow types are affected by this update.
| Flow type | Affected? | Supported in Sage People? |
|---|---|---|
| Autolaunched (When not called by a record-triggered or scheduled flow)* | Affected | Yes |
| Screen | Affected | No |
| Appointments | Affected | No |
| FieldServiceMobile | Affected | No |
| FieldServiceWeb (screen used in Appointments) | Affected | No |
| ContactRequest | Affected | No |
| RecommendationStrategy | Affected | No |
* When an Autolaunched flow is called by a record-triggered or scheduled flow, it runs in the context of the parent flow. Record-triggered and Scheduled flows always run in system context.
How do I check if the change affects my Flows?
To find out whether you have affected flows in your organization, first access your flows:
- Go to Setup. In Quick Find, enter Flows. Select to open the Flow Definitions page.
- Ensure you select the All Flows list view.
- We recommend enabling at least the fields below:
  - Flow Label
  - Process Type
  - Package State
  - Active

  To edit the fields displayed, select the List View Controls cog, and select Select Fields to Display.

  Note: Ensure you haven’t amended the filter conditions for the All Flows list view. It's important that all flows are visible.
- Check the list for any affected flow types.

  Note: Ignore any flows that have a Package State of Managed-Installed. Sage People provides these flows and you can't modify them. Sage People is responsible for the functioning and maintenance of these flows.
- For any affected flow types, ensure you can edit them. To do this, select the down arrow on the right side of the list. If you don’t see Edit Access, you don't need to act.

  This is because only flows that run in User Context can have their access edited. These flows are the only ones affected. Flows running in other contexts can’t (and don’t need to) have their access edited. Therefore, for any flows that can’t have their access edited, you don't need to act.
If you have any flows that meet the following criteria, you must act:
- The flow is of an affected type
- The flow doesn’t have the Managed-Installed Package State
- The flow has the Edit Access option in the dropdown menu
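The three criteria above, applied to a hand-built inventory of flows. This is an added example, not Sage People or Salesforce code; the CSV layout, the `Edit Access` column (assumed to be recorded by hand from the row menu) and all sample rows are constructed assumptions.

```python
import csv
import io

# Affected flow types, copied from the "Affected flow types" table on this page.
AFFECTED_TYPES = {
    "autolaunched", "screen", "appointments", "fieldservicemobile",
    "fieldserviceweb", "contactrequest", "recommendationstrategy",
}

# Constructed sample inventory (not real org data). Column names follow the
# list view fields named above; "Edit Access" is an assumed, hand-recorded column.
SAMPLE_CSV = """Flow Label,Process Type,Package State,Active,Edit Access
Notify manager on absence,Record-triggered,Unmanaged,true,
Nightly leave accrual,Scheduled,Unmanaged,true,
Vendor onboarding helper,Autolaunched,Unmanaged,true,yes
Shared email subflow,Autolaunched,Unmanaged,true,no
Packaged screen flow,Screen,Managed-Installed,true,yes
Legacy intake form,Screen,Unmanaged,false,
"""


def triage(row):
    """Apply the page's three criteria to one row and return a decision."""
    flow_type = row["Process Type"].strip().lower().replace(" ", "")
    if flow_type not in AFFECTED_TYPES:
        return "no action: unaffected type"
    if row["Package State"].strip().lower() == "managed-installed":
        return "no action: managed-installed"
    edit_access = (row.get("Edit Access") or "").strip().lower()
    if edit_access == "yes":
        return "act: assign flow permissions"
    if edit_access == "no":
        return "no action: no Edit Access option"
    # Blank or unrecognised value: the list columns alone cannot settle it.
    return "verify: check for Edit Access in the row menu"


def triage_inventory(csv_text):
    """Return {flow label: decision} for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Flow Label"]: triage(row) for row in reader}


if __name__ == "__main__":
    for label, decision in triage_inventory(SAMPLE_CSV).items():
        print(f"{label}: {decision}")
```

Rows marked `verify` are the ones where the Edit Access check has not been recorded yet, so they fail towards a manual look rather than being silently skipped.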
What action do I need to take?
To ensure there are no interruptions to affected flows, review any flows in your organization.
For any affected flows, assign permissions as detailed in the help topic Assign permissions to Flows.
If you use the Risk Mitigation process or HIREtech integration
To ensure the continued functioning of these features, ensure your HR Managers and HR Administrators have the following Permission Sets assigned to their User Records. This will depend on which features you're using:
- Sage People HR Administrator fHCM (for Risk Mitigation)
- Sage People HIREtech Manager (for HIREtech integration)
To check your users' Permission Set Assignments:
- Go to Setup. In Quick Find, enter Users. Select to open the Users page.
- Select the name of the user that you want to check.
- Select Permission Set Assignments.
- Check the list for the appropriate Permission Set. To assign a Permission Set, select Edit Assignments.
- To assign a permission set, select it under Available Permission Sets and select Add.
- Select Save.
See Assigning a permission set.
What if I have further questions?
If you have further questions or require extra support, contact the Customer Success team.



