Salesforce Flow permissions update
As part of the Winter '25 release, Salesforce is updating the permissions model for Flows. This update will be enforced during September and October 2024. The change will require users to have specific permissions (Run Flows, Flow User, or Profile-level permissions) to execute flows. This change only affects flows running in User Context (such as Screen Flows, which are not supported in Sage People), ensuring that only authorized users can run them.
We expect very few customers to be impacted, because most flows within Sage People are Record-triggered or Scheduled flows, which run in System Context without Sharing, and are unaffected by this change. However, if you use custom flows as part of your configuration, it’s worth checking whether these fall into the affected flow types. Please refer to the detailed instructions below. If you have further questions or require additional support, please contact the Customer Success team.
What are Flows?
Flows are Salesforce’s primary automation tool, and are used extensively by many customers to automate various actions in Sage People including, but not limited to, sending emails, updating records, and creating records.
Typically, Flows are triggered in two ways:
- Record-triggered: the flow is triggered in response to a record being created or updated by users or by another automated process such as a data load.
- Scheduled: the flow runs on a set schedule.
These are the only two supported use cases for flows in Sage People. Other types of flow, such as “Screen Flows”, are not supported.
What's changing?
With the Winter '25 update, Salesforce is restricting a user’s ability to run flows without certain permissions. When the update is deployed, only users with the following permissions will be able to execute flows:
- Run Flows: this permission is included with Profiles or Permission Sets.
- Flow User: this permission can be assigned to users directly.
- Profile: the Profile has been granted permission to run the flow.
Only flows that run in User Context are affected.
Flows run in a "Context". The contexts in which Flows can run are as follows:
- User context: When a Flow runs in user context, its access to Sage People data is defined by the Profile and Permission Sets of the user who initiated the Flow. This means that the Flow can only interact with records and fields that the user has the necessary permissions and field-level access to modify or view. For example, if the user cannot edit a specific object or field, the flow will encounter errors if it tries to perform such operations.
- System context with sharing: In this mode, the flow respects Salesforce's sharing settings, such as org-wide defaults, sharing rules, and manual sharing. It considers these settings when determining what data is accessible. It does not respect object permissions, field-level access, or other permissions of the user that initiated the Flow.
- System context without sharing: In this mode, the flow doesn't consider sharing settings. It has access to all data regardless of sharing rules and permissions.
Record-triggered and Scheduled flows are always run in System Context without Sharing. This behavior cannot be changed.
For more information about run context, see the Salesforce article Flow Run Context.
Why?
Flows are a powerful feature of Salesforce. This security enhancement will ensure that flows can only be run by authorized users with the required permissions. Prior to this change, in some cases users could run all flows without profiles or permission sets. This update restricts flow access to users with specific permissions.
When will the change be enforced?
This change will be enforced with the Salesforce Winter '25 release.
Production release roll-out dates:
- 6 September 2024
- 5 October 2024
- 12 October 2024
To find out details of when your org will be upgraded, go to Salesforce Trust.
Is there an impact on Sage People?
Yes, in the following cases:
- Customers using specific types of Salesforce Flow in their organization.
- Customers using the Risk Mitigation process (sometimes known as vaccination management).
- Customers using HIREtech integration.
What types of flow are affected?
The tables that follow list the flow types available in Salesforce, showing which are affected by this change. Flow types that are supported for use in Sage People are highlighted in bold.
Unaffected flow types
For these types of flow, the update will have no impact, and no action is required.
The following flow types are not affected by this update:
Flow type | Affected? | Supported in Sage People? |
---|---|---|
Record-triggered | Not affected | Yes |
Scheduled | Not affected | Yes |
InvocableProcess | Not affected | Yes |
PE Triggered | Not affected | No |
Surveys | Not affected | No |
CustomEvent (PB PE trigger) | Not affected | No |
Affected flow types
The following flow types are affected by this update.
Flow type | Affected? | Supported in Sage People? |
---|---|---|
Autolaunched (When not called by a record-triggered or scheduled flow)* | Affected | Yes |
Screen | Affected | No |
Appointments | Affected | No |
FieldServiceMobile | Affected | No |
FieldServiceWeb (screen used in Appointments) | Affected | No |
ContactRequest | Affected | No |
RecommendationStrategy | Affected | No |
* When an Autolaunched flow is called by a record-triggered or scheduled flow, it runs in the context of the parent flow. Record-triggered and Scheduled flows always run in system context.
How do I check if my Flows are affected?
To find out whether you have affected flows in your organization, first access your flows:
- Go to Setup, and in Quick Find enter Flows. Select to open the Flow Definitions page.
- Ensure the All Flows list view is selected.
- We recommend enabling at least the fields below:
  - Flow Label
  - Process Type
  - Package State
  - Active
  To edit the fields that are displayed, select the List View Controls cog, and select Select Fields to Display.
  Note: Ensure that you have not amended filter conditions for the All Flows list view. It's important that all flows are visible.
- Check the list for any affected flow types.
  Note: Ignore any flows that have a Package State of Managed-Installed. These flows are provided by Sage People and cannot be modified. Sage People is responsible for the functioning and maintenance of these flows.
- For any affected flow types, ensure that they can be edited. To do this, select the down arrow on the right side of the list. If you do not see Edit Access, then no further action is required.
This is because only flows that run in User Context can have their access edited, and it is only these flows that are affected. Flows running in other contexts cannot (and do not need to) have their access edited. Consequently, for any flows that cannot have their access edited, no action is required.
If you have any flows that meet the following criteria, you must take action:
- The flow is of an affected type.
- The flow does not have the Managed-Installed Package State.
- The flow has the Edit Access option in the drop-down menu.
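The three criteria above can be applied mechanically to a copy of the All Flows list. The following is an added example, not Sage People or Salesforce code: the CSV layout, the hand-recorded "Edit Access" column and the sample rows are constructed assumptions, and the type names are spelled as in this page's tables. Flows whose type appears in neither table are set aside for manual review rather than silently cleared.

```python
import csv
import io

# Flow types from the page's two tables (names as the page spells them).
AFFECTED = {"autolaunched", "screen", "appointments", "fieldservicemobile",
            "fieldserviceweb", "contactrequest", "recommendationstrategy"}
UNAFFECTED = {"record-triggered", "scheduled", "invocableprocess",
              "pe triggered", "surveys", "customevent"}

# Constructed sample: the four list-view fields the page recommends, plus a
# hypothetical "Edit Access" column noted by hand from each row's drop-down.
SAMPLE_EXPORT = """Flow Label,Process Type,Package State,Active,Edit Access
New Starter Email,Record-triggered,Unmanaged,true,no
Policy Acknowledgement,Screen,Unmanaged,true,yes
Vendor Flow,Autolaunched,Managed-Installed,true,yes
Nightly Sync Helper,Autolaunched,Unmanaged,true,no
Leave Calculator,Autolaunched,Unmanaged,false,yes
Legacy Thing,Workflow,Unmanaged,true,no
"""

def triage(csv_text):
    """Sort flows into 'action', 'no_action' and 'review' buckets."""
    result = {"action": [], "no_action": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = row["Flow Label"].strip()
        ptype = row["Process Type"].strip().lower()
        managed = row["Package State"].strip().lower() == "managed-installed"
        editable = row["Edit Access"].strip().lower() in {"yes", "true", "y"}
        if managed:
            result["no_action"].append(label)   # maintained by Sage People
        elif ptype in AFFECTED and editable:
            result["action"].append(label)      # all three criteria met
        elif ptype in AFFECTED or ptype in UNAFFECTED:
            result["no_action"].append(label)   # unaffected, or no Edit Access
        else:
            result["review"].append(label)      # type not in either table
    return result

if __name__ == "__main__":
    # The Active field is kept for reference; it is not one of the criteria.
    for bucket, labels in triage(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(labels) or '-'}")
```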
What action do I need to take?
To ensure there are no interruptions to affected flows, please review any flows in your organization.
For any affected flows, assign permissions as detailed in the help topic Assign permissions to Flows.
If you use the Risk Mitigation process or HIREtech integration
To ensure the continued functioning of these features, please ensure that your HR Managers and HR Administrators have the following Permission Sets assigned to their User Records, depending on which features you are using:
- Sage People HR Administrator fHCM (for Risk Mitigation)
- Sage People HIREtech Manager (for HIREtech integration)
To check your users' Permission Set Assignments:
- Go to Setup, and in Quick Find enter Users. Select to open the Users page.
- Select the name of the user that you want to check.
- Select Permission Set Assignments.
- Check the list for the appropriate Permission Set. To assign a Permission Set, select Edit Assignments.
- To assign a permission set, select it under Available Permission Sets and select Add.
- Select Save.
See Assigning a permission set.
What if I have further questions?
If you have further questions or require additional support, please contact the Customer Success team.