Session-Based Permission Set Groups in Salesforce
We’re going to break down a feature in Salesforce that solves a real access control problem: giving users the permissions they need only at the exact moment they need them. Think about confidential apps, data-heavy dashboards, or workflows tied to higher approval levels. You don’t want those doors open all the time, and permanent access doesn’t always make sense. That’s where session-based access becomes the smarter choice.
What Are Session-Based Permission Set Groups?
Session-Based Permission Set Groups let you bundle multiple permission sets and activate them only during a specific user session. When the session starts, the user gains access to the capabilities inside that group. When the session ends, the permissions stop.
This approach works perfectly when access must be temporary, conditional, or tied to stronger authentication, such as when a manager logs in with an added layer of security to view sensitive information for a limited time.
How do Session-Based Permission Set Groups work behind the scenes?
You create a permission set group and select Session Activation Required. After that, you assign permission sets to the group as usual.
One important thing to note: when a regular permission set is added to a permission set group, it works as session-based while it’s part of that group. However, if the user already has the same permission through another permission set assigned separately, that permission stays active even after the session ends.
Sessions are activated through either:
- A Flow, or
- The SessionPermSetActivation SOAP API (by passing the PermissionSetGroupId)
Before assigning these groups, make sure users have the authentication tools required to access the feature. Also, communicate clearly when that access is allowed and why.
Creating a Session-Based Permission Set Group
- Create a new permission set group and enable Session Activation Required.
- Add the permission sets you want included.
- Assign the permission set group to the right users.
- Activate the session through Flow or API.
Just assigning permissions doesn’t turn them on. They only work once they’re activated.
To create and assign permissions, users must have:
- Manage Profiles and Permission Sets
- Assign Permission Sets
You can also hand control to the users themselves by building a Flow. The Flow can:
- Activate a session-based permission set group
- Deactivate it when they’re done
In Flow Builder, look up the permission set group using Get Records, store the name in a variable, then use the Activate Session-Based Permission Set or Deactivate Session-Based Permission Set action.
When activated, the running user immediately receives those permissions for the duration of the session. When deactivated, access is removed.
It is important to note that the users must have Run Flows permission to use it. Also, avoid adding data-update logic in the same Flow that activates these permission sets.
Permission Set Group Considerations
Working with permission set groups comes with a few behaviours to keep in mind:
- You can include up to 100 permission sets in a group.
- You can still assign an individual permission set separately, even if it’s also in a group.
- Adding or editing custom permission sets triggers a recalculation.
- Changes to Salesforce-owned standard permission sets recalculate daily.
- Avoid recalculations during deployment. Test assignments separately.
- In Apex tests, use permission sets, not permission set groups.
- User access policies can help automate assignments.
If your org has a large number of permission sets, using permission set groups can actually improve system performance. Assigning many individual permission sets to large user volumes can lead to bottlenecks or timeouts. Groups simplify that structure.
Best Practices for Working With Permission Set Groups
- Use permission set groups rather than assigning many standalone permission sets to the same user.
- Don’t deploy changes to permission set groups during the deployment phase.
- Keep the group well organized and aligned to a logical role or function.
- Communicate access rules so users know when and why they have certain capabilities.
- For temporary or elevated access tasks, pair session-based activation with a Flow for clean control.
- Monitor recalculations and performance impact if complex permission sets are involved.
Also Read – Salesforce Spring ’26 Release Updates For Admins
FAQs
1. What problem do session-based permission set groups actually solve?
They solve the headache of giving someone access only when it’s genuinely needed. Not every user should walk around with full-time permissions. Some tasks require extra security or temporary access, and these groups make that possible without reassigning permissions every time.
2. Do users get access the moment I assign the group?
Not immediately. Think of the assignment like handing someone a keycard. They still need to tap it to open the door. In this case, activation happens through a Flow or the API. Until then, nothing changes for the user.
3. What if the group contains a standard permission set I already use?
Good question. If that standard permission set is inside the session-based group, it becomes part of the temporary access rules. But if the user also has that permission separately, outside the group, they keep that access regardless of session status.
4. How do admins usually activate the session?
Most teams use a Flow because it gives more control to the user. But if your setup is API-heavy, you can activate it through the SOAP API by passing the Permission Set Group ID.
Conclusion
Session-Based Permission Set Groups give Salesforce admins a smarter, safer way to manage access. They let you enforce strong security without slowing users down, offer flexibility without losing control, and make temporary access both simple and secure. When paired with well-designed Flow automation and a clear assignment strategy, they become a powerful addition to your overall security framework.
Get a complete Roadmap To Learn Salesforce Admin and Development👇
