Delegated Administration

What is Delegated Administration?

Delegated administration allows named users to manage other users within selected roles and profiles, as well as manage fields on selected custom objects.

Why use Delegated Administration?

If you assign user administration privileges to a user through profiles or permission sets, that user gains the ability to administer most or all users and objects in your org.

Delegated administration allows you to specify which users (based on role/profile) and custom objects (standard objects excluded) a delegated administrator can manage.


*A user must have the “Modify All Data” permission to manage users/profiles with the “Modify All Data” permission.

Example

Jim is responsible for maintaining users for the marketing department, as well as the custom fields on the “Venue” object.  If someone in the marketing department has a problem with Salesforce, they first contact Jim to see if he can resolve the issue.  Likewise, Jim is responsible for creating new Salesforce users for the marketing team.

To meet this need, I’ve created a delegated group as follows:

[Image: screenshot of the delegated group configuration]

Although Jim is assigned the “Standard User” profile, he can manage users within the specified roles and profiles above. Additionally, he can manage the custom fields on the Venue object. However, he cannot perform any other administrative actions.

25 thoughts on “Delegated Administration”

    1. It seems that we need to provide the “Modify All Data” permission using a permission set and add that permission set to the delegated admin group, because if we give the “Modify All Data” permission at the profile level, then all the users assigned to that profile have the additional permission, and in a particular user record we do not have that option.

      John please correct me if I am wrong or if there is any other option.

      1. Hi John,

        One more clarification needed: if a delegated admin user A wants to manage a user B (who belongs to a particular profile) and user B does not have the “Modify All Data” permission,
        then user A does not require the “Modify All Data” permission, right?

        User A only requires “Modify All Data” permission when he wants to manage a user who also has “Modify All Data” permission?

        1. Right, you need modify all to manage a user that has modify all.

          Typically, delegated admin is used to allow power users (or admin light) to assign non-administrative permissions (e.g. NOT modify all data).

          Examples:

          Assign a permission set to allow users to export reports.
          Create a field on a custom object that is managed by a specific business unit.
          Manage users within a specific profile.

          Etc.

          Hope that helps!

  1. Hi John,

    (1) You said, ‘A user must have the “Modify All Data” permission to manage users/profiles with the “Modify All data” permission,’ and I also read in SF Help that ‘To delegate administration of particular objects, use object permissions, such as “View All” and “Modify All.”’

    I am confused. So, under which profile does ‘Modify All Data’ need to be selected? For example, let’s say Jim from your example above is tied to a profile where other users are also assigned. We only want to allow Jim some additional tasks so he can help out the administrator. I understand about creating the Delegated Group, but what about making sure the user has the ‘Modify All Data’ permission? Where do you do this?

    (2) You also said, “Delegated administration allows you to specify which users (based on role/profile) and custom objects (standard objects excluded) a delegated administrator can manage.”

    So does that mean we can not allow a delegate administrator to manage standard objects (like Account, Contact and etc.)?

    Greatly appreciate your help!!!!

    1. So does that mean we can not allow a delegate administrator to manage standard objects (like Account, Contact and etc.)?

      Correct – a delegated admin cannot manage the FIELDS on a standard object.

      If Jim does not have modify all data, then Jim cannot be a delegated administrator for a user that does have modify all data (e.g. Jim cannot be a delegated admin for a system administrator – that wouldn’t make much sense now would it!).

      Hope that helps 🙂

      1. Hi John,

        That was actually a question I wondered about as well.
        Would I need to have a Permission Set for Jim to allow him “Modify All Data” (in the scenario that he shares a profile that is used by other people in his department)?

        Gil

        1. The biggest difference with delegated administration is that it allows the user to actually add/remove fields from the object (e.g. one specific object, not all objects), not just manipulate the data.

          If you want the user to access all records in an object, then yes, modify all (under that specific object – not the modify all data permission) is a good way to do it. Modify All Data is a BIG permission (granting access to data on all objects), typically reserved for system admins.

  2. Wondering aloud if this would be a good place for information on setting up/managing third party administrators (i.e. consultants working in your org) via permission sets as opposed to assigning system admin profile. Thanks for all the great content and organization!

    1. Really depends on the relationship – delegated admin is MUCH lower in function than a real system administrator. That said, if all the consultant needs to admin is a few custom objects, then this might work. However, most of the time additional access would be needed when working with a client as an SFDC consultant, for example.

  3. Can a user with a lower role hierarchy be a delegated administrator for a user who is higher on the hierarchy? Apologies, that was not clear to me.
