Save Time and Strengthen Security with Automated User Access Policies in Salesforce

Salesforce admins are constantly balancing two competing priorities: moving fast and staying secure. As orgs grow, new users are onboarded, teams shift roles, and products like Marketing Cloud Account Engagement, Data Cloud, Agentforce, and Salesforce CMS add layers of complexity to access management.

That’s where User Access Policies come in.

Introduced to reduce manual administration, User Access Policies allow Salesforce admins to automatically grant (and remove) permission sets and public group memberships based on defined criteria—such as user role, profile, department, or custom attributes. The result?
✔️ Less manual work
✔️ Fewer security gaps
✔️ Faster onboarding
✔️ Consistent, auditable access controls

Setting up User Access Policies

Step 1: As a System Admin, enable User Access Policies from the ‘User Management Settings’ screen.

User Management Settings is accessed from the Admin Menu, and User Access Policies are enabled from there. If you do not enable User Access Policies from this menu, you will not see the option to manage them.

Step 2: From the User Access Policies Menu, Create a New User Access Policy

Note: if you’re setting this up for the first time, you will likely see a screen that says ‘No User Access Policies’

It’s important to call out that multiple User Access Policies can be created. When implementing more than one User Access Policy, consider the full set of Access Policies and which of them can overlap when automating access provisioning.

Step 3: From the User Access Policy configuration screen, configure your User Access Policy definition: the User Criteria, and the actions that should be taken for Users who meet the Criteria.
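Before activating several policies, it helps to check on paper which users would match more than one of them. The sketch below is an added example, not Salesforce code or part of the original walkthrough: it models policies as simple equality criteria with a grant or revoke action and flags users who match both a grant and a revoke for the same permission set. All policy names, attribute names, permission set names and users are hypothetical, and the matching logic is a simplification, not the platform's own evaluation engine.

```python
from collections import defaultdict

# Constructed sample data: policy names, criteria fields and permission set
# names are hypothetical, not taken from any real org.
POLICIES = [
    {"name": "Grant MCAE EMEA", "action": "grant", "target": "MCAE_BU_EMEA",
     "criteria": {"Department": "Marketing", "Region": "EMEA"}},
    {"name": "Revoke MCAE for contractors", "action": "revoke",
     "target": "MCAE_BU_EMEA", "criteria": {"UserType": "Contractor"}},
    {"name": "Grant Agent Builder", "action": "grant", "target": "Agent_Builder",
     "criteria": {"Department": "IT"}},
]

USERS = [
    {"Username": "ana@example.com", "Department": "Marketing",
     "Region": "EMEA", "UserType": "Employee"},
    {"Username": "raj@example.com", "Department": "Marketing",
     "Region": "EMEA", "UserType": "Contractor"},
    {"Username": "li@example.com", "Department": "IT",
     "Region": "APAC", "UserType": "Employee"},
]

def matches(policy, user):
    """A user meets a policy when every criterion equals the user's attribute."""
    return all(user.get(f) == v for f, v in policy["criteria"].items())

def find_conflicts(policies, users):
    """Return (username, target, granting policies, revoking policies) for each
    user who matches both a grant and a revoke policy for the same target."""
    conflicts = []
    for user in users:
        by_target = defaultdict(lambda: {"grant": [], "revoke": []})
        for p in policies:
            if matches(p, user):
                by_target[p["target"]][p["action"]].append(p["name"])
        for target, acts in sorted(by_target.items()):
            if acts["grant"] and acts["revoke"]:
                conflicts.append(
                    (user["Username"], target, acts["grant"], acts["revoke"]))
    return conflicts

if __name__ == "__main__":
    for username, target, grants, revokes in find_conflicts(POLICIES, USERS):
        print(f"{username}: {target} granted by {grants}, revoked by {revokes}")
```

Any user the check reports is one whose final access depends on how the overlapping policies interact, so resolve the overlap in the policy criteria before activation.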

Next, let’s break down how automating user access policies saves time while enforcing security best practices, especially for some of Salesforce’s most powerful (and complex) features.


Why Automate User Access Policies?

Traditionally, admins manually assign permission sets and public groups whenever:

  • A new user joins
  • A user changes roles
  • A team expands into new Salesforce features

This approach doesn’t scale—and it introduces risk.

User Access Policies automate these assignments, ensuring the right users get the right access automatically, and that access is removed when it’s no longer needed.

Key benefits include:

  • Role-based access at scale
  • Reduced human error
  • Faster enablement of new Salesforce products
  • Clear separation of admin vs. user capabilities

Now let’s look at how this plays out across specific Salesforce products.


Automating Access to Marketing Cloud Account Engagement (Pardot) Business Units

Managing Marketing Cloud Account Engagement (MCAE) access becomes increasingly complex as organizations expand across multiple Business Units.

We’ve created a walk-through for setting up an Automated Access Policy for your MCAE/Pardot users: https://cypresslearning.com/walkthrough-automating-pardot-mcae-business-unit-access-with-user-access-policies/

The Challenge

Without automation, admins must:

  • Manually assign permission sets for each Business Unit
  • Track who should (or shouldn’t) have access
  • Update access when marketers move teams or regions

This often leads to:

  • Over-provisioned access
  • Missed assignments
  • Delayed onboarding for marketing users

The Automated Solution

With User Access Policy Automation, admins can:

  • Automatically assign Business Unit–specific permission sets
  • Grant access based on attributes like department, region, or role
  • Ensure users only see the Business Units they’re responsible for

The Result

  • Marketing users get access immediately when onboarded
  • Access stays aligned as users move between teams
  • Admins no longer manage Business Unit access one user at a time

Time saved + security enforced—without ongoing maintenance.


Simplifying Data Cloud (Data 360) Access with Tiered Automation

Data Cloud introduces powerful capabilities—but also clear separation of responsibilities between admins and users.

The Challenge

Data Cloud access isn’t one-size-fits-all:

  • Data Cloud Administrators need setup, ingestion, modeling, and governance access
  • Marketing users need controlled access to activate and use data—without configuration privileges

Manually managing this split can quickly become unmanageable.

The Automated Solution

Using User Access Policies, admins can create tiered access models, such as:

Data Cloud Administrator Access

Automatically grant:

  • Data Cloud setup and configuration permission sets
  • Admin-only tools for ingestion, identity resolution, and governance

Marketing User Access

Automatically grant:

  • Permission sets for segmentation and activation
  • Read/write access only to relevant Data Cloud features

The Result

  • Clear separation of duties
  • Faster onboarding for both admins and marketers
  • Reduced risk of unauthorized configuration changes

Admins control the platform. Marketers use the data. Automation keeps it clean.


Streamlining Agentforce Access: Users vs. Builders

Agentforce introduces AI-driven capabilities—but not every user should be building agents.

The Challenge

Organizations need to:

  • Enable many users to use Agentforce features
  • Restrict Agent Builder access to trained, qualified users
  • Avoid accidental or unauthorized AI configuration changes

Manually managing these distinctions doesn’t scale.

The Automated Solution

With User Access Policies, admins can define two clear tiers:

Agentforce Users

Automatically grant:

  • Access to use AI-powered agents
  • No configuration or build permissions

Agentforce Builders

Automatically grant:

  • Agent Builder permission sets
  • Advanced configuration and testing tools

Criteria can be based on:

  • Role
  • Certification status
  • Team or department

The Result

  • Safe AI adoption at scale
  • Faster enablement of end users
  • Controlled access to powerful AI tools

Right users, right capabilities, zero manual assignment.


Governing Salesforce CMS Content with Automated Access

Salesforce CMS enables teams to create, publish, and reuse content—but unmanaged access can lead to content sprawl or publishing risks.

The Challenge

Different users need different CMS capabilities:

  • Some create content
  • Some approve and publish
  • Others simply consume content in apps and experiences

Manually assigning CMS permissions often leads to inconsistency.

The Automated Solution

User Access Policies allow admins to automate CMS access by role:

Content Creators

  • Create and edit CMS content
  • No publishing rights

Publishers

  • Approve and publish CMS content
  • Governance and oversight access

Content Consumers

  • Use CMS content in apps, flows, and experiences
  • No creation or editing access

The Result

  • Clear content governance
  • Faster onboarding of content teams
  • Reduced risk of accidental publishing

Automation enforces process without slowing creativity.


The Bigger Picture: Time Saved, Security Strengthened

Across Marketing Cloud Account Engagement, Data Cloud, Agentforce, and Salesforce CMS, the story is the same:

User Access Policy Automation transforms access management from a manual chore into a scalable system.

Admins gain:

  • Fewer repetitive tasks
  • Consistent access models
  • Better security posture
  • Faster adoption of new Salesforce features

Users gain:

  • Immediate access to what they need
  • Clear boundaries on what they can (and can’t) do
  • Less friction during onboarding and role changes

Final Thought

If your Salesforce org is growing—or adopting advanced features like Data Cloud and Agentforce—manual access management will hold you back.

User Access Policies aren’t just a time-saver.
They’re a best practice for modern Salesforce security and scalability.

Automate the rules.
Enforce least-privilege access.
And give your admins their time back.


RESOURCES:

Learn More about User Access Policies: https://help.salesforce.com/s/articleView?id=platform.perm_user_access_policies.htm&type=5

Automating User Access Policies: https://help.salesforce.com/s/articleView?id=platform.perm_active_user_access_policy.htm&language=en_US&type=5

User Access Policy Considerations: https://help.salesforce.com/s/articleView?id=platform.perm_user_access_policy_considerations.htm&type=5