Delegated Administration

What is Delegated Administration?

Delegated administration allows named users to manage other users within selected roles and profiles, as well as manage fields on selected custom objects.

Why use Delegated Administration?

If you assign user administration privileges using profiles or permission sets, that user will gain the ability to administer most or all users and objects in your org.

Delegated administration allows you to specify which users (based on role/profile) and custom objects (standard objects excluded) a delegated administrator can manage.

Profile & Permission Sets
Login as Any User*
Manage Users Assigned Any Role
Manage Users Assigned Any Profile*
Admin None/All Objects
Delegated Administration
Login as Users - Delegated Roles Only
Manage Users - Delegated Roles Only
Manage Users - Delegated Profiles Only
Admin Delegated Custom Objects Only

*A user must have the “Modify All Data” permission to manage users/profiles with the “Modify All data” permission.

Example

Jim is responsible for maintaining users for the marketing department, as well as the custom fields on the “Venue” object.  If someone in the marketing department has a problem with Salesforce, they first contact Jim to see if he can resolve the issue.  Likewise, Jim is responsible for creating new Salesforce users for the marketing team.

To meet this need, I’ve created a delegated group as follows:

1-11-2013 5-10-25 PM

Although Jim is assigned the “Standard User” profile, he can manage users within the specified roles and profiles above.  Additionally he can manage the custom fields on the Venue object.  However, he cannot perform any other administrative actions.

29 Responses to “Delegated Administration”

  1. opaz October 4, 2017 at 6:20 am #

    Hi John,
    My Sales operation have “administrator” profile and currently, she manages some of the activities of sales group and creates formulas, Workflow, Email templates etc.

    Could I use standard user plus Delegated Administration and allow her to have the same permissions only on Sales group and some of the objects?

    • JohnCoppedge October 4, 2017 at 6:23 pm #

      Yes you could potentially do that – delegated admin won’t give workflow, email and those types of permissions, so it might not suit your exact use case. But that is the type of thing it is designed for

  2. leslie September 23, 2017 at 3:04 am #

    John,

    If I don’t have role hierarchy set up in my org, delegated Admin will not work? Is this right?

  3. trpbt November 30, 2016 at 1:50 am #

    delegated admin is allowed to create new users as well for a specific profile or role?

  4. swati.c.840 November 21, 2016 at 12:20 am #

    Hi John,

    In the example, Jim = James Smith from the screenshot right? Noob question – but just want to clarify.

    Thanks!

  5. kfir cohen August 3, 2016 at 9:53 am #

    Hi John,

    Where can I actually assign the “Modify all permission” to a user?
    Thanks!

    • sneha06 August 5, 2016 at 2:56 am #

      It seems that we need to provide “Modify all data” permission using Permission set and add that permission set to delegate admin group. Because if we give “Modify all data” permission in profile level then all the user assign to that profile have additional permission and in a particular user record we do not have that option.

      John please correct me if I am wrong or if there is any other option.

      • sneha06 August 6, 2016 at 9:00 am #

        Hi John,

        One more clarification needed, if a delegated admin user A wants to manage a user B (belongs to a particular profile) and user B do not have “Modify all data” permission.
        Then user A does not require “Modify All data” permission right?

        User A only requires “Modify All Data” permission when he wants to manage a user who also has “Modify All Data” permission?

        • JohnCoppedge August 17, 2016 at 2:41 pm #

          Right you need modify all to manage a user that has modify all-

          Typically, delegated admin is used to allow power users (or admin light) to assign non-administrative permissions (e.g. NOT modify all data).

          Examples:

          Assign a permission set to allow users to export reports.
          Create a field on a custom object that is managed by a specific business unit.
          Manage users within a specific profile.

          Etc.

          Hope that helps!

    • JohnCoppedge August 17, 2016 at 2:39 pm #

      Profile or permission set – this is typically reserved for admins

  6. richa.midha@outlook.com August 18, 2015 at 7:32 pm #

    so delegated administrator can work as an administrator for that particular delegated profiles users and objects?

  7. Christine Wong March 28, 2015 at 11:15 am #

    Hi John, is this covered in 2015 Spring Mar? cos’ don’t seem to see this in the Study Guide for this season.

    • JohnCoppedge March 30, 2015 at 2:53 pm #

      It may not be specifically addressed in the outline, but it is something you should be aware of.

  8. Rosalin Charath September 30, 2014 at 3:32 pm #

    Hi John,

    (1) You said, *A user must have the “Modify All Data” permission to manage users/profiles with the “Modify All data” permission.’ and I also read in SF Help that , ‘To delegate administration of particular objects, use object permissions, such as “View All” and “Modify All.”

    I am confused. So, under which profile the ‘Modify All Data’ needs to be selected? For example, let’s say, Jim from your example above is tied to a profile where other users are also assigned. We only want to allow Jim with some additional tasks so he can help out the administrator. I understand about creating the Delegated Group but what about making sure the user have ‘Modify All Data’ permission. Where do you do this?

    (2) You also said, “Delegated administration allows you to specify which users (based on role/profile) and custom objects (standard objects excluded) a delegated administrator can manage.”

    So does that mean we can not allow a delegate administrator to manage standard objects (like Account, Contact and etc.)?

    Greatly appreciate your help!!!!

    • JohnCoppedge September 30, 2014 at 9:53 pm #

      So does that mean we can not allow a delegate administrator to manage standard objects (like Account, Contact and etc.)?

      Correct – a delegated admin cannot manage the FIELDS on a standard object.

      If Jim does not have modify all data, then Jim cannot be a delegated administrator for a user that does have modify all data (e.g. Jim cannot be a delegated admin for a system administrator – that wouldn’t make much sense now would it!).

      Hope that helps 🙂

      • g.levy@mamacash.org February 6, 2016 at 3:31 pm #

        Hi John,

        Than was actually a question I wondered about as well.
        Would I need to have a Permission Set for Jim to allow him “Modify All Data” (in the scenario that he shares a profile that is used by other people in his department)?

        Gil

        • JohnCoppedge February 8, 2016 at 2:45 pm #

          The biggest difference with delegated administration is that it allows the user to actually add/remove fields from the object (e.g. one specific object, not all objects), not just manipulate the data.

          If you want the user to access all records in an object, then yes modify all (under that specific object – not the modify all data permission), is a good way to do it. Modify All Data is a BIG permission (granting access to data on all object), typically reserved for system admins.

  9. Aaron Howerton June 6, 2014 at 8:18 pm #

    Wondering aloud if this would be a good place for information on setting up/managing third party administrators (i.e. consultants working in your org) via permission sets as opposed to assigning system admin profile. Thanks for all the great content and organization!

    • JohnCoppedge June 12, 2014 at 2:20 am #

      Really depends on the relationship – delegated admin is MUCH lower in function than a real system administrator. That said, if all the consultant needs to admin is a few custom objects, then this might work. However, most of the time additional access would be needed when working with a client as an SFDC consultant, for example.

  10. Matthew English January 13, 2014 at 5:32 pm #

    Can a user with a lower role hierarchy be a delegated administrator for a user who is higher on the hierarchy? Apologies, that was not clear to me.

    • JohnCoppedge January 14, 2014 at 12:23 am #

      Good question Matthew. I suspect that the answer is yes – but I don’t have a good way to test this to verify (would need 3 user licenses, only 2 are included in a dev org).

  11. Swanand patil December 31, 2013 at 2:40 pm #

    Is there any information on what are the limitations for the delegated administration compared to system administration?
    Thanks,

  12. Swanand patil December 31, 2013 at 2:39 pm #

    Is there any information no what are the limitations for the delegated administration compared to system administration?

  13. Daniel Sokolowski November 5, 2013 at 4:55 pm #

    Jim is short for James; yep had to look that up.

Leave a Reply