Author: jamesstarsfba4377228

Winter 26

November 14, 2025

Key Updates for Permissions, Access & User Management 

The Salesforce Winter ’26 release delivers notable changes that impact how administrators govern permissions, manage access, control automation behaviour, and maintain security across their orgs. Several of these updates introduce new enforcement rules that require review before activation. Below is a clear breakdown of the most important enhancements for permissions, access and user management. 

1. Enforcement of Permissions on Built-In Apex Classes Used in Flows 

Winter ’26 introduces stricter security for flows that call built-in Apex classes such as ConnectApi or Messaging. These flows will now honour class-level permission checks. If a user lacks permission to the invoked class, the flow will fail rather than running under elevated privileges. 

Why it matters: 

  • Strengthens the security boundary between flows and Apex 
  • Prevents users from indirectly performing actions they don’t have rights for 
  • Ensures automation behaviour aligns with permission models 
  • Requires review of existing flows before enabling the update 

2. Automatic Unassignment of Permission Set Licenses 

When a permission set or permission set group is removed from a user, the associated Permission Set License (PSL) will now be automatically unassigned. Previously, licences often remained allocated even after access was removed. 

Why it matters: 

  • Reduces PSL waste and unnecessary licensing costs 
  • Aligns licence allocation with actual access 
  • Simplifies access cleanup and offboarding 
  • Helps maintain licence hygiene in larger orgs 

3. Field History Tracking for the User Object (Beta) 

Winter ’26 introduces the ability to enable Field History Tracking on the User object — allowing admins to track changes to user fields, including the old value, new value, who made the change, and when. 

Why it matters: 

  • Improves auditability for high-risk fields (e.g., profile, role, manager, email) 
  • Supports compliance and internal review requirements 
  • Enhances security investigations and audit trails 
  • Helps organisations understand how access-related fields evolve over time 

4. Updated Role Hierarchy Behaviour for Sharing References 

Salesforce is enforcing stricter behaviour for role-hierarchy references. Legacy references such as “Roles and Subordinates” may no longer behave as expected and must be updated to newer replacements such as “Role and Internal Subordinates”. 

Why it matters: 

  • Ensures consistent and secure role-based access behaviour 
  • Prevents sharing rules, flows, Apex, or metadata from failing due to outdated hierarchy tokens 
  • Forces review of older metadata and automation that depends on legacy role references 

5. Verified Email Requirement for Legacy Users 

Winter ’26 enforces verified email addresses for all users created on or before 1 November 2016. Unverified users will no longer be able to send emails from Salesforce until their email address is confirmed. 

Why it matters: 

  • Prevents unverified or legacy users from sending outbound communications 
  • Supports security best practices and trust policies 
  • Impacts organisations with older user accounts still active in the system 

6. Additional Changes Affecting Permissions, Access & Security 

Winter ’26 includes several smaller but important enhancements: 

Apex & Flow Security Updates 

Further improvements to flow behaviour, including identity checks and permission requirements for connected actions. 

Guest User & Experience Cloud Adjustments 

Updates to guest-user sharing, URL behaviour for legacy force.com sites, and Experience Cloud access may require review in organisations using external communities. 

Tab Visibility Enhancements 

Continued investment in surfacing tab-level visibility in Access Summaries, supporting more complete access reviews. 

Why it matters: 

  • Strengthens access boundaries across Experience Cloud 
  • Improves clarity for how UI-level access is granted 
  • Helps prevent accidental overexposure of data or functionality 

Final Thoughts 

Winter ’26 introduces meaningful changes that strengthen security, tighten permission boundaries, and improve auditability across the Salesforce platform. These enhancements: 

  • Protect against unintended privilege escalation through flows 
  • Reduce licence waste via automated PSL cleanup 
  • Improve access-change tracking with User-object field history 
  • Ensure consistent and modern role hierarchy behaviour 
  • Increase security for older user accounts 

For organisations using Application Perfection’s Security & Access Manager Suite — including tools for object access, permissions insights, user audits and automation governance — these Winter ’26 updates further support a secure, well-structured, and audit-ready access model. 

Spring 25

November 14, 2025

Key Updates for Permissions, Access & User Management 

The Salesforce Spring ’25 release introduces several important enhancements for administrators responsible for permissions, access, governance, and org security. Below is a clear breakdown of what’s new and why it matters. 

1. New “View All Fields” Permission + Renamed Object-Level Permissions 

View All Fields Permission 
Spring ’25 introduces a new permission that allows users to read every field on a standard or custom object — including fields added in the future. This makes it simpler to grant complete read visibility without exposing edit rights. 

Renaming of Existing Object-Level Permissions 
To reduce confusion, Salesforce has renamed two well-known permissions: 

  • View All → View All Records 
  • Modify All → Modify All Records 

The functionality remains the same, but the naming now better reflects that these permissions apply to records, not fields. 

Why it matters: 

  • Clarifies the difference between field- and record-level access 
  • Reduces audit and documentation confusion 
  • Supports a cleaner, more accurate permissions model 
  • Simplifies granting full field visibility where appropriate 

2. Improved Permission Set Management 

Spring ’25 includes enhancements that make permission sets easier to manage and maintain. 

  • Admins can now remove user permissions and custom permissions directly from the Permission Set Summary page 
  • Included permissions within a Permission Set Group can be viewed and more easily managed 
  • Summary pages provide clearer insight into what a permission set or group actually grants 

Why it matters: 

  • Faster cleanup of large or legacy permission sets 
  • Easier documentation and governance 
  • Fewer clicks when auditing or updating access 
  • Better alignment between assigned permissions and actual user needs 

3. Enhanced User & Role List Views 

User and Role list views have been upgraded to provide: 

  • Faster load times 
  • More supported fields 
  • Improved inline editing 
  • Better sorting and filtering options 

These improvements streamline high-volume user administration, especially for organisations with large user populations. 

Why it matters: 

  • Easier management of user access at scale 
  • Less time spent navigating to individual user pages 
  • Cleaner experience for user onboarding and offboarding 
  • More efficient access reviews 

4. Continued Enhancements to User Access Policies 

Spring ’25 continues Salesforce’s multi-release push toward simplified user access management, including: 

  • Clearer visualisation of permission-set group assignments 
  • Improved tools for assessing what access a user has and why 
  • Better support for job-function-based access models 

Why it matters: 

  • Strengthens governance and compliance documentation 
  • Helps reduce profile reliance in favour of permission sets and groups 
  • Supports a more maintainable, scalable access model 
  • Improves auditability of user permissions 

5. Security, Identity & Access Flow Updates 

A few important identity-related updates also impact access management: 

Customisable Welcome Emails 

Admins can now customise the welcome email for new users, including setting verification-link expiry (1 day, 7 days, or 180 days). 

Updated Password Reset Flow 

When users reset their password, they must now authenticate using their chosen MFA method, increasing security during the process. 

Why it matters: 

  • Strengthens identity verification 
  • Reduces risk during onboarding and password resets 
  • Supports compliance and security-first access models 

Final Thoughts 

Spring ’25 delivers practical and impactful improvements for anyone managing permissions, access, security or governance within Salesforce. These enhancements: 

  • Improve clarity around object and field access 
  • Streamline permission-set and group maintenance 
  • Modernise user and role administration 
  • Strengthen identity and authentication processes 

For teams using the Security & Access Manager Suite — including modules for object access, field access, record access and permissions management — these updates complement core capabilities and support stronger, more transparent access governance. 

Summer 25

November 14, 2025

Key Updates for Permissions, Access & User Management

The Salesforce Summer ’25 release delivers significant enhancements to how administrators manage permissions, object access, user assignments and overall org security. These updates continue Salesforce’s multi-release effort to streamline access governance and reduce manual effort for admins. Below is a clear breakdown of the most important changes. 

1. Bulk Update Object Permissions Across Profiles & Permission Sets 

Summer ’25 introduces a powerful enhancement within Object Manager: the ability to bulk-update object-level permissions across multiple permission sets and profiles directly from the Object Access Summary screen. 

Admins can now review, grant, or remove CRUD access across all relevant permission sets or profiles in a single action — dramatically reducing the time required for permission updates. 

Why it matters: 

  • Major time savings when adjusting access across many profiles or permission sets 
  • Easier object-level access governance during audits 
  • Reduces reliance on spreadsheets or manual cross-checks 
  • Supports cleaner, more consistent access patterns across the org 

2. Edit Permissions Directly from Permission Set Summary Views 

Summer ’25 expands the capabilities of the Permission Set Summary view, allowing admins to directly edit: 

  • User permissions 
  • Custom permissions 
  • Object permissions 
  • Field permissions 

This reduces the need to navigate through multiple sub-menus and improves the speed of permission maintenance. 

Why it matters: 

  • Faster cleanup of overly complex permission sets 
  • Improved visibility into exactly what a permission set grants 
  • Fewer clicks and reduced admin overhead 
  • Better alignment of permission sets with business roles 

3. Enhanced Permission Set Group Management 

Permission Set Groups continue to be strengthened across releases, and Summer ’25 adds the ability to: 

  • Add permission sets directly from the summary view 
  • Remove permission sets in one click 
  • Review included permissions with greater clarity 

What was previously read-only now becomes interactive, making group-based access models easier to maintain. 

Why it matters: 

  • Encourages cleaner, role-based permission architectures 
  • Reduces “permission set group sprawl” 
  • Improves maintainability and onboarding 
  • Makes reviews and audits far more efficient 

4. Upgraded User Access Summary: Manage Assignments in One Place 

The User Access Summary continues to evolve, and Summer ’25 extends its functionality so admins can now: 

  • View all assigned permission sets 
  • View all assigned permission set groups 
  • Add or remove permission sets or groups 
  • Review queue membership 

All on one consolidated screen, reducing navigation and friction when managing individual user access. 

Why it matters: 

  • Simplifies onboarding and off-boarding 
  • Improves visibility for user access reviews 
  • Reduces the risk of permissions being overlooked 
  • Provides a single source of truth for user-level access 

5. Tab Visibility in Access Summaries 

A new “Tabs” section appears in permission set, permission set group and profile access summaries. This area is currently read-only but displays which tabs are visible or hidden for the selected access assignment. 

Why it matters: 

  • Surfaces an often overlooked aspect of access governance 
  • Helps admins quickly evaluate UI-level access for roles 
  • Improves the thoroughness of audit reviews 
  • Lays the groundwork for future editing capabilities 

6. Release Updates Impacting Permissions & Access 

Although Summer ’25 is not heavy on enforced security changes, several important release updates relate to access: 

Restricted Flow Access Enforcement Delayed 

The planned enforcement requiring explicit permissions (Run FlowsManage Flows) instead of relying on the legacy Flow User checkbox has been postponed to Winter ’26. 

Other minor updates 

Additional updates affect guest users, sharing behaviour and access boundaries. These should be reviewed within the Release Updates section of Setup. 

Why it matters: 

  • Admins gain additional time to prepare for Flow-permission enforcement 
  • Organisations relying on the Flow User checkbox should still begin migrating 
  • Helps prevent access gaps when enforcement arrives 

Final Thoughts 

Summer ’25 is a practical, productivity-focused release for permissions and access management. The new capabilities: 

  • Increase efficiency via bulk updates and summary-view editing 
  • Enhance visibility into user, object and permission-set access 
  • Strengthen the maintainability of permission set groups 
  • Support better access governance and audit readiness 

For organisations using Application Perfection’s Security & Access Manager Suite — including modules for object access, field access, record access and permissions administration — the Summer ’25 updates align well with best practices and reinforce the direction Salesforce is moving: clearer visibility, better governance and easier access management. 

Winter 25:

November 14, 2025

Key Updates for Permissions, Access & User Management

The Salesforce Winter ’25 release introduces meaningful improvements for administrators who manage permissions, troubleshoot access issues, and maintain clean org security. At Application Perfection, this is the area we focus on every day — so here’s a clear breakdown of everything that matters for permissions, access, audits, and user setup. 

1. Improved Visibility for Permission Debugging 

“Access Granted By” Insight on User Records 

Salesforce has added a new row-level action on the User Access Summary page called Access Granted By
This allows admins to instantly see exactly which profile, permission set, or permission set group grants a specific permission. 

No more guesswork, SOQL queries, or digging through layers of assignments — a direct, native way to understand why a user has access. 

Why it matters: 

  • Faster troubleshooting 
  • Clearer access mapping 
  • Better documentation for audits 
  • Stronger internal visibility for compliance teams 

2. Object Access Summary in Object Manager 

You can now view an Object Access Summary directly within Object Manager for each object. 
It displays every profile, permission set, and permission set group that grants CRUD access. 

Although currently read-only, Salesforce has indicated more enhancements are coming. 

Why it matters: 

  • Unifies object-level access information 
  • Helps admins quickly assess who can create, read, update, or delete records 
  • Reduces reliance on spreadsheets and manual audits 
  • Great for access reviews and permission rationalisation 

3. Enhanced User List Views 

Salesforce continues improving user administration by expanding the Enhanced User List View experience. Admins now benefit from: 

  • Better performance for large user populations 
  • Inline editing for certain user fields 
  • Faster filtering and data handling 

Why it matters: 

  • Quicker user updates 
  • Better management of profile or permission set assignments 
  • A more modern, efficient user administration workspace 

4. Improvements to Public Groups & Queues 

Public Groups and Queues finally get long-requested enhancements: 

Descriptions Now Supported 

Admins can now add descriptions to groups and queues to document their purpose — essential for keeping orgs clean and understandable. 

Easier Group Membership Management 

The updated group interface allows: 

  • Searching for members 
  • Bulk adding or removing up to 100 users 
  • Faster updates to complex sharing models 

Why it matters: 

  • Better clarity for sharing rules 
  • Easier audits of group-based access 
  • Less time spent managing team-based permissions 

5. Key Winter ’25 Release Updates That Affect Access 

Several Winter ’25 release updates directly impact how permissions and access operate. These are changes you should review and prepare for: 

❗ 5.1 Restricted Flow Access 

The old Flow User checkbox is being phased out. 
Users now require explicit permissions such as: 

  • Run Flows 
  • Manage Flows 

Impact: 
Flows may stop working for users who currently rely on the old checkbox. Review and update permission assignments early. 

❗ 5.2 Role-Based List View Sharing Requires Additional Permission 

Users who edit list view sharing and share via roles will now need: 

  • View Roles and Role Hierarchy 

Impact: 
Without it, they won’t be able to configure list view visibility using roles. This may affect sales teams and admins who maintain public list views. 

❗ 5.3 Guest User Restrictions on Approval Requests 

Guest Users will no longer be able to: 

  • Edit 
  • Delete 
  • Reassign 
    approval requests. 

They can still submit and respond to approvals. 

Impact: 
Experience Cloud orgs should test guest-user flows and approval processes to prevent unexpected failures. 

Final Thoughts 

Salesforce Winter ’25 makes meaningful progress toward improving how administrators understand and manage access across their orgs. These updates: 

  • Increase transparency 
  • Reduce troubleshooting time 
  • Strengthen security 
  • Support better audit readiness 
  • Align with the direction Salesforce is pushing: permission sets, clarity, and manageable access models 

For teams using Application Perfection’s Security & Access Manager Suite — especially Object Access, Record Access, and Permissions Management tools — these Winter ’25 enhancements complement and extend your capabilities. 

If you’d like help reviewing your org’s permission model or seeing how our suite can simplify Salesforce access management even further, get in touch — we’d be happy to walk you through a demo. 

Shield Platform Encryption

June 12, 2024

Encrypt more Grantmaking Compliant Data Sharing records data. Gather statistics and apply active keys to data with fewer timeouts. Bring Your Own Key pages are compatible with assistive technologies. .

  • Encrypt Search Index Keys with Manageable Root Keys
    Improvements to the Shield Platform Encryption architecture give you more ways to control the key material that encrypt search indexes. Salesforce has always used envelope encryption to secure your tenant secrets and customer-supplied keys. Now you can control the root key that generates and encrypts a data encryption key (DEKs) for your search indexes.
  • Encrypt Grantmaking Compliant Data Sharing Comments
    Grantmaking Compliant Data Sharing records sometimes contain sensitive or personally identifiable information (PII). You can now encrypt the Comments field on the Individual Application Task Participant object.
  • See Fewer Encryption Statistics and Sync Timeouts
    Gather encryption statistics and sync historical data with your active Shield Platform Encryption key faster. Improved indexing now handles large volumes of data more efficiently, resulting in fewer timeouts and faster processing times. Spend less time waiting for key management tasks to complete and more time working through your to-do list.
  • Access the Bring Your Own Key Pages with Assistive Technologies
    The Bring Your Own Key pages in Setup now use Lightning Experience styling. Better contrast makes the page easier to read, and users can navigate tables and interactive page elements more easily with keyboard controls. These pages also now include clearer labels and language support for screen readers.
  • Encrypt Application Form Seller Item Fields
    Client application form and a seller product sometimes contain sensitive or personally identifiable information (PII). On the Application Form Seller Item object, you can now encrypt the Vehicle Identification Number, Engine Number, Vehicle Registration Number, Property Address, Scheduled Delivery Date, Property Unit Identifier, Make, Model, and Trim fields.
  • Encrypt Party Income and Party Expense Fields
    Client expense and income records sometimes contain sensitive or personally identifiable information (PII). On the Party Income object, you can now encrypt the Income As Of Date field. On the Party Expense object, encrypt the Expenses As Of Date field.
  • Encrypt Party Financial Liability, Party Financial Asset, and Party Financial Asset Lien Fields
    Client financial, asset, and lien records sometimes contain sensitive or personally identifiable information (PII). On the Party Financial Liability object, you can now encrypt the Start Date, Term, Lender, and Liability Account Identifier fields. On the Party Financial Asset object, encrypt the OwnershipStartDateTime, ValuationDateTime, Description, SerialNumber, MakeName, ModelName, and ModelYear fields. On the Party Financial Asset Lien object, encrypt the Lien Holder and Maturity Date fields.

Identify Instanced Hostname Redirections

June 12, 2024

To help you identify hard-coded instanced URLs, the SOURCE_HOSTNAME field on the Hostname Redirects event type now tracks redirections for these URLs. For example, if your Salesforce instance is IND76, legacy instanced hostnames include ind76.salesforce.comind76.lightning.force.com, and MyDomainName--c.ind76.content.force.com. Redirections for legacy My Domain hostnames stop in Winter ’25. Previously, the HOSTNAME_REDIRECT field only tracked redirections from My Domain hostnames that didn’t contain an instance name.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions. The Hostname Redirects event is available in the API but not in the Event Monitoring Analytics app. This event is free for all customers with a 24-hour data retention period.

How: First, enable redirection logging. From Setup, in the Quick Find box, enter My Domain, and then select My Domain. In the Redirections section, click Edit. Select Log Redirections, and save your changes.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_log_instanced_redirections.htm&release=250&type=5

Track Network Performance Metrics

June 12, 2024

To maximize the efficiency of your applications, capture detailed network performance metrics with the new UI Telemetry Timing events. Use the Resource Timing event log file type to measure how long a browser takes to load specific application resources from a remote server. Use the Navigation Timing event log file type to track metrics related to page navigation, such as how long a browser takes to construct a page’s Document Object Model (DOM).

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions where Event Monitoring is enabled. The events are available in the API and in the Event Log Browser, but not in the Event Monitoring Analytics app.

Who: This change is available to customers who purchased Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_ui_telemetry_timing.htm&release=250&type=5

Download Up to 1 Year of Event Log Files

June 12, 2024

Adjust your event log file data retention period and download up to 1 year of event log file data in case of a security incident.

Where: This change applies to Lightning Experience and Salesforce Classic (not available in all orgs) in Enterprise, Performance, and Unlimited editions where Event Monitoring is enabled.

Who: This change is available to customers who purchased Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

How: From Setup, in the Quick Find box, enter Event Monitoring Settings and then select Event Monitoring Settings. Enable the Retain event log files setting. Then, to specify the number of days to retain your data, use the eventLogRetentionDuration field on the EventSettings Metadata API type.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_download_elf.htm&release=250&type=5

Access and Download Event Log File Data with the Event Log File Browser (Generally Available)

June 12, 2024

Get easy access to all of your Event Log File data by using the Event Log File Browser directly in Setup without the need for third-party tools.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions where Event Monitoring is enabled.

How: From Setup, in the Quick Find box, enter Event Log File Browser and then select Event Log File Browser. To download event log file data, select a date range and, from the dropdown list next to the event log file, select Download as CSV File.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_elf_browser.htm&release=250&type=5

Query Low-Latency Event Data with Event Log Objects (Beta)

June 12, 2024

Store and query all of your event data via the API with the new event log object framework (beta) that captures event data in standard objects.

Where: This change applies to Lightning Experience and Salesforce Classic (not available in all orgs) in Enterprise, Performance, and Unlimited editions where Event Monitoring is enabled.

When: Event log objects (beta) won’t be functional for US East Hyperforce customers until at least June 2024.

Who: This change is only available to a subset of US East Hyperforce customers who purchased the Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

How: Access Event Log Objects via the API or through CRM Analytics.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em_event_log_objects.htm&release=250&type=5