To create contracts or service contracts from an opportunity or order, users now require Create access on assets in addition to the existing Read and Edit asset requirements.

Where: This change applies to Salesforce Lightning and Salesforce Classic in Salesforce CPQ and Service Cloud for Salesforce CPQ.

New Permissions for Creating Contracts and Service Contracts (salesforce.com)

Ensure that users have secure and appropriate levels of access to objects and fields. Assign the new Salesforce CPQ Admin User Access and Salesforce CPQ Partner User Access permission sets to your Salesforce CPQ admins and partner users. Review the new permissions added to the Salesforce CPQ Customer User Access permission set. Then use a CPQ package setting to test the permission sets before they’re enforced in Spring ’22.

Where: This change applies to Lightning Experience and Salesforce Classic in Salesforce CPQ.

When: Salesforce enforces this update in Spring ’22. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: A series of four Access permission sets and requirements contain data security–related permissions. In Summer ’21, we added the permission sets User Access and Customer User Access. In Winter ’22, we added permission requirements to the Customer User Access set, and we added two more sets, Partner User Access and Admin User Access. We also introduced the same data-security permissions to standard CPQ permission sets.

As permission requirements are added in future releases, two methods help ensure that your users never risk missing important data security updates.

• If you cloned or created custom permission sets for admins, users, partners, or customers, assign the appropriate Access set. We designed Access sets for assignment directly to your users, without cloning or editing.
• If you don’t clone or use custom permission sets, you can use the standard sets alone, without assigning Access sets,

For example, let’s say you assign a customized admin permission set to admins and the standard Customer User set to customers. In this case, assign the Admin User Access permission set to your admins. Your customers can continue using the Customer User set without changes.

For a complete list of new permissions in each Access permission set, review New and Changed Objects, Fields, and Permissions in Salesforce CPQ and Billing Winter ’22.

How: To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates.

Data restrictions for the Access permission sets are enforced in Salesforce CPQ Spring ’22. Until then, you have some options for testing them in your org. When the CPQ package setting Perform Enhanced Data Access Checks is active, Salesforce CPQ enforces data restrictions for the Access permission sets. When Perform Enhanced Data Checks is inactive, the Access permission set restrictions aren’t enforced.

To start testing, assign the Salesforce CPQ User Access set to your users. Then assign the Salesforce CPQ Customer User Access set to your customer users. Next, from Setup, in the Quick Find box, enter Installed Packages, and then click Installed Packages. Go to Salesforce CPQ and click Configure. In the Additional Settings tab, select Perform Enhanced Data Access Checks.

You can turn Perform Enhanced Data Access Checks on and off as needed before Spring ’22. In Spring ’22, we’ll remove the Perform Enhanced Data Access Checks setting and enforce data restrictions for the Access permission sets.

Assign New Access Permission Sets and Review New Permissions (Release Update) (salesforce.com)

Permissions were added to standard permission sets, and Access permission sets were updated.

• Assign New Access Permission Sets and Review New Permissions (Release Update)
  Ensure that users have secure and appropriate levels of access to objects and fields. Assign the new Salesforce CPQ Admin User Access and Salesforce CPQ Partner User Access permission sets to your Salesforce CPQ admins and partner users. Review the new permissions added to the Salesforce CPQ Customer User Access permission set. Then use a CPQ package setting to test the permission sets before they’re enforced in Spring ’22.
• New Permissions for Creating Contracts and Service Contracts
  To create contracts or service contracts from an opportunity or order, users now require Create access on assets in addition to the existing Read and Edit asset requirements.

Salesforce CPQ

To make sure that recognition badges aren’t visible to guest users unintentionally, the default rules now allow only authenticated users to see them. But you can turn off the default setting if you prefer. This update was first made available in Winter ’22 and is enforced in Winter ’22.

Where: This change applies to Aura sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

When: This update was first available in Winter ’22 and is enforced in Winter ’22. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

How: To turn off Hide badges from guest users in Experience Builder sites, go to Setup>Feature Settings>Digital Experiences>Settings.

Removal of Guest User Access to Recognition Badges in Experience Builder Sites (Release Update) (salesforce.com)

The Run Flows permission for the Guest User and Experience Cloud External User profiles is no longer available in new orgs, starting in Winter ’22. Without the Run Flows permission, you’re free to use the more granular permission structure embedded in Flows and give your users the detailed access they need. Run Flows will be removed from all orgs in the Summer ’22 release. To avoid future access issues, we recommend updating your existing sites to the new permission structure before the Summer ’22 release.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Bid Farewell to Run Flows for Guest Users (salesforce.com)

To better protect your Salesforce data, this update changes how unauthenticated guest access to product records is controlled. To prevent guest users from losing access to products, create and test guest user sharing rules. The Product org-wide sharing default for external users is no longer applied to guest users, and guest user access is set to Private. This setting can’t be changed. This update was first made available in Winter ’22.

Where: This change applies to Lightning Experience and Salesforce Classic in Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

When: The setting Secure guest user record access isn’t applied to products in Winter ’22. Salesforce will enforce this update in Spring ’22.

Create Sharing Rules to Retain and Control Guest Users’ Product Access (Release Update) (salesforce.com)

Prevent external users, such as portal or partner users, from viewing personal information in your user records. Now when you apply the Enhanced Personal Information Management setting, Salesforce blocks view access to 20 fields that are considered personal information. This setting is also more flexible than the Hide Personal Information setting. To implement this setting, in User Management Settings, add or remove the PersonalInfo compliance category for any field.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

Hide More Personal Information Fields (salesforce.com)

Hide more personal information fields with a new user setting, retain guest users’ access to products, and give more granular access to flows.

• Hide More Personal Information Fields
  Prevent external users, such as portal or partner users, from viewing personal information in your user records. Now when you apply the Enhanced Personal Information Management setting, Salesforce blocks view access to 20 fields that are considered personal information. This setting is also more flexible than the Hide Personal Information setting. To implement this setting, in User Management Settings, add or remove the PersonalInfo compliance category for any field.
• Create Sharing Rules to Retain and Control Guest Users’ Product Access (Release Update)
  To better protect your Salesforce data, this update changes how unauthenticated guest access to product records is controlled. To prevent guest users from losing access to products, create and test guest user sharing rules. The Product org-wide sharing default for external users is no longer applied to guest users, and guest user access is set to Private. This setting can’t be changed. This update was first made available in Winter ’22.
• Bid Farewell to Run Flows for Guest Users
  The Run Flows permission for the Guest User and Experience Cloud External User profiles is no longer available in new orgs, starting in Winter ’22. Without the Run Flows permission, you’re free to use the more granular permission structure embedded in Flows and give your users the detailed access they need. Run Flows will be removed from all orgs in the Summer ’22 release. To avoid future access issues, we recommend updating your existing sites to the new permission structure before the Summer ’22 release.
• Removal of Guest User Access to Recognition Badges in Experience Builder Sites (Release Update)
  To make sure that recognition badges aren’t visible to guest users unintentionally, the default rules now allow only authenticated users to see them. But you can turn off the default setting if you prefer. This update was first made available in Winter ’22 and is enforced in Winter ’22.

Security and Sharing (salesforce.com)

The DeveloperName field has new permission requirements for multiple Salesforce objects and types across various APIs. Following the Winter ’22 release, some users can lose access to the DeveloperName field on objects that they typically interact with. To view, group, sort, or filter the DeveloperName field on affected API objects, you must have View Setup and Configuration OR View DeveloperName permission.

Where: This change applies to all editions.

How: Restore access by giving users the View Setup and Configuration OR View DeveloperName permission via a profile or permission set. For a list of affected objects and types, see the related knowledge article.

Grant Access to the DeveloperName Field to Users Who Require It (salesforce.com)

You can now view and update current assignment expirations for your permission sets and your permission set groups. Previously, to update assignment expirations, you recreated them with the correct expiration date.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: Suppose a sales manager wants consultants to evaluate the language used in sales contracts. You give the consultants access to the contracts object and other permissions via a permission set group so that they can perform their work. The project has an end date, so you don’t want contractors to access sales contracts after that date. Set the expiration date for the permission set group when you assign it to users. If the project end is extended, edit the expiration date for the permission set group to the new date.

How: Enable Permission Set Group Assignments with Expiration Dates (Beta) in User Management Settings. Then from either the Permission Set Group or Permission Set page, click Manage Assignment Expiration. On the Current Assignments page, you can view a list of the users that are assigned to the permission set or the permission set group. To create a user assignment, click Add Assignment. To modify the expiration date of existing assignments, click . To remove an assignment, click .

Manage Assignment Expiration in Permission Sets and Permission Set Groups (Beta) (salesforce.com)