Winter 26

Key Updates for Permissions, Access & User Management 

The Salesforce Winter ’26 release delivers notable changes that impact how administrators govern permissions, manage access, control automation behaviour, and maintain security across their orgs. Several of these updates introduce new enforcement rules that require review before activation. Below is a clear breakdown of the most important enhancements for permissions, access and user management. 

1. Enforcement of Permissions on Built-In Apex Classes Used in Flows 

Winter ’26 introduces stricter security for flows that call built-in Apex classes such as ConnectApi or Messaging. These flows will now honour class-level permission checks. If a user lacks permission to the invoked class, the flow will fail rather than running under elevated privileges. 

Why it matters: 

  • Strengthens the security boundary between flows and Apex 
  • Prevents users from indirectly performing actions they don’t have rights for 
  • Ensures automation behaviour aligns with permission models 
  • Requires review of existing flows before enabling the update 

2. Automatic Unassignment of Permission Set Licenses 

When a permission set or permission set group is removed from a user, the associated Permission Set License (PSL) will now be automatically unassigned. Previously, licences often remained allocated even after access was removed. 

Why it matters: 

  • Reduces PSL waste and unnecessary licensing costs 
  • Aligns licence allocation with actual access 
  • Simplifies access cleanup and offboarding 
  • Helps maintain licence hygiene in larger orgs 

3. Field History Tracking for the User Object (Beta) 

Winter ’26 introduces the ability to enable Field History Tracking on the User object, so admins can track changes to user fields, including the old value, the new value, who made the change, and when.

Why it matters: 

  • Improves auditability for high-risk fields (e.g., profile, role, manager, email) 
  • Supports compliance and internal review requirements 
  • Enhances security investigations and audit trails 
  • Helps organisations understand how access-related fields evolve over time 

4. Updated Role Hierarchy Behaviour for Sharing References 

Salesforce is enforcing stricter behaviour for role-hierarchy references. Legacy references such as “Roles and Subordinates” may no longer behave as expected and must be updated to newer replacements such as “Role and Internal Subordinates”. 

Why it matters: 

  • Ensures consistent and secure role-based access behaviour 
  • Prevents sharing rules, flows, Apex, or metadata from failing due to outdated hierarchy tokens 
  • Forces review of older metadata and automation that depends on legacy role references 
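One way to run that review over retrieved sharing-rule metadata, as an added example that is not from Salesforce or from this article. It assumes the legacy “Roles and Subordinates” reference appears in Metadata API sharing-rule XML as the `roleAndSubordinates` element and its replacement as `roleAndSubordinatesInternal`; the rule and role names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"
LEGACY = "roleAndSubordinates"               # assumed legacy element
REPLACEMENT = "roleAndSubordinatesInternal"  # assumed replacement element

# Constructed sample of a retrieved *.sharingRules-meta.xml file.
SAMPLE = """<SharingRules xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingCriteriaRules>
        <fullName>Share_Open_Deals</fullName>
        <accessLevel>Edit</accessLevel>
        <sharedTo>
            <roleAndSubordinates>EMEA_Sales</roleAndSubordinates>
        </sharedTo>
    </sharingCriteriaRules>
    <sharingOwnerRules>
        <fullName>Share_Support_Cases</fullName>
        <accessLevel>Read</accessLevel>
        <sharedFrom>
            <role>Support_Agent</role>
        </sharedFrom>
        <sharedTo>
            <roleAndSubordinatesInternal>Support_Lead</roleAndSubordinatesInternal>
        </sharedTo>
    </sharingOwnerRules>
</SharingRules>"""


def find_legacy_role_refs(xml_text):
    """Return (rule name, side, role) for every legacy hierarchy reference."""
    root = ET.fromstring(xml_text)
    hits = []
    for rule in root:  # each child element is one sharing rule
        name = rule.findtext(NS + "fullName", default="?")
        for side in ("sharedFrom", "sharedTo"):
            # Exact tag match, so the replacement element is never flagged.
            for ref in rule.iterfind(f"{NS}{side}/{NS}{LEGACY}"):
                hits.append((name, side, ref.text))
    return hits


if __name__ == "__main__":
    for name, side, role in find_legacy_role_refs(SAMPLE):
        print(f"{name}: {side} uses {LEGACY} ({role}); review for {REPLACEMENT}")
```
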

5. Verified Email Requirement for Legacy Users 

Winter ’26 enforces verified email addresses for all users created on or before 1 November 2016. Unverified users will no longer be able to send emails from Salesforce until their email address is confirmed. 

Why it matters: 

  • Prevents unverified or legacy users from sending outbound communications 
  • Supports security best practices and trust policies 
  • Impacts organisations with older user accounts still active in the system 

6. Additional Changes Affecting Permissions, Access & Security 

Winter ’26 includes several smaller but important enhancements: 

Apex & Flow Security Updates 

Further improvements to flow behaviour, including identity checks and permission requirements for connected actions. 

Guest User & Experience Cloud Adjustments 

Updates to guest-user sharing, URL behaviour for legacy force.com sites, and Experience Cloud access may require review in organisations using external communities. 

Tab Visibility Enhancements 

Continued investment in surfacing tab-level visibility in Access Summaries, supporting more complete access reviews. 

Why it matters: 

  • Strengthens access boundaries across Experience Cloud 
  • Improves clarity for how UI-level access is granted 
  • Helps prevent accidental overexposure of data or functionality 

Final Thoughts 

Winter ’26 introduces meaningful changes that strengthen security, tighten permission boundaries, and improve auditability across the Salesforce platform. These enhancements: 

  • Protect against unintended privilege escalation through flows 
  • Reduce licence waste via automated PSL cleanup 
  • Improve access-change tracking with User-object field history 
  • Ensure consistent and modern role hierarchy behaviour 
  • Increase security for older user accounts 

For organisations using Application Perfection’s Security & Access Manager Suite — including tools for object access, permissions insights, user audits and automation governance — these Winter ’26 updates further support a secure, well-structured, and audit-ready access model.