In a big organization, a single admin can a big problem in terms of bandwidth issues. Normally admins are getting multiple requests like – creating users, updating profiles, resetting the password, running report etc. along with their daily meetings. So it will be really difficult for a single admin to handle all these requests by himself/herself. And that is the place where admins want to delegate some of their work to others (trusted colleagues). But trust me, it is a big decision. You should not give all the admin privilege to your colleagues even though he/she is a very trusted employee. Rather you should delegate few specific task to your colleagues. In Salesforce, we can do the same with DELEGATE ADMINISTRATION.

So basically Delegate Administrator will allow named users to manage other users within selected roles and profiles, as well as managed selected custom objects.

With Delegate Administration, you can configure named users to do the below things –

  • Role & Subordinate:  Delegate Administrator can create and edit users with specific roles and subordinates. The can’t modify the role hierarchy though.
  • Profile:  Delegate Administrator can assign users(they create or edit) to assigned profiles. They can’t modify the profile.
  • Permission Set: Delegate Administrator can add/remove selected permission sets from users(they create or edit) to assigned profiles. They can’t modify the permission set.
  • Public Group: Delegate Administrator can add/remove selected public groups from users(they create or edit) to assigned profiles. They can’t modify the public group.
  • Custom Object: Delegate Administrator can manage every aspect of the selected custom objects except object’s permission on profiles. Delegate Admin can’t create or modify relationship on the objects or set org-side sharing defaults.
  • Enable Login Access: Delegate Administrator can login in as a user belonging to the role hierarchy that they manage.
  • Unlock and Freeze User.
To make an existing user as “Delegate Administrator”, you need “Customize Application” Permission and that user need “View Setup and Configuration” permission.

Note – “View Setup and Configuration” permission is always a tricky one as it will open up many  more permissions to the users. So before giving this permission to any user, you should think multiple times and justify yourself. Giving “View Setup and Configuration” permission to a user so that you can mark that user as Delegate Admin should NOT be the correct approach. I will highly recommend you to read the post – “Become More Efficient With Delegated Administrators” from AdminHero.

Use Case:
I have two users in my Org – Administrator (Sudipta Deb) and Non-Administrator(Mario Ruiz). I want to mark Mario as Delegate Administrator so that he can take care of creating/editing users with Profile – “Recruiter” or with the role – “VP, North America Sales”. At the same time, I would like to make sure he can take some of the request related to custom objects – Position, Job Application, Employment Website, Job Posting.

Implementation:

  • Open Delegate Administration: Click on Setup | Administer | Security Controls | Delegate Administration.
  • Click on New
  • Put the below details as shown in the picture –
  • In the next page, under “User Administration“, select the role – “VP, North America Sales” like shown below – 
  • In the next page, under “Assignable Profiles“, select the profile- “Recruiter” like shown below 

     

  • In the next page, under “Custom Object Administration“, select the objects – “Position, Job Application, Employment Website, Job Posting” like shown below – 
  • Add the user “Mario Ruiz under “Delegated Administrator” 
  • Finally, it will look like – 

There are few limitations as well with Delegate Administrator which are –
  • Can’t assign profiles or permission sets with “Modify All Data” permission.
  • The -None- option will not be available when selecting roles for new users.
  • For formula fields, accessing merge fields from another object requires delegate admin’s permission on that object.
  • Can’t modify permission sets.
  • Standard Objects are excluded from Delegated Administration. We have a Salesforce Idea open for this – https://success.salesforce.com/ideaView?id=08730000000BptIAAS
  • Another Salesforce Idea worth mentioning here is – Allowing Non-Admin users to import custom objects – https://success.salesforce.com/ideaView?id=08730000000Bre6
  • For security, profiles with the “Modify All Data” permission cannot be included under “Assignable Profiles“. See the error when attempting to include the System Administrator profile. 
  • Delegate Admin can change the FLS for existing and newly created fields for those objects which are assigned to him/her. But Delegate Admin can’t change the Object Level Permission on Profile.

Are you using Delegate Administrator in your org? What use case you are handling using Delegate Administrator? What problem(if any) you faced? Please share your feedback.