The pattern: identify the role that needs scoped admin power, define the exact scope, create the Delegated Group, assign users, audit usage. The cost is low; the security and operational benefit (scoped admin without full SysAdmin risk) is meaningful.
- Identify the operational role needing scoped admin power
Regional team leader, domain admin, support tier-2 lead. The role has a clear set of admin tasks that does not require full SysAdmin.
- Define the exact scope
Which profiles can they assign, which custom objects can they administer, which permission sets can they grant. Document the scope before creating the Delegated Group.
- Open Setup, Delegated Administration, New
Create a new Delegated Group. Name it after the role (Regional Admin - APAC, Sales Ops Delegated). The name appears in audit trails.
- Configure the four scope dimensions
Delegated Administrators (the users), User Administration (profiles and users they manage), Custom Object Administration (objects they can configure), Permission Set Assignment (sets they can grant).
- Add users to the Delegated Administrators list
The users who hold the delegated privileges. Add by user or by Public Group. Public Group is more flexible across org-chart changes.
- Train the delegated admin on their scope
The user needs to know what they can and cannot do; without training they either underuse the privileges or hit unexpected access denials.
- Schedule the quarterly Delegated Administration audit
Pull Setup Audit Trail entries from delegated admins. Confirm actions are within scope and policy. Document the review for compliance.
The users who hold the delegated privileges. By user or Public Group.
Which profiles and users the delegated admin can manage.
Which custom objects they can administer (fields, layouts, validation rules).
Which permission sets they can grant to users in their scope.
Quarterly review of Setup Audit Trail entries from delegated admins.
- Delegated admins cannot do everything System Administrators can. Training on the scope boundaries prevents user frustration.
- Public Group-based delegation survives org-chart changes; user-based delegation breaks when users move teams.
- The scope is intentionally narrow. Delegated Administration is not a replacement for proper Permission Sets when admin privileges are not actually needed.
- Multiple overlapping Delegated Groups can produce confusing combined scope. Document each group's purpose and avoid overlapping scopes.
- Setup Audit Trail captures delegated admin actions but the entries can be hard to filter. Build a saved report or query for the audit review.