Delegated Administration lets non-admins perform a constrained subset of admin tasks — "the team lead can reset team members' passwords and create users in the Sales role hierarchy, but can't see other teams' data." Useful for distributing routine admin work without giving away the System Administrator profile.
- Open Setup → Delegated Administration
Setup gear → Quick Find: Delegated Administration → Delegated Administration.
- Click New
Top-right of the list. Each Delegated Group is a scoped admin role.
- Set Group Name and Description
Convention: "<Team> - Delegated Admin" — e.g. "Sales East - Delegated Admin."
- Pick Delegated Administrators
Add Users who should have these elevated permissions. Multi-user groups are common.
- Pick User Administration scope
Which Roles + Profiles + Permission Sets the delegated admin can manage. Limits which users they can create / edit / reset passwords for.
- Pick Custom Object Administration scope
Which custom objects the delegated admin can configure (fields, layouts, validation rules) — limited list.
- Save
Delegated admins can now self-serve their scoped tasks via the User detail page.
Roles + Profiles + Permission Sets. The delegated admin can manage users in those scopes.
Which custom objects they can edit. Limited subset.
Whether the delegated admin can grant Login As to other admins.
Whether the delegated admin can assign Permission Sets to users in their scope.
- Delegated Administrators can't impersonate users (Login As) by default — granting that requires a separate setting and is rarely safe to delegate.
- Scope is by Role + Profile, not by record. A delegated admin for "Sales East" Role can edit ANY user in Sales East — even the VP of Sales. Plan scoping carefully.
- Custom Object Administration is limited to a small subset of operations. Field creation works, but trigger / Apex deployment requires full admin — don't expect this to fully replace System Administrator.