What is the most important tip for working with Delegated Administration?

Use Public Group-based delegation. User-based delegation breaks on org-chart changes; Public Groups survive.

AdministrationAdvanced

Delegated Administration

Q: What does Delegated Administration enable?

Delegated Administration grants limited admin functions (like user management or custom object admin) to non-admins within a specific scope.

Q: What's a common use case?

A common pattern is delegating user management for a specific department to a department manager, scaling admin capacity without compromising governance.

Q: Are delegated admins limited in scope?

Delegated admins are strictly constrained to the roles, profiles, objects, and permission sets defined in their delegated group.

Delegated Administration in Salesforce is the feature that lets a System Administrator grant a subset of admin privileges to specific non-admin users without making them full System Administrators.

Hear it

§ 01

Definition

Delegated Administration in Salesforce is the feature that lets a System Administrator grant a subset of admin privileges to specific non-admin users without making them full System Administrators. Each Delegated Group defines which users hold the delegated privileges, which custom objects they can manage, which profiles they can assign to other users, and which permission sets they can grant. The delegated admins can create and manage users within their scope but cannot do everything a full admin can; the scope-limited model is the point.

Delegated Administration exists because giving every junior admin the full System Administrator profile is overkill and risky. A team leader who needs to create users in their region, reset passwords for their team, and assign a small set of permission sets does not need the platform-wide power to delete custom objects or change sharing rules. Delegated Administration creates a middle tier: scoped admin power for the specific tasks the role needs, without the keys-to-the-kingdom risk of full System Administrator access.

§ 02

Why Delegated Administration is the middle tier between users and System Administrators

Where Delegated Administration lives in setup

Setup, Users, Delegated Administration. The page lists every Delegated Group with its name, members (the users who hold the delegated privileges), and the scope (which profiles they can manage, which custom objects, which permission sets). Each group is independent; an org can have multiple delegated groups for different teams (Sales Ops delegated group, Service Ops delegated group). New Delegated Group walks the admin through scope configuration.

The four scope dimensions

Each Delegated Group scopes privileges across four dimensions. Delegated Administrators: the users who hold the privileges. User Administration: which profiles the delegated admin can assign to users and which users they can manage (based on profile and role). Custom Object Administration: which custom objects they can administer (create fields, edit page layouts, modify validation rules). Permission Set Assignment: which permission sets they can grant. Each scope is granular; the delegated admin can do exactly what is scoped and nothing else.

User management within delegated scope

The most common Delegated Administration use case is user provisioning. A regional team leader gets a Delegated Group that lets them create users with specific profiles in their region, reset passwords for those users, deactivate them. They cannot modify users outside their scope (cannot create System Administrators, cannot manage users in other regions). The scoping respects role hierarchy and profile assignment; the delegated admin's reach matches their actual responsibility.

Custom Object Administration and the scoped power

Delegated Administration can grant custom-object admin rights without granting platform-wide admin. The Sales Ops Delegated Group might administer the custom Forecast Configuration object and the Region Mapping object; they can create fields, modify page layouts, edit validation rules on those specific objects. They cannot touch other objects or platform-wide settings. The pattern lets domain-specific admins manage their domain's objects without becoming full admins.

What Delegated Admins cannot do

The scope limits matter. Delegated admins cannot: assign profiles they do not have permission to manage, modify objects outside their scope, change sharing rules or org-wide defaults, deploy metadata via change sets, manage Connected Apps, modify Setup Audit Trail, change company information, manage system permissions on profiles. The "cannot" list is what makes Delegated Administration safe; the delegated admin has scoped power but not the platform-wide power that produces accidental org-wide changes.

Audit and the delegated-admin trail

Every action a Delegated Administrator takes logs to the Setup Audit Trail with the actor identified. Auditors and security reviewers can see exactly which user provisioning, profile assignment, or object change came from which delegated admin. The audit trail is the accountability layer; without it, the scoping benefit is undermined by lack of attribution. Most regulated orgs treat the Delegated Administration audit as part of their quarterly compliance review.

When Delegated Administration is the right tool

Delegated Administration is the right tool when there is a specific operational role (regional team leader, domain-specific admin) that needs scoped admin power. It is the wrong tool when the role is actually full System Administrator (just call them System Administrators), when the scope is too narrow to justify the Delegated Group overhead (one or two delegated tasks per quarter), or when the role can be served by Permission Sets without admin privileges. Most orgs end up with 3 to 8 Delegated Groups across operational tiers; orgs with dozens are usually using the feature where Permission Sets would suffice.

§ 03

How to set up Delegated Administration for an operational role

The pattern: identify the role that needs scoped admin power, define the exact scope, create the Delegated Group, assign users, audit usage. The cost is low; the security and operational benefit (scoped admin without full SysAdmin risk) is meaningful.

Identify the operational role needing scoped admin power
Regional team leader, domain admin, support tier-2 lead. The role has a clear set of admin tasks that does not require full SysAdmin.
Define the exact scope
Which profiles can they assign, which custom objects can they administer, which permission sets can they grant. Document the scope before creating the Delegated Group.
Open Setup, Delegated Administration, New
Create a new Delegated Group. Name it after the role (Regional Admin - APAC, Sales Ops Delegated). The name appears in audit trails.
Configure the four scope dimensions
Delegated Administrators (the users), User Administration (profiles and users they manage), Custom Object Administration (objects they can configure), Permission Set Assignment (sets they can grant).
Add users to the Delegated Administrators list
The users who hold the delegated privileges. Add by user or by Public Group. Public Group is more flexible across org-chart changes.
Train the delegated admin on their scope
The user needs to know what they can and cannot do; without training they either underuse the privileges or hit unexpected access denials.
Schedule the quarterly Delegated Administration audit
Pull Setup Audit Trail entries from delegated admins. Confirm actions are within scope and policy. Document the review for compliance.

Key options

Delegated Administratorsremember

The users who hold the delegated privileges. By user or Public Group.

User Administration scoperemember

Which profiles and users the delegated admin can manage.

Custom Object Administration scoperemember

Which custom objects they can administer (fields, layouts, validation rules).

Permission Set Assignment scoperemember

Which permission sets they can grant to users in their scope.

Audit cadenceremember

Quarterly review of Setup Audit Trail entries from delegated admins.

Gotchas

Delegated admins cannot do everything System Administrators can. Training on the scope boundaries prevents user frustration.
Public Group-based delegation survives org-chart changes; user-based delegation breaks when users move teams.
The scope is intentionally narrow. Delegated Administration is not a replacement for proper Permission Sets when admin privileges are not actually needed.
Multiple overlapping Delegated Groups can produce confusing combined scope. Document each group's purpose and avoid overlapping scopes.
Setup Audit Trail captures delegated admin actions but the entries can be hard to filter. Build a saved report or query for the audit review.

Trust & references

Sources

Cross-checked against the following references.

Delegated Administration referenceSalesforce
Administrator overviewSalesforce

Official documentation

Straight from the source - Salesforce's reference material on Delegated Administration.

Delegated AdministrationSalesforce Help
User ManagementSalesforce Help
Permission SetsSalesforce Help

Keep learning

Hands-on resources to go deeper on Delegated Administration.

Data SecurityResource ·

Was this entry helpful?

Help us write better definitions. Quick reactions or detailed edit suggestions.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

Test your knowledge

Q1. What does Delegated Administration enable?

Q2. What's a common use case?

Q3. Are delegated admins limited in scope?

Discussion

Loading…

Loading discussion…

Back to Dictionary