Salesforce license sprawl and offboarding gaps: what IAM teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Salesforce usage visibility, subscription optimisation, onboarding, and offboarding automation are the main themes in Zluri’s guide, with the strongest governance message centring on role-based access, timely revocation, and reducing manual license waste. The security issue is not just efficiency: access that outlives employment or role need creates avoidable exposure in identity programmes.

NHIMG editorial — based on content published by Zluri: Automation guide for getting more out of Salesforce by integrating with Zluri

Questions worth separating out

Q: How should security teams govern Salesforce access across the employee lifecycle?

A: Security teams should connect Salesforce provisioning and revocation to joiner, mover, and leaver events so access follows role and status changes.

Q: When does Salesforce access become a security risk rather than an admin task?

A: It becomes a security risk when licences, groups, or permissions remain assigned after the business need has changed.

Q: What do teams get wrong about least privilege in SaaS apps like Salesforce?

A: Teams often treat least privilege as a one-time provisioning rule instead of an ongoing entitlement decision.

Practitioner guidance

  • Inventory active Salesforce access: Track licence holders, last access time, and feature usage in a single view so renewal decisions are based on evidence rather than assumed need.
  • Automate joiner assignments by role: Map departments, divisions, groups, and permission sets to approved job functions and use workflow rules to apply them consistently at onboarding.
  • Tie offboarding to identity events: Trigger Salesforce revocation when employment status changes and remove users from all related groups, divisions, and permissions in the same workflow.

What's in the full article

Zluri's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Salesforce integration setup, including the credentials and fields required for the connection.
  • Workflow examples for onboarding and offboarding users across departments, groups, and divisions.
  • The specific in-app actions available for licence management and permission removal.
  • Implementation notes on where the integration does not apply to certain Salesforce editions.

👉 Read Zluri's guide to Salesforce automation and access governance →

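The reconciliation behind the practitioner guidance in the post above, as an added example that is not part of the original post or of Zluri's product: it compares an authoritative HR export against a Salesforce user export and flags leavers who are still active, orphaned accounts, permission sets outside the role mapping, and stale licences. All field names, permission-set names, the role map, the 90-day threshold and the sample records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed HR export (authoritative identity events); field names are assumptions.
HR = {
    "alice@example.com": {"status": "active", "role": "sales_rep"},
    "bob@example.com": {"status": "terminated", "role": "sales_rep"},
    "carol@example.com": {"status": "active", "role": "support_agent"},
    "dave@example.com": {"status": "active", "role": "sales_rep"},
}
# Constructed Salesforce user export; not a real schema.
SF_USERS = [
    {"user": "alice@example.com", "active": True, "last_login": date(2024, 5, 28), "psets": {"SalesCore"}},
    {"user": "bob@example.com", "active": True, "last_login": date(2024, 5, 30), "psets": {"SalesCore"}},
    {"user": "carol@example.com", "active": True, "last_login": date(2024, 5, 29), "psets": {"SupportCore", "SalesCore"}},
    {"user": "dave@example.com", "active": True, "last_login": date(2024, 1, 10), "psets": {"SalesCore"}},
    {"user": "svc-old@example.com", "active": True, "last_login": None, "psets": {"ApiOnly"}},
]
# Hypothetical mapping of job function to approved permission sets.
APPROVED = {"sales_rep": {"SalesCore"}, "support_agent": {"SupportCore"}}

def audit(hr, sf_users, approved, today, stale_days=90):
    """Return (user, finding, detail) tuples for every active Salesforce account."""
    findings = []
    for u in sf_users:
        if not u["active"]:
            continue  # already deactivated, nothing to revoke
        person = hr.get(u["user"])
        if person is None:
            # No owner in the authoritative source: nobody's leaver event will ever fire.
            findings.append((u["user"], "orphaned", "no HR record"))
            continue
        if person["status"] != "active":
            # Access that outlived employment: revoke before looking at anything else.
            findings.append((u["user"], "leaver_still_active", person["status"]))
            continue
        # Least privilege as an ongoing decision: compare against the current role.
        extra = u["psets"] - approved.get(person["role"], set())
        if extra:
            findings.append((u["user"], "excess_permission_sets", ",".join(sorted(extra))))
        last = u["last_login"]
        if last is None or (today - last).days > stale_days:
            findings.append((u["user"], "stale_licence", str(last)))
    return findings

if __name__ == "__main__":
    for row in audit(HR, SF_USERS, APPROVED, today=date(2024, 6, 1)):
        print(*row, sep="\t")
```
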
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Salesforce governance fails when lifecycle management is treated as an administrative task instead of an access control. The article shows the same pattern across onboarding, subscription management, and deprovisioning: access is assigned, used, and removed through manual effort rather than governed by a reliable lifecycle. That creates the conditions for entitlement drift, over-allocation, and delayed revocation. Practitioners should treat Salesforce as an identity surface, not just a SaaS app.

A few things that frame the scale:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who should own Salesforce offboarding controls?

A: Ownership should sit with the identity or IGA function, working from authoritative identity events and business rules. If offboarding is left entirely to application admins, revocation becomes inconsistent and dependent on local process quality. The control must be central enough to ensure removal is complete and timely.

👉 Read our full editorial: Salesforce access governance and lifecycle control with Zluri



   