Salesforce license sprawl and offboarding gaps: what IAM teams need

TL;DR: Salesforce usage visibility, subscription optimisation, onboarding, and offboarding automation are the main themes in Zluri’s guide, with the strongest governance message centring on role-based access, timely revocation, and reducing manual license waste. The security issue is not just efficiency: access that outlives employment or role need creates avoidable exposure in identity programmes.

NHIMG editorial — based on content published by Zluri: Automation guide for getting more out of Salesforce by integrating with Zluri

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
• 5.7% of organisations have full visibility into their service accounts.

Questions worth separating out

Q: How should security teams govern Salesforce access across the employee lifecycle?

A: Security teams should connect Salesforce provisioning and revocation to joiner, mover, and leaver events so access follows role and status changes.

Q: When does Salesforce access become a security risk rather than an admin task?

A: It becomes a security risk when licences, groups, or permissions remain assigned after the business need has changed.

Q: What do teams get wrong about least privilege in SaaS apps like Salesforce?

A: Teams often treat least privilege as a one-time provisioning rule instead of an ongoing entitlement decision.

Practitioner guidance

• Inventory active Salesforce access Track licence holders, last access time, and feature usage in a single view so renewal decisions are based on evidence rather than assumed need.
• Automate joiner assignments by role Map departments, divisions, groups, and permission sets to approved job functions and use workflow rules to apply them consistently at onboarding.
• Tie offboarding to identity events Trigger Salesforce revocation when employment status changes and remove users from all related groups, divisions, and permissions in the same workflow.

What's in the full article

Zluri's full post covers the operational detail this post intentionally leaves for the source:

• Step-by-step Salesforce integration setup, including the credentials and fields required for the connection.
• Workflow examples for onboarding and offboarding users across departments, groups, and divisions.
• The specific in-app actions available for licence management and permission removal.
• Implementation notes on where the integration does not apply to certain Salesforce editions.

👉 Read Zluri's guide to Salesforce automation and access governance →

Salesforce license sprawl and offboarding gaps: what IAM teams need?

Explore further

View Full Forum →  |  NHI Foundation Course →