Security teams should connect Salesforce provisioning and revocation to joiner, mover, and leaver events so access follows role and status changes. The practical goal is to reduce manual drift, avoid lingering entitlements, and ensure that departments, groups, and permissions are removed together when access is no longer justified.
Why This Matters for Security Teams
Salesforce is rarely just a CRM. It often becomes a system of record for customer data, workflows, approvals, integrations, and exported reports, which means access decisions can create outsized business and security impact. If joiner, mover, and leaver events are not tied to Salesforce entitlements, teams end up with inactive users, stale permission sets, and department-level access that no longer matches job function. That is a common path to overexposure in platforms that support broad sharing and delegated administration.
Current guidance from NIST Cybersecurity Framework 2.0 emphasizes access governance as an operational control, not a one-time onboarding task. For SaaS platforms like Salesforce, that means access reviews, revocation, and exception handling must be continuous. NHIMG research in the NHI Lifecycle Management Guide also shows that lifecycle drift is a recurring pattern when identity changes are treated as isolated tickets instead of a synchronized control process. In practice, many security teams discover Salesforce privilege creep only after an offboarding delay, not through a deliberate entitlement design.
How It Works in Practice
Effective governance starts with defining Salesforce access as an identity lifecycle workflow, not a help desk request. Joiner, mover, and leaver events should trigger provisioning, reclassification, or revocation based on role, department, region, and business need. The practical objective is to ensure the user account, permission sets, public group membership, role hierarchy placement, and connected app access all change together.
A workable model usually combines HR signals, identity governance, and Salesforce-specific controls:
- Map HR status changes to Salesforce entitlements through automated workflows.
- Use role-based baselines for standard access, then add exceptions only for approved business needs.
- Review permission sets separately from profiles because additive privileges often hide excessive access.
- Remove or suspend access immediately on termination, then complete cleanup of groups, delegated admin rights, and API-related entitlements.
- Log every entitlement change so audit teams can verify who approved access, when it changed, and why.
That approach aligns with OWASP Non-Human Identity Top 10 thinking about lifecycle control and privilege minimisation, even though Salesforce here is a human-access use case. It also complements NHIMG guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, which treats lifecycle enforcement as the main defence against access drift. Where Salesforce is integrated with automation or service accounts, teams should also verify that access reviews cover non-human credentials connected to the same tenant.
Security teams should also watch for offboarding lag. A direct indicator from NHIMG research in The 2025 State of NHIs and Secrets in Cybersecurity is that 91% of former employee tokens remain active after offboarding, which is a reminder that revocation often fails at the operational layer, not the policy layer. These controls tend to break down in highly customized Salesforce orgs because role hierarchy, manual sharing rules, and integration accounts create overlapping access paths that automation does not always resolve cleanly.
Common Variations and Edge Cases
Tighter lifecycle control often increases administrative overhead, so organisations must balance speed of access against revocation assurance. That tradeoff becomes visible in sales-led environments where temporary access, contractor support, and rapid territory changes are common.
There is no universal standard for this yet, but current guidance suggests a few patterns. First, temporary access should be time-bound and automatically expired instead of left to manual cleanup. Second, movers should not receive cumulative access by default, because role changes often add privileges faster than they remove them. Third, leavers should be handled as a two-step event: immediate disablement followed by a controlled entitlement purge after business verification.
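The workflow from the bulleted model above (role-based baselines, exceptions only by approval, immediate disablement followed by cleanup, a log of every change) and the three patterns just listed (time-bound temporary access, non-cumulative movers, two-step leavers) can be written down as one reconciliation routine. The following is an added example, not NHIMG's or Salesforce's code: the Salesforce org is an in-memory model, the role baselines, permission set and group names, users and dates are constructed, and a real deployment would push each computed diff through an identity governance tool or the Salesforce admin APIs, which this code does not call.

```python
"""Joiner/mover/leaver reconciliation for Salesforce entitlements (added example,
not NHIMG's or Salesforce's code). The org is an in-memory model; a real deployment
would push each diff through an IGA tool or the Salesforce admin APIs, never called
here. Role baselines, permission set and group names, users and dates are constructed."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed role-based baselines: the standard access for each HR role.
BASELINES = {
    "sales_rep": {"perm_sets": {"Sales_User"}, "groups": {"All_Sales"}, "role": "Sales_Rep"},
    "sales_manager": {"perm_sets": {"Sales_User", "Forecast_Manage"}, "groups": {"All_Sales", "Sales_Leads"}, "role": "Sales_Manager"},
    "support": {"perm_sets": {"Service_User"}, "groups": {"All_Support"}, "role": "Support_Agent"},
}
D0 = date(2026, 1, 5)  # constructed start date for the demo scenario

Exception_ = namedtuple("Exception_", "perm_set approver expires")  # approved add-on, always with an expiry

@dataclass
class SfUser:
    username: str
    hr_role: str
    active: bool = True
    role: str = ""  # role hierarchy placement; empty once purged
    perm_sets: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)

class Tenant:
    """In-memory stand-in for one Salesforce org plus its entitlement audit log."""
    def __init__(self):
        self.users = {}
        self.audit = []  # rows of (date, username, action, detail, reason)

    def _log(self, today, user, action, detail, reason):
        self.audit.append((today.isoformat(), user, action, detail, reason))

    def desired(self, u, today):
        # Baseline for the current HR role plus only the exceptions that have not expired.
        base = BASELINES[u.hr_role]
        live = {e.perm_set for e in u.exceptions if e.expires >= today}
        return {"perm_sets": base["perm_sets"] | live, "groups": set(base["groups"]), "role": base["role"]}

    def reconcile(self, u, today, reason):
        """Diff current against desired entitlements, apply the diff, log each change.
        Rebuilding the target from the baseline means a mover keeps nothing from the
        old role and an expired exception is actively removed, not merely ignored."""
        want = self.desired(u, today)
        changes = []
        for kind in ("perm_sets", "groups"):
            have = getattr(u, kind)
            changes += [("add", kind, x) for x in sorted(want[kind] - have)]
            changes += [("remove", kind, x) for x in sorted(have - want[kind])]
        if u.role != want["role"]:
            changes.append(("set", "role", want["role"]))
        for action, kind, item in changes:
            if kind == "role":
                u.role = item
            else:
                (getattr(u, kind).add if action == "add" else getattr(u, kind).discard)(item)
            self._log(today, u.username, f"{action} {kind}", item, reason)
        u.exceptions = [e for e in u.exceptions if e.expires >= today]
        return changes

    def joiner(self, username, hr_role, today):
        u = self.users[username] = SfUser(username, hr_role)
        self._log(today, username, "create user", hr_role, "joiner")
        return self.reconcile(u, today, "joiner")

    def mover(self, username, new_role, today):
        u = self.users[username]
        old, u.hr_role = u.hr_role, new_role
        return self.reconcile(u, today, f"mover {old}->{new_role}")

    def exception(self, username, perm_set, approver, days, today):
        u = self.users[username]
        u.exceptions.append(Exception_(perm_set, approver, today + timedelta(days=days)))
        return self.reconcile(u, today, f"exception, approver {approver}, {days}d")

    def leaver_disable(self, username, today):
        """Leaver step one: immediate disablement; entitlements stay until verified."""
        self.users[username].active = False
        self._log(today, username, "deactivate", "", "leaver step 1")

    def leaver_purge(self, username, today, verified_by):
        """Leaver step two: purge groups, permission sets and role after business sign-off."""
        u = self.users[username]
        if u.active:
            raise RuntimeError("purge requires prior disablement")
        removed = sorted(u.perm_sets) + sorted(u.groups)
        u.perm_sets.clear(); u.groups.clear(); u.role, u.exceptions = "", []
        self._log(today, username, "purge entitlements", ",".join(removed), f"leaver step 2, verified by {verified_by}")
        return removed

def demo():
    """Walk one constructed user through join, exception, move, disable and purge."""
    t = Tenant()
    t.joiner("ana@example.com", "sales_rep", D0)
    t.exception("ana@example.com", "Forecast_Manage", "mgr@example.com", 14, D0)
    t.mover("ana@example.com", "support", D0 + timedelta(days=20))  # the exception has expired by now
    t.leaver_disable("ana@example.com", D0 + timedelta(days=40))
    t.leaver_purge("ana@example.com", D0 + timedelta(days=42), "hr@example.com")
    return t
```

The design choice that matters is that `reconcile` never edits entitlements incrementally: it recomputes the whole target from the HR role and the still-valid exceptions, then applies the difference. That single rule is what stops a mover from accumulating the old role's permission sets and what makes a temporary exception disappear on its expiry date without a manual ticket. `leaver_purge` refusing to run on an active account encodes the two-step leaver pattern, and every applied change lands in `audit` with the reason and approver, which is the record an audit team needs.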
Two edge cases deserve special attention. Shared admin accounts can mask individual accountability, so they should be replaced with named identities and strong audit logging wherever possible. Integration users are another blind spot because they are often exempted from normal offboarding workflows; if their permissions are tied to employee ownership, they should be revalidated whenever the owning team changes. NHIMG’s Top 10 NHI Issues and Guide to the Secret Sprawl Challenge both reinforce the broader lesson that lifecycle failures and access sprawl usually appear together. In Salesforce, the hardest failures happen when org complexity and manual exception handling are both high.
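The offboarding-lag indicator from the previous section and the two edge cases above (shared admin accounts with no named owner, integration users whose owning employee has left or moved teams) can all be checked from an HR roster joined against a Salesforce user export. Below is an added example, not NHIMG's or Salesforce's code: the two CSV blobs are constructed sample data, and the column names, the "Integration" profile label and the owner columns are assumptions rather than Salesforce field names; in practice the export would come from an identity governance connector or an admin report.

```python
"""Offboarding-lag and ownership checks over a Salesforce user export (added example,
not NHIMG's or Salesforce's code). Both CSV blobs are constructed sample data standing
in for an HR roster and a Salesforce user export; the column names, the "Integration"
profile label and the owner columns are assumptions, not Salesforce field names."""
import csv
import io
from datetime import date

HR_ROSTER = """\
employee_id,email,department,status,termination_date
E100,ana@example.com,Sales,active,
E101,ben@example.com,Sales,terminated,2026-05-20
E102,cara@example.com,Support,active,
E103,dan@example.com,Sales,terminated,2026-06-01
"""

SF_USERS = """\
username,profile,is_active,owner_email,owning_department
ana@example.com,Standard User,true,,
ben@example.com,Standard User,true,,
cara@example.com,Standard User,true,,
dan@example.com,Standard User,false,,
int.erp@example.com,Integration,true,ben@example.com,Sales
int.billing@example.com,Integration,true,cara@example.com,Sales
int.mkt@example.com,Integration,true,ana@example.com,Sales
sfadmin.shared@example.com,System Administrator,true,,
"""

AS_OF = date(2026, 6, 11)  # constructed review date


def load(blob):
    return list(csv.DictReader(io.StringIO(blob)))


def review(hr_blob, sf_blob, today):
    """Return (finding_type, username, detail) tuples for the access review pack."""
    hr = {row["email"]: row for row in load(hr_blob)}
    findings = []
    for u in load(sf_blob):
        name, active = u["username"], u["is_active"] == "true"
        if u["profile"] == "Integration":
            # Integration users sit outside normal offboarding, so validate the owning
            # employee instead: gone from HR, or moved out of the owning department.
            owner = hr.get(u["owner_email"])
            if owner is None or owner["status"] != "active":
                findings.append(("integration_owner_gone", name, u["owner_email"]))
            elif owner["department"] != u["owning_department"]:
                findings.append(("integration_owner_moved", name,
                                 f'{u["owning_department"]}->{owner["department"]}'))
            continue
        emp = hr.get(name)
        if emp is None:
            # Active account with no named employee behind it: a shared or generic login.
            if active:
                findings.append(("unmapped_account", name, u["profile"]))
        elif emp["status"] == "terminated" and active:
            # Offboarding lag: HR says the person has left, Salesforce still lets them in.
            lag = (today - date.fromisoformat(emp["termination_date"])).days
            findings.append(("offboarding_lag", name, f"{lag} days"))
    return findings
```

On the constructed data the review produces four findings: one terminated employee still active in Salesforce (with the lag in days, the metric to trend over time), one integration user whose owner has left, one whose owner moved to another department, and one administrator login with no employee behind it. The deactivated leaver produces nothing here because this export does not show residual groups or permission sets; the step-two purge needs a separate entitlement export.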
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Joiner-mover-leaver governance directly supports managing identities and access rights. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Lifecycle drift and stale entitlements mirror non-human identity access persistence risks. |
| NIST AI RMF | | Lifecycle governance supports accountability and risk management for identity-dependent systems. |
Define ownership, review cadence, and revocation triggers as part of identity risk governance.
Related resources from NHI Mgmt Group
- How should security teams govern access when lifecycle changes move faster than the platform can update?
- How should teams keep SaaS access audit-ready across the employee lifecycle?
- How should security teams govern access when users move across devices and cloud apps?
- How should security teams govern non-human identities in Salesforce?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org