Deprovisioning users securely isn't just a checkbox—it's a critical security and compliance requirement. I've seen healthcare orgs face HIPAA fines and financial firms get penalized for leaving terminated employees with access to sensitive data. Here’s how to do it right, based on 10+ enterprise implementations.
Never rely on HR to manually notify you. Integrate your HRIS (Workday, ADP) with Salesforce using native tools like the Identity Provider or third-party apps like Workato. When an employee leaves, the system auto-flags the user in Salesforce. In one financial client, we automated this—reducing "ghost users" by 95% in 6 months. If integration isn’t possible, use a *mandatory* 24-hour window: HR must send a deprovisioning ticket via ServiceNow *before* the employee’s last day. Delaying this risks data exfiltration—like when a departing sales rep exported 10K+ lead records via Data Loader.
Many admins assume deprovisioning is complete when the user is disabled. It’s not. Run these SOQL queries to check for lingering access. First, disabled users who still hold a role:
SELECT Id, Name, ProfileId, UserRoleId FROM User WHERE IsActive = false AND UserRoleId != null ORDER BY Name
Then, disabled users who are still members of a public group or queue (GroupMember stores the member in UserOrGroupId):
SELECT Id, Name, ProfileId FROM User WHERE IsActive = false AND Id IN (SELECT UserOrGroupId FROM GroupMember) ORDER BY Name
Together these find disabled users still holding roles or sitting in groups and queues. In a manufacturing client, this check revealed 17 disabled users still in an "Engineering Access" group—exposing BOM data. Always run both *before* closing the ticket.
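The same lingering-access check, written as an offline audit over constructed sample records so the logic can be read and tested without an org. This is an added example, not code from the original article: the records below are made up and shaped like the User, Group, GroupMember and PermissionSetAssignment objects, and it goes one step past the article by also flagging permission set assignments, on the assumption that your ticket treats those as in scope.

```python
"""Lingering-access audit for deactivated Salesforce users, run over
constructed sample records (added example; not from the original article).

A deactivated user who still holds a role, a public group or queue
membership, or a permission set assignment is reported as a finding.
"""
from dataclasses import dataclass

# Constructed sample data shaped like User, Group, GroupMember and
# PermissionSetAssignment rows. All IDs are made up.
USERS = [
    {"Id": "005000000000001", "Name": "A. Disabled", "IsActive": False, "UserRoleId": "00E000000000001"},
    {"Id": "005000000000002", "Name": "B. Disabled", "IsActive": False, "UserRoleId": None},
    {"Id": "005000000000003", "Name": "C. Active", "IsActive": True, "UserRoleId": "00E000000000001"},
    {"Id": "005000000000004", "Name": "D. Clean", "IsActive": False, "UserRoleId": None},
]
GROUPS = {
    "00G000000000001": {"Name": "Engineering Access", "Type": "Regular"},
    "00G000000000002": {"Name": "Support Queue", "Type": "Queue"},
}
GROUP_MEMBERS = [
    {"GroupId": "00G000000000001", "UserOrGroupId": "005000000000002"},
    {"GroupId": "00G000000000002", "UserOrGroupId": "005000000000003"},
    {"GroupId": "00G000000000002", "UserOrGroupId": "005000000000001"},
]
PERMSET_ASSIGNMENTS = [
    {"AssigneeId": "005000000000002", "PermissionSetId": "0PS000000000001"},
]


@dataclass
class Finding:
    user_id: str
    user_name: str
    kind: str    # "role", "group", "queue" or "permission_set"
    detail: str  # role id, group name or permission set id


def find_lingering_access(users, groups, group_members, permset_assignments):
    """Return one Finding per access grant still attached to a deactivated user."""
    inactive = {u["Id"]: u for u in users if not u["IsActive"]}
    findings = []
    # Roles: the role id lives on the User record itself.
    for u in inactive.values():
        if u.get("UserRoleId"):
            findings.append(Finding(u["Id"], u["Name"], "role", u["UserRoleId"]))
    # Group and queue memberships: GroupMember.UserOrGroupId may also point at a
    # nested group, which is why the lookup into inactive users can miss.
    for gm in group_members:
        u = inactive.get(gm["UserOrGroupId"])
        if u is None:
            continue
        g = groups[gm["GroupId"]]
        kind = "queue" if g["Type"] == "Queue" else "group"
        findings.append(Finding(u["Id"], u["Name"], kind, g["Name"]))
    # Permission set assignments survive deactivation as well.
    for psa in permset_assignments:
        u = inactive.get(psa["AssigneeId"])
        if u is not None:
            findings.append(Finding(u["Id"], u["Name"], "permission_set", psa["PermissionSetId"]))
    return sorted(findings, key=lambda f: (f.user_name, f.kind, f.detail))


def users_with_findings(findings):
    """Distinct user ids that still need cleanup, for the ticket summary."""
    return sorted({f.user_id for f in findings})


if __name__ == "__main__":
    for f in find_lingering_access(USERS, GROUPS, GROUP_MEMBERS, PERMSET_ASSIGNMENTS):
        print(f"{f.user_name}: still has {f.kind} -> {f.detail}")
```

In a real run the four inputs come from the corresponding SOQL queries; keeping the logic separate from the data source is what lets you unit-test the check and re-run it against the ticket before closure.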
Deleting a user isn’t enough. Reassign records *before* disabling the account. Use these rules:
In healthcare, a terminated nurse’s patient records were left unassigned, causing a compliance audit failure. Now, we auto-reassign via a Flow triggered on deprovisioning.
Deprovisioning isn’t complete until you’ve cleared access in *all* connected systems. Example: A client used Salesforce + Service Cloud. They disabled the user in Salesforce but forgot to revoke their Service Cloud API key. The user still accessed cases via a mobile app for 3 days. Always:
Compliance teams demand proof. Log *every* step in a shared ticket (e.g., ServiceNow ticket #12345):
A retail client failed a SOC 2 audit because they couldn’t prove reassignment of 50+ abandoned Opportunities. Documenting this saved them $200K in remediation costs.
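To show the ordering the sections above argue for (reassign before disabling, clear memberships and roles, revoke connected-system credentials, deactivate, then verify and log every step), here is an added example run against an in-memory stand-in for an org. It is not the article's code and not a real Salesforce API: the Org and ConnectedSystem classes are constructed stubs that hold the same fields the real objects expose (OwnerId, IsActive, UserRoleId, GroupMember pairs), the ids and the ticket number are placeholders, and the evidence log is the kind of record you would attach to the ticket.

```python
"""Ordered deprovisioning with an evidence log, run against an in-memory
stand-in for a Salesforce org plus one connected system.

Added example, not the article's code and not a real Salesforce API; Org and
ConnectedSystem are constructed stubs with made-up ids.
"""
from datetime import datetime, timezone


class Org:
    """Minimal in-memory model of the Salesforce objects the run touches."""

    def __init__(self):
        self.users = {
            "005A": {"Name": "Departing Rep", "IsActive": True, "UserRoleId": "00E1"},
            "005B": {"Name": "Manager", "IsActive": True, "UserRoleId": "00E1"},
            "005C": {"Name": "Already Gone", "IsActive": False, "UserRoleId": None},
        }
        # Opportunity-like records: Id -> OwnerId
        self.records = {"006X": "005A", "006Y": "005A", "006Z": "005B"}
        # (GroupId, UserOrGroupId) pairs, as in GroupMember
        self.group_members = {("00G1", "005A"), ("00G1", "005B"), ("00G2", "005A")}

    def reassign_records(self, from_user, to_user):
        moved = [rid for rid, owner in self.records.items() if owner == from_user]
        for rid in moved:
            self.records[rid] = to_user
        return len(moved)

    def remove_group_memberships(self, user_id):
        gone = {m for m in self.group_members if m[1] == user_id}
        self.group_members -= gone
        return len(gone)

    def clear_role(self, user_id):
        self.users[user_id]["UserRoleId"] = None

    def deactivate(self, user_id):
        self.users[user_id]["IsActive"] = False


class ConnectedSystem:
    """Stand-in for a system that issued its own credentials to the user."""

    def __init__(self):
        self.api_keys = {"key-1": "005A", "key-2": "005B"}

    def revoke_for(self, user_id):
        revoked = [k for k, owner in self.api_keys.items() if owner == user_id]
        for k in revoked:
            del self.api_keys[k]
        return len(revoked)


class DeprovisionError(Exception):
    pass


def deprovision(org, connected, user_id, reassign_to, ticket):
    """Run every step in order and return the evidence log for the ticket."""
    # Refuse up front: records handed to an inactive owner are just orphaned again.
    if not org.users[reassign_to]["IsActive"]:
        raise DeprovisionError(f"reassignment target {reassign_to} is not active")
    log = []

    def record(action, result):
        log.append({"ticket": ticket, "user": user_id, "action": action,
                    "result": result, "at": datetime.now(timezone.utc).isoformat()})

    # 1. Reassign owned records while the account is still active.
    record("reassign_records", f"{org.reassign_records(user_id, reassign_to)} -> {reassign_to}")
    # 2. Remove group and queue memberships, which the disable step does not touch.
    record("remove_group_memberships", org.remove_group_memberships(user_id))
    # 3. Clear the role.
    org.clear_role(user_id)
    record("clear_role", "done")
    # 4. Revoke credentials issued by connected systems.
    record("revoke_connected_credentials", connected.revoke_for(user_id))
    # 5. Deactivate the Salesforce user.
    org.deactivate(user_id)
    record("deactivate", "done")
    # 6. Verify nothing is left before the ticket can be closed.
    leftovers = []
    if any(owner == user_id for owner in org.records.values()):
        leftovers.append("owned records")
    if any(m[1] == user_id for m in org.group_members):
        leftovers.append("group memberships")
    if org.users[user_id]["UserRoleId"]:
        leftovers.append("role")
    if user_id in connected.api_keys.values():
        leftovers.append("connected-system credentials")
    if org.users[user_id]["IsActive"]:
        leftovers.append("still active")
    if leftovers:
        record("verify", "FAILED: " + ", ".join(leftovers))
        raise DeprovisionError("lingering access: " + ", ".join(leftovers))
    record("verify", "clean")
    return log


if __name__ == "__main__":
    org, connected = Org(), ConnectedSystem()
    for entry in deprovision(org, connected, "005A", "005B", "TICKET-PLACEHOLDER"):
        print(entry["at"], entry["action"], entry["result"])
```

The verify step is the part auditors care about: the log ends with a timestamped "clean" entry only if every earlier step actually took effect, and a failed verification leaves a "FAILED" entry on the ticket rather than a silent gap.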
Secure deprovisioning isn’t complicated—it’s about process discipline. Automate where possible, verify relentlessly, and document every step. If your org still relies on manual checks, you’re a security risk waiting to happen.
Stop guessing if your deprovisioning is secure. Get a free Salesforce Health Scan—we’ll audit your user access, orphaned records, and security gaps in minutes. No sales pitch, just actionable insights.