Admins / Architects / Developers / Platform

Salesforce User Provisioning: 5 Ways to Add and Update Users

By Tom Bassett

When it comes to Salesforce User Provisioning, you may already have a process for using this. Whether it’s manually adding users or letting these sync from another system, there are many different ways to set up users with the right permissions. 

In this article, we will explore five different ways to make User Provisioning a breeze, no matter what method you choose. 

Key Terms

During this article, I’ll be using some technical terms and phrases which I’ve defined below. 

  • SCIM (System for Cross-domain Identity Management): In simple terms it provides a schema for users and groups that is accessible via an API. 
  • JIT (Just-in-Time): Users are created just in time when they log in for the first time. 
  • SSO (Single Sign On): Enables users to sign in to Salesforce with something like a Google or OneLogin account. 
  • Identity Connect: An add-on from Salesforce that creates or updates users from Active Directory and can also provide single sign-on. This is currently in phased retirement. 
  • SAML (Security Assertion Markup Language): A common standard that is usually coupled with SSO to exchange user information in a structured way. 

The Challenge 

Setting up Users in Salesforce has many layers. As well as defining attributes like first name and email address, you need to consider Profiles, Permission Sets, Permission Set Groups, Roles, Public Groups, Permission Set Licenses, and more! 

This is a little like layers of an onion – what you assign a user impacts what they can or can not do in the system.  If you have complex business logic for designing who gets what, you can easily create an overhead of managing user setup and keeping your system secure. 

1. Manual Provisioning

If you have a small pool of users, it may be fine to set up users manually and adjust permissions as required. If you have batches of users to insert at a time, you can use a tool such as Data Loader or Add Multiple Users to get the job done quicker.

For this method of User Provisioning, you’d need to consider a notification mechanism to either freeze or deactivate users when they no longer need access to the org. As this process is typically manual, it’s more prone to errors. As a result, users could end up with too much or too little access. 

Interface of Add Multiple Users from Salesforce Setup

2. User Access Policies

User Access Policies allow you to automatically add or remove permissions based on certain criteria. Using clicks-not-code, you can automate the allocation of Permission Sets, Permission Set Groups, Permission Set Licenses, Queues, Groups and more. 

Policies are initially set to draft while you configure criteria and actions. Once you are ready, you can then activate a policy so that it applies to new or edited users (or both). From the policy itself, you can also apply the policy as a one-time action against users who currently meet the criteria. 

3. SCIM API

Salesforce has a SCIM API which can be used to create or update users.

While you can also update user roles, assign permission sets, and update public group membership, this option is limited as it doesn’t support all user attributes (e.g. Marketing User). Realistically, you’d need to use multiple calls as this relies heavily on Salesforce IDs.

4. JIT Provisioning

Using the power of Apex, when a user logs in for the first time via SSO, you can automatically create a user record at the same time and perform other logic too. The purpose of this functionality is to create users just in time which will help to only assign licenses when they are needed. 

This can be implemented for Salesforce, Experience Cloud, and Portals. As this uses Apex, you’ll need a Developer skill set to customize the standard logic for your exact business processes while also considering error handling.

5. Third-Party Tools

As well as native features and APIs, third-party tools can also help with user provisioning. 

OKTA, Microsoft Entra, and Sailpoint are among the tools that can be used to automate the setup of users, ensuring they have the necessary level of access.

The advantage of these tools is that if user information is mastered elsewhere, such as Active Directory, these can push updates into Salesforce automatically from the source of truth. The nature of these tools means that they will often come with license costs of their own.

Summary

User provisioning can be a minefield, so hopefully this article goes some way to help define the options available. 

Below is a menu of different options available at your disposal depending on your exact use case or business processes. 

Resources

The Author

Tom Bassett

#AllStarArchitect working in the UK as a Solution Architect. 30x Trailhead Certified, 11x Accredited Professional, 2x Slack Certified with 6+ years experience of working on the platform.

Leave a Reply