This week’s blog will cover top 3 Salesforce user management tips for admins looking to get a bit more efficiency out of their Salesforce org. Whether you are are provisioning a new Salesforce org or simply looking to ensure your current users are set up right, a review of user management is a must. Salesforce admins can be dragged down by the management of your user base. Users are a critical component to your Salesforce instance and ensuring they have access to the right data and functions within the tool is always something worth re-visiting.
1. Know Your Roles
A role is within the Salesforce hierarchy set up and is critical for your users. Roles determine what the user views vs the actual page layout (profiles). A great video from Salesforce which explains how roles work can be found here. To fully understand the how roles work, you need to be familiar with the concept of organization-wide defaults and how data visibility works by default. We know that owners of records, by default can create, view, edit and delete the records that they own. If the org-wide defaults are set to private, the no one in the organization has access to those records, except through the role hierarchy. With that being said, here is where it gets interesting, by default, data flows up the hierarchy. So, in an organization where record access is set to private, managers have at least read access to the records owned by their subordinates. As an admin, make sure your roles are set up right and reflect the what is needed to be seen by your users. As organizations change (company reorgs), you may need to revisit how your role hierarchy is set up. Below is a simple screenshot of a role hierarchy set up.
2. Profile Management
Standard profiles are included with Salesforce out of the box and object-level and user permissions cannot be changed on these standard profiles. However, as an admin you know custom profiles are created and can be fully customized. Custom profiles can even be deleted while standard profiles never can be deleted. Below is a screenshot of some standard out of the box profiles that come with Salesforce.
A user Profile determines what a user can do in the system. By default, the System Administrator profile can do the most; the Read Only profile can do the least. For most users, the Standard User Profile is a good choice: it lets people create and edit most records, as well as access and run reports. Modify Profile permissions only as needed. For example, the default Standard User profile does not let the user manage Campaigns. Check the Marketing User checkbox to add this capability for a user, but only if the user actually needs regular access to campaign controls. When configuring users for your company make sure to follow the principle of least privilege: provide your people with only the Profile permissions necessary to accomplish their work, but no more. Giving everyone System Administrator privileges is not recommended, although its an easy out. Instead, match access level with organizational responsibilities. One of the most common mistakes that Salesforce administrators make is to extend Platform User status to too many people. Platform Users can access third-party applications that tie into your Salesforce database. Certain users absolutely need to access third-party Salesforce Apps; that’s why you installed the applications. That said, third-party apps can do a great deal of damage if improperly configured or utilized, and the last thing you want is a number of bored or curious account reps “playing around” with Platform apps in their spare time. That’s how widespread data corruption happens. Once someone has been properly trained on a third-party app, you can extend them Platform User privileges. Until then, keep them at Standard user or below. Remember, least privilege, not most.
One of my favorite tools to manage profiles is PermComparator. This tool is web-based and allows you to compare up to four profiles at a time and as an administrator can save you lots time. Use it to clean out and reduce your profile count if needed. In the end, you should do a complete profile review once a year to ensure your profiles are in alignment with where your company is at the given time.
3. Automate User Provisioning
One of the key learnings in my experience working with Salesforce and any system management is all about automation. If you can figure out a way to automate key aspects of the system, then do it. User management is no different and should be automated if it allows. Typically in larger organizations HR will provision new hires with a record, email address and other key identifiers for the employee. Salesforce should be a part of this on boarding and off boarding process. Work with other IT and business orgazniations to set up an automated user provisioning process for your new Saleforce users, this will save you both time and money in the long run. Remember, this should be the same for users which need to be de-activated. You certainly don’t want users to be able to access your customer data after they have left.
Good luck with your administration of users and hope this blog on the top 3 Salesforce user management tips has helped you. As always, reach out to me if you have any questions!
Hector Perez Jr