For any modern enterprise, Salesforce is more than just a CRM; it’s a critical hub for customer data and business operations. Managing user access for such a vital system at scale presents a significant challenge. 

Ensuring the right people have the right access at the right time is a cornerstone of security and productivity. That’s why we recently undertook a major initiative: completely automating our Salesforce user lifecycle with Okta Identity Governance.

Moving beyond manual processes

Our previous process for managing Salesforce access involved multiple systems and manual steps. One team initiated requests in one system, and another team handled provisioning. This process caused several challenges:

  • Inefficiency: The process was slow for users, who had to wait for access, and it created a significant time commitment for our IT and application support teams.
  • Security gaps: Manual deprovisioning could cause delays, leaving standing access open longer than necessary when an employee changes roles or leaves the company.
  • Lack of scalability: As the organization grew, the volume of manual requests became unsustainable.

Our goal: To create a secure, efficient, and scalable end-to-end automated process for Salesforce access, from onboarding to offboarding.

Automation transformation in four acts

We approached this project not as a single "flip the switch" event, but as an evolution. The journey was about progressively layering automation to build a comprehensive and intelligent system.

Our initial step was to connect Salesforce to our central identity platform. From there, we evolved the integration:

  1. Automated provisioning: We started by automating user account creation.
  2. Birthright access: We then implemented "birthright" policies, meaning the system automatically grants a baseline set of permissions based on a user's role and attributes from our HRIS. For example, a new sales team member automatically gets the standard sales profile on day one without filing a ticket.
  3. Self-service and bundles: We moved access requests from a legacy ticketing system into the Okta Access Requests catalog. We grouped common permissions into "bundles," allowing users to request a specific set of entitlements for a project, which are then routed for approval.
  4. Intelligent license management: A key evolution was tackling license costs. We built a workflow that identifies users who haven't logged in to Salesforce for 90 days and automatically deactivates their accounts, freeing up expensive licenses while maintaining their data.

Under the hood: How our automation works

We built this powerful automation on the core features of Okta Identity Governance:

  • Policy-based automation: We defined clear policies that dictate who gets access to what. For instance, a policy might state, "All full-time employees in the Marketing department get access to Salesforce with the 'Marketing User' profile." 
  • Entitlement bundles: Instead of users requesting individual, granular permissions, they can request a "Project Analyst" bundle that contains all the necessary access for that role. This simplifies the process for users and approvers.
  • Automated workflows for deprovisioning: When a user's status changes in our HR system (e.g., termination), a workflow deactivates the user's Salesforce account automatically and revokes their access, ensuring no security gaps.

Automation advantage

Shifting from a manual to an automated model has delivered significant benefits:

  • Enhanced security: By tightly coupling access to the user's status in our HR system, we ensure instant access removal when it's no longer needed. This drastically reduces the risk associated with standing privileges.
  • Operational efficiency: Our IT and business application teams have been freed from the high volume of manual provisioning and deprovisioning tasks, allowing them to focus on more strategic initiatives. 
  • Improved user experience: Employees get the access they need faster, often on their first day, without lengthy ticket queues.
  • Clear audit trails and compliance: Every access grant, modification, and revocation is automated and logged, providing a clear, auditable trail for our compliance and security teams.

What's next?

This project has built a strong foundation for identity governance. Our next step: layering on Okta Access Certifications. This will allow us to schedule periodic campaigns where managers and application owners can review and recertify their team's access to Salesforce, ensuring the principle of least privilege is maintained throughout the entire user lifecycle.

Take the next step toward a fully automated and secure future with OIG Access Certifications. Connect with a Sales expert today to discuss transforming your organization's processes.
