The User object in Salesforce represents an employee with a product license. This object is linked to various permissions and many other important systems inside of Salesforce. But when an employee leaves the company, there is no way to delete the User object. Users can be made inactive, but many of the connections they have to the Salesforce Org will still remain. We often see Orgs that have more inactive users than active ones. In this manner, inactive Users can haunt your Salesforce Org, cluttering up the system, and leaving optimization and security problems in their wake.
Administrators need a clear picture of the connections between active and inactive Users and their Salesforce Org. There are Permission Assignments that control what Users can see and do. Users who are members of a Role, Group, or Queue can also have access to sensitive data. There are important Metadata Assets that are connected to individual Usernames and also store raw email addresses that are used for notifications and approvals. Users can also be the owners of both Standard and Custom Objects. Understanding the connections between Users and your Salesforce Org is a vital part of Org Management, compliance, and security.
In order to assist admins with this task, Snapshot has introduced a new report called User Connection Cleanup. This report will document all of the connections between active and inactive Users and your Salesforce Org. You can select the connection types that you want to focus on, or choose all types. This report interface can also clean up these connections. In some situations objects are deleted, and in others the inactive User is replaced with an active one. Lastly, all of the objects owned by an inactive User can be transferred to another User as well.
Selecting Users
The User Connection Cleanup report is available for any Snapshot Item; look under the Optimize section of the Options Menu. In the upper left of the dialog is an option to Select Users. This will allow you to find up to 2500 Users for the report. The Users can be active or inactive and can have any Salesforce license. There are many ways to select them, including by Name, Role, Profile, Permission, or Last Login Date. To get started, look for active or inactive Users in your Org with the Standard License. Move them into the list at right and click OK.
Selecting Connections
Back on the main screen you will see all of the available Connection Types. While we were building this application, we were shocked to see how many different ways a User can be connected to a Salesforce Org! There are over 50 different places for inactive Users to hide out in Salesforce.
Simply click on the connections that you want to include in the report. Like other Snapshot reports, you can see the report for the currently selected User under the Preview Tab, and if you select multiple Users with the checkboxes, a comprehensive report about all of them is available under the Display Report Tab.
Here are some of the different types of connections that the new User Connection Cleanup report can document for you:
- User Permissions
Users are connected to a single Profile, and have junction objects for Permission Sets, Permission Set Groups, and Permission Set Licenses. Check these boxes to include information about Permissions in the report.
- User Licenses
Users are connected to various licenses, including the Org License, Package Licenses, and Permission Set Licenses. Check these boxes to include information about Licenses in the report. By the way, an inactive User can be assigned an active license to a partner product.
- Data Connections
Users are often connected to other Users. Examples of this are Delegated Approvers and User Managers. Bad things happen if an active User is reporting to an inactive manager. Lastly, User membership in Groups, Roles, and Queues can control record visibility, among other things.
- Metadata Links
There are dozens of Metadata Assets that include a username. There are Running Users for Analytic Snapshots and Dashboards. There are named approvers for Approval Processes, Assigned Users for Escalation Rules, and Administrators for Portals. The list goes on and on. In some cases, the Metadata Asset will stop working when the User becomes inactive. A famous example of this is the Running User for a Dashboard.
- Email Addresses
If that weren’t bad enough, in other cases the raw email address belonging to an inactive User is left lurking in your Org. You can make the User inactive, but if you don’t turn off their corporate email then they will still get email messages from the Org! And of course, if they are a consultant or you do not have control of the email address then there is no way to cut off the email for this User. Examples of this problem include Apex Error Notifications, Auto Response Messages, Case Routing, Connected App Contacts, Escalation Actions, and Workflow Emails.
- Team Members
Inactive Users can be assigned to Account, Case, and Opportunity Teams. In most cases this is historical information and may not require cleanup, but we recommend removing inactive Users from open Opportunity Teams. At any rate, these connections are useful for reporting purposes.
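As an added illustration (not Snapshot's code and not part of the original article), the sketch below runs the same kind of check over constructed records shaped like exports of the User, PermissionSetAssignment, GroupMember, and UserPackageLicense objects. The flattened column names such as `PermissionSet.Name`, the shortened Ids, and all sample values are assumptions.

```python
# Constructed sample records shaped like Salesforce exports (not real data).
USERS = [
    {"Id": "005A", "Username": "alice@example.com", "IsActive": True,
     "ManagerId": "005B", "DelegatedApproverId": None},
    {"Id": "005B", "Username": "bob@example.com", "IsActive": False,
     "ManagerId": None, "DelegatedApproverId": None},
    {"Id": "005C", "Username": "carol@example.com", "IsActive": True,
     "ManagerId": "005A", "DelegatedApproverId": "005B"},
    {"Id": "005D", "Username": "dan@example.com", "IsActive": False,
     "ManagerId": None, "DelegatedApproverId": None},
]
PERM_ASSIGNMENTS = [
    {"AssigneeId": "005B", "PermissionSet.Name": "Export_Reports"},
    {"AssigneeId": "005A", "PermissionSet.Name": "Sales_Ops"},
]
GROUP_MEMBERS = [  # UserOrGroupId may be a nested group rather than a user
    {"UserOrGroupId": "005B", "Group.Name": "Tier 2 Support"},
    {"UserOrGroupId": "00G1", "Group.Name": "All Sales"},
]
PACKAGE_LICENSES = [{"UserId": "005D", "PackageLicense.NamespacePrefix": "partnerpkg"}]

def audit_user_connections(users, perm_assignments, group_members, package_licenses):
    """Return sorted (username, connection type, detail) findings."""
    by_id = {u["Id"]: u for u in users}
    inactive = {uid for uid, u in by_id.items() if not u["IsActive"]}
    findings = []
    # Junction records that still point at an inactive user.
    junctions = [
        (perm_assignments, "AssigneeId", "PermissionSet.Name", "Permission Set"),
        (group_members, "UserOrGroupId", "Group.Name", "Group/Queue"),
        (package_licenses, "UserId", "PackageLicense.NamespacePrefix", "Package License"),
    ]
    for records, user_field, detail_field, label in junctions:
        for rec in records:
            if rec[user_field] in inactive:
                owner = by_id[rec[user_field]]["Username"]
                findings.append((owner, label, rec[detail_field]))
    # Active users who report to, or delegate approvals to, an inactive user.
    links = (("ManagerId", "Inactive Manager"),
             ("DelegatedApproverId", "Inactive Delegated Approver"))
    for user in users:
        for field, label in links:
            if user["IsActive"] and user.get(field) in inactive:
                findings.append((user["Username"], label, by_id[user[field]]["Username"]))
    return sorted(findings)

if __name__ == "__main__":
    for row in audit_user_connections(USERS, PERM_ASSIGNMENTS, GROUP_MEMBERS, PACKAGE_LICENSES):
        print(*row, sep=" | ")
```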
Cloning Users
Anywhere in the report interface you can right-click a User and Edit their information, Edit the active and inactive status of Multiple Users, or select an option to Clone the currently selected User.
The clone user capability is very powerful and allows you to make a new User look like an existing one. This interface can clone the Permission Set, Permission Set Group, Permission Set License, and Package License Assignments. You can also clone the Group, Queue, and Team Membership Assignments.
User Cleanup
The second Tab provides an interface to clean up the connections for the currently selected Users. Normally you will want to use this capability to clean up inactive Users, but you can also use this interface with active Users. In any case, you will need to select one active replacement User. Their Username and email address will be used to replace the inactive Users in some situations. In other situations, junction objects will be deleted. Some of the connections allow you to choose to either delete the junction object or transfer the connection to the replacement User.
At upper left you can choose Test Run Only, Stop After Error, or Continue After Error. A test run lets you see everything that is going to happen before changes are made to a live Salesforce Org. All of the information is printed out in the report window at right.
Owner Cleanup
The third Tab provides an interface to transfer Record Ownership from the currently selected Users to the replacement User. Normally you will want to use this capability to clean up inactive Users, but you can also use this interface with active Users. The report will show you how many Objects are owned by each User in the list. Then you can choose to transfer ownership for any number of objects as needed. There is a “Search Objects” button at the bottom of the middle list that will scan all objects for User references. This takes a few minutes, but after the scan is completed there will be many more objects shown in the center list, and at that point any User connection to any object can be selected for replacement.
User Management Suite
The new User Connection Cleanup report joins a host of other User Management capabilities in Snapshot. Other reports include User Activity Timeline, User Permission Assignment, and the Relationship Hierarchies report. The capability for User Connection Cleanup is the first time that an admin can get a comprehensive view of all of the hidden ways that Users are connected to an Org. The ability to finally clean up all of this clutter is a nice step towards better compliance and security. Let us know if the new User Connection Cleanup report is working for you, and how we can help.
Join our User Connection Cleanup webinar on September 15th to learn more!
Bill Appleton
CTO Metazoa