The User object in Salesforce represents an employee with a product license. This object is linked to various permissions and many other important systems inside of Salesforce. But when an employee leaves the company, there is no way to delete the User object. Users can be made inactive, but many of the connections they have to the Salesforce Org will still remain. We often see Orgs that have more inactive users than active ones. In this manner, inactive Users can haunt your Salesforce Org, cluttering up the system, and leaving optimization and security problems in their wake.

Administrators need a clear picture of the connections between active and inactive Users and their Salesforce Org. There are Permission Assignments that control what Users can see and do. Users that are a member of a Role, Group, or Queue can also have access to sensitive data. There are important Metadata Assets that are connected to individual Usernames and also store raw email addresses that are used for notifications and approvals. Users can also be the owners of both Standard and Custom Objects. Understanding the connections between Users and your Salesforce Org is a vital part of Org Management, compliance, and security.

In order to assist admins with this task, Snapshot has introduced a new report called User Connection Cleanup. This report will document all of the connections between active and inactive Users and your Salesforce Org. You can select the connection types that you want to focus on, or choose all types. This report interface can also clean up these connections. Various objects are deleted and in other situations the inactive User is replaced with an active one. Lastly, all of the objects owned by an inactive user can be transferred to another User as well.

Selecting Users

The User Connection Cleanup report is available for any Snapshot Item, look under the Optimize section of the Options Menu. In the upper left of the dialog is an option to Select Users. This will allow you to find up to 2500 Users for the report. The Users can be active or inactive and can have any Salesforce license. There are many ways to select them, including by Name, Role, Profile, Permission, or Last Login Date. To get started, look for Inactive Users in your Org with the Standard License. Move them into the list at right and click OK.

Selecting Connections

Back on the main screen you will see all of the available Connection Types. While we were building this application, we were shocked to see how many different ways a User can be connected to a Salesforce Org! There are over 40 different places for inactive Users to hide out in Salesforce.

Simply click on the connections that you want to include in the report. Like other Snapshot reports, you can see the report for the currently selected User under the Preview Tab, and if you select multiple Users with the checkboxes, a comprehensive report about all of them is available under the Display Report Tab.

Here are some of the different types of connections that the new User Connection Cleanup report can document for you:

  • User Permissions

Users are connected to a single Profile, and have junction objects for Permission Sets, Permission Set Groups, and Permission Set Licenses

  • Data Connections

User are often connected to other Users like Delegated Approvers and User Managers. Bad things happen is an active User is reporting to an inactive manager. There are also important junction objects like Package License. Did you know that an inactive User can be assigned a license to a partner product? Lastly, User membership in Groups, Roles, and Queues can control record visibility among other things.

  • Metadata Links

There are dozens of Metadata Assets that include a username. There are Running Users for Analytic Snapshots and Dashboards. There are named approvers for Approval Processes, Assigned Users for Escalation Rules, and Administrators for Portals. The list goes on and on. In some cases, the Metadata Asset will stop working when the User becomes inactive. A famous example of this is the Running User for a Dashboard.

  • Email Addresses

If that weren’t bad enough, in other cases the raw email address belonging to an inactive User is left lurking in your Org. You can make the User inactive, but if you don’t turn off their corporate email then they will still get email messages from the Org! And of course, if they are a consult or you do not have control of the email address then there is no way to stop sending emails to an inactive User. Examples include Apex Error Notifications, Auto Response Messages, Case Routing, Connected App Contacts, Escalation Actions, and Workflow Emails.

  • Team Members

Inactive Users can be assigned to Account, Case, and Opportunity Teams. In most cases this is historical information and may not require cleanup but we recommend removing inactive Users from open Opportunity Teams. At any rate, these connections are useful for reporting purposes.

Cloning Users

Anywhere in the report interface you can right-click a User and Edit their information, Edit the active and inactive status of Multiple Users, or select an option to Clone the currently selected User.

Anywhere in the report interface you can right-click a User and Edit their information, Edit the active and inactive status of Multiple Users, or select an option to Clone the currently selected User.

User Cleanup

The second Tab provides an interface to clean up the selected connections of the currently selected Users. Normally you will want to use this capability to clean up inactive Users, but you can also use this with active Users as well. In any case, you will need to select one active replacement User. Their Username and email address will be used to replace the inactive Users in some situations. In other situations, junction objects will be deleted.

At upper left you can choose Test Run Only, Stop After Error and Continue After Error. This lets you see everything that is going to happen before changes are made to a live Salesforce Org. All of the information is printed out in the report window at right.

Owner Cleanup

The third Tab provides an interface to transfer the Ownership of the currently selected Users to the replacement User. Normally you will want to use this capability to clean up inactive Users, but you can also use this with active Users as well. The report will show you how many Objects are Owned by each User in the list. Then you can choose to transfer ownership for any number of objects as needed.

User Management Suite

The new User Connection Cleanup report joins a host of other User Management capabilities in Snapshot. Other reports include User Activity Timeline, User Permission Assignment, and the Relationship Hierarchies report. The capability for User Connection Cleanup is the first time that an admin can get a comprehensive view of all of the hidden ways that Users are connected to an Org. The ability to finally clean up all of this clutter is a nice step towards better compliance and security. Let us know if the new User Connection Cleanup report is working for you, and how we can help.

Join our User Connection Cleanup webinar on September 15th to learn more!


Bill Appleton

CTO Metazoa