Users May Come and Go, But Their Records Must Live On….


These days people change jobs more than ever. And this means that your Salesforce users are constantly changing and shifting – folks leaving the company and new users being added when you add licenses or new services. As an Admin what do we do about deactivating users who leave the company?

In this moment when the user no longer works for the company, security is in your hands. Get that user deactivated as soon as possible!

Deactivate – Because You Can’t Delete

You may have wondered at some point why a user can’t be deleted from Salesforce. Think of it this way – every user creates records with everything they do in Salesforce, whether they are posting in Chatter, updating a Contact or closing an Opportunity. If a user was to be deleted, it would mean that many of the records created by that user could be orphaned. Orphaned records still exist in Salesforce, but they are not associated with an object or other records, and can only be accessed by the original owner. And that wouldn’t be good, would it?  Deactivating a user, on the other hand, allows the many records and linkages between records to remain, even without an active user associated with them. 

Here’s an example: Say a sales rep named Julie leaves the company. She owns Accounts, Leads and Groups, and she’s on various teams. Her departure affects several different processes in the Salesforce org. Of course, you no longer want Julie to access her Salesforce account, but deleting her account could result in orphaned records, and the company runs the risk of losing critical business information. Deactivation removes Julie’s login access while preserving her historical activity and records, making it easy for you to transfer ownership to other users.

The act of simply deactivating a user isn’t difficult:

From Setup, click Manage Users | Users.
Click Edit next to a user’s name.
Deselect the Active checkbox and then click Save.

Deactivation does not change ownership of Julie’s records. The records remain Julie’s records until you transfer ownership of them. For example, deactivated users continue to own Opportunities and appear in Forecasts and Territories. When users are deactivated, their opportunity forecast overrides, adjusted total overrides, and manager’s choice overrides on subordinates’ forecasts are frozen. However, the manager of a deactivated user can apply manager’s choice overrides to that user’s forecasts. 

In Chatter, Julie’s profile remains, but shows that she is inactive. She no longer appears in people’s “following” and “followers” lists. If Julie owns a Chatter group, she remains the owner. However, you can assign a new owner, because as an Administrator, you have “modify all data” permission.

Sometimes when you try to deactivate a user, you may get a pop-up message that says “You cannot deactivate this user”.  For example, this occurs when a user is a Default Lead Owner, and someone must be assigned a default for your organization. All you need to do is change the Default Lead Owner, and then you can proceed to deactivate the user. This will likely require a discussion with management about who the new lead owner should be. Other situations in which the user cannot be deactivated include:

  • Default case creator
  • Automated case user
  • Default lead creator or owner
  • Default workflow user
  • Recipient of a workflow email alert
  • User selected in a custom hierarchy field
  • Customer Portal Administrator

Best Practice: Freeze the User First

The life of an admin is full of interruptions and changed priorities. That’s why it is a good idea to freeze a user as your first step in deactivation. Freezing a user will lock their credentials while you work on deactivating the user across your company’s implementation. Freezing a user is also quick and easy to do:

Just log into the User Record and click the box “Freeze”:

The other reason that freezing a user as the first step in the deactivation process is that there are multiple processes and Chatter groups that may be impacted by the deactivation of the user. Freezing the user allows you to rework the process, assign a new owner, and be assured that the departing user cannot access her account.

Finally, if a deactivated user was an approver, the user needs to be removed from all approval processes or their approval responsibilities need to be assigned to other users.

Know your IT department’s termination process

There can be one little kink in this whole thing. The information that a user is leaving may not make it’s way over to your desk…and if it does, it may not be in a timely fashion. Here’s the good news: at many companies, the IT department is one of the first to know an employee is leaving the company. Creating a process between Salesforce administration and IT is a great opportunity to introduce yourself (if you haven’t already) and talk to them. I guarantee they will be interested in letting you know when people are leaving, once they understand the security implications. Your IT department feels this pain too, and has ultimate responsibility to shut off the employee’s access to all systems and phone service prior to the termination date.

If that doesn’t work for you, consider talking to your HR department, explain the security implications and ask to be contacted about employee termination dates. I’m sure that when these teams come to understand the real security implications, one of these teams will help.

If you are looking for step-by-step instructions, I recommend this short (4 minute) video tutorial that walks you through deactivating a user: Video Tutorial: Removing Users Access to Salesforce. Another way to learn more is to search for “Deactivating Users” in Salesforce Help.

Why Relying on “Password123” Won’t Cut It

In the wild west of Internet security, enabling two factor authentication is the closest thing you can do to making your accounts hacker proof. In this post, I will walk you through why two factor authentication (“2FA”, and also known as two-step verification) enhances security and how you can set it up to make yourself […]


More Ways to Protect your Salesforce Org

In my last post, I shared a key way to protect your Salesforce implementation and still give your users the flexibility they demand, via Login IP Range restrictions.  This important security control prevents unauthorized users from accessing your Salesforce org. If you find that Login IP ranges do not work for your org or you […]


Have an Idea for a Story?

We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?