AccessOwl integrates with Salesforce to provision and deprovision user access in your Salesforce organization.Documentation Index
Fetch the complete documentation index at: https://docs.accessowl.com/llms.txt
Use this file to discover all available pages before exploring further.
Capabilities
Provisioning
AccessOwl creates user accounts with the specified roles/permissions during access requests.
Deprovisioning
AccessOwl deactivates users in Salesforce during access revocations.
Prerequisites
- System Administrator profile in your Salesforce organization, so you can create the integration account.
Setup
Add Salesforce in AccessOwl
Either add a new application or open Applications and click the +-symbol, then continue.
Create the integration account with the System Administrator profile
AccessOwl shows you the integration account’s email address. In Salesforce:
- Go to Setup.
- Search for Users in the Quick Find box and click Users.
- Click New User.
- Enter the integration account’s email as both the Email and Username.
- Select the System Administrator profile.
- Assign a user license that allows the System Administrator profile.
- Click Save.
The integration account needs the System Administrator profile because only this profile has the Manage Users and related permissions required to create users, assign profiles and permission sets, and deactivate users. Lower-scoped profiles cannot perform these operations across the organization.
FAQ
Why does my Salesforce access request need a User License, Profile, and Role?
Why does my Salesforce access request need a User License, Profile, and Role?
Salesforce requires every user to have a User License (for example Salesforce, Salesforce Platform, or Salesforce Integration) and a Profile, and optionally a Role. If an access request only specifies one of these dimensions, AccessOwl cannot complete provisioning and reassigns the request to the Application Admin. When configuring Salesforce in AccessOwl, expose all three dimensions as selectable resources so requests are complete from the start.
Why isn't my Salesforce custom profile available in the request form?
Why isn't my Salesforce custom profile available in the request form?
AccessOwl only shows the User Licenses, Profiles, and Roles that are configured in your AccessOwl Salesforce setup. If you create a new custom profile in Salesforce (for example a new Sales Cloud profile), it doesn’t automatically appear in the AccessOwl request form. In AccessOwl, you can adjust the roles and permissions for the Salesforce application and add the missing profile there. The next time a provisioning request is made, the integration automatically picks up the new profile.
Why can't AccessOwl deactivate a Salesforce user with elevated roles or record ownership?
Why can't AccessOwl deactivate a Salesforce user with elevated roles or record ownership?
Salesforce blocks deactivating users who own records, are part of approval chains, or hold elevated roles. When AccessOwl encounters this, the revocation is reassigned to the Application Admin, who can transfer record ownership or approval responsibilities to another user first. Once the user is cleared from those references, the revocation can be retried.