> ## Documentation Index
> Fetch the complete documentation index at: https://docs.accessowl.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Salesforce

AccessOwl integrates with Salesforce to provision and deprovision user access in your Salesforce organization.

## Capabilities

<CardGroup cols={2}>
  <Card title="Provisioning" icon="user-plus">
    AccessOwl creates user accounts with the specified roles/permissions during access requests.
  </Card>

  <Card title="Deprovisioning" icon="user-minus">
    AccessOwl deactivates users in Salesforce during access revocations.
  </Card>
</CardGroup>

## Prerequisites

* **System Administrator** profile in your Salesforce organization, so you can create the integration account.

## Setup

<Steps>
  <Step title="Add Salesforce in AccessOwl">
    Either add a new application or open Applications and click the +-symbol, then continue.
  </Step>

  <Step title="Create the integration account with the System Administrator profile">
    AccessOwl shows you the integration account's email address. In Salesforce:

    * Go to **Setup**.
    * Search for **Users** in the Quick Find box and click **Users**.
    * Click **New User**.
    * Enter the integration account's email as both the **Email** and **Username**.
    * Select the **System Administrator** profile.
    * Assign a user license that allows the System Administrator profile.
    * Click **Save**.

    Once the user is created, follow the AccessOwl setup assistant to share the integration account's credentials with AccessOwl.

    <Note>
      The integration account needs the System Administrator profile because only this profile has the Manage Users and related permissions required to create users, assign profiles and permission sets, and deactivate users. Lower-scoped profiles cannot perform these operations across the organization.
    </Note>
  </Step>
</Steps>

## FAQ

<AccordionGroup>
  <Accordion title="Why does my Salesforce access request need a User License, Profile, and Role?">
    Salesforce requires every user to have a **User License** (for example Salesforce, Salesforce Platform, or Salesforce Integration) and a **Profile**, and optionally a **Role**. If an access request only specifies one of these dimensions, AccessOwl cannot complete provisioning and reassigns the request to the [Application Admin](/guides/applications/admins-owners). When configuring Salesforce in AccessOwl, expose all three dimensions as selectable resources so requests are complete from the start.
  </Accordion>

  <Accordion title="Why isn't my Salesforce custom profile available in the request form?">
    AccessOwl only shows the User Licenses, Profiles, and Roles that are configured in your AccessOwl Salesforce setup. If you create a new custom profile in Salesforce (for example a new Sales Cloud profile), it doesn't automatically appear in the AccessOwl request form. In AccessOwl, you can adjust the [roles and permissions](/guides/applications/roles-permissions) for the Salesforce application and add the missing profile there. The next time a provisioning request is made, the integration automatically picks up the new profile.
  </Accordion>

  <Accordion title="Why can't AccessOwl deactivate a Salesforce user with elevated roles or record ownership?">
    Salesforce blocks deactivating users who own records, are part of approval chains, or hold elevated roles. When AccessOwl encounters this, the revocation is reassigned to the [Application Admin](/guides/applications/admins-owners), who can transfer record ownership or approval responsibilities to another user first. Once the user is cleared from those references, the revocation can be retried.
  </Accordion>
</AccordionGroup>