Summary and recommendation
Salesforce user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Salesforce user management is one of the most operationally demanding in the SaaS landscape. Adding a user requires selecting a license type, assigning a Profile, and optionally layering Permission Sets on top - each controlling different dimensions of access.
Removing a user means resolving a checklist of dependencies (default owners, approval processes, dashboards, automation) before the system will let you deactivate. You cannot delete users at all; deactivated accounts accumulate indefinitely. SCIM and SSO are only available on Enterprise ($165/user/month) or Unlimited ($330/user/month) plans.
Quick facts
| Admin console path | Setup (Gear icon) > Administration > Users > Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Enterprise or Unlimited |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| System Administrator | Full access to all data, apps, customizations, user management, and security configuration | N/A - full access | All | Full Salesforce license | Org must have at least one System Admin. You cannot deactivate the last one. |
| Standard User | CRUD on most standard objects they own or have access to via sharing. Run reports, manage personal settings. | Cannot manage users, modify system settings, access Setup, or create custom objects | All | Full Salesforce license | Permissions controlled by Profile + Permission Sets. Profile alone is often too restrictive - you'll layer Permission Sets on top. |
| Read Only | View-only access across standard objects | Cannot create, edit, or delete any records | All | Full Salesforce license | Consumes a full license despite being read-only. Consider Chatter Free for users who only need collaboration. |
| Marketing User | Standard User + campaign management + lead importing | Cannot manage users or system settings | All | Full Salesforce license + Marketing User feature license | Requires a separate Marketing User feature license on top of the base license. |
| Chatter Free User | Chatter feeds, files, groups, and profiles only | Cannot access any Salesforce objects (Accounts, Contacts, Opportunities, etc.) | All | Free (up to 5,000 per org) | Cannot be upgraded to a full license without deactivating and recreating with a new license type. |
| Platform User | Access to custom apps and custom objects (10 or 110 depending on tier) | Cannot access standard CRM objects (Accounts, Contacts, Opportunities) | Platform license ($25-$100/user/month) | $25/user/month (Starter) or $100/user/month (Plus) | Different license type from Salesforce CRM. Profile availability is restricted. |
Permission model
- Model type: hybrid
- Description: Profiles set baseline permissions. Permission Sets add specific access on top. Permission Set Groups bundle Permission Sets. Roles control record visibility (not permissions). OWD sets the baseline record sharing level.
- Custom roles: Yes
- Custom roles plan: Enterprise
- Granularity: Object-level and field-level security. CRUD per object per profile. Field-level: visible/read-only/hidden per field per profile.
How to add users
- Click Gear icon (top-right) > Setup
- In Quick Find, type 'Users' and click Users under Administration
- Click 'New User' button
- Select User License (determines which Profiles are available)
- Select Profile
- Fill in required fields: Last Name, Alias, Email, Username, Time Zone, Locale, Email Encoding, Language
- Optionally check 'Generate new password and notify user immediately'
- Click Save
Required fields: LastName, Alias, Email, Username, ProfileId, TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, LanguageLocaleKey
Watch out for:
- Username must be globally unique across ALL Salesforce orgs worldwide. Not just your org - every org. Use email+orgid pattern for sandboxes.
- Welcome email link expires after 24 hours. If the user misses it, you need to manually reset their password.
- The 'Add Multiple Users' button only handles up to 10 users at once.
- Data Loader CSV imports require the 18-character ProfileId, not the profile name.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | Yes | Data Loader desktop app > Insert operation on User object. Or Setup > Data Import Wizard for simpler imports. |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Enterprise |
How to remove or deactivate users
- Can delete users: No
- Delete/deactivate behavior: Salesforce does not allow deleting user records. This is by design - every user creates records, audit trails, and references throughout the system. You can only deactivate (set IsActive = false) or freeze (block login without deactivating).
- Freeze the user first: Setup > Users > find user > click 'Freeze' button
- Transfer record ownership: Setup > Data > Mass Transfer Records (handles Accounts, Leads, Cases)
- Reassign dashboards: Change the 'Running User' on dashboards they own
- Reassign scheduled reports: Transfer report ownership to active users
- Check automation: Reassign workflows, flows, or Process Builder configurations running as this user
- Clear deactivation blockers: Default Lead Owner, Default Case Owner, Default Workflow User, Assignment Rules, Approval Processes, Custom Hierarchy Fields
- Deactivate: Setup > Users > click 'Edit' on the user > uncheck 'Active' checkbox > Save
| Data impact | Behavior |
|---|---|
| Owned records | Remain owned by the deactivated user until manually transferred. Mass Transfer Records only handles a few object types - custom objects require Data Loader. |
| Shared content | Reports remain but scheduled reports stop running. Dashboards show error until Running User is reassigned. |
| Integrations | API integrations authenticated as this user stop working immediately. |
| License freed | Yes - deactivating frees the user license. Freezing does NOT. Managed Package licenses may not be automatically removed. |
Watch out for:
- Deactivated users remain in the system forever. There is no purge mechanism. Your user list grows indefinitely.
- Frozen users still consume a license. Freeze is a temporary lockout, not a cost-saving measure.
- You must resolve ALL deactivation blockers before the system lets you deactivate. There's no 'force deactivate.'
- Record ownership transfer is painful. Mass Transfer Records only handles a few object types. Everything else is manual.
- Permission sets are automatically removed on deactivation. Feature licenses are released. Managed package licenses may stick.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| Salesforce (Full CRM) | Full CRM access - Accounts, Contacts, Opportunities, Cases, Reports, Dashboards | Varies by edition ($25-$330/user/month) |
| Salesforce Platform | Custom apps and objects only. No standard CRM objects. | $25/user/month (Starter) or $100/user/month (Plus) |
| Chatter Free | Chatter feeds, files, groups, profiles only | Free (up to 5,000 per org) |
| Chatter External | External users invited to specific Chatter groups | Free |
| Identity Only | SSO login capability without CRM access | Varies |
| Customer Community | Portal access for customers | $2/login or $5/member/month |
| Partner Community | Portal access for partners | $10/login or $25/member/month |
- Where to check usage: Setup > Company Settings > Company Information. Shows User Licenses, Permission Set Licenses, and Feature Licenses with Total/Used/Remaining counts.
- How to identify unused seats: Setup > Users > Users > sort by Last Login column. Or SOQL: SELECT Id, Username, LastLoginDate FROM User WHERE IsActive = true AND LastLoginDate < LAST_N_DAYS:90
- Billing notes: Annual billing. Seats committed at contract signing. Removing a user mid-cycle frees the license for reassignment but does not reduce your bill. License counts can take up to 24 hours to refresh.
The cost of manual management
Every app has an offboarding checklist, but Salesforce's is unusually long. Deactivating a single user can require transferring record ownership across multiple object types, reassigning dashboard running users, updating approval processes, clearing default owner fields in assignment rules, and resolving any automation running as that user - all before Salesforce will accept the deactivation.
There is no single offboard button. Frozen users still consume a paid license, so admins who freeze during offboarding and move on are paying for access that no longer exists.
The permission model - License Type → Profile → Permission Sets → Permission Set Groups → Roles → OWD → Sharing Rules - is difficult to audit manually, and Salesforce is deprecating Profiles for permission management (target: Spring 2026), which means existing configurations will need migration.
What IT admins are saying
The recurring themes: deactivation blockers that surface mid-process, frozen users silently consuming licenses, and a permission model too layered to audit without dedicated tooling.
Common complaints:
- Cannot delete users - only deactivate. User list grows forever with no purge mechanism.
- Deactivation requires resolving 10+ dependencies manually. No single 'offboard this user' button exists.
- Record ownership transfer is manual and painful. Mass Transfer Records handles only a few object types.
- Permission model is impossibly complex to audit. Profiles + Permission Sets + Permission Set Groups + Roles + OWD + Sharing Rules.
- Frozen users still consume licenses. Admins freeze during offboarding and forget the license is still billed.
- Username must be globally unique across all Salesforce orgs. Causes constant conflicts in sandbox refreshes.
- No built-in offboarding workflow. You check 10+ places manually or build custom automation.
- License count discrepancies - Company Information can take 24 hours to update after changes.
- SCIM only available on Enterprise ($165/user/month). Pricing gate for basic automation.
- Profile deprecation (Spring 2026) forces massive migration effort to Permission Sets.
The decision
If your org is on Enterprise or Unlimited, SCIM provisioning is available and eliminates most of the manual add/remove burden. The deactivation dependency checklist still applies - SCIM handles provisioning, not record ownership transfer or automation reassignment.
If you're on Starter or Pro Suite, SCIM and SSO are not available; every user change is manual through Setup. For orgs with frequent headcount changes or a growing list of deactivated users, the operational cost of manual management compounds quickly.
The upcoming Profile deprecation (Spring 2026) adds urgency to auditing your current permission model regardless of plan.
Bottom line
Salesforce user management is technically functional but operationally expensive at scale. Adding users requires selecting from multiple license types and layering permissions across Profiles and Permission Sets.
Removing users requires resolving a dependency checklist that varies per user and has no shortcut. You cannot delete users - only deactivate - so your user list grows without bound.
SCIM is available on Enterprise and Unlimited plans and handles provisioning, but does not eliminate the offboarding dependency work. If your team is managing Salesforce access manually across more than a handful of users, the time cost is real and recurring.
Automate Salesforce workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
