User Provisioning for Connected Apps: Enable User Provisioning Control
This security setting automates the exchange of user identity information between Salesforce and external applications.
Control Name
Connected Apps: User Provisioning for Connected Apps: Enable User Provisioning
Recommended Configuration
Enable User Provisioning.
Control Overview
This security setting automates the exchange of user identity information between Salesforce and external applications, allowing for the programmatic creation, update, and deactivation of accounts based on Salesforce user records.
Security Risk If Not Configured
Without central user provisioning for connected apps, there is a significant risk that terminated users retain active credentials and access to external service providers because of manual offboarding gaps.
Threat Scenarios
A former employee whose Salesforce account was deactivated continues to log into a sensitive integrated cloud storage platform using local credentials because the downstream account was never programmatically revoked.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Failure to synchronize user status across the application ecosystem facilitates unauthorized data access by non-employees and complicates org compliance with data privacy regulations regarding credential revocation.
Higher Risk When
The risk is significantly higher when the connected application does not support single sign-on or when the org lacks an automated identity reconciliation process to identify orphaned accounts.
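The following reconciliation check is an added example, not Salesforce code or part of the original control text. It compares a Salesforce User export with an account export from the connected app and reports downstream accounts that are still active without an active Salesforce user behind them. The CSV contents and the app-side columns `email` and `status` are constructed assumptions; `Email` and `IsActive` are standard User fields.

```python
import csv
import io

# Constructed sample data (assumption): a Salesforce User export and a
# hypothetical account export from the connected application.
SALESFORCE_USERS = """Email,IsActive
alice@example.com,true
bob@example.com,false
carol@example.com,true
erin@example.com,false
erin@example.com,true
"""

APP_ACCOUNTS = """email,status
Alice@Example.com,active
bob@example.com,active
dave@example.com,active
carol@example.com,suspended
erin@example.com,active
"""


def _norm(email):
    # Match case-insensitively; downstream apps often store mixed-case emails.
    return email.strip().lower()


def find_orphaned_accounts(sf_csv, app_csv):
    """Return (email, reason) for active downstream accounts that have no
    active Salesforce user."""
    sf_active = {}
    for row in csv.DictReader(io.StringIO(sf_csv)):
        email = _norm(row["Email"])
        active = row["IsActive"].strip().lower() == "true"
        # Several users can share one Email; active if any of them is active.
        sf_active[email] = sf_active.get(email, False) or active

    findings = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        if row["status"].strip().lower() != "active":
            continue  # already disabled downstream
        email = _norm(row["email"])
        if email not in sf_active:
            findings.append((email, "no matching Salesforce user"))
        elif not sf_active[email]:
            findings.append((email, "Salesforce user is deactivated"))
    return sorted(findings)


if __name__ == "__main__":
    for email, reason in find_orphaned_accounts(SALESFORCE_USERS, APP_ACCOUNTS):
        print(f"{email}: {reason}")
```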
Low Risk When
The risk is lower when the org uses a unified identity provider that enforces just-in-time provisioning and global session termination for all integrated endpoints.
Business and Integration Considerations
Automated provisioning is the secure standard for large-scale enterprise deployments to reduce administrative overhead, whereas manual account management may be acceptable for small-scale tools with limited user counts.
Recommended Remediation
Go to the User Provisioning section of the Connected App, run the User Provisioning Wizard, and configure the mapping and flow directions for the target external application.
Security Health Review Guidance
Security Health Review identifies automated user provisioning as a strongly recommended standard to ensure the integrity of the offboarding process and to prevent the persistence of unauthorized access to external corporate resources.

