If you’re a Salesforce administrator — or aspiring to become one — user management in Salesforce is one of the most fundamental skills you need to master. From creating user accounts to assigning profiles, roles, licenses, and controlling data access, proper user management is the foundation of a secure and efficient Salesforce org.
In this comprehensive guide, we’ll walk you through everything you need to know about user management in Salesforce: what it is, how it works, best practices, and how it connects to the broader Salesforce security model. Whether you’re preparing for the Salesforce Admin certification exam or managing users in a live org, this guide covers it all.
What You’ll Learn in This Guide: What Is User Management in Salesforce | User Accounts & Key Components | Creating & Managing Users | Licenses, Profiles & Roles | Deactivating vs. Freezing Users | Access Control: Passwords, IP Restrictions & Login Hours | Permission Sets | Data Access & Sharing | Best Practices | FAQ
What Is User Management in Salesforce?
User management in Salesforce refers to the complete set of tasks and configurations that allow a Salesforce administrator to control who can log in to a Salesforce org, what they can see, and what they can do. It is one of the most critical responsibilities of a Salesforce Admin.
At its core, Salesforce user management involves:
- Creating and managing user accounts
- Assigning the appropriate user license, profile, and role to each user
- Controlling login access through password policies and IP/time restrictions
- Granting or restricting object, field, and record-level access
- Deactivating or freezing users when needed
Every person who logs in to Salesforce is a user, and every user must have a user account. This includes full-time employees, part-time staff, contractors, integration users (non-human), and sometimes even customers or partners accessing a community or portal.
Understanding a Salesforce User Account
When you create a new user in Salesforce, that user account acts as their digital identity within your org. Each user account controls how they log in, what they can access, and how they appear across the platform.
Every Salesforce user account contains at minimum:
| User Account Component | What It Does |
|---|---|
| Username | Unique identifier across ALL Salesforce orgs globally. Usually formatted like an email address. |
| Email Address | Used for system notifications, password resets, and communications. |
| First & Last Name | Identifies the user throughout the org in records, reports, and feeds. |
| Alias | Short name (up to 8 chars) shown on list views and reports. Defaults to first initial + first 4 of last name. |
| Nickname | Display name used in Chatter and community interactions. |
| User License | Determines which Salesforce features the user can access. |
| Profile | Controls what the user can do — object permissions, field access, app visibility. |
| Role (Optional) | Determines record visibility up and down the role hierarchy. |
A Note on Usernames
One important thing to understand: Salesforce usernames must be globally unique across every single Salesforce instance in the world — not just within your own org. This is why many organizations use a naming convention like [email protected] to avoid conflicts with other orgs, especially when you have multiple sandboxes.
User Licenses in Salesforce
A user license determines which features and applications a user can access within your Salesforce org. You must assign exactly one license to each user, and your org’s available licenses depend on your Salesforce contract.
Here are the most commonly used Salesforce user licenses:
| License Type | Best Used For |
|---|---|
| Salesforce (Lightning User) | Standard users needing full CRM access — contacts, leads, opportunities, reports. |
| Salesforce Platform | Users who only need access to custom apps, not standard CRM objects. |
| Chatter Free | Users who only need collaboration/social features without data access. |
| Chatter External | External users (partners, customers) with very limited access. |
| Identity | Single sign-on and authentication use cases only. |
| Work.com Only | For specific Work.com features and goals. |
💡 Admin Tip: Always match the license to the user’s actual needs. Over-licensing increases costs; under-licensing blocks productivity. Review your license usage regularly in Setup > Company Information.
Profiles: Controlling What Users Can Do
Profiles are one of the most important components in Salesforce user management. A profile determines what a user can do within Salesforce — which objects they can create, read, edit, or delete; which fields are visible or editable; which apps they can see; and more.
Every user must be assigned exactly one profile. Salesforce provides several standard profiles out of the box:
- System Administrator — Full access to all setup and data
- Standard User — General CRM access without admin permissions
- Read Only — Can view but not modify records
- Solution Manager — Can manage solutions in Service Cloud
- Marketing User — Can manage campaigns and import leads
- Contract Manager — Can manage contracts
You can also create custom profiles to fine-tune access for specific teams. For example, a Sales Profile might include access to Opportunities and Contacts but not Cases, while a Support Profile might have the opposite configuration.
What a Profile Controls
- Object-level permissions (Create, Read, Edit, Delete, View All, Modify All)
- Field-level security (visible or read-only on specific fields)
- Record type access
- App and tab visibility
- Page layout assignments
- Apex class and Visualforce page access
- System permissions (e.g., “Export Reports”, “Manage Users”)
Roles: Controlling What Users Can See
While profiles control what a user can do, roles in Salesforce primarily determine what records a user can see. Roles are organized in a role hierarchy that mirrors your company’s organizational structure.
Users higher up in the role hierarchy can typically view and report on records owned by users below them — giving managers visibility into their team’s data without admin-level permissions.
Important things to know about roles:
- Roles are optional — not every user needs one
- A user can only have one role at a time
- Roles work in conjunction with Organization-Wide Defaults (OWD) and Sharing Rules
- The role hierarchy is separate from the manager hierarchy in user records
Key Concept: Roles control record access (visibility), while Profiles control object/field access (permissions). Both work together to define the full scope of what a user can access in your org.
How to Create a User in Salesforce
Creating a new user in Salesforce is straightforward. Here is the step-by-step process:
- Go to Setup by clicking the gear icon in the top right
- In the Quick Find box, type “Users” and click Users under Manage Users
- Click the New User button
- Fill in the required fields: First Name, Last Name, Email, Username, Alias, and Nickname
- Select the appropriate User License
- Assign a Profile
- Optionally assign a Role
- Click Save — Salesforce will send the user a login email automatically
Adding Multiple Users at Once
If you need to onboard many users, Salesforce gives you two options:
- Add Multiple Users button — Adds up to 10 users at once using a multi-row form
- Data Loader — For bulk user creation (more than 10), import users from a CSV file
Deactivating vs. Freezing a User
A critical concept in Salesforce user management is the difference between deactivating and freezing a user. Since Salesforce users cannot be deleted, these are the two ways to prevent someone from accessing your org.
| Freeze a User | Deactivate a User |
|---|---|
| Immediately prevents login | Permanently removes login access |
| License is NOT released | License IS released for reuse |
| Temporary measure — quick to apply | Permanent measure — requires more steps |
| User record remains exactly as-is | User removed from active team counts |
| Use when you need to act fast (e.g., security issue) | Use when an employee leaves the company |
When You Cannot Immediately Deactivate a User
There are situations where Salesforce will not let you deactivate a user right away. This happens when the user is referenced in automation or business logic configurations. Common blockers include:
- User is the default owner of Leads
- User is the default or automated Case owner
- User is the default Lead creator or owner
- User is set as the default Workflow user
- User is a recipient in a Workflow email alert
- User is selected in a custom hierarchy field
In these situations, the recommended approach is to first freeze the user to prevent login access, then work through each configuration to reassign responsibilities before completing the deactivation.
Controlling Login Access to Your Salesforce Org
User management in Salesforce extends beyond creating accounts. A full access control strategy includes four key mechanisms:
1. User Authentication — Who Can Log In
Only authorized users with valid credentials should access your org. Beyond username and password, Salesforce supports Multi-Factor Authentication (MFA), which adds an extra layer of security by requiring users to verify their identity with a second factor. MFA is now contractually required by Salesforce for all users.
2. Password Policies
Salesforce allows admins to configure org-wide password policies that govern:
- Minimum password length and complexity requirements
- How often users must change their passwords
- How many failed login attempts trigger an account lockout
These can be configured in Setup > Password Policies.
3. IP Address Restrictions
You can restrict which IP addresses are allowed to log in to Salesforce. This is particularly useful for preventing unauthorized access from outside your corporate network. IP restrictions can be applied at the profile level to target specific user groups.
4. Login Hour Restrictions
Salesforce also lets you control when users are allowed to log in. Login hours are configured per profile, ensuring users can only access the system during defined business hours. This reduces the attack surface outside working hours.
Permission Sets: Extending Access Beyond Profiles
Permission sets are a powerful complement to profiles in Salesforce user management. While a profile defines the baseline permissions for a group of users, a permission set can extend access for individual users without creating a new profile.
Think of permission sets as an additive layer on top of a profile. If most of your sales team uses the Standard User profile but a few specific reps need access to a special object or custom app, you can create a permission set and assign it only to those users — without touching anyone’s profile.
Key benefits of permission sets:
- More granular access control without profile proliferation
- Easily assignable to individual users or groups of users
- Can be combined — a user can have multiple permission sets
- Reduces the number of custom profiles you need to maintain
Permission Set Groups: Salesforce supports Permission Set Groups, which let you bundle multiple permission sets together and assign them as a single unit. This is best practice for larger orgs with complex access requirements.
Understanding the Salesforce Data Security Model
User management operates within Salesforce’s layered data security model. Understanding all these layers is essential for every Salesforce admin:
| Security Layer | Controls |
|---|---|
| Organization-Wide Defaults (OWD) | Sets the baseline sharing for all records — Public Read/Write, Public Read Only, or Private. |
| Role Hierarchy | Users above in the hierarchy can view records of users below them. |
| Sharing Rules | Extend record access to specific groups beyond OWD and role hierarchy. |
| Manual Sharing | Allows record owners or admins to share individual records with specific users. |
| Profiles & Permission Sets | Control object-level and field-level permissions. |
| Field-Level Security | Restricts visibility or editability of specific fields. |
When configuring user management in Salesforce, always consider all these layers together. A user’s effective access is the combination of their profile, permission sets, role, and the sharing settings on the records they interact with.
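As an added illustration (not Salesforce code and not part of the original guide), this simplified Python model shows how the layers combine for a read check: the object permission from profile plus permission sets comes first, then any one record-level grant is enough. All names and data are hypothetical, and field-level security, View All/Modify All and other platform cases are left out.

```python
from dataclasses import dataclass, field

# Hypothetical role hierarchy (child -> parent) and org-wide defaults.
ROLE_PARENT = {"Sales Rep": "Sales Manager", "Sales Manager": "VP Sales", "VP Sales": None}
OWD = {"Opportunity": "Private", "Account": "Public Read Only"}

@dataclass
class User:
    name: str
    role: str                      # None when the user has no role
    profile_read: set              # objects the profile grants Read on
    permset_read: set = field(default_factory=set)  # Read added by permission sets

@dataclass
class Record:
    obj: str
    owner: User
    shared_with_roles: set = field(default_factory=set)  # sharing rules
    shared_with_users: set = field(default_factory=set)  # manual shares

def role_is_above(role, other):
    """True if `role` is an ancestor of `other` in the hierarchy."""
    current = ROLE_PARENT.get(other)
    while current is not None:
        if current == role:
            return True
        current = ROLE_PARENT.get(current)
    return False

def can_read(user, record):
    """Return (allowed, reason) for a simplified read-access decision."""
    # Object-level gate: profile plus additive permission sets.
    if record.obj not in (user.profile_read | user.permset_read):
        return False, "no object Read permission"
    # Record-level access: any one grant is enough.
    if record.owner is user:
        return True, "owner"
    if OWD[record.obj] != "Private":
        return True, "org-wide default"
    if user.role and record.owner.role and role_is_above(user.role, record.owner.role):
        return True, "role hierarchy"
    if user.role in record.shared_with_roles:
        return True, "sharing rule"
    if user.name in record.shared_with_users:
        return True, "manual share"
    return False, "record not shared"

# Constructed sample users and one privately shared Opportunity.
rep = User("rep", "Sales Rep", {"Opportunity"})
manager = User("manager", "Sales Manager", {"Opportunity"})
peer = User("peer", "Sales Rep", {"Opportunity"})
support = User("support", None, set(), permset_read={"Opportunity"})
deal = Record("Opportunity", rep, shared_with_users={"support"})
for u in (rep, manager, peer, support):
    print(u.name, can_read(u, deal))
```

The peer rep is denied even though their profile grants Read on Opportunity, which is the case that most often surprises new admins when OWD is Private.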
Best Practices for User Management in Salesforce
Following these best practices ensures your Salesforce org remains secure, scalable, and maintainable as your organization grows:
- Plan your profile strategy before creating users. Use as few profiles as necessary and leverage permission sets for exceptions.
- Use a consistent username naming convention — e.g., [email protected] — to avoid confusion across sandbox and production orgs.
- Enable Multi-Factor Authentication (MFA) for all users. This is now required by Salesforce contractually.
- Review inactive users regularly and deactivate those who no longer need access. This frees up licenses and improves security.
- Check Login History first when troubleshooting user access issues. It is the fastest path to diagnosing login problems.
- Use Permission Set Groups to simplify complex access configurations instead of creating overly specialized profiles.
- Document your user management strategy, including what each profile and permission set is used for, so future admins can maintain the org effectively.
- Restrict login hours and IP addresses for sensitive roles to reduce your org’s attack surface.
- Never share login credentials. Each user must have their own individual account.
- Audit user access periodically, especially after organizational changes, role transitions, or when employees leave.
Using Login History to Troubleshoot Access Issues
Login History is one of the most useful but underutilized tools for Salesforce admins. It logs every login attempt — successful or not — along with the date, time, IP address, browser, and outcome.
When a user reports they cannot log in, Login History should be your first stop. Common things to check:
- Is the user’s account active (not deactivated or frozen)?
- Is the user’s IP address within the allowed range?
- Is the login attempt within the allowed login hours?
- Did the login fail due to too many incorrect password attempts?
You can access Login History by going to Setup > Login History. You can also export up to 6 months of login history for security auditing purposes.
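As an added example (not from the original guide), the Python sketch below runs the checks listed above over a Login History export and summarizes the findings per user. The column names, the Status strings and the allowed network are assumptions about your export and org, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; real files come from Setup > Login History.
# Column names and Status strings are assumptions about the export format.
SAMPLE_CSV = """Username,Login Time,Source IP,Status
alice@example.com,2024-05-06 08:59:10,203.0.113.10,Success
bob@example.com,2024-05-06 09:01:00,198.51.100.7,Restricted IP
carol@example.com,2024-05-06 09:02:11,203.0.113.22,Invalid Password
carol@example.com,2024-05-06 09:02:40,203.0.113.22,Invalid Password
carol@example.com,2024-05-06 09:03:05,203.0.113.22,Password Lockout
dave@example.com,2024-05-06 23:15:00,203.0.113.30,Restricted Time
erin@example.com,2024-05-06 10:00:00,203.0.113.31,User is Frozen
"""

# Hypothetical corporate range mirroring a profile's login IP ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Maps an assumed Status value to the matching check from the list above.
STATUS_TO_CHECK = {
    "User is Frozen": "account frozen or inactive",
    "User is Inactive": "account frozen or inactive",
    "Restricted IP": "IP outside allowed range",
    "Restricted Time": "outside login hours",
    "Password Lockout": "locked out after failed passwords",
}

def ip_allowed(ip_text):
    """True if the address falls inside one of the allowed networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_NETWORKS)

def triage(csv_text):
    """Return {username: sorted findings} for users with failed logins."""
    findings = defaultdict(set)
    bad_passwords = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, status = row["Username"], row["Status"]
        if status == "Success":
            continue
        if status == "Invalid Password":
            bad_passwords[user] += 1
        if status in STATUS_TO_CHECK:
            findings[user].add(STATUS_TO_CHECK[status])
        if not ip_allowed(row["Source IP"]):
            findings[user].add("source IP %s not in allowed networks" % row["Source IP"])
    for user, count in bad_passwords.items():
        findings[user].add("%d invalid password attempts" % count)
    return {user: sorted(items) for user, items in findings.items()}

if __name__ == "__main__":
    for user, items in triage(SAMPLE_CSV).items():
        print(user, "->", "; ".join(items))
```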
Frequently Asked Questions
Can you delete a user in Salesforce?
No. Salesforce does not allow you to delete user records. This is by design to maintain data integrity and audit history. Instead, you can deactivate a user (which prevents login and frees the license) or freeze a user (which prevents login but retains the license).
What is the difference between a profile and a permission set?
A profile is mandatory — every user must have exactly one — and it sets the baseline permissions. A permission set is optional and additive, extending access beyond what the profile allows. Permission sets are ideal for giving specific users extra capabilities without creating new profiles for minor differences.
How many permission sets can a user have?
A single Salesforce user can have multiple permission sets assigned to them. There is no hard limit, though best practice is to organize them using Permission Set Groups to keep things manageable.
What happens to records when a user is deactivated?
Existing records remain in Salesforce and are not affected. They continue to show the deactivated user as the owner. You should reassign these records to an active user using tools like Mass Transfer Records in Setup.
Is user management tested on the Salesforce Admin certification exam?
Absolutely. User management in Salesforce is a significant topic in the Salesforce Administrator (ADM 201) certification exam. Expect questions on profiles, permission sets, roles, licenses, login access controls, the deactivate vs. freeze distinction, and the overall data security model.
Conclusion
User management in Salesforce is much more than just creating login accounts. It is the foundation of your org’s security architecture, data governance, and overall usability. When done right, it ensures that every team member has exactly the access they need — no more, no less — enabling your business to operate efficiently while keeping sensitive data safe.
From understanding user licenses and profiles, to configuring roles and sharing rules, to enforcing login access controls and password policies, every element of Salesforce user management contributes to a well-governed, secure, and scalable org.
Mastering user management is also a core requirement for passing the Salesforce Administrator certification exam. The concepts covered in this guide — profiles, permission sets, roles, licenses, login access, and deactivate vs. freeze — are all heavily tested topics.




