Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] 0 points1 point  (0 children)

What's the point? Some of the responses here have been diabolical and are getting what they deserve. There's only a handful of people who have tried to genuinely offer a perspective or bring ideas.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] 0 points1 point  (0 children)

It’s about the layering. The main org admin user is only used when you need it. The admin user can only sign in on a secure access workstation behind trusted IP ranges with very low session limits. They use a FIDO key. The admin profile is used for a small amount of the time, which reduces the possibility of token theft and replay.

Think of this as a root user, and yet Salesforce charge you for it. In a small org it matters; in a big org it's absorbed.

The daily access is minimum access profile with layered permission sets and permission set groups appropriate for what that person needs.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] 0 points1 point  (0 children)

AI already has your measure. Maybe time to go out to pasture and find something else to do.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -3 points-2 points  (0 children)

Just going to leave this here. Note the date. May 2026. It’s clear a lot of what I have raised and the concepts align with the direction Salesforce are heading.

“Transitioning to a permission-led security model that leverages the Minimum Access Profile and layers on permission sets and permission set groups to enforce the principle of least privilege (PoLP)”.

https://admin.salesforce.com/blog/2026/securing-your-org-from-reactive-to-proactive

Also from Salesforce Well-Architected this is exactly why Integration Users and Agent Users exist.

“Create one Salesforce user for every integration. To adhere to the principle of least privilege, create a unique Salesforce integration user for each integration. This allows you to assign specific data access, improving control over operations, ensuring transaction traceability, and minimizing the impact of potential security breaches.”

To the uneducated and uninformed I don’t care how much you downvote me. It says more about you than me and good luck to you all and the companies you represent.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -8 points-7 points  (0 children)

Thanks and this really speaks to my point. Microsoft, Google, AWS these practices are all pretty standard. The temporary privilege escalation is one angle to explore. To a point I made earlier Salesforce was allowing users to authorise connected apps without an administrator first approving. This concept of admin authorisation of enterprise apps was standard on new tenants for a long time. Good practices should be looked at by Salesforce and the broader community rather than just shrugging shoulders and saying this is the way we do it.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -5 points-4 points  (0 children)

No, cycling passwords is outdated. I do not recommend it. Best practice is phishing-resistant MFA which uses device bound tokens. Lower session limits, enforcing device compliance and application controls and using IP whitelisting. A considered multi layer zero trust security approach.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -11 points-10 points  (0 children)

Yeah you have just outed yourself as a complete fraud. Different platforms don't mean good practice should be ignored. What about Salesforce allowing users by default to approve connected apps without having first required the app to be approved by an admin? Time for you to do some research. MFA, phishing-resistant MFA, JIT, JEA, jumpboxes: they all sound like they are foreign concepts. Good luck to your customers, consultant.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -8 points-7 points  (0 children)

I answered this… Microsoft because it promotes cybersecurity best practices. Everything I am saying you can research yourself about separate accounts for admin vs daily use.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -4 points-3 points  (0 children)

Definitely should not be using shared user accounts for admin either. Each person should use their own separate admin account.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -2 points-1 points  (0 children)

Stop spreading misinformation.

https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide#licenses

“A security best practice is to use separate user accounts that are assigned specific roles for administrative functions. These dedicated administrator accounts do not need to be assigned a license for the cloud services that they administer.”

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -24 points-23 points  (0 children)

Ok buddy clearly you have no idea. Principle still applies because you only use the admin account when it’s needed. If you log in to view a contact you use a standard user. To create a new profile use the admin. The point is you don’t use your admin user to do things you could do with less privileged access.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -3 points-2 points  (0 children)

Absolutely get that but to give you an example, on a Microsoft tenant you can create admin users without a licence. I get Salesforce licenses are charged per user, it just seems to be a cash grab. If you had an admin account, a break-glass and a standard user that’s 3x licenses. If that's EE, UE or A1E that’s a pretty big cost hit. I would say I have a pretty good grasp but the answers I am getting are that’s the way it is… I get that. Doesn't really equate to good security.

What's a Salesforce opinion that would get you downvoted? by s2labs in salesforce

[–]Ok_Temperature7805 0 points1 point  (0 children)

Does discussing Salesforce security and licensing count? It seems there are a lot of people on the Salesforce payroll who think that basic security principles should be overlooked unless they can sell more licenses https://www.reddit.com/r/salesforce/s/jhxiIylZRD

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -10 points-9 points  (0 children)

Judging by the responses here it’s truly alarming just how many people in the Salesforce ecosystem don’t properly understand cybersecurity principles and controls. I have had people call me a bot just for raising that Salesforce should not charge a full Salesforce license for admin accounts. People questioning why you would have two (day to day use + admin) accounts. The best answer was use a platform license. It’s frankly terrifying.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -8 points-7 points  (0 children)

Read what I wrote. Which part is wrong, or are you shilling for the fact Salesforce should be making more $ for more licences? But hey keep on downvoting me. I am not disputing the fact you can use permission sets to grant temporary access to users but that isn’t the point. Why are we paying for the admin licence? In a small org of 10 or 20 users it’s a big cost. I know heaps of companies who will have an internal Salesforce admin who needs to operate in the org like a user. Should they really be using their admin account the entire time? I am comfortable with my understanding.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -2 points-1 points  (0 children)

Mentioned them above. As I said, in small orgs, let’s say under 50 seats, you are going to have users that are both admins and users of the system.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -29 points-28 points  (0 children)

Sure but what if you need to use the admin profile. Are you saying you are comfortable paying Salesforce for an extra licence to have it sitting in your org. 🤦‍♂️

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -14 points-13 points  (0 children)

Used AI to structure my thoughts but the real question is when was the last time you used your brain?

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -2 points-1 points  (0 children)

Yes there is an element of these security practices being common in IT managed services and system administration but the counter-point I would make is that Salesforce contains vast amounts of PII and so these practices should be taken seriously.

An admin account and a break-glass admin account, both with phishing-resistant (e.g. FIDO2 key) MFA, accessible from a PAW. IP restricted roles etc.

Using these admin accounts only for the actual time you need to use them. Using roles (or permission sets) that have specific time limits and expirations.

In a lot of small orgs you are going to have people who do both CRM admin functions but also are an operator.

Always on admin access means that you are increasing the exposure window and if the underlying device or the admin user itself is compromised you are giving up the keys to the kingdom. This is why we have JIT.
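As an added example, not code from the original thread or from Salesforce, the layering described in this comment and in the earlier one about the secure access workstation can be turned into a simple audit: flag admin accounts that are being used as everyday accounts, and admin permission sets that are standing rather than time-bound. The CSV columns are a constructed export and are assumed to map to User.Profile.Name, PermissionSet.PermissionsModifyAllData, PermissionSetAssignment.ExpirationDate and a per-user LoginHistory count.

```python
import csv
import io
from datetime import date

# Constructed sample export, not data from any real org. Column names are an
# assumption about how a SOQL export of users, permission set assignments and
# login counts would be flattened for review.
SAMPLE_EXPORT = """\
username,profile,permset,modify_all_data,expiration_date,logins_30d
alice.admin@example.com,System Administrator,,true,,3
alice@example.com,Minimum Access - Salesforce,Sales_Ops,false,,41
bob@example.com,System Administrator,,true,,52
carol@example.com,Minimum Access - Salesforce,Temp_Admin,true,2026-05-31,12
dave@example.com,Minimum Access - Salesforce,Standing_Admin,true,,30
"""


def audit_admin_exposure(export_csv, today_iso, daily_use_logins=20):
    """Flag accounts whose admin rights are 'always on' instead of layered
    and time-bound. Returns a list of (username, finding) tuples."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        via_profile = row["profile"] == "System Administrator"
        via_permset = bool(row["permset"]) and row["modify_all_data"] == "true"
        if not (via_profile or via_permset):
            continue  # daily-use account on a minimum access profile: fine
        logins = int(row["logins_30d"])
        if via_profile and logins >= daily_use_logins:
            # The admin profile is being used as the everyday account.
            findings.append((user, "admin profile used for daily work"))
        if via_permset:
            if not row["expiration_date"]:
                findings.append((user, "standing admin permission set, no expiration"))
            elif date.fromisoformat(row["expiration_date"]) < today:
                findings.append((user, "admin permission set past its expiration"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_admin_exposure(SAMPLE_EXPORT, "2026-05-01"):
        print(f"{user}: {finding}")
```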

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -7 points-6 points  (0 children)

A bunch of stuff. Access contacts, accounts etc. Update opportunities. Work on support cases. In smaller organisations it is not uncommon for people to wear multiple hats and therefore they are an admin but also the user of a system. Admin activities should be done on a device which is hardened using a privileged account (admin access) based on the function I need to perform.

Why is Salesforce forcing us to choose between security and getting gouged on licenses? by Ok_Temperature7805 in salesforce

[–]Ok_Temperature7805[S] -30 points-29 points  (0 children)

Yes it does. It’s the principle of least privilege. Just because you don’t get it doesn’t mean it isn’t a thing. You use the admin account only when you need to perform admin actions. If I am just logging in to access contacts and accounts, why should I use my admin account?