
How to Manage User Access in Salesforce Sandboxes: Best Practices for Admins

  • Writer: Architect
  • Jan 24
  • 3 min read

Usual Salesforce Orgs Map

As a Salesforce Administrator overseeing an organization with multiple sandboxes, you’ve likely encountered scenarios where developers, administrators, or business analysts request access to specific sandboxes for development purposes. While granting access is routine, challenges often arise when those individuals leave the company, switch projects, or transition to new roles. This leaves their sandbox access lingering unnecessarily, which can create security risks and inefficiencies.


So, how can you effectively manage and maintain user access in such cases?



Centralized Access Management Systems: A Streamlined Solution

Many companies utilize centralized access management systems integrated with Salesforce to handle user access. Here’s how this typically works:


  1. Access Change Requests: A request to deactivate a user or update their role is submitted to the centralized system.

  2. Synchronization Across Environments: Once the request is processed, the system synchronizes the changes with the Salesforce Production org and any integrated sandboxes.


This setup ensures that user access remains up-to-date and aligned with organizational policies, reducing the risk of unauthorized access.



The Sandbox Synchronization Gap

However, it’s common for some sandboxes not to be included in the user synchronization process. This creates a problem:


  • Sandboxes may retain active users who should have been deactivated or had their roles updated.

  • Over time, these outdated user accounts accumulate, increasing the potential for security breaches and unnecessary licensing costs.



A Custom Python Solution for Synchronizing User Access

To bridge this gap, you can use a custom Python script leveraging the Simple Salesforce library. This script connects to the Salesforce Production org and sandboxes, compares active users, and ensures their status aligns across environments.

Here’s how the solution works:


  1. Fetch Active Users: The script connects to the Production org and retrieves a list of active users.

  2. Compare with Sandboxes: It connects to each sandbox, compares the users (matching by username after removing the sandbox-name suffix that Salesforce appends to every username when a sandbox is created or refreshed), and updates the IsActive status in the sandbox to match the Production org.

  3. Run Anywhere: This script can be executed from a local machine or integrated into CI/CD pipelines on platforms like GitHub, GitLab, or Bitbucket.



Python Code Example


from simple_salesforce import Salesforce


# Configuration: define your credentials and sandboxes.
# The values below are placeholders; in practice load them from environment
# variables or a secrets manager rather than committing them to source control.
orgs = {
    "Production": {
        "username": "prod_user@example.com",
        "password": "prod_password",
        "security_token": "prod_token"
    },
    "Sandboxes": [
        {
            "name": "Sandbox1",
            "username": "sandbox1_user@example.com.sandbox",
            "password": "sandbox1_password",
            "security_token": "sandbox1_token"
        },
        {
            "name": "Sandbox2",
            "username": "sandbox2_user@example.com.sandbox",
            "password": "sandbox2_password",
            "security_token": "sandbox2_token"
        }
    ]
}


# Fetch every Production user together with its activation status.
# Inactive users must be included: if only active users were fetched, a
# deactivation in Production could never be propagated to the sandboxes.
def get_production_user_status(production_conn):
    query = "SELECT Username, IsActive FROM User"
    result = production_conn.query_all(query)
    # Salesforce usernames are case-insensitive, so normalise the keys
    return {record["Username"].lower(): record["IsActive"] for record in result["records"]}


# Map a sandbox username back to its Production username. On sandbox creation
# or refresh Salesforce appends ".<sandboxname>" to every copied username.
def production_username(sandbox_username, sandbox_name):
    username = sandbox_username.lower()
    suffix = "." + sandbox_name.lower()
    if username.endswith(suffix):
        return username[:-len(suffix)]
    return username


# Synchronize users with one sandbox
def sync_users_with_sandboxes(prod_users, sandbox_name, sandbox_conn, integration_username):
    # Id is required for the update call and is only returned when selected
    query = "SELECT Id, Username, IsActive FROM User"
    result = sandbox_conn.query_all(query)

    for user in result["records"]:
        # Never touch the account this script is logged in with
        if user["Username"].lower() == integration_username.lower():
            continue
        base_username = production_username(user["Username"], sandbox_name)
        if base_username in prod_users and user["IsActive"] != prod_users[base_username]:
            # Update user status to match Production
            sandbox_conn.User.update(user["Id"], {"IsActive": prod_users[base_username]})
            print(f"{user['Username']} updated in {sandbox_name} to IsActive = {prod_users[base_username]}")


# Main function
def main():
    # Connect to Production
    prod_conn = Salesforce(
        username=orgs["Production"]["username"],
        password=orgs["Production"]["password"],
        security_token=orgs["Production"]["security_token"]
    )
    prod_users = get_production_user_status(prod_conn)

    # Connect to each sandbox and sync users. Sandboxes authenticate against
    # test.salesforce.com, which simple_salesforce selects with domain="test".
    for sandbox in orgs["Sandboxes"]:
        sandbox_conn = Salesforce(
            username=sandbox["username"],
            password=sandbox["password"],
            security_token=sandbox["security_token"],
            domain="test"
        )
        sync_users_with_sandboxes(prod_users, sandbox["name"], sandbox_conn, sandbox["username"])


if __name__ == "__main__":
    main()
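Before letting a script deactivate accounts automatically, it is worth separating the comparison from the API calls so the planned changes can be reviewed and tested offline. The following is an added example, not code from the original post: it reimplements the username matching as a pure function, reports sandbox users with no Production counterpart for manual review, and protects the integration account. The sandbox name "dev1", the usernames and the record Ids are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    """One planned IsActive update for a sandbox user record."""
    user_id: str
    username: str
    is_active: bool


def to_production_username(sandbox_username, sandbox_name):
    """Strip the '.<sandboxname>' suffix Salesforce appends on refresh."""
    username = sandbox_username.lower()  # Salesforce usernames are case-insensitive
    suffix = "." + sandbox_name.lower()
    return username[:-len(suffix)] if username.endswith(suffix) else username


def plan_sandbox_changes(prod_status, sandbox_users, sandbox_name, integration_username):
    """Return (changes, orphans): updates needed to match Production, and
    sandbox usernames with no Production counterpart (review these by hand)."""
    changes, orphans = [], []
    for user in sandbox_users:
        if user["Username"].lower() == integration_username.lower():
            continue  # never deactivate the account running the sync
        base = to_production_username(user["Username"], sandbox_name)
        if base not in prod_status:
            orphans.append(user["Username"])
        elif user["IsActive"] != prod_status[base]:
            changes.append(Change(user["Id"], user["Username"], prod_status[base]))
    return changes, orphans


# Constructed sample data standing in for the query_all() results
PROD_STATUS = {
    "alice@example.com": True,
    "bob@example.com": False,   # left the company: deactivated in Production
    "carol@example.com": True,
}
SANDBOX_USERS = [  # hypothetical 15-character record Ids
    {"Id": "005000000000001", "Username": "alice@example.com.dev1", "IsActive": True},
    {"Id": "005000000000002", "Username": "Bob@example.com.dev1", "IsActive": True},
    {"Id": "005000000000003", "Username": "carol@example.com.dev1", "IsActive": False},
    {"Id": "005000000000004", "Username": "temp.contractor@example.com", "IsActive": True},
    {"Id": "005000000000005", "Username": "sync.bot@example.com.dev1", "IsActive": True},
]


def demo():
    return plan_sandbox_changes(PROD_STATUS, SANDBOX_USERS, "dev1", "sync.bot@example.com.dev1")
```

Running demo() plans Bob's deactivation and Carol's reactivation, leaves Alice alone, and lists the contractor account created directly in the sandbox as an orphan for an admin to review.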



Benefits of This Approach


  • Automated Synchronization: Ensures user access is consistent across Production and all sandboxes.

  • Customizable: Easily scalable to include more sandboxes or custom logic.

  • CI/CD Integration: Can be connected to pipelines on platforms like GitHub, GitLab, or Bitbucket for scheduled or on-demand execution.




Conclusion

Proactively managing user access in Salesforce sandboxes is critical for maintaining security and operational efficiency. While centralized access management systems can address this issue, a custom Python script offers a flexible and automated solution for environments lacking full synchronization.

By implementing this solution, you can ensure your sandboxes remain secure and free from outdated user access. Ready to streamline your Salesforce user management? Try the Python script today!


If you need assistance customizing this script for your organization or integrating it into your workflows, our team is here to help! Contact us today to discuss your specific requirements and let us streamline your Salesforce user management process.

