Salesforce – Indirect Access


The concept of indirect access has been on everyone’s lips in the past year and has created a lot of confusion in the SAM market, especially after SAP’s famous lawsuits against some of its customers who failed to comply with their contractual agreements.

Let’s look at Salesforce’s view on the topic and what you can do to stay safe.

According to Salesforce’s Master Subscription Agreement, a “Customer will not [..] (g) permit direct or indirect access to or use of any Services or Content in a way that circumvents a contractual usage limit [..]”. You can find this information under the Usage Restrictions terms.

The above clause is quite vague and does not clearly explain what kind of indirect access may generate a compliance issue. There are several indirect access sources that Salesforce considers:

  • generic accounts
  • using Salesforce as a database for in-house developed custom apps or websites
  • integrations with third-party applications

Generic accounts

Through a generic account, multiple individuals may be provided access to an application. For example, you may have a customer support user account registered in Salesforce under a generic name. Let’s say that two or more individuals are sharing the credentials of this generic account to access the Salesforce platform.

Though other vendors might allow such use, as long as all the individuals behind the generic account are licensed, Salesforce’s policies clearly forbid it. You are required to strictly manage users’ access by ensuring that each individual has their own account and that login credentials are not shared among multiple users.

Salesforce as a Database

Customers can use Salesforce as a database to support different custom applications or sites. Any users who log in to those custom apps or sites must be licensed for Salesforce as well. Usually, these users must have one of the several Platform or Communities licenses.

As in the situation above, using generic accounts to give multiple individuals access to the custom apps or sites that use the Salesforce database is also seen as a major compliance issue, which will trigger the vendor’s attention.

Salesforce integrations

When it comes to integrations with other applications, Salesforce is well known for its technology stack, which allows the integration and synchronization of multiple data sources, from both on-premises and cloud applications, into one platform. Naturally, most companies will have such integrations implemented.

But how well do they manage and monitor all the users who are indirectly making use of Salesforce data? It’s very easy to lose track of all the licensing requirements if the indirect usage implications are not proactively monitored and controlled.

From a licensing perspective, any individuals making use of Salesforce through a different application should also be licensed for the Salesforce application that participates in the data transfer. Otherwise, Salesforce might apply retroactive charges to cover the unlicensed usage generated.

Conclusion

Though Salesforce may not be very active right now in terms of audits, indirect usage is something that may quickly become a serious pain point if they decide to assess your software usage. Here are only a few questions that you may want to ask yourself:

  • Are there any generic accounts authorized to access your Salesforce applications?
  • Are there any integrations of Salesforce with third-party applications (such as SAP, Oracle, Workday, etc.)?
  • What is the purpose of the integration?
  • How is the data exchanged from Salesforce to the integrated application and vice versa?
  • How is the Salesforce data processed in the third-party application?

If you’re not sure how to answer the questions or have any concerns related to your Salesforce usage, send us an email and we’ll take it from there.