Anyone know of a clever way to disable users who’ve left the company in all Orgs? In our particular case, one Production with several Sandboxes.
The closest I can come up with is to perhaps grab their UserID and set Active to False (essentially) to each Org using Excel Connection (which I use regularly) or Data Loader (blah).
I searched around and saw nothing about this. Seems like something “everyone” would want to do at the Administration level, as people leave the company and have a valid login in one Production, seven Sandboxes, and some Admins may only disable their user in Production…
Restrict by IP
Profile restrictions can prevent the user from logging in through remote locations, and this setting copies on Sandbox refreshes. Very simple procedure to kick them off your network, and they’ll be unable to log in.
Force Single Sign On
If SSO is enabled, and forced through My Domain, you can stop them from logging in through test.salesforce.com. There’s a small amount of work required to configure ADFS and Salesforce whenever you refresh a Sandbox, but it’s only a few minutes of effort for peace of mind.
If you’re using delegated authentication, salesforce.com calls a webservice of your choosing to authenticate users. If this webservice is tied, for example, to Active Directory, simply shutting off their network access also eliminates their salesforce.com access simultaneously – their license will be active, but they can’t actually log in.
Similarly, you could build a tool to freeze a user across many orgs all at once. For larger orgs where this may be a fairly common occurrence, it would probably be worth investing resources into, especially if it’s less expensive than the alternative (data leaks, legal liability, etc).
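The "freeze a user across many orgs" tool suggested in the answer above, sketched as an added example (not code from the original post or from Salesforce). It uses the REST API's UserLogin object and its IsFrozen field; the org dictionary keys (`name`, `instance_url`, `token`, `sandbox`), the API version, pre-obtained access tokens, and the default `<username>.<sandbox>` naming for sandbox users are assumptions.

```python
import json
import urllib.request
from urllib.parse import quote

API = "/services/data/v58.0"  # assumed API version; UserLogin exists from v29.0

def soql_literal(value):
    """Escape a value for use inside a single-quoted SOQL string."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def org_username(prod_username, sandbox=None):
    """Assumption: sandbox users keep the default '<username>.<sandbox>' name."""
    return f"{prod_username}.{sandbox}" if sandbox else prod_username

def http_send(method, url, token, body):
    """Real transport: one authenticated REST call, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}  # PATCH answers 204 with no body

def freeze_in_org(org, prod_username, send=http_send):
    """Return 'frozen', 'already_frozen' or 'not_found' for one org."""
    base = org["instance_url"] + API
    def query(soql):
        return send("GET", f"{base}/query?q={quote(soql)}", org["token"], None)["records"]
    name = soql_literal(org_username(prod_username, org.get("sandbox")))
    users = query(f"SELECT Id FROM User WHERE Username = '{name}'")
    if not users:
        return "not_found"
    logins = query(f"SELECT Id, IsFrozen FROM UserLogin WHERE UserId = '{users[0]['Id']}'")
    if not logins:
        return "not_found"
    if logins[0]["IsFrozen"]:
        return "already_frozen"
    send("PATCH", f"{base}/sobjects/UserLogin/{logins[0]['Id']}", org["token"], {"IsFrozen": True})
    return "frozen"

def freeze_everywhere(orgs, prod_username, send=http_send):
    """Try every org; an unreachable org is reported, not allowed to stop the run."""
    results = {}
    for org in orgs:
        try:
            results[org["name"]] = freeze_in_org(org, prod_username, send)
        except Exception as exc:
            results[org["name"]] = f"error: {exc}"
    return results
```

Any org reported as `not_found` or `error` still needs a manual check, since the user may have been renamed there or the org may have been unreachable at the time.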