
See every Salesforce connected app, integration user, and the scope they hold before one goes out of control

Quick Summary: Salesforce connected apps and integration users accumulate permissions that outlast their original purpose — and most organizations have no complete picture of what scope each one holds. Oleria, an AI-native identity security & governance platform, surfaces every Salesforce connected app, integration user, and their full permission scope in one inventory.

Outcome

Your Salesforce org holds your revenue data - and the connected apps and integration users that touch it are scattered across four separate admin panes, inventoried once a year if you're lucky. Attackers don't wait for your annual audit.

The reality

Salesforce's connected app and integration user model is rich and hard to navigate. Connected apps come from the AppExchange, from custom OAuth integrations, and from Salesforce-to-Salesforce trust. Each surface is governed in a different admin pane.

Most Salesforce environments accumulate hundreds of connected apps over a few years. The admin who originally installed an app and granted consent has moved on. The integration user that the Sales Ops team set up has admin scope nobody remembers approving. The AppExchange app someone trialed in 2022 still has Read All Data scope. The Salesforce admin console gives you the raw data - the work is joining those four surfaces into one queue your team can drive to zero, and keeping it current.

What you get with Oleria

One Salesforce Connected App Security Inventory across all four admin surfaces. Connected apps, integration users, named credentials, auth providers - unified into a single queryable graph instead of four separate panes.

Actual permission scope per integration user. Per integration user: which permission sets, which profiles, and what access they can actually exercise - not just what was granted at creation.

Sensitive object exposure flagged automatically. Connected apps and integration users that touch high-value objects (Account, Contact, Opportunity, custom PII objects) are surfaced by blast radius so you know where a breach would hurt most.

Last-used data to find dormant integrations. Login history surfaces integration users that haven't been active in 30, 60, or 90 days - ready for cleanup without manual cross-referencing.

What Oleria delivers

The Salesforce Connected App Security Inventory unifies every connected app, integration user, and OAuth scope into one audit-ready view — no cross-referencing four admin panes.

Outcomes at a glance

  • Salesforce NHI (non-human identity) inventory: four admin panes unified
  • Integration user scope: actual, not just granted
  • Dormant integrations: last-used surfaced

How it works

  1. Connect
    Salesforce OAuth or API access via connected app.
  2. Ask
    Query connected apps unused in 90 days or integration users with Read All Data scope.
  3. Review
    Sort by sensitivity, last-used, or scope.
  4. Act
    Revoke, reassign owner, or queue for review.

What good looks like

  • Before: four admin panes, no cross-reference, annual spot-checks. After: a single continuously refreshed inventory with every connected app, integration user, and their scope in one view.
  • Quarterly review of connected apps with sensitive scope, with named owners on record.
  • Dormant integration users (90+ days unused) at zero, sustained - not discovered during an incident.
  • Audit-ready evidence per Salesforce environment, mapped to your compliance frameworks, available on demand rather than assembled under pressure.

Know exactly what has access to your CRM data — before an incident forces the question.

Discover every Salesforce connected app, integration user, and OAuth scope with named owners in minutes. Oleria, an AI-native identity security & governance platform, gives your team the inventory they need to govern Salesforce at the same rigor as cloud IAM.

Frequently Asked Questions

Do you cover both production and sandbox orgs?

Yes. Connect each org you want governed. Sandbox orgs often have stale connected apps from real-world testing - worth governing.

Do you cover Marketing Cloud?

Marketing Cloud is a separate connector with its own NHI surface.

How does this differ from what the Salesforce Admin Console already shows?

The console shows raw components across four different panes with no cross-reference. Oleria normalizes all four into one queryable inventory, computes actual permission scope per integration user (not just what was granted), and surfaces dormancy signals the console doesn't pre-compute. The console is a reference; Oleria is the operating model.

Does this cover integration users created by managed packages?

Yes - integration users created by AppExchange installs and managed packages surface in the same inventory as manually created ones. Those are often the least-governed because nobody remembers installing the original package.

What about Named Credentials and auth providers?

Named Credentials and auth providers are part of the Salesforce NHI surface and included in the inventory. They represent credential configuration that can be exploited without a direct login - worth governing with the same rigor as integration users.