How to Manage Salesforce Licensing in Certero
Introduction
Certero's Salesforce connector retrieves your Salesforce organizations, license assignments, user activity, profiles, roles, objects, and Experience Cloud Sites via the Salesforce REST API. Unlike traditional on-premise software licensing where compliance is the primary concern, SaaS optimization is the focus: you are paying for subscriptions whether they are used or not.
This guide walks through the key tasks: configuring the connector, reviewing organizations and licenses, analyzing user activity, understanding profiles and roles, auditing objects, reviewing Experience Cloud Sites, and building optimization reports.
Before you start
Make sure you have:
Access to the Certero Unified Platform with the Salesforce module
A Salesforce user account with an email address and a profile that has API Enabled
Salesforce connection credentials: client ID, client secret, Salesforce username, password, and security token
A Connected App created in Salesforce using Certero's configuration requirements
An Active Directory Connector configured (recommended, for user matching)
Familiarity with Certero Essentials training concepts (dashboards, saved reports, scheduled reports, charts, trends)
1. Configure the Salesforce connector
Certero uses connectors to collect data from vendor APIs. The Salesforce connector uses a Connected App in your Salesforce environment to retrieve organization, license, user, profile, role, object, and Experience Cloud data.
Navigate to the Connectors area of the platform.
Create a new Salesforce connector.
The key setup steps are:
Create a Connected App in Salesforce using Certero's configuration requirements
Enter the client ID and client secret from the Connected App
Enter the Salesforce username, password, and security token
Configure scheduling for automated data collection using the platform's standard scheduling approach.
Save and run the connector to perform the initial data pull.
A detailed connector setup guide is published on the Certero Customer Center.
2. Navigate the Salesforce grids
After the connector collects data, navigate to the Salesforce area via the main menu. You can type "Salesforce" in the menu search box, or use the breadcrumbs along the top of the screen to identify your current location. The Salesforce module provides the following grids:
Grid | Purpose |
|---|
Grid | Purpose |
|---|---|
Organizations | View Salesforce orgs with data and API storage limits |
Packages | View installed packages across your Salesforce orgs |
Permission Sets | View permission set assignments |
Standard Licenses | View standard license types and consumption |
Users | View users with roles, profiles, last logon, and activity data |
Profiles | View custom and standard profiles and their access configurations |
Object Permissions | View object-level permissions assigned to profiles |
Objects | View custom and standard objects with record and size counts |
Roles | View the role hierarchy and inherited permissions |
Experience Cloud Sites | View Experience Cloud site activity and account access |
3. Review organizations
Each Salesforce org appears separately in the Organizations grid.
Navigate to the Organizations grid.
Review data and API limits for each org.
Drill down into an org to see detailed storage and limit information.
This grid helps you monitor consumption against your Salesforce data and API allowances, and identify orgs that are approaching their limits.
4. Review packages, permission sets, and standard licenses
These three grids provide visibility into your Salesforce entitlements and how they are consumed.
Packages
Salesforce packages are add-on applications, typically installed from the Salesforce AppExchange marketplace. In most enterprise environments, packages accumulate over time as teams install solutions for reporting, data enrichment, document generation, e-signatures, and other business needs. Each managed package may carry its own subscription cost, and many organizations lose track of which packages are installed, who is using them, and what they cost.
Why packages matter for cost management:
Hidden recurring costs — Managed packages from the AppExchange often have per-user or per-org subscription fees that renew annually. Without visibility, these costs go unreviewed at renewal time.
License sprawl — Some packages require their own user licenses in addition to your core Salesforce licenses, compounding your overall Salesforce spend.
Shelfware risk — Packages installed for a specific project or team may remain long after the need has passed, continuing to incur costs.
Duplication — Multiple packages may provide overlapping functionality (for example, two different document generation tools installed by different teams).
Types of packages you may see:
Package Type | Description | Cost Implication |
|---|
Package Type | Description | Cost Implication |
|---|---|---|
Managed packages | Commercial apps installed from the AppExchange marketplace, distributed and maintained by the vendor | Typically carry per-user or per-org subscription fees |
Unmanaged packages | Custom or open-source packages, often deployed internally or by consultants | No vendor subscription fees, but may have internal maintenance overhead |
How to review packages in Certero:
Navigate to the Packages grid.
Review all installed packages across your Salesforce orgs.
Add unit costs to each package to build a complete picture of your Salesforce spend — not just core licenses, but the full cost of your AppExchange ecosystem.
Once unit costs are populated, use Certero's reporting to see exactly how much you are spending on packages across the organization.
Cross-reference package presence with user activity to identify packages that are installed but underutilized.
Use the cost data to evaluate whether each package justifies its ongoing subscription at renewal time.
Tip: The AppExchange marketplace lists current pricing for managed packages. Compare the listed pricing against your agreement terms to verify you are on the correct plan. Certero's unit cost data combined with utilization visibility gives you the evidence you need to renegotiate, consolidate, or remove packages at renewal.
Permission sets
Navigate to the Permission Sets grid.
Review permission set assignments to understand which additional permissions users have beyond their profiles.
Standard licenses
Navigate to the Standard Licenses grid.
Review license types and their consumption.
Use the drill-downs to see which users are consuming each license type.
The primary optimization scenario across these grids is identifying licenses that are paid for but not actively used.
5. Analyze users
The Users grid is central to optimization. It shows users with their roles, profiles, and intelligence about their activity.
Navigate to the Users grid.
Review key user data including:
Role and profile assignments
Last Logon date — when the user last accessed Salesforce
Activity data — usage patterns and frequency
Filter to identify:
Users who have not logged in recently (candidates for license reclamation)
Users with non-utilization of Salesforce
Disabled or inactive users who still have licenses assigned
Cross-reference user activity with Active Directory data (if an AD Connector is configured) for a more complete picture of user status.
6. Review profiles and roles
Profiles
Navigate to the Profiles grid.
Track custom profiles and check they are correctly configured with the access permissions they need.
Use the filters to assess specific profile configurations.
Custom profiles are common in Salesforce environments. This grid helps you audit whether profiles have been created appropriately and are still in active use.
Roles
Navigate to the Roles grid.
Review the inherited permissions flow through the role hierarchy.
Understand which roles grant access to which data and records.
7. Review objects and object permissions
Objects
Navigate to the Objects grid.
Use the filters to distinguish between custom and standard objects.
Review record counts and size for each object.
Track custom-created objects to understand the extent of customization in your Salesforce environment.
Object permissions
Navigate to the Object Permissions grid.
Use the filters to assess specific object permissions assigned to profiles.
Review which profiles have create, read, update, and delete access to which objects.
This data is useful for Salesforce system administrators who need to audit and govern access across the environment.
8. Review Experience Cloud Sites
Experience Cloud Sites (formerly Community Cloud) are Salesforce's collaboration tool for external users and partners.
Navigate to the Experience Cloud Sites grid.
Review a high-level view of which accounts have been accessed the most.
Use the filters to view activity and last-viewed dates.
Establish which accounts are most active and which are legacy.
This grid is valuable for identifying legacy data — accounts and sites that are no longer actively used but may still be consuming licenses or resources.
9. Identify optimization opportunities
Based on the data across the Salesforce grids, focus on these key optimization scenarios:
Opportunity | Where to find it | Action |
|---|
Opportunity | Where to find it | Action |
|---|---|---|
Unused licenses | Standard Licenses grid > consumption data | Avoid purchasing more until surplus is consumed |
Inactive users | Users grid > Last Logon column | Investigate and reclaim licenses from users not logging in |
Non-utilization | Users grid > Activity data | Review users with no Salesforce activity |
Overspend on licenses | Standard Licenses grid > drill-down | Quantify waste and prioritize reclamation |
AppExchange package sprawl | Packages grid > unit costs | Review installed packages, add unit costs, and remove or consolidate packages that are unused, duplicated, or no longer justified |
Redundant custom profiles | Profiles grid > usage data | Consolidate profiles that serve the same purpose |
Legacy Experience Cloud accounts | Experience Cloud Sites grid > last-viewed dates | Decommission unused sites and accounts |
Data storage approaching limits | Organizations grid > data limits | Plan storage management before limits are reached |
Unused custom objects | Objects grid > record counts | Identify custom objects with zero or minimal records |
Every opportunity is a possibility until you have investigated and confirmed it based on your own organizational requirements and conditions.
10. Build reports and dashboards
Use the Certero platform's reporting capabilities to surface and track Salesforce optimization over time.
Dashboard ideas
Summary tiles: total users, license counts, organizations, Experience Cloud Sites
Optimization opportunity tiles: inactive users with active licenses, non-utilization counts, overspend amounts
Package cost tiles: total AppExchange spend, packages with highest unit costs, packages with lowest utilization
Charts: license consumption by type, user activity distribution, storage utilization by org
Trend charts showing growth of waste over time and remediation progress
Scheduled reports
Use the platform's scheduled report feature to email grid reports (filtered or unfiltered) as spreadsheet attachments on a recurring basis — for example, a monthly list of users who have not logged into Salesforce in the last 90 days.
Custom reports
Use the custom report builder to access related data types. Combine Salesforce data with Active Directory user data, installed software, and other Certero inventory for a complete view of user activity and entitlement.
Sharing dashboards
Save reports for key items and place them on an optimization dashboard. Dashboards can be exported as JSON files and imported into other environments.
Tips and common pitfalls
Focus on optimization, not compliance. SaaS subscriptions prevent over-consumption by design, but they do not prevent over-spending.
Do not forget AppExchange packages. Core Salesforce license costs are visible, but package subscription fees are often overlooked. Add unit costs to every package in Certero so your total Salesforce spend is accurate and reportable.
The Salesforce API requires a user with an email address and a profile that has API Enabled. Ensure this is configured before setting up the connector.
A Connected App must be created in Salesforce using Certero's specific configuration requirements. Follow the guide on the Certero Customer Center.
The Salesforce module provides much more than license counts. Use the Profiles, Roles, Objects, and Object Permissions grids to give Salesforce administrators governance visibility they may not have natively.
Review Experience Cloud Sites regularly. Legacy sites and accounts can accumulate over time and may still be consuming resources.
Combine multiple data points before reclaiming licenses. A user with no recent logon activity and a disabled AD account is a stronger signal than either data point alone.
Schedule regular reviews. SaaS waste accumulates over time as employees leave, change roles, or stop using Salesforce.
Review packages before each renewal cycle. Use Certero's unit cost data alongside the AppExchange marketplace pricing to ensure you are not overpaying or maintaining packages you no longer need.
Version History
Version | Date | Changes |
|---|
Version | Date | Changes |
|---|---|---|
1.1 | 2026-02-10 | Expanded packages section with AppExchange context, unit costs, and optimization guidance |
1.0 | 2026-02-10 | Initial version based on Certero for Cloud: Salesforce Training v4 |