How to Manage Salesforce Licensing in Certero
Introduction
Certero's Salesforce connector retrieves your Salesforce organisations, licence assignments, user activity, profiles, roles, objects, and Experience Cloud Sites via the Salesforce REST API. Unlike traditional on-premise software licensing, where compliance is the primary concern, the focus with SaaS is optimisation: you are paying for subscriptions whether they are used or not.
This guide walks through the key tasks: configuring the connector, reviewing organisations and licences, analysing user activity, understanding profiles and roles, auditing objects, reviewing Experience Cloud Sites, and building optimisation reports.
Before you start
Make sure you have:
Access to Certero with the CerteroX SaaS Management — Salesforce connector enabled
A Salesforce user account with an email address and a profile that has API Enabled
Salesforce connection credentials: client ID, client secret, Salesforce username, password, and security token
A Connected App created in Salesforce using Certero's configuration requirements
An Active Directory Connector configured (recommended, for user matching)
Familiarity with Certero Essentials concepts (dashboards, saved reports, scheduled reports, charts, trends)
1. Configure the Salesforce connector
Certero uses connectors to collect data from vendor APIs. The Salesforce connector uses a Connected App in your Salesforce environment to retrieve organisation, licence, user, profile, role, object, and Experience Cloud data.
Navigate to the Connectors area.
Create a new Salesforce connector.
The key setup steps are:
Create a Connected App in Salesforce using Certero's configuration requirements
Enter the client ID and client secret from the Connected App
Enter the Salesforce username, password, and security token
Configure scheduling for automated data collection.
Save and run the connector to perform the initial data pull.
A detailed connector setup guide is published on the Certero Customer Center.
2. Navigate the Salesforce grids
After the connector collects data, navigate to the Salesforce area via the main menu. You can type "Salesforce" in the menu search box, or use the breadcrumbs along the top of the screen to identify your current location. The Salesforce connector provides the following grids:
Grid | Purpose |
|---|---|
Organisations | View Salesforce orgs with data and API storage limits |
Packages | View installed packages across your Salesforce orgs |
Permission Sets | View permission set assignments |
Standard Licences | View standard licence types and consumption |
Users | View users with roles, profiles, last logon, and activity data |
Profiles | View custom and standard profiles and their access configurations |
Object Permissions | View object-level permissions assigned to profiles |
Objects | View custom and standard objects with record and size counts |
Roles | View the role hierarchy and inherited permissions |
Experience Cloud Sites | View Experience Cloud site activity and account access |
3. Review organisations
Each Salesforce org appears separately in the Organisations grid.
Navigate to the Organisations grid.
Review data and API limits for each org.
Drill down into an org to see detailed storage and limit information.
This grid helps you monitor consumption against your Salesforce data and API allowances, and identify orgs that are approaching their limits.
4. Review packages, permission sets, and standard licences
These three grids provide visibility into your Salesforce entitlements and how they are consumed.
Packages
Salesforce packages are add-on applications, typically installed from the Salesforce AppExchange marketplace. In most enterprise environments, packages accumulate over time as teams install solutions for reporting, data enrichment, document generation, e-signatures, and other business needs. Each managed package may carry its own subscription cost, and many organisations lose track of which packages are installed, who is using them, and what they cost.
Why packages matter for cost management:
Hidden recurring costs — managed packages from the AppExchange often have per-user or per-org subscription fees that renew annually. Without visibility, these costs go unreviewed at renewal time.
Licence sprawl — some packages require their own user licences in addition to your core Salesforce licences, compounding your overall Salesforce spend.
Shelfware risk — packages installed for a specific project or team may remain long after the need has passed, continuing to incur costs.
Duplication — multiple packages may provide overlapping functionality (for example, two different document generation tools installed by different teams).
Types of packages you may see:
Package Type | Description | Cost Implication |
|---|---|---|
Managed packages | Commercial apps installed from the AppExchange marketplace, distributed and maintained by the vendor | Typically carry per-user or per-org subscription fees |
Unmanaged packages | Custom or open-source packages, often deployed internally or by consultants | No vendor subscription fees, but may have internal maintenance overhead |
How to review packages in Certero:
Navigate to the Packages grid.
Review all installed packages across your Salesforce orgs.
Add unit costs to each package to build a complete picture of your Salesforce spend — not just core licences, but the full cost of your AppExchange ecosystem.
Once unit costs are populated, use Certero's reporting to see exactly how much you are spending on packages across the organisation.
Cross-reference package presence with user activity to identify packages that are installed but underutilised.
Use the cost data to evaluate whether each package justifies its ongoing subscription at renewal time.
Tip: The AppExchange marketplace lists current pricing for managed packages. Compare the listed pricing against your agreement terms to verify you are on the correct plan. Certero's unit cost data combined with utilisation visibility gives you the evidence you need to renegotiate, consolidate, or remove packages at renewal.
Permission sets
Navigate to the Permission Sets grid.
Review permission set assignments to understand which additional permissions users have beyond their profiles.
Standard licences
Navigate to the Standard Licences grid.
Review licence types and their consumption.
Use the drill-downs to see which users are consuming each licence type.
The primary optimisation scenario across these grids is identifying licences that are paid for but not actively used.
5. Analyse users
The Users grid is central to optimisation. It shows users with their roles, profiles, and intelligence about their activity.
Navigate to the Users grid.
Review key user data including:
Role and profile assignments
Last Logon date — when the user last accessed Salesforce
Activity data — usage patterns and frequency
Filter to identify:
Users who have not logged in recently (candidates for licence reclamation)
Users who show no utilisation of Salesforce
Disabled or inactive users who still have licences assigned
Cross-reference user activity with Active Directory data (if an AD Connector is configured) for a more complete picture of user status.
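One way to combine the signals listed above (last logon, Salesforce status, and AD status) into a ranked reclamation list, as an added example that is not Certero's code. The CSV column names and sample rows are constructed assumptions, not Certero's export schema, and the 90-day window is an illustrative threshold.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample rows; column names are assumptions, not Certero's export schema.
SAMPLE_EXPORT = """\
username,sf_active,licence,last_logon,ad_enabled
a.khan@example.com,true,Salesforce,2026-04-02,true
b.lee@example.com,true,Salesforce,2025-11-30,true
c.ortiz@example.com,true,Salesforce,2025-10-01,false
d.patel@example.com,false,Salesforce,2026-03-15,true
e.novak@example.com,true,Salesforce,,
f.moore@example.com,true,Salesforce,2026-04-10,false
"""

INACTIVE_DAYS = 90  # illustrative threshold (assumption); tune to your own policy

def classify(row, today):
    """Return (score, reasons) for one user row; a higher score is a stronger signal."""
    reasons = []
    if row["last_logon"]:
        idle = (today - datetime.strptime(row["last_logon"], "%Y-%m-%d").date()).days
        if idle > INACTIVE_DAYS:
            reasons.append(f"no logon for {idle} days")
    else:
        reasons.append("never logged on")
    if row["sf_active"].lower() != "true":
        reasons.append("inactive in Salesforce, licence still assigned")
    # An empty ad_enabled value means no AD match was found: unknown, not disabled.
    if row["ad_enabled"].lower() == "false":
        reasons.append("AD account disabled")
    return len(reasons), reasons

def reclamation_candidates(export_text, today):
    """Rank licensed users that show at least one signal, strongest first."""
    out = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["licence"]:
            continue  # no licence assigned, nothing to reclaim
        score, reasons = classify(row, today)
        if score:
            out.append((score, row["username"], reasons))
    return sorted(out, key=lambda c: (-c[0], c[1]))

if __name__ == "__main__":
    # Fixed date so the output is reproducible.
    for score, user, reasons in reclamation_candidates(SAMPLE_EXPORT, date(2026, 4, 21)):
        print(f"{score} {user}: {'; '.join(reasons)}")
```

A user with a disabled AD account but a recent Salesforce logon (the last sample row) still surfaces with a single signal, which is worth investigating separately from cost reclamation.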
6. Review profiles and roles
Profiles
Navigate to the Profiles grid.
Track custom profiles and check they are correctly configured with the access permissions they need.
Use the filters to assess specific profile configurations.
Custom profiles are common in Salesforce environments. This grid helps you audit whether profiles have been created appropriately and are still in active use.
Roles
Navigate to the Roles grid.
Review how inherited permissions flow through the role hierarchy.
Understand which roles grant access to which data and records.
7. Review objects and object permissions
Objects
Navigate to the Objects grid.
Use the filters to distinguish between custom and standard objects.
Review record counts and size for each object.
Track custom-created objects to understand the extent of customisation in your Salesforce environment.
Object permissions
Navigate to the Object Permissions grid.
Use the filters to assess specific object permissions assigned to profiles.
Review which profiles have create, read, update, and delete access to which objects.
This data is useful for Salesforce system administrators who need to audit and govern access across the environment.
8. Review Experience Cloud Sites
Experience Cloud Sites (formerly Community Cloud) are Salesforce's collaboration tool for external users and partners.
Navigate to the Experience Cloud Sites grid.
Review a high-level view of which accounts have been accessed the most.
Use the filters to view activity and last-viewed dates.
Establish which accounts are most active and which are legacy.
This grid is valuable for identifying legacy data — accounts and sites that are no longer actively used but may still be consuming licences or resources.
9. Identify optimisation opportunities
Based on the data across the Salesforce grids, focus on these key optimisation scenarios:
Opportunity | Where to find it | Action |
|---|---|---|
Unused licences | Standard Licences grid > consumption data | Avoid purchasing more until surplus is consumed |
Inactive users | Users grid > Last Logon column | Investigate and reclaim licences from users not logging in |
Non-utilisation | Users grid > Activity data | Review users with no Salesforce activity |
Overspend on licences | Standard Licences grid > drill-down | Quantify waste and prioritise reclamation |
AppExchange package sprawl | Packages grid > unit costs | Review installed packages, add unit costs, and remove or consolidate packages that are unused, duplicated, or no longer justified |
Redundant custom profiles | Profiles grid > usage data | Consolidate profiles that serve the same purpose |
Legacy Experience Cloud accounts | Experience Cloud Sites grid > last-viewed dates | Decommission unused sites and accounts |
Data storage approaching limits | Organisations grid > data limits | Plan storage management before limits are reached |
Unused custom objects | Objects grid > record counts | Identify custom objects with zero or minimal records |
Every opportunity is a possibility until you have investigated and confirmed it based on your own organisational requirements and conditions.
10. Build reports and dashboards
Use Certero's reporting capabilities to surface and track Salesforce optimisation over time.
Dashboard ideas
Summary tiles: total users, licence counts, organisations, Experience Cloud Sites
Optimisation opportunity tiles: inactive users with active licences, non-utilisation counts, overspend amounts
Package cost tiles: total AppExchange spend, packages with highest unit costs, packages with lowest utilisation
Charts: licence consumption by type, user activity distribution, storage utilisation by org
Trend charts showing growth of waste over time and remediation progress
Scheduled reports
Use the scheduled-report feature to email grid reports (filtered or unfiltered) as spreadsheet attachments on a recurring basis — for example, a monthly list of users who have not logged into Salesforce in the last 90 days.
Custom reports
Use the custom report builder to access related data types. Combine Salesforce data with Active Directory user data, installed software, and other Certero inventory for a complete view of user activity and entitlement.
Sharing dashboards
Save reports for key items and place them on an optimisation dashboard. Dashboards can be exported as JSON files and imported into other environments.
Tips and common pitfalls
Focus on optimisation, not compliance. SaaS subscriptions prevent over-consumption by design, but they do not prevent over-spending.
Do not forget AppExchange packages. Core Salesforce licence costs are visible, but package subscription fees are often overlooked. Add unit costs to every package in Certero so your total Salesforce spend is accurate and reportable.
The Salesforce API requires a user with an email address and a profile that has API Enabled. Ensure this is configured before setting up the connector.
A Connected App must be created in Salesforce using Certero's specific configuration requirements. Follow the guide on the Certero Customer Center.
The Salesforce connector provides much more than licence counts. Use the Profiles, Roles, Objects, and Object Permissions grids to give Salesforce administrators governance visibility they may not have natively.
Review Experience Cloud Sites regularly. Legacy sites and accounts can accumulate over time and may still be consuming resources.
Combine multiple data points before reclaiming licences. A user with no recent logon activity and a disabled AD account is a stronger signal than either data point alone.
Schedule regular reviews. SaaS waste accumulates over time as employees leave, change roles, or stop using Salesforce.
Review packages before each renewal cycle. Use Certero's unit cost data alongside the AppExchange marketplace pricing to ensure you are not overpaying or maintaining packages you no longer need.
Version History
Version | Date | Changes |
|---|---|---|
3.0 | 2026-04-21 | Retired "Certero Unified Platform" framing; "Certero for Cloud: Salesforce" replaced with CerteroX SaaS Management — Salesforce; "module" language updated to "connector" |
1.1 | 2026-02-10 | Expanded packages section with AppExchange context, unit costs, and optimisation guidance |
1.0 | 2026-02-10 | Initial version based on internal Salesforce training |