Connected User
Definition
A Connected User in Salesforce refers to a user whose Salesforce account is linked to an external system or identity provider through a Connected App, OAuth token, or SSO configuration. Connected users have an active authentication session that allows an external application to access Salesforce on their behalf. Administrators can view and manage connected user sessions and revoke access as needed.
In plain English
“A Connected User is a Salesforce user whose account is linked to an external app through OAuth or single sign-on. The external app uses that user's authenticated session to access Salesforce on their behalf. Admins can see who's connected and revoke access if something looks off.”
Worked example
Dieppe Trading's IT director audits the org's Connected Users in Setup → Connected Apps OAuth Usage, a list of every user whose Salesforce account is currently linked to at least one external app via OAuth. She sees that 240 users are connected to Outlook Plugin (expected), 180 to Slack (expected), and 12 to "Bob's Lead Scoring Tool" (an old proof-of-concept she didn't know was still active). She revokes the 12 connections to Bob's Lead Scoring Tool in bulk; the Connected Users list now reflects only sanctioned integrations. The Connected User audit is how IT keeps the org's API surface clean as integrations come and go.
Why Connected User matters
A Connected User in Salesforce is a user whose Salesforce account has an active authentication connection to an external system, typically through a Connected App, OAuth flow, or single sign-on configuration. The connection means the external system holds an OAuth access token (and possibly a refresh token) tied to that user, which it uses to make API calls to Salesforce as that user. The user's record access, profile permissions, and sharing rules all apply to actions the external system takes through the connection.
Salesforce admins can view connected users and their active OAuth sessions through the Connected Apps OAuth Usage page in Setup. This page shows which Connected Apps each user has authorized, when the connection was last used, and gives admins the ability to revoke specific tokens. Token revocation is the standard response to a compromised user account or when an integration is being decommissioned. Monitoring Connected User activity is part of basic security hygiene, especially for orgs with many integrations or external-facing applications.
How organizations use Connected User
Reviews Connected User OAuth sessions monthly as part of their security audit. Any unfamiliar Connected Apps or unused tokens are revoked, and the audit findings inform whether new integrations need additional review.
Built an alert that fires when a high-privilege user authorizes a new Connected App. The alert lets the security team verify the new connection is expected before it can do significant damage.
Revoked all Connected User tokens for a former employee within minutes of their departure. The quick revocation prevented any external system from continuing to act under the departed user's identity.
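The periodic audit described above (unfamiliar Connected Apps and unused tokens), sketched as an added example that is not part of the original page and is not Salesforce code. The record layout, the allowlist, the 90-day window, and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumptions for this sketch: the allowlist and the 90-day staleness window.
SANCTIONED_APPS = {"Outlook Plugin", "Slack"}
STALE_AFTER_DAYS = 90

# Constructed sample rows: user, connected app, date the token was last used.
SAMPLE_TOKENS = [
    {"user": "a.martin", "app": "Outlook Plugin", "last_used": date(2024, 5, 28)},
    {"user": "a.martin", "app": "Slack", "last_used": date(2024, 5, 30)},
    {"user": "j.roy", "app": "Slack", "last_used": date(2024, 1, 10)},
    {"user": "j.roy", "app": "Bob's Lead Scoring Tool", "last_used": date(2023, 11, 2)},
    {"user": "l.petit", "app": "Bob's Lead Scoring Tool", "last_used": date(2024, 5, 29)},
]


def audit_connected_users(tokens, today, sanctioned=SANCTIONED_APPS,
                          stale_after_days=STALE_AFTER_DAYS):
    """Return per-app connected-user counts and the tokens to review for revocation."""
    users_per_app = defaultdict(set)
    findings = []
    for tok in tokens:
        users_per_app[tok["app"]].add(tok["user"])
        reasons = []
        if tok["app"] not in sanctioned:
            reasons.append("unsanctioned app")
        if (today - tok["last_used"]).days > stale_after_days:
            reasons.append("unused token")
        if reasons:
            findings.append((tok["user"], tok["app"], reasons))
    counts = {app: len(users) for app, users in users_per_app.items()}
    return counts, findings


if __name__ == "__main__":
    counts, findings = audit_connected_users(SAMPLE_TOKENS, today=date(2024, 6, 1))
    for app, n in sorted(counts.items()):
        print(f"{app}: {n} connected user(s)")
    for user, app, reasons in findings:
        print(f"REVIEW {user} -> {app}: {', '.join(reasons)}")
```

A token on a sanctioned app can still be flagged when it has gone unused, which is why the two checks are independent rather than an either/or.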
Test your knowledge
Q1. What is a Connected User?
Q2. Where do admins manage Connected User sessions?
Q3. When should you revoke a Connected User's tokens?