User
A User in Salesforce is a standard object that represents an individual login account in the org - every person who signs into Salesforce has exactly one User record.
Definition
A User in Salesforce is a standard object that represents an individual login account in the org - every person who signs into Salesforce has exactly one User record. The User object stores authentication and profile data including username, email, name, alias, time zone, locale, federation ID, and the assigned Profile that controls baseline permissions. Each User is also associated with a Role (for record sharing), one or more Permission Sets and Permission Set Groups (for additive access), a User License (which determines available features and pricing), and a manager (for hierarchy-based reporting and approvals). Users own records - almost every standard and custom object has an OwnerId field that references a User. Beyond standard logins, the User object also represents Customer Community Users, Partner Users, Guest Users, Site Users, Integration Users, and Automated Process Users, each tied to a specific User License type. Active User counts directly drive Salesforce billing, so admins must deactivate (not delete) departed users to free up licenses while preserving historical record ownership.
In plain English
“Every person who logs into Salesforce is a User - a record in the database with their name, email, login credentials, and what they're allowed to see and do. When a Salesforce admin "creates a new user," they're creating a User record. When someone leaves the company, the admin deactivates that User to free the license without losing their historical work.”
Worked example
A new sales rep, Maya, joins a company on her first Monday. The Salesforce admin opens Setup > Users > New User and creates Maya's record with username 'maya@acme.com', profile "Sales User", role "Western Region Rep", and permission set "Pardot User" added on top. Maya gets a welcome email with a one-time password link. After login, she sees the Sales Console app, can edit her own Accounts and Opportunities (per her profile), but can't see the European pipeline (per her role). Three years later when Maya transfers to marketing, the admin doesn't create a new User - they update her profile, role, and permission sets, preserving every Opportunity she ever owned and every email she ever logged.
Why User matters
The User object is unusual because it's both a standard sObject (queryable via SOQL, updatable via API, capable of having custom fields) and a security primitive that the platform itself depends on. Updates to User records run through extensive backend validation - license assignment, sharing recalculation, profile permission propagation - meaning bulk operations on Users are slow and have stricter governor limits than most objects. Apex code that needs to run as another user often uses System.runAs() in tests or sets a record's OwnerId rather than directly impersonating.
Deactivating a User (IsActive = false) is the correct way to remove access - Salesforce blocks hard deletion of User records that own data, since OwnerId references would break referential integrity. Deactivated Users free their license seat for reassignment, but their historical record ownership remains intact. Reactivating a User restores access without recreating the account. For role changes or department transfers, edit the existing User rather than creating a new one - this preserves the audit trail of every Activity, Case, and Opportunity they touched.
Beyond internal employees, the User object also represents external personas through different License types: Customer Community Plus Users, Partner Community Users, Guest Site Users (used by unauthenticated public visitors to Experience Cloud sites), Integration Users (typically a single dedicated User per external system), and Automated Process Users (system identity for Flow, Process Builder, and platform background jobs). Each carries different sharing implications, costs, and feature access - choosing the wrong license type for a use case is one of the most expensive misconfigurations in Salesforce.
How to create User
Creating Users is the most common admin task in any new Salesforce org. The form is short but the choices on it (License, Profile, Role) gate everything that user can do — get them right at create time and the rest is easy.
- Open Setup → Users → Users
Setup gear → in Quick Find type "Users" → Users (the second "Users" leaf, not Roles).
- Click New User
Top-right of the user list. To create more than one at once, use Add Multiple Users (limited to 10 at a time).
- Fill name, email, alias, username
Username must be unique across every Salesforce org in the world — convention is name@yourcompany.salesforce. Email is where the welcome and password-reset messages go.
- Pick a User License
Salesforce, Salesforce Platform, Identity, etc. License is locked once saved and dictates which Profiles are available. Pick before Profile.
- Pick a Profile (and optionally a Role)
Profile is the floor of permissions and tab access. Role drives the role-hierarchy sharing tree — optional, but required if you use Sharing Rules or Forecasting.
- Set Locale, Time Zone, Language, Email Encoding
These default to org defaults but each user can have their own. Wrong locale = wrong currency formatting and wrong fiscal-year reports.
- Save
On Save the user is created and a welcome email goes out (unless you unticked "Generate new password and notify user immediately"). The user must verify their identity on first login.
Required by the platform.
Required, 8 characters max. Auto-derived from First/Last — usually fine to leave.
Required and used for the welcome message. Username and Email are different fields.
Required and globally unique across all Salesforce orgs. Cannot be changed without freezing/replaying the user.
Required. Locked after Save.
Required. Drives permissions and tab access.
- Username must be globally unique across every Salesforce org. The convention is firstname.lastname@yourcompany.salesforce so you don't collide with someone else's org.
- License is locked after Save. To switch a user from Salesforce Platform to Salesforce, you have to deactivate them and recreate.
- Users can never be deleted — only deactivated. Deactivation frees up the license; the user record and all their data stay for audit.
How organizations use User
Provisions new employees through an SCIM/SAML integration with Okta - when HR adds someone to a Salesforce-eligible AD group, a User record is auto-created with the right profile, role, and permission sets. Termination flips IsActive to false within minutes of departure.
Maintains tens of thousands of Customer Community Plus Users for a self-service knowledge base - each portal login is a User record with a Customer Community license, contact-based sharing, and far lower per-seat cost than internal Salesforce licenses.
Runs a dedicated Integration User with a Salesforce Integration license whose connected app has API-only access. All ETL jobs, middleware calls, and outbound webhooks authenticate as this User, making API-driven changes easy to filter out of activity logs and audit reports.
Trust & references
Straight from the source - Salesforce's reference material on User.
- Users in Salesforce HelpSalesforce
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Discussion
Loading discussion…