The concept of indirect access was on everyone’s lips in the past year and created a lot of confusion in the SAM market, especially after SAP’s famous lawsuits against some of its customers who failed to comply with their contractual agreements.
Let’s look at Salesforce’s view on the topic and what you can do to stay safe.
According to Salesforce’s Master Subscription Agreement, a “Customer will not [..] (g) permit direct or indirect access to or use of any Services or Content in a way that circumvents a contractual usage limit [..]”.
You can find this information under the Usage Restrictions terms.
The above clause is quite vague and does not clearly explain what kind of indirect access may generate a compliance issue. There are several indirect access sources that Salesforce considers:
using Salesforce as a database for in-house developed custom apps or websites
integrations with third-party applications
Through a generic account, multiple individuals may be provided access to an application. For example, you may have a customer support user account registered in Salesforce under a generic name. Let’s say that two or more individuals are sharing the credentials of this generic account to access the Salesforce platform.
Though other vendors might allow such use, as long as all the individuals behind the generic account are licensed, Salesforce’s policies clearly forbid it. You are required to strictly manage users’ access by ensuring that each individual has their own account and that login credentials are not shared among multiple users.
Salesforce as a Database
Customers can use Salesforce as a database to support different custom applications or sites. Any users who log into these custom apps or sites must be licensed for Salesforce as well. Usually, these users must have one of the various Platform or Communities licenses.
As in the situation above, using generic accounts to give multiple individuals access to the custom apps or sites that use the Salesforce database is also seen as a major compliance issue, which will trigger the vendor’s attention.
When it comes to integrations with other applications, Salesforce is well known for its technology stack, which allows the integration and synchronization of multiple data sources, from both on-premises and cloud applications, into one platform. Naturally, most companies will have such integrations implemented.
But how well do they manage and monitor all the users who are indirectly making use of Salesforce data? It’s very easy to lose track of all the licensing requirements if the indirect usage implications are not proactively monitored and controlled.
From a licensing perspective, any individuals making use of Salesforce through a different application should also be licensed for the Salesforce application that participates in the data transfer. Otherwise, Salesforce might apply retroactive charges to cover the unlicensed usage generated.
Though Salesforce may not be very active right now in terms of audits, indirect usage is something that may quickly become a serious pain point if they decide to assess your software usage. Here are just a few questions that you may want to ask yourself:
Are there any generic accounts authorized to access your Salesforce applications?
Are there any integrations of Salesforce with third-party applications (such as SAP, Oracle, Workday, etc.)?
What is the purpose of the integration?
How is the data exchanged from Salesforce to the integrated application and vice versa?
How is the Salesforce data processed in the third-party application?
If you’re not sure how to answer the questions or have any concerns related to your Salesforce usage, get in touch and we’ll help you with it!