Skip to content

hardis:org:diagnose:unusedlicenses

Description

Command Behavior

Detects and suggests the deletion of unused Permission Set License Assignments in a Salesforce org.

When a Permission Set (PS) linked to a Permission Set License (PSL) is assigned to a user, a Permission Set License Assignment (PSLA) is automatically created. However, when that PS is unassigned from the user, the PSLA is not automatically deleted. This can lead to organizations being charged for unused PSLAs, representing a hidden cost and technical debt.

This command identifies such useless PSLAs and provides options to delete them, helping to optimize license usage and reduce unnecessary expenses.

Key functionalities:

  • PSLA Detection: Queries the Salesforce org to find all active PSLAs.
  • Usage Verification: Correlates PSLAs with actual Permission Set Assignments and Permission Set Group Assignments to determine if the underlying Permission Sets are still assigned to the user.
  • Special Case Handling: Accounts for specific scenarios where profiles might implicitly assign PSLAs (e.g., Salesforce API Only profile assigning SalesforceAPIIntegrationPsl) and allows for always excluding certain PSLAs from the unused check.
  • Reporting: Generates a CSV report of all identified unused PSLAs, including the user and the associated Permission Set License.
  • Notifications: Sends notifications to configured channels (Grafana, Slack, MS Teams) with a summary of unused PSLAs.
  • Interactive Deletion: In non-CI environments, it offers an interactive prompt to bulk delete the identified unused PSLAs.

Many thanks to Vincent Finet for the inspiration during his great speaker session at French Touch Dreamin '23, and his kind agreement for reusing such inspiration in this command :)

This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.

Technical explanations

The command's technical implementation involves extensive querying of Salesforce objects and data correlation:

  • SOQL Queries (Bulk API): It uses bulkQuery and bulkQueryChunksIn to efficiently retrieve large volumes of data from PermissionSetLicenseAssign, PermissionSetLicense, PermissionSet, PermissionSetGroupComponent, and PermissionSetAssignment objects.
  • Data Correlation: It meticulously correlates data across these objects to determine if a PermissionSetLicenseAssign record has a corresponding active assignment to a Permission Set or Permission Set Group for the same user.
  • Filtering Logic: It applies complex filtering logic to exclude PSLAs that are genuinely in use or are part of predefined exceptions (e.g., alwaysExcludeForActiveUsersPermissionSetLicenses).
  • Bulk Deletion: If the user opts to delete unused PSLAs, it uses bulkUpdate with the delete operation to efficiently remove multiple records.
  • Report Generation: It uses generateCsvFile to create the CSV report of unused PSLAs.
  • Notification Integration: It integrates with the NotifProvider to send notifications, including attachments of the generated CSV report and metrics for monitoring dashboards.
  • User Interaction: Uses prompts for interactive confirmation before performing deletion operations.

Parameters

Name Type Description Default Required Options
debug
-d
boolean Activate debug mode (more logs)
flags-dir option undefined
json boolean Format output as json.
outputfile
-f
option Force the path and name of output report file. Must end with .csv
skipauth boolean Skip authentication check when a default username is required
target-org
-o
option undefined
websocket option Websocket host:port for VsCode SFDX Hardis UI integration

Examples

$ sf hardis:org:diagnose:unusedlicenses
$ sf hardis:org:diagnose:unusedlicenses --fix