Last week, our resident Salesforce expert, Rick Roesler, hosted a crash course on auditing profiles and permission sets in your Org. If you missed the webinar, you can check it out here.
In this post, we’re sharing a short video from the session demoing some of the ways you can dig deeper into your access controls — and prove compliance to auditors.
When Salesforce comes into the scope of an audit, your auditors will want to know who has the ability to view or edit what. Just as importantly, they will want to see that you know this. Fortunately, our free tool, Flashlight for Salesforce, includes an out-of-the-box report that does just that.
The “Object Permissions Grouped by Object” report is available for all Standard and Custom Objects in your Org. It breaks down every Profile and Permission Set that has access to that Object, so you can see which users can create, read, edit or delete records of it.
You can also find this information in Flashlight's Customization Records. For example, in the video below, Rick pulls up the Customization Record for Account (StandardObject), and shows you where to find a list of all Profiles and Permission Sets with access to it.
Then, we look at a Custom Field, in this case the CurrentGenerator(s) field, where we can see all Profiles and Permission Sets with Read or Edit access.
Flashlight’s automatic documentation makes this information easily accessible, giving you an audit-ready record of how your access controls are set up.
Workbench, a free tool available here, gives you another way of visualizing this data.
For one of our customers, Rick created a Workbook showing all Profiles and Permission Sets in your Org and allowing you to cross-reference them with all available User Permissions.
Here’s a screenshot of the report; instructions for generating it are available for download here:
What Else Can You Do?
One great thing about getting your profiles and permission sets audit-ready is that the information your auditors will want to see can also help you run consolidation projects — and make your next access review even faster and simpler.
As Rick explains, one great way to start this process is to look for Profiles and Permission Sets that have read access to the same Object. Another option is to identify Profiles with identical user permissions. Typically, these are both candidates for consolidation.
In highly regulated industries, such as pharma and finance, auditors may want to see Permission Set assignments at the field level. This may be necessary to demonstrate that personal information covered by HIPAA or PII regulations is only accessible to a small audience of users.
Fortunately, Flashlight’s Export tool makes it possible to perform this highly granular level of analysis. The Export tool can produce detailed documentation for every Profile or Permission Set, showing you all CRED (create, read, edit, delete) permissions, field permissions and user permissions, broken down by Standard and Custom Object.
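The two checks described above (finding Profiles and Permission Sets that read the same Object or carry identical permissions, and listing who can read or edit a single sensitive field) can be reproduced over an export of your own permission data. The script below is an added example written for this post; it is not Flashlight's code or Salesforce's. It assumes rows shaped like Salesforce's ObjectPermissions and FieldPermissions objects (ParentId is the owning Profile-backed PermissionSet or Permission Set) plus the boolean Permissions* user-permission flags on PermissionSet; every Id, label and field API name in it is constructed sample data, not taken from a real Org.

```python
"""Audit helpers over Salesforce-style permission rows (constructed sample data)."""
from collections import defaultdict

# ParentId -> label. Ids are constructed placeholders, not real Salesforce Ids.
# Profile permissions live on a PermissionSet with IsOwnedByProfile = true.
PARENTS = {
    "0PS_SALES": "Sales User (profile)",
    "0PS_SALES_CLONE": "Sales User Clone (profile)",
    "0PS_SUPPORT": "Support User (profile)",
    "0PS_AUDIT": "Audit Read Only (permission set)",
}

# Constructed rows shaped like ObjectPermissions:
# (ParentId, SobjectType, PermissionsCreate, PermissionsRead, PermissionsEdit, PermissionsDelete)
OBJECT_PERMISSIONS = [
    ("0PS_SALES", "Account", True, True, True, False),
    ("0PS_SALES", "Contact", True, True, True, False),
    ("0PS_SALES_CLONE", "Account", True, True, True, False),
    ("0PS_SALES_CLONE", "Contact", True, True, True, False),
    ("0PS_SUPPORT", "Account", False, True, True, False),
    ("0PS_SUPPORT", "Case", True, True, True, True),
    ("0PS_AUDIT", "Account", False, True, False, False),
]

# Constructed rows shaped like FieldPermissions:
# (ParentId, Field, PermissionsRead, PermissionsEdit)
FIELD_PERMISSIONS = [
    ("0PS_SALES", "Account.CurrentGenerators__c", True, True),
    ("0PS_SALES_CLONE", "Account.CurrentGenerators__c", True, True),
    ("0PS_SUPPORT", "Account.CurrentGenerators__c", True, False),
    ("0PS_AUDIT", "Account.CurrentGenerators__c", True, False),
    ("0PS_SALES", "Contact.SSN__c", True, True),  # constructed PII field
]

# Constructed user-permission flags per parent (the Permissions* columns on PermissionSet).
USER_PERMISSIONS = {
    "0PS_SALES": frozenset({"PermissionsApiEnabled"}),
    "0PS_SALES_CLONE": frozenset({"PermissionsApiEnabled"}),
    "0PS_SUPPORT": frozenset({"PermissionsApiEnabled", "PermissionsViewAllData"}),
    "0PS_AUDIT": frozenset(),
}

CRED = ("create", "read", "edit", "delete")


def permissions_by_object(rows=OBJECT_PERMISSIONS):
    """Group rows like an 'Object Permissions Grouped by Object' report:
    {SobjectType: {ParentId: {'create': bool, 'read': bool, 'edit': bool, 'delete': bool}}}."""
    out = defaultdict(dict)
    for parent, obj, *flags in rows:
        out[obj][parent] = dict(zip(CRED, flags))
    return dict(out)


def readers_of(obj, rows=OBJECT_PERMISSIONS):
    """Parents granting Read on one object; several hits are consolidation candidates."""
    return sorted(parent for parent, o, _c, read, _e, _d in rows if o == obj and read)


def consolidation_candidates(rows=OBJECT_PERMISSIONS, user_perms=USER_PERMISSIONS):
    """Group parents whose object CRED matrix and user permissions are identical.
    Returns a sorted list of groups (each a sorted list of ParentIds) with 2+ members."""
    by_parent = defaultdict(set)
    for parent, obj, *flags in rows:
        by_parent[parent].add((obj, tuple(flags)))
    for parent in user_perms:  # parents with user perms but no object rows still count
        by_parent.setdefault(parent, set())
    groups = defaultdict(list)
    for parent, objs in by_parent.items():
        signature = (frozenset(objs), user_perms.get(parent, frozenset()))
        groups[signature].append(parent)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def field_access(field, rows=FIELD_PERMISSIONS):
    """Who can read / edit a single field: the field-level view an auditor asks for."""
    read = sorted(parent for parent, f, r, _e in rows if f == field and r)
    edit = sorted(parent for parent, f, _r, e in rows if f == field and e)
    return {"read": read, "edit": edit}


if __name__ == "__main__":
    for obj, grants in permissions_by_object().items():
        print(obj, {PARENTS[p]: v for p, v in grants.items()})
    print("Account readers:", [PARENTS[p] for p in readers_of("Account")])
    print("Consolidation candidates:", consolidation_candidates())
    print("Contact.SSN__c:", field_access("Contact.SSN__c"))
```

Feeding this real data means exporting ObjectPermissions, FieldPermissions and PermissionSet rows (for example from Workbench) into the same tuple shapes; the signature used by consolidation_candidates deliberately ignores field permissions, so a pair it reports still needs a field-level comparison before the two are merged.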
If that wasn’t enough, you can also use the Export tool to see Apex class permissions and Visualforce page permissions, which can be helpful when troubleshooting user access issues.