Salesforce Access Controls: Best Practices for Managing Risk

The first step in managing security risks in Salesforce is to control who has access to what.

Access in Salesforce is complex — who can see and do what is governed by a mix of profiles, permission sets, roles and sharing settings. Organizations that experience rapid growth or change are likely to have security weaknesses they're not aware of.

Fortunately, there are several free and low-cost tools for auditing access in Salesforce. Start with our eBook on the best practices for managing risk around Salesforce access controls. Then, start exploring some of the free, easy ways to perform a self-serve access audit, or reach out to our team to explore our enterprise-grade solutions. 

Three Easy Ways to Audit Salesforce Access

What do you want to do?

Get a high-level overview of who has access to what

In a mature Org, there can be thousands of potential combinations of roles, permission sets, profiles and related settings governing access to critical data. Netwrix's Flashlight, a free download, gives you out-of-the-box reporting that shows how your access controls are configured today and alerts you to things that can be deprecated or that could pose a security risk.



Drill down to field-level permissions

Access in Salesforce is so customizable that in order to get a full assessment of where data security risks lie, you may need to drill down to the field level. A permission set that looks harmless may inadvertently permit a user to view sensitive financial data, for example. Flashlight includes a handy export tool for getting granular and checking existing profiles, permission sets and users for any red flags. 

Migrate profiles to permission sets

Salesforce's recommended best practice is to use permission sets and permission set groups to grant access to various tasks, Objects, managed packages, etc. Compared to using profiles — the old way of doing this — this approach makes managing data security around user access much simpler. Getting there, however, requires some work. We've put together a short guide to doing this efficiently, with links to some free resources that can help.

Salesforce Access Controls: What should you be concerned about?

Admin Access

How many users in your Org have Admin privileges? What controls are in place for tracking Admin assignments? Are there other profiles that grant similar access?

The Admin profile comes with broad powers to create and update users, profiles and permissions; to 'Modify All' Objects; and to export all Salesforce data. It should be used only by a select group of users who are known and trusted to set up your Org. Be on the lookout, also, for 'Phantom Admins' — users who've been granted ModifyAll privileges via a permission set or permission set group.
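An added example (not Netwrix's or Salesforce's code) of the 'Phantom Admin' check described above: it scans rows shaped like a PermissionSetAssignment query result and reports active users who hold Modify All Data through a permission set or permission set group rather than their profile. The sample rows, the flattened key names and the approved-admin list are constructed for illustration, and it assumes a group assignment appears as a row with PermissionSetGroupId set.

```python
from collections import defaultdict

# SOQL that yields rows of this shape (standard PermissionSetAssignment fields):
#   SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Label,
#          PermissionSet.IsOwnedByProfile, PermissionSet.PermissionsModifyAllData,
#          PermissionSetGroupId
#   FROM PermissionSetAssignment
# Constructed sample rows, flattened to plain dicts (key names are assumptions).
ROWS = [
    {"user": "admin@example.com", "active": True, "label": "System Administrator",
     "profile_owned": True, "modify_all_data": True, "group_id": None},
    {"user": "ops@example.com", "active": True, "label": "Standard User",
     "profile_owned": True, "modify_all_data": False, "group_id": None},
    {"user": "ops@example.com", "active": True, "label": "Data Fix Temp",
     "profile_owned": False, "modify_all_data": True, "group_id": None},
    {"user": "sales@example.com", "active": True, "label": "Sales Ops Bundle",
     "profile_owned": False, "modify_all_data": True, "group_id": "0PG000000000001"},
    {"user": "former@example.com", "active": False, "label": "Data Fix Temp",
     "profile_owned": False, "modify_all_data": True, "group_id": None},
    {"user": "sales@example.com", "active": True, "label": "Report Viewer",
     "profile_owned": False, "modify_all_data": False, "group_id": None},
]

def grant_source(row):
    """Classify how a permission reaches the user: profile, set, or group."""
    if row["profile_owned"]:
        return "profile"
    return "permission set group" if row["group_id"] else "permission set"

def find_phantom_admins(rows, approved_admins=frozenset()):
    """Return {username: [(source, label), ...]} for active users who hold
    Modify All Data through something other than their profile and who are
    not on the approved admin list."""
    findings = defaultdict(list)
    for row in rows:
        if not (row["active"] and row["modify_all_data"]):
            continue  # skip inactive users and rows that grant nothing broad
        source = grant_source(row)
        if source != "profile" and row["user"] not in approved_admins:
            findings[row["user"]].append((source, row["label"]))
    return {user: sorted(grants) for user, grants in sorted(findings.items())}

if __name__ == "__main__":
    for user, grants in find_phantom_admins(ROWS).items():
        for source, label in grants:
            print(f"{user}: Modify All Data via {source} '{label}'")
```
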

Permission Set Groups

How do you organize and manage permissions for different users/roles? How do you make sure users have access to the data they need — and nothing they don't or shouldn't see?

Salesforce recommends maintaining a small, manageable number of profiles, giving users broad, but limited, access, and using permission sets to expand and customize what different employees can do and see. From there, organizing permission sets into groups will simplify user onboarding, reduce technical debt and ensure new hires have the appropriate privileges necessary to do their jobs.

Role Hierarchies

What are your default internal sharing settings for sensitive records? Are role hierarchies and sharing settings inadvertently giving users access to data they shouldn't be able to see?

Salesforce uses profiles and permission sets to manage what users can do, and roles and sharing settings to manage what users can see. Out of the box, record sharing settings are restrictive, but role hierarchies and sharing rules can circumvent these defaults. While this feature is incredibly useful, it can introduce vulnerability if it isn't set up properly.

CPQ and Revenue Cloud

Who has access to quoting and billing functions? How are you tracking this access? Who has the authority to make changes that could affect financial forecasting?

CPQ and Revenue Cloud are unique among Salesforce apps in that changes to them can affect revenue recognition and financial reporting. For this reason, access should be more tightly restricted — particularly the ability to edit pricing, discount and similar fields, which play a critical role in the order-to-cash process.

Tracking and Approvals

Who signs off on high-risk permission changes? Can you look back and see how access has changed in your Org over time? What are your first steps for investigating problems when they arise?


Having an in-the-moment snapshot of your access controls is important — but it's even more important to see how things change over time. Building out a system for reviewing and approving changes — especially for high-risk permissions like Admin access — will make your Org more secure, and give you a system for troubleshooting access issues more effectively. 

Offboarding

What processes do you have in place to offboard former users/staff? How do you ensure that employees who are no longer with the organization can't access their old account?

It's very easy to forget to de-provision access when responsibilities change. This isn't limited to people leaving the company — an employee may need temporary access to fill in for a sick co-worker, for example. Having a process in place for offboarding is critical to making sure everyone has the access they need, and not more.


Make Access Management in Salesforce Easy

We'd be happy to provide a quick consultation and give you a sense of the overall security and effectiveness of your access controls. Get in touch to book time with a member of our team at your convenience. 

© 2024 Netwrix Corporation

Privacy Policy | EU Privacy Policy | EULA

Corporate Headquarters : 6160 Warren Parkway, Suite 100 Frisco, TX, US 75034 | France : +33 9 75 18 11 19
