Salesforce Access Controls: Best Practices for Managing Risk
The first step in managing security risks in Salesforce is to control who has access to what.
Unfortunately, access in Salesforce is complex — who can see and do what is governed by a mix of profiles, permission sets, roles and sharing settings. Organizations that experience rapid growth or change are likely to have security weaknesses they're not aware of.
Fortunately, there are several free and low-cost tools for auditing access in Salesforce. Start with our ebook on the best practices for managing risk around Salesforce access controls. Then, start exploring some of the free, easy ways to perform a self-serve access audit, or reach out to our team to explore our enterprise-grade solutions.
Free, Easy Ways to Audit Access in Salesforce
What do you want to do?
In a mature Org, there can be thousands of potential combinations of roles, permission sets, profiles and related settings governing access to critical data. Flashlight, a free download, gives you out-of-the-box reporting that shows how your access controls are configured today, and alerts you to settings that can be deprecated or that could pose a security risk.
Watch a demo, then download Flashlight here:
Access in Salesforce is so customizable that a full assessment of where data security risks lie may require drilling down to the field level. A permission set that looks harmless may, through its field-level security settings, let a user view sensitive financial data, for example. Flashlight includes an export tool for getting granular and checking existing profiles, permission sets and users for red flags.
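The field-level drill-down described above can also be done by hand against an export of two real Salesforce setup objects, FieldPermissions and PermissionSetAssignment. The following script is an added example (not Flashlight's code and not Salesforce's); the SOQL strings are real, but the permission set names, usernames, IDs and the custom field Quote__c.Discount__c are constructed to stand in for an export from your own Org.

```python
"""Field-level access audit over an exported Salesforce permission model.

Added example; not Flashlight's code or Salesforce's. It reads two real setup
objects, FieldPermissions and PermissionSetAssignment, exported with the SOQL
below (Workbench, Data Loader or the REST API all work). The rows embedded
here are constructed to look like such an export.
"""

# Real SOQL. FieldPermissions rows exist only where access is granted, so a
# missing row means no access; Field values have the form 'Object.Field'.
FIELD_PERMS_SOQL = (
    "SELECT ParentId, Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name, "
    "SobjectType, Field, PermissionsRead, PermissionsEdit FROM FieldPermissions"
)
ASSIGNMENTS_SOQL = (
    "SELECT PermissionSetId, Assignee.Username, Assignee.IsActive "
    "FROM PermissionSetAssignment"
)

# Fields whose exposure is a red flag. Opportunity.Amount is a standard field;
# Quote__c.Discount__c is an assumed custom field standing in for pricing data.
SENSITIVE_FIELDS = {"Opportunity.Amount", "Quote__c.Discount__c"}
ADMIN_PROFILE = "System Administrator"

# Constructed export rows. Relationship fields (Parent.Name etc.) are flattened.
# Profile-owned permission sets carry an auto-generated Name; report the profile.
FIELD_PERMS = [
    {"ParentId": "0PS1", "ParentName": "Sales_Rep", "IsOwnedByProfile": False,
     "ProfileName": None, "Field": "Opportunity.Amount",
     "PermissionsRead": True, "PermissionsEdit": False},
    {"ParentId": "0PS2", "ParentName": "Support_Tools", "IsOwnedByProfile": False,
     "ProfileName": None, "Field": "Quote__c.Discount__c",
     "PermissionsRead": True, "PermissionsEdit": True},   # edit implies read
    {"ParentId": "0PS2", "ParentName": "Support_Tools", "IsOwnedByProfile": False,
     "ProfileName": None, "Field": "Account.Phone",
     "PermissionsRead": True, "PermissionsEdit": True},   # not sensitive
    {"ParentId": "0PS3", "ParentName": "X00e0000000AbC", "IsOwnedByProfile": True,
     "ProfileName": ADMIN_PROFILE, "Field": "Opportunity.Amount",
     "PermissionsRead": True, "PermissionsEdit": True},
]
ASSIGNMENTS = [
    {"PermissionSetId": "0PS1", "Username": "rep@example.com", "IsActive": True},
    {"PermissionSetId": "0PS2", "Username": "support@example.com", "IsActive": True},
    {"PermissionSetId": "0PS2", "Username": "former@example.com", "IsActive": False},
    {"PermissionSetId": "0PS3", "Username": "admin@example.com", "IsActive": True},
]


def grant_label(row):
    """Human-readable source of a grant: the profile, or the permission set name."""
    if row["IsOwnedByProfile"]:
        return f"profile:{row['ProfileName']}"
    return f"permset:{row['ParentName']}"


def red_flag_grants(field_perms, sensitive=SENSITIVE_FIELDS, admin_profile=ADMIN_PROFILE):
    """Profiles or permission sets, other than the admin profile, that grant
    edit access to a sensitive field. Returns sorted (source, field) pairs."""
    flags = set()
    for row in field_perms:
        if row["Field"] not in sensitive or not row["PermissionsEdit"]:
            continue
        if row["IsOwnedByProfile"] and row["ProfileName"] == admin_profile:
            continue
        flags.add((grant_label(row), row["Field"]))
    return sorted(flags)


def users_with_field_access(field_perms, assignments, field, edit=False):
    """Active users who can read (or, with edit=True, edit) `field`, mapped to
    the profiles/permission sets that grant it. Inactive users are skipped:
    they cannot log in, but their assignments are still worth cleaning up."""
    perm = "PermissionsEdit" if edit else "PermissionsRead"
    sources = {r["ParentId"]: grant_label(r)
               for r in field_perms if r["Field"] == field and r[perm]}
    users = {}
    for a in assignments:
        if a["IsActive"] and a["PermissionSetId"] in sources:
            users.setdefault(a["Username"], set()).add(sources[a["PermissionSetId"]])
    return users


if __name__ == "__main__":
    print("red flags:", red_flag_grants(FIELD_PERMS))
    for f in sorted(SENSITIVE_FIELDS):
        print(f, "readable by:", users_with_field_access(FIELD_PERMS, ASSIGNMENTS, f))
```

On the constructed data the script flags Support_Tools for granting edit on the discount field, and shows that Opportunity.Amount is readable by the rep and the admin but editable only through the admin profile. The same two queries cover the pricing and discount fields that the CPQ section of this page singles out; just add them to SENSITIVE_FIELDS.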
Salesforce's recommended best practice is to use permission sets and permission set groups to grant access to various tasks, Objects, managed packages, etc. Compared to using profiles — the old way of doing this — this approach makes managing data security around user access much simpler. Getting there, however, requires some work. We've put together a short guide to doing this efficiently, with links to some free resources that can help.
Salesforce Access Controls
What Should You Be Concerned About?
How many users in your Org have Admin privileges? What controls are in place for tracking Admin assignments? Are there other profiles that grant similar access?
The System Administrator profile comes with broad powers: it can create and update users, profiles and permissions; it holds the 'Modify All Data' system permission, which lets the user create, edit and delete every record regardless of sharing settings; and it can export all Salesforce data. It should be assigned only to a select group of users who are known and trusted to set up your Org. Be on the lookout, also, for 'Phantom Admins': users who have been granted 'Modify All Data' through a permission set or permission set group, or through a profile cloned from System Administrator, and who therefore never show up when you simply count members of the admin profile.
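Because every profile is backed by an underlying permission set (IsOwnedByProfile = true), a single query over PermissionSetAssignment filtered on PermissionsModifyAllData lists everyone who holds the permission, whether it came from a profile or a permission set; PermissionSetGroupComponent then shows which groups bundle it. The script below is an added example (not Flashlight's code) that runs that classification offline over constructed rows; the usernames, the "Admin Clone" profile, the Data_Cleanup permission set and the Ops_Bundle group are assumptions, and the ModifyAllData flag on the group row is assumed to be the group's resolved aggregate.

```python
"""Phantom Admin hunt: who holds Modify All Data, and through what.

Added example, not Flashlight's or Salesforce's code. The SOQL targets the real
PermissionSetAssignment, PermissionSet and PermissionSetGroupComponent objects;
the rows below are constructed to mimic the query output, flattened.
"""

# Every profile has an underlying permission set (IsOwnedByProfile = true), so
# one query over assignments covers access granted by profile and by permission set.
HOLDERS_SOQL = (
    "SELECT Assignee.Username, Assignee.Profile.Name, PermissionSet.Name, "
    "PermissionSet.IsOwnedByProfile, PermissionSetGroupId "
    "FROM PermissionSetAssignment WHERE PermissionSet.PermissionsModifyAllData = true"
)
# Groups are assigned as a unit; find the groups that bundle the permission.
GROUPS_SOQL = (
    "SELECT PermissionSetGroup.DeveloperName, PermissionSet.Name "
    "FROM PermissionSetGroupComponent WHERE PermissionSet.PermissionsModifyAllData = true"
)
ADMIN_PROFILE = "System Administrator"

# Constructed rows. ModifyAllData is the permission as resolved for that
# assignment (for the group row this is assumed to be the group's aggregate).
ASSIGNMENTS = [
    {"Username": "admin@example.com", "ProfileName": ADMIN_PROFILE,
     "PermSetName": "X00e0000000AbC", "IsOwnedByProfile": True,
     "GroupName": None, "ModifyAllData": True},
    {"Username": "rep@example.com", "ProfileName": "Sales User",
     "PermSetName": "X00e0000000DeF", "IsOwnedByProfile": True,
     "GroupName": None, "ModifyAllData": False},
    {"Username": "rep@example.com", "ProfileName": "Sales User",
     "PermSetName": "Data_Cleanup", "IsOwnedByProfile": False,
     "GroupName": None, "ModifyAllData": True},
    {"Username": "ops@example.com", "ProfileName": "Standard User",
     "PermSetName": "Ops_Bundle_Group", "IsOwnedByProfile": False,
     "GroupName": "Ops_Bundle", "ModifyAllData": True},
    {"Username": "legacy@example.com", "ProfileName": "Admin Clone",
     "PermSetName": "X00e0000000GhI", "IsOwnedByProfile": True,
     "GroupName": None, "ModifyAllData": True},
]


def source_label(row):
    """Where the grant came from: a group, the user's profile, or a permission set."""
    if row["GroupName"]:
        return f"group:{row['GroupName']}"
    if row["IsOwnedByProfile"]:
        return f"profile:{row['ProfileName']}"
    return f"permset:{row['PermSetName']}"


def modify_all_data_holders(rows):
    """{username: sorted sources} for everyone who holds Modify All Data."""
    holders = {}
    for r in rows:
        if r["ModifyAllData"]:
            holders.setdefault(r["Username"], set()).add(source_label(r))
    return {u: sorted(s) for u, s in holders.items()}


def phantom_admins(rows, admin_profile=ADMIN_PROFILE):
    """Holders whose access comes from anything other than the standard admin
    profile: a permission set, a permission set group, or a cloned profile."""
    expected = f"profile:{admin_profile}"
    return {u: [s for s in srcs if s != expected]
            for u, srcs in modify_all_data_holders(rows).items()
            if any(s != expected for s in srcs)}


if __name__ == "__main__":
    for user, sources in phantom_admins(ASSIGNMENTS).items():
        print(user, "->", ", ".join(sources))
```

Three of the four holders in the sample are phantoms: one through a permission set, one through a group, one through a cloned profile. Counting members of the System Administrator profile would have found only the fourth.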
Permission Set Groups
How do you organize and manage permissions for different users and roles? How do you make sure users have access to the data they need, and nothing they don't or shouldn't see?
Salesforce recommends maintaining a small, manageable number of profiles that grant only a minimal baseline of access, and using permission sets to extend and customize what different employees can do and see. From there, organizing permission sets into permission set groups will simplify user onboarding, reduce technical debt and ensure new hires receive exactly the privileges their jobs require.
What are your default internal sharing settings for sensitive records? Are role hierarchies and sharing rules inadvertently giving users access to data they shouldn't be able to see?
Salesforce uses profiles and permission sets to manage what users can do, and roles and sharing settings to manage which records they can see. Org-wide defaults set the baseline for record access; role hierarchies and sharing rules can only open access beyond that baseline, never restrict it. Check the defaults first: several standard objects (Account, Lead and Case, along with every new custom object) ship as Public Read/Write or broader. Hierarchies and sharing rules are incredibly useful, but if they are set up carelessly they can expose records far more widely than intended.
CPQ and Revenue Cloud
Who has access to quoting and billing functions? How are you tracking this access? Who has the authority to make changes that could affect financial forecasting?
CPQ and Revenue Cloud are unique among Salesforce apps in that changes to them can affect revenue recognition and financial reporting. For this reason, access should be more tightly restricted, particularly the ability to edit pricing, discount and similar fields, which play a critical role in the order-to-cash process.
Tracking and Approvals
Who signs off on high-risk permission changes? Can you look back and see how access has changed in your Org over time? What are your first steps for investigating problems when they arise?
Having an in-the-moment snapshot of your access controls is important — but it's even more important to see how things change over time. Building out a system for reviewing and approving changes — especially for high-risk permissions like Admin access — will make your Org more secure, and give you a system for troubleshooting access issues more effectively.
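Seeing change over time is easiest when you keep dated exports of PermissionSetAssignment and diff them, then reconcile each high-risk grant against whatever approval record your change process keeps; Setup Audit Trail (the SetupAuditTrail object, 180 days of history) tells you who made the change. The script below is an added example, not Flashlight's code: the SOQL is real, while the two snapshots, the approvals ledger and the permission set names are constructed.

```python
"""Diff two snapshots of permission set assignments and flag high-risk grants
that lack a recorded approval.

Added example, not Flashlight's code. The snapshots are assumed to be exports
of PermissionSetAssignment (username, permission set or profile name) taken on
two dates; the approvals ledger is whatever your change process records.
All names below are made up.
"""

# Real SOQL to corroborate who made a change and when.
SETUP_AUDIT_SOQL = (
    "SELECT CreatedDate, CreatedBy.Username, Action, Section, Display "
    "FROM SetupAuditTrail WHERE CreatedDate = LAST_N_DAYS:30 ORDER BY CreatedDate DESC"
)

# Assumed names of permission sets or profiles treated as high risk.
HIGH_RISK = {"System Administrator", "Data_Cleanup"}

# Constructed snapshots: set of (username, permission set or profile name).
SNAPSHOT_BEFORE = {
    ("rep@example.com", "Sales_Rep"),
    ("ops@example.com", "Ops_Bundle"),
    ("former@example.com", "Sales_Rep"),
}
SNAPSHOT_AFTER = {
    ("rep@example.com", "Sales_Rep"),
    ("rep@example.com", "Data_Cleanup"),
    ("ops@example.com", "Ops_Bundle"),
    ("temp@example.com", "System Administrator"),
}
# Constructed approvals ledger: grants someone has signed off on.
APPROVED = {("temp@example.com", "System Administrator")}


def diff_assignments(before, after):
    """Return (granted, revoked) as sorted lists of (user, permission set)."""
    return sorted(after - before), sorted(before - after)


def unapproved_high_risk(before, after, approved=APPROVED, high_risk=HIGH_RISK):
    """High-risk grants added since the last snapshot with no approval record.
    These are the ones to investigate first."""
    granted, _ = diff_assignments(before, after)
    return [g for g in granted if g[1] in high_risk and g not in approved]


def report(before, after, approved=APPROVED, high_risk=HIGH_RISK):
    """Everything a reviewer needs for one review cycle, in one structure."""
    granted, revoked = diff_assignments(before, after)
    return {
        "granted": granted,
        "revoked": revoked,
        "needs_review": unapproved_high_risk(before, after, approved, high_risk),
    }


if __name__ == "__main__":
    for key, items in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(key, items)
```

In the sample, the temporary admin grant was approved and passes, the former employee's revocation is recorded, and the rep's new Data_Cleanup permission set surfaces as the one unapproved high-risk change to chase down in Setup Audit Trail.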
What processes do you have in place to offboard former users/staff? How do you ensure that employees who are no longer with the organization can't access their old account?
It's very easy to forget to de-provision access when responsibilities change. This isn't limited to people leaving the company: an employee may be given temporary access to fill in for a sick co-worker, for example, and keep it long after. Having a process for offboarding, and for expiring temporary grants, is critical to making sure everyone has the access they need and no more.