It’s increasingly difficult to pass a SOX audit without a thorough review of your Salesforce access controls. This may not have always been the case, but as auditors adopt stricter standards — and learn to ask more probing questions — the only way to avoid costly rework is to get your Org ready ahead of time.
In this crash course, we take a close look at some of the best practices for reviewing Salesforce profiles and permission sets — and managing them on an ongoing basis. We start with the basics, including how to use the newly introduced permission set groups, as well as some general principles that apply to setting up access controls.
Then, we get into audit prep — and introduce you to some free tools that can help you analyze permissions in your Org and build a tighter, more secure system from the ground up.
What's On The Agenda?
Introduction: The Challenge of Complexity
- Why auditors care about access controls
- How to make sure users have the right level of access
- How to balance security/audit-readiness with ease of use
Access Controls in Salesforce: Context and History
- What are profiles? What are permission sets?
- Why did Salesforce introduce permission sets and permission set groups?
- What is the relationship between permissions/permission sets and objects?
Best Practices for Ongoing Access Management in Salesforce
- Instituting the principle of least privilege
- Using permission sets to clean up profiles
- Using permission set groups effectively
Auditing The Profiles and Permission Sets in Your Org
- What your auditors will want to see
- How — and why — to conduct an access control self-assessment
- How to build tighter controls from the ground up
Free Tools for Profile and Permission Set Management
- Using Workbench to compare profiles
- Using Flashlight to see which profiles/permission sets have access to which objects