What can you do with Salesforce? These days, it seems like the answer is, ‘Just about anything.’ As the platform moves beyond that of a conventional CRM, the way businesses are using it is changing, too.
Maybe you purchased Salesforce to house your business’ marketing and sales functions. But then Revenue Cloud caught your eye, you’re integrating with an ERP, and all of a sudden things aren’t so siloed off anymore. What are the implications of this from a security and compliance perspective? And what can you do to make sure your Org remains safe, functional and auditable as the way you use it evolves?
In this post, we’ll be covering some best practices for building access controls that will allow you to scale on the platform safely and confidently — without sacrificing ease-of-use for your team.
Health Check and Password Policies
Access is an important first step in building a more secure Salesforce Org. After all, an estimated 25% of data breaches stem from malicious insiders — building more security and accountability around who can see and do what in the system is one of the best things you can do to protect your data.
The easiest way to get started is to run the Salesforce Security Health Check. It’s a free app included with almost all versions of Salesforce that will instantly review more than 100 basic security settings and give you a baseline score, as well as recommendations for improvement. The Health Check looks at things like password policies, session settings, certificate management and more — things that, for the most part, are easy to address without impacting usability.
One common recommendation almost every business should follow: turn on multi-factor authentication for all users. MFA is set to become a requirement in the new year — the earlier you get started on it, the easier it will be for your team to adapt.
Of course, password policies are only part of access in Salesforce. The more complicated piece is how access is structured — the mix of roles, profiles, permission sets and sharing settings that govern what users can do and see once they’re logged in.
There’s a lot to dive into when it comes to Salesforce access controls, but the basic rule for data security is that simpler is better. Try to avoid situations where users have more access than they need.
Start with the System Administrator profile. Only a few users should have this profile, since it gives them broad access to change how the Org is configured. Ideally, it should only be granted to users responsible for, you guessed it, administering the system. Though it may be tempting to give developers admin access for certain projects, it’s more important to maintain segregation of duties between teams working on changes in the system and administrators deploying them into production.
Roles, Profiles and Permission Sets
The problem of admin access is indicative of a larger issue — namely, that most companies don’t fully understand how profiles, permission sets, roles, etc. are structured. Again we can see this tied directly to the growth of the platform. Initially, access was governed by profiles; this quickly grew too complex and too unwieldy, leading Salesforce to introduce permission sets in 2012 and permission set groups in 2020 (we have an ebook that goes into more detail about the historical development of access in Salesforce, which you can download here.)
Salesforce’s recommended best practice is to keep profiles as restrictive as possible, and use permission sets and permission set groups to manage the nuances of access for different departments/employees, etc. If you’re still using profiles exclusively for this, or a mix of profiles and permission sets, you’ll need to run a cleanup and migration project.
Doing so is a four-step process:
- Determine what each profile in your system does
- Compare profiles and extract the differences between them
- Group these differences into permission sets
- Consolidate profiles and deactivate anything redundant
This can be done by reviewing every profile manually, but the process can be time-consuming. Head over to our website for a short demo of some free tools that automate some of the heavy lifting.
Access and Compliance Controls
After you’ve streamlined and built more effective access controls from the ground up, you’re set for anything, right? Not so fast. There will always be data in your Org that requires additional scrutiny — think pricing configuration data in a CPQ Object, to use one common example. While it doesn’t make sense to monitor everything in your Org, for security and compliance purposes, you’ll need to remain aware of who can edit these sensitive fields.
The problem is that finding this information isn’t easy. We’ve designed a suite of tools that can help streamline a user access review process and an export tool that can show you a more granular view of field-level access by Object, profile/permission set and user.
A Last Word on Access in Salesforce
The first step in scaling safely is to stay on top of who can see and do what in Salesforce. Even as you add more features and bring more business processes into your Org, tight access controls will help ensure you aren’t opening yourself up to risk.
But access is only one side of the security coin. The other is your metadata — what affects it, what it affects and how it changes over time. Stick around, because we’ll be covering that in our next blog! In the meantime, review the following access action items to start building better access controls:
- Run the Security Health Check and turn on MFA for all users
- Review and restrict admin access
- Migrate profiles to permission sets
- Review field-level permissions using Strongpoint Flashlight