Maintaining a secure Salesforce environment that limits insider risk while ensuring that users have the appropriate levels of access to do their jobs is challenging.
Every year, businesses lose large sums to data leaks that originate inside their own organizations, frequently enabled by over-permissioned users. Failure to detect insider risk in a timely
manner carries steep financial consequences, damages company reputations, and erodes customer trust.
To address this problem, best practice in user management encourages minimizing assignments of User Profile-based permissions in favor of utilizing leaner, more purposeful Permission Sets and Permission Set Groups.
However, identifying each user’s individual permissions becomes more time-consuming as the number of Permission Set assignments grows. For modern best practice to be adopted successfully, the cost and time spent on user management must be kept under control.
Successful adoption becomes even more of a challenge if permission assignments are not regularly kept in check.
Internal audits of all permission assignments, if done regularly, reduce business risk by revealing excessive or stale permission assignments before they can be abused.
Unfortunately, out-of-the-box Salesforce functionality provides limited observability into permissions. In more complicated orgs, teams of Administrators may require days or even weeks to complete a full permissions audit for every user.
Say for instance, as part of an org-wide permissions audit, you’ve been asked by auditors to provide detailed reports of all users who have access to encrypted data. Auditors will also want to know how your organization manages their access.
If you were using out-of-the-box Salesforce technology, how long would it take you to find out which user has which permissions and how they got them?
First, you would need to identify every Profile, Permission Set, and Permission Set Group that grants the “View Encrypted Data” permission. Because the same permission is often granted by several sources, you would have to inspect each source individually to determine whether it includes “View Encrypted Data” (for a Permission Set Group, that means checking each of its member Permission Sets, and any muting Permission Set that takes the permission away again).
Then, you would need to list every user assigned to any of those provisioning sources, and only then could you compile the report.
All of that work covers one single permission. Repeating the process for each permission of interest not only takes time but invites human error.
Say three distinct Profiles, seven unique Permission Sets, and two Permission Set Groups all grant users the same ability to export reports. If someone fails to recognize one of those seven Permission Sets as a provisioning source, every user assigned through it goes unnoticed in the report.
This is why proving one’s security posture around permissions is especially difficult in Salesforce: every permission has to be traced back through every possible provisioning source, and few organizations can keep track of that by hand.
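The two-step lookup described above, as an added Python example that is not the page’s or LeedsSource’s code: resolve every provisioning source for a permission, then every user reached through those sources, and keep the source attached to each user so the report can say how they got the permission. The org is a constructed in-memory sample; the user, Profile, Permission Set and Group names and the permission keys are invented. In a real org the same rows would come from SOQL over PermissionSet (including its IsOwnedByProfile rows that back Profiles), PermissionSetGroupComponent and PermissionSetAssignment; the field names quoted in the comments are assumed from the standard objects and should be verified against your API version. The example goes one step beyond the text by honouring a muting Permission Set inside a group, since a group whose muting set removes the permission is not a provisioning source even though one of its members is.

```python
"""Who holds a Salesforce user permission, and through which provisioning sources.

Constructed sample data: not exported from any real org.
Real-org equivalent (field names assumed, verify against your API version):
  SELECT Id, Name, IsOwnedByProfile, ProfileId, PermissionsViewEncryptedData FROM PermissionSet
  SELECT PermissionSetGroupId, PermissionSetId FROM PermissionSetGroupComponent
  SELECT AssigneeId, PermissionSetId, PermissionSetGroupId FROM PermissionSetAssignment
"""
from __future__ import annotations

from collections import defaultdict

# Profiles are backed by a PermissionSet row with IsOwnedByProfile = true, so they are
# modelled here as permission sets flagged "profile". A "muting" set only has meaning
# inside a Permission Set Group: it removes the listed permissions from the group.
PERMISSION_SETS = {
    "Sales_Profile":      {"perms": {"ViewEncryptedData", "ExportReport"}, "profile": True},
    "Support_Profile":    {"perms": {"ExportReport"}, "profile": True},
    "Encryption_Analyst": {"perms": {"ViewEncryptedData"}, "profile": False},
    "Report_Builder":     {"perms": {"ExportReport"}, "profile": False},
    "Legacy_Admin":       {"perms": {"ViewEncryptedData", "ExportReport"}, "profile": False},
    "Mute_Encrypted":     {"perms": {"ViewEncryptedData"}, "profile": False, "muting": True},
}

# Permission Set Group -> member permission sets (PermissionSetGroupComponent rows).
GROUPS = {
    "Finance_Group": ["Encryption_Analyst", "Report_Builder"],
    "Ops_Group":     ["Legacy_Admin", "Mute_Encrypted"],   # mutes ViewEncryptedData
}

# (user, source) pairs; a user's Profile shows up as an assignment to its backing set.
ASSIGNMENTS = [
    ("alice", "Sales_Profile"),
    ("alice", "Finance_Group"),
    ("bob",   "Support_Profile"),
    ("bob",   "Report_Builder"),
    ("carol", "Support_Profile"),
    ("carol", "Ops_Group"),
    ("dave",  "Support_Profile"),
    ("dave",  "Legacy_Admin"),      # direct assignment: muting in Ops_Group does not apply
]


def group_grants(group: str) -> set:
    """Effective permissions of a group: union of its members minus anything muted."""
    granted, muted = set(), set()
    for name in GROUPS[group]:
        entry = PERMISSION_SETS[name]
        (muted if entry.get("muting") else granted).update(entry["perms"])
    return granted - muted


def provisioning_sources(permission: str) -> dict:
    """Step 1: every Profile, Permission Set and Permission Set Group granting `permission`.

    Returns {source_name: kind}. Muting sets are never sources on their own.
    """
    sources = {}
    for name, entry in PERMISSION_SETS.items():
        if entry.get("muting"):
            continue
        if permission in entry["perms"]:
            sources[name] = "Profile" if entry["profile"] else "PermissionSet"
    for group in GROUPS:
        if permission in group_grants(group):
            sources[group] = "PermissionSetGroup"
    return sources


def who_has(permission: str) -> dict:
    """Step 2: {user: sorted ["kind:source", ...]} for everyone reached by a source.

    Keeping the source per user is what lets an auditor answer "how did they get it".
    """
    sources = provisioning_sources(permission)
    holders = defaultdict(list)
    for user, source in ASSIGNMENTS:
        if source in sources:
            holders[user].append(f"{sources[source]}:{source}")
    return {user: sorted(paths) for user, paths in holders.items()}


def permission_matrix(permissions) -> dict:
    """One screen's worth of data: {permission: {source: [users assigned through it]}}.

    Sources with no assignees are kept, so stale grants are visible too.
    """
    matrix = {}
    for perm in permissions:
        by_source = {name: [] for name in provisioning_sources(perm)}
        for user, source in ASSIGNMENTS:
            if source in by_source:
                by_source[source].append(user)
        matrix[perm] = by_source
    return matrix


if __name__ == "__main__":
    for user, paths in sorted(who_has("ViewEncryptedData").items()):
        print(user, "->", ", ".join(paths))
```

Running it reports alice (through her Profile and through Finance_Group) and dave (through a direct Legacy_Admin assignment); carol is absent because Ops_Group mutes the permission even though Legacy_Admin is one of its members, and Encryption_Analyst appears in the matrix as a source with no assignees, the kind of stale grant a cleanup project would remove.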
At LeedsSource, we understand the challenges of getting your Salesforce environment ready to move away from Profile-based permissions. We especially know how involved permissions cleanup projects can become during this transition.
Drawing from our experiences, we decided to start working on a project centered around accelerating adoption of newer best practices to make it easier to transition towards more secure user management.
The first phase of our project focuses on solving the Salesforce-specific issue of observability into permissions. We tackled this issue by building a new interface which is meant to make permissions more visible and less resource-intensive for any organization to manage.
Instead of traditional Setup navigation, consolidated views of permission assignments across all Profiles, Permission Sets, and Permission Set Groups allow for quicker and more insightful access to key details around user permissions.
Let’s revisit the earlier example, where you were asked to report which users in your org are able to view encrypted data. Our view lets you identify users by a single permission while also showing how many distinct sources grant that same permission.
Our permissions matrix gives you an understanding of the full scope of your organization’s permission assignments across all possible sources on one single screen. Making permissions accessible in such a way creates an opportunity for any org to start self-auditing their permissions on a more consistent basis.
Making room in your day-to-day operations for routine compliance measures such as regular internal permission audits will become increasingly important as Salesforce moves further away from Profile-based permissions.
That’s why at LeedsSource, we’re continuing to make improvements in finding ways to make compliance more accessible to the Salesforce ecosystem as we all enter the next generation of user management.