Salesforce’s flexible, layered data sharing model means you can dictate which data, objects, and fields users see, through Salesforce permission sets and profiles. Some companies take a blanket approach to Salesforce access – all users can see and do everything. But most financial services organizations need finer control over access due to regulatory and internal policies on accessing customer data. If any users make unauthorized changes to Salesforce permissions or profiles, it could create a security issue, giving those users more access than their job requires.
Editing Salesforce permission sets and profiles can be a highly complex calculation: After all, there are over 170 separate user permissions in Salesforce, giving users a wide spectrum of access to…
- Customer data
- Competitive positioning
- Personnel files
- Training materials
- Product blueprints
- Trade secrets
In addition, some permissions allow users to adjust security controls. With potentially hundreds or thousands of users in a single Salesforce instance, it’s no wonder that it can be difficult for financial services organizations to grasp the full scope of what their users can do in Salesforce.
Many permissions are also found in profiles, but permission sets can help extend functional access, even if a profile remains the same. For example, every user has one profile in Salesforce, but they may have multiple permission sets. The two are typically combined — profiles grant the minimum permissions and access settings for a specific group of users, while permission sets grant additional permissions to individual users as needed. Profiles control object, field, app, and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.
Keep in mind: Any small change within your cloud environment can give users too much access to company data, putting your organization at risk of non-compliance and breaches. So how can you ensure a change doesn’t occur without your knowledge?
Proper Monitoring of Salesforce Profiles and Permissions is Key
That’s why it’s so important to monitor for profile and permission set changes. Without monitoring, the only option is manually auditing your users’ permissions and profiles to maintain security and compliance – an error-prone task that could take months. And that only covers you once; regular audits would be necessary to reveal any unauthorized changes that might have occurred.
By logging and monitoring user access and changes to profiles and permissions, you can proactively detect changes in your cloud environment. This can help you maintain compliance with specific regulatory requirements, like FINRA, PCI DSS, FFIEC, SOX, and FCA.
Organizations that are monitoring for profiles and permissions are able to learn:
- Which permission sets have been created, assigned, or unassigned?
- Which profiles have been created?
- Who has escalated a user’s privileges (or their own privileges) to “manage” or “system administrator”?
- Which profiles or permissions have been changed?
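As an added example (not code from the original article or from any vendor), the following Python script classifies rows of a constructed audit-trail export against the four questions above and flags profile changes to an administrator profile, rating self-elevation highest. The column names, Action codes and Display wording are assumptions made for this example; a real Salesforce Setup Audit Trail export may differ.

```python
import csv
import re

# Constructed sample modelled on a Setup Audit Trail CSV export. The column
# names, Action codes and Display wording are assumptions made for this example;
# verify them against an export from your own org before reusing the patterns.
SAMPLE_AUDIT_CSV = """Date,User,Action,Display
2024-03-01T09:12Z,admin@example.com,PermSetCreate,Created permission set Export_Reports
2024-03-01T09:15Z,admin@example.com,PermSetAssign,Assigned permission set Export_Reports to user jdoe@example.com
2024-03-01T10:02Z,sysadmin@example.com,changedProfileForUser,Changed profile for user eng@example.com from Standard User to System Administrator
2024-03-01T10:30Z,sysadmin@example.com,changedProfileForUser,Changed profile for user sysadmin@example.com from Standard User to System Administrator
2024-03-01T11:00Z,admin@example.com,createdprofile,Created profile Support_Analyst
2024-03-02T08:00Z,admin@example.com,PermSetUnassign,Unassigned permission set Export_Reports from user jdoe@example.com
2024-03-02T08:30Z,admin@example.com,changedUserEmail,Changed email for user jdoe@example.com
"""

ESCALATION_PROFILES = {"System Administrator"}  # assumed list of admin profiles

# The article's four questions, keyed by the (assumed) Action-code prefix that answers them.
CATEGORY_BY_PREFIX = [
    ("permset", "permission set created/assigned/unassigned"),
    ("createdprofile", "profile created"),
    ("changedprofile", "profile or permissions changed"),
]
TARGET_RE = re.compile(r"for user (\S+) .* to (.+)$")  # who was changed, and to what profile


def classify(row):
    """Return (category, severity) for one audit row, or None if it is not of interest."""
    action = row["Action"].lower()
    category = next((c for p, c in CATEGORY_BY_PREFIX if action.startswith(p)), None)
    if category is None:
        return None
    severity = "info"
    match = TARGET_RE.search(row["Display"])
    if match and match.group(2).strip() in ESCALATION_PROFILES:
        # Escalation to an admin profile; an actor elevating themselves is the worst case.
        category = "privilege escalation"
        severity = "critical" if match.group(1) == row["User"] else "high"
    return category, severity


def scan(audit_csv):
    """Classify every row of an audit export and return the findings worth alerting on."""
    findings = []
    for row in csv.DictReader(audit_csv.splitlines()):
        result = classify(row)
        if result:
            findings.append({"when": row["Date"], "actor": row["User"], "category": result[0],
                             "severity": result[1], "detail": row["Display"]})
    return findings
```

Running scan(SAMPLE_AUDIT_CSV) yields six findings from the seven rows: three permission set events, one profile creation, and two escalations, of which the self-elevation is rated critical.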
When United Capital first began monitoring their Salesforce instance for user activity, they looked at the escalation of privileges, like the creation of administrative users.
“We had an experience where a system administrator was supposed to elevate an engineer’s permissions to an administrative role in a sandbox, but they actually did it in production,” says United Capital’s Senior Vice President of Technology, Brandon Gage. “We found it, flagged it, and were able to undo that immediately and give the person the permissions that they needed.”
Maintain a Clear Picture When it Comes to Editing Salesforce Permission Sets, Profiles
Some organizations enable advanced permissions for all users, while others adopt a conservative approach, granting only the permissions necessary for that user’s specific job roles and responsibilities. If you fall in the latter bucket, you’ll want to explore options for proactively monitoring profile and permission set changes.
By keeping an eye on profiles and permission changes – whether by reviewing audit logs or implementing a proactive alert program – you can maintain a clear picture of which users have access to which information in your cloud environment. This is an essential step to ensure your sensitive data is secure and meets compliance requirements, which in turn, maintains trust in your organization.