Are you accidentally giving away too much user access to your Salesforce data?
Ever run across one of these scenarios?
- “Joe” needs to be able to access these reports right away, we don’t have time to figure out why he can’t see them – “Just give him the Admin profile for now”.
- “Sara” can’t access this related object to update fields that she needs to review and update – “Just give her the Modify All permission for now”
- Some of the profiles don’t have access to certain objects, “Just give all the new hires this one profile that we know provides access”.
These are all very common situations that many folks setting up new or accommodating existing users run into, usually thinking they will follow up later and straighten out any permissions issues at a later less hectic time.
How many people actually do follow up and “clean up” the permissions “temporarily” assigned?
Chances are very good it is hardly ever on the radar unless an issue comes up and someone inadvertently:
- Changes critical data values
- Creates new fields for personal use (without team or Admin input)
- Makes a setting change in setup trying to “make things better” that cripples the org functionality
Or in a much worse case scenario:
- Poaches a Lead or Account
- Changes data values with a negative intent
- Steals company data when moving on
- Cripples the org with intent via settings in Setup
Whether this has happened to you, or you’ve heard an anecdotal story from a colleague, the issues are very real, time consuming and costly if the mistakes are made and not rectified quickly. How can you head off these issues?
There are the old fashioned options of creating:
- A spreadsheet and manually notating each profile’s access, which users are assigned to the profiles and their individual permission sets or groups
- A custom report type reporting on permission sets and permission set groups to aid in manual review
But neither of these options allow you to make the updates easily, you will still need to drill down into each profile or permission set one by one and make updates at this level.
There are always folks looking for the functionality to be able to mass review, update and document profiles and permission sets as can be seen on the IdeaExchange:
- From 2011
https://ideas.salesforce.com/s/idea/a0B8W00000Gdly8UAB/need-an-audit-report-that-shows-permissions-by-profile-by-object-by-field - From 2007
https://ideas.salesforce.com/s/idea/a0B8W00000GdifmUAB/reporting-on-user-profiles
But as you review the dates and points accrued it is obvious the requests for this native built function in Salesforce has not gained much traction.
The one option that provides functionality to both mass review and mass update objects, permission sets and profiles on one easy grid is provided by our company and is called Security + Access Rights Manager.
Below you can see how easily Field Level Security across mutiple Profiles is updated all in one space.
Learn more about the app here on the AppExchange:
https://bit.ly/48mfoxA
Or here on our website:
https://bit.ly/3vdWfzs
If you would be interested in a demo on the app, please feel free to reach out:
info@applicationperfection.com
https://applicationperfection.com/contact
Is there an easy and affordable way to audit and update Salesforce Profiles and Permissions?
Need to clean up permissions but not sure where to start?
We’ve all seen the cries for help from Admins over the years who are looking for an efficient and relatively pain free method to review and update Profiles and Permission Sets for audit. Profiles and Permission Sets which have undergone so many changes over the years it is almost impossible to identify what kinds of access are hidden in their depths.
Example IdeaExchange Request from 2011 (there are also earlier versions):
https://ideas.salesforce.com/s/idea/a0B8W00000Gdly8UAB/need-an-audit-report-that-shows-permissions-by-profile-by-object-by-field
And Salesforce itself promotes securing data access by using the principle of least privilege as can be seen in the Salesforce Trust Security article:
https://security.salesforce.com/blog/protecting-data-with-the-principle-of-least-privilege
So where does that leave the regular Salesforce Admin who is trying to pull together an audit via a patchwork of templates, reports and spreadsheets which still either leave them off in the end manually updating each of the Profiles and Permission Sets one by one? Like the Salesforce Ben article from 2021:
https://www.salesforceben.com/clean-up-profiles-and-permission-sets-in-salesforce/
Or investing in an app (search “permissions help” on AppExchange) that either only allows for:
- a slightly better than native salesforce reporting feature for review
- with updates being administered by downloading, manipulating and re-uploading
- or the rare app that offers update capabilities on less-than-Ideal interfaces and with a high price tag
Which brings us to Security + Access Manager which:
- Has a built in audit template feature to
- preliminarily analyze the org
- and organize the process
- Allows Admins to review, update and document for stakeholders and audit – all on easy grids
- Has many more features to manage and reduce tech debt
You can learn more about the app here on the AppExchange:
https://bit.ly/48mfoxA
Or here on our website:
https://bit.ly/3vdWfzs
If you would be interested in a demo on the app, please feel free to reach out:
info@applicationperfection.com
https://applicationperfection.com/contact
Not sure where to begin with a Salesforce Permissions Audit?
Need to perform an audit and not sure how to start?
Has your Salesforce org been up and running for a while now, without enough attention being given to user access and security? It is not uncommon for Admins to come to the realization (or be tasked by management’s realization) that profiles and permission sets (along with other ways to access data) need to be reviewed, possibly updated and definitely documented. Where to start?
Let’s take a look at some references regarding native options for finding unused Profiles, which is a good example of a typical first step in a permissions audit:
Citing a 2021 article from Salesforce Ben (also mentioned in the prior post)
https://www.salesforceben.com/clean-up-profiles-and-permission-sets-in-salesforce/
- One basic way to find unused Profiles:
- Create a User report to review Profiles
- Review for inactive vs active Users
- Continue with clean up as needed
- In this same article Salesforce Ben touches on the Salesforce Optimizer:
- which reports on how many users are assigned to each Profile
- but notes it is not able to distinguish between active or inactive users (please see screenshot below)
- The Optimizer:
- provides a series of reports to aid in review
- and is also covered in more depth with a video on the the Salesforce Admin blog post: https://admin.salesforce.com/blog/2021/remove-security-risks-from-your-org-with-a-user-audit)
But what if you were hoping for a bit more help and guidance? Something more than reports?
Below please find a short demo video using some of the features on the Audit and Intel tabs for Security + Access Manager app to begin an audit for Profile permissions. The same functions can be applied for permissions as well:
Security + Access Manager is an app which:
- Has a built in audit template feature to
- preliminarily analyze the org
- and organize the process
- Allows Admins to review, update and document for stakeholders and audit – all on easy grids
- Has many more features to manage and reduce tech debt
You can learn more about the app here on the AppExchange:
https://bit.ly/48mfoxA
Or here on our website:
https://bit.ly/3vdWfzs
If you would be interested in a demo on the app, please feel free to reach out:
info@applicationperfection.com
https://applicationperfection.com/contact
Struggling with permissions review and maintenance in Salesforce?
Need to figure out and update permissions that are causing access issues?
We all know Salesforce has a complex system of access that allows for great flexibility when building a security model – but with great flexibility can come great headaches. And the headache spreads to the frustrated users on the sideline waiting for an Admin to resolve the access issue so that they can move on with their day.
In a larger, older and fairly complicated org this can become almost a ritual, taking away from other tasks Admins also need to be working on that add value for stakeholders.
When researching permissions issues, a common theme seems to be that Salesforce Help articles center mainly around setting up and granting permissions access. The articles do give generic ways to assist in reviewing issues with access, but there is not much offered insofar as options to then easily update and maintain the access over time. Some of the recommendations may even have less than easy solutions or less than optimal outcomes.
This can be seen in few Help page examples:
- Resolving Insufficient Privileges Errors:
- Users can resolve access issues by using the Sharing Record button (which can lead to inadvertent access to records not in line with Admin protocol)
- Or Admins can use the API to query the UserRecordAccess (if the typical or newer Admins are familiar with this feature and it’s set up)
- Resolve Permission and Object-Level Access Errors
- The Admin can manually review and update- which can be very time intensive depending on the issue
- Or use the Analyzer tool to aid in review:
- Analyze User Permissions
- allows analysis of each user, one by one
- no update feature for permissions
- Analyze Object Permissions
- reviews objects one by one for permissions
- no update feature for permissions
- Analyze Permission Set Groups
- reviews
- permissions in a group in various ways
- assigned users to a permission group
- no update feature for permissions or groups
- reviews
- Analyze User Permissions
- And even the Manually Grant or revoke Access with a User Access Policy
- centers on setting up the functionality,
- but not how to go about maintaining the permissions on an ongoing basis:
There are other apps which which also mimic the analysis of Salesforce permissions in various ways, but short of downloading and then re-uploading the permissions in some format, they do not allow an Admin to easily update the permissions all in one place.
But what if you were looking for a way to more easily keep up with permissions maintenance?
Below please find a short demo video using some of the basic features of the Security + Access Manager app Object and Field tab for to review and update field level permissions on one easy grid (in this example reviewing across several Profiles, removing edit access for certain fields in the HR and Marketing Profiles Contract object):
You can learn more about the app here on the AppExchange:
https://bit.ly/48mfoxA
Or here on our website:
https://bit.ly/3vdWfzs
If you would be interested in a demo on the app, please feel free to reach out:
info@applicationperfection.com
https://applicationperfection.com/contact
Is your Salesforce system access ready for disaster relief deployment?
Need to prepare your user and customer access in case of large scale disaster events?
We’ve all seen the very agonizing scenes from various disasters playing out worldwide – has your company gone through the planning process to ensure that all the necessary players would have access to key data during crisis relief?
Several Salesforce clouds can play a crucial role in disaster planning and relief efforts, if your Salesforce org and data is a part of this scenario, ask yourself the following questions:
- Do you have the documentation and a permissions plan in place to rapidly review and update data access structure for users in an evolving situation?
- Is your permissions model readily flexible in times of reallocating access needs?
- How long would it take you to review current user access to data? Or to find the correct permissions that need to be applied in different use case scenarios?
A quick AI search can help to bring you a tailored basic outline/sample of data or system features that may need updated access in a Salesforce org. For this article we added more context and information to the samples below:
Community Cloud
- Storing disaster planning documents such as contact lists, organization mobilization plans and procedures to follow
- Creating a community portal for affected individuals and organizations to share information, resources, and support
- Facilitating collaboration and resource sharing among volunteers and aid organizations
Service Cloud
- Managing customer service inquiries and supporting requests before, during and post disaster
- Creating a centralized communication hub for tracking issues and resolutions
- Ensuring timely assistance reaching affected individuals or organizations.
Marketing Cloud
- Communicating critical information to stakeholders, aid groups and the larger community
- Using email, social media, and SMS for sending alerts, updates, and instructions related to disaster response efforts
Nonprofit Cloud
- Managing donations, volunteer efforts, and relationships with donors and partners who are involved in disaster relief
- Tracking contributions and allocating resources effectively in supporting recovery initiatives
Analytics Cloud
- Analyzing data related to the disaster including affected areas, resourcing needs, and response effectiveness
- Using visualizations to identify trends and make informed decisions for resource needs
Field Service Cloud
- Coordinating field operations and deploying resources to affected areas
- Managing logistics, tracking service requests and optimizing routes for response teams
Health Cloud
- Managing patient information and coordinating healthcare services
- Communicating health-related updates to the community
By being able to quickly adjust user access through permissions in all of the various Salesforce clouds, organizations can enhance their disaster planning and response efforts, ensuring better coordination, communication, and resource management during crises. If you find you will need to be able to rapidly assess and update your user data access permissions, Security + Access Manager offers secure and native built features to allow you to meet these requirements. Please see a very brief demo example of using an intel report for license access below.
You can learn more about the app here on the AppExchange:
https://bit.ly/48mfoxA
Or here on our website:
https://bit.ly/3vdWfzs