Understanding Roles, Profiles and Permission Sets in Salesforce (2024)

Salesforce

Nicole Dawes



Access management is arguably one of the most important components of front-line Salesforce security, but there's a lot more to it than just password policies. We covered the Salesforce Security Health Check in a previous post, but if you want to get serious about managing access, you need to understand roles, profiles and permission sets. Without proper visibility into how these controls work, and how they affect what users can see and do on the platform, you could be vulnerable to any number of security and compliance risks.

What's the Difference Between Profiles, Permission Sets and Roles?

In Salesforce, profiles and permission sets define what a user can do. Roles, on the other hand, define what they can see. Watch this explainer clip for a quick overview of Salesforce access from our webinar on the topic:

Before we move on, let's unpack this a little bit.

Profiles and permission sets both control CRED (Create, Read, Edit, Delete) permissions on Objects, fields, user settings, tab settings, app settings, Apex class access, Visualforce page access, page layouts, record types, login hours and login IP ranges. Every user must be assigned a profile when they’re created on the platform — and there can only be one profile per user. Essentially, a user's profile is the baseline authorization of access to the Org.

Permission sets are, as the name implies, a set of additional CRED permissions that can be applied to different profiles. Typically they are task-based and related to different Objects and managed packages. For example, Sales users may be assigned a permission set giving them access to a CPQ app to generate quotes.

Users may be assigned multiple permission sets, or none at all, making them a far more dynamic and flexible permissioning model than profiles. They were introduced with the intention of being mixed and matched, and given to different users depending on job role. Imagine a house: permission sets are the keys for different rooms that are given to a single guest.

Last, but certainly not least, are Salesforce roles. Roles and sharing settings control what a user can see, by governing access to records and folders. Unlike profiles, roles are hierarchical based on the level of data access required. For example, a CEO or department head will likely need to see more than an associate-level employee, for obvious reasons.

The main benefit to building a hierarchical role structure is that it allows for scalability as your organization grows. With tiered access to specific sensitive data, it's easy to add more staff, or promote internally, while still maintaining tight controls around who can see what.
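To make the "roles define what a user can see" point concrete, here is an added example (not code from the original post or from Strongpoint) that resolves record visibility through a small role hierarchy. The hierarchy, users, and record owners are constructed sample data. It assumes a Private org-wide default with role-hierarchy access in effect (always the case for standard objects; controlled by "Grant Access Using Hierarchies" for custom objects) and deliberately ignores sharing rules, manual shares, and object-level Read permission from profiles and permission sets, any of which changes the real answer.

```python
from collections import defaultdict

# Constructed sample data (not from the article).
# Role hierarchy expressed as role -> parent role (None at the top).
ROLE_PARENT = {
    "CEO": None,
    "VP Sales": "CEO",
    "Sales Manager East": "VP Sales",
    "Sales Rep East": "Sales Manager East",
    "VP Support": "CEO",
    "Support Agent": "VP Support",
}
USER_ROLE = {
    "alice": "CEO",
    "bob": "VP Sales",
    "erin": "Sales Manager East",
    "carol": "Sales Rep East",
    "dave": "Support Agent",
}
# Record id -> owning user (ids are made up).
RECORD_OWNER = {
    "OPP-1": "carol",
    "OPP-2": "erin",
    "OPP-3": "bob",
    "CASE-1": "dave",
    "ACC-1": "alice",
}


def children_of(role_parent):
    """Invert the parent map into role -> set of direct child roles."""
    kids = defaultdict(set)
    for role, parent in role_parent.items():
        if parent is not None:
            kids[parent].add(role)
    return kids


def subordinate_roles(role, role_parent=ROLE_PARENT):
    """All roles strictly below `role` in the hierarchy (depth-first walk)."""
    kids = children_of(role_parent)
    seen, stack = set(), [role]
    while stack:
        for child in kids[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def visible_records(user, record_owner=RECORD_OWNER, user_role=USER_ROLE):
    """Records a user can see under a Private org-wide default with role
    hierarchy access: their own records plus those owned by anyone in a
    subordinate role. Sharing rules, manual shares and object-level Read
    permission are not modelled here."""
    below = subordinate_roles(user_role[user])
    return {
        rec for rec, owner in record_owner.items()
        if owner == user or user_role[owner] in below
    }


def users_who_can_see(record, record_owner=RECORD_OWNER, user_role=USER_ROLE):
    """Inverse view for an access review: every user whose visibility
    includes `record`."""
    return {u for u in user_role
            if record in visible_records(u, record_owner, user_role)}


if __name__ == "__main__":
    for user in USER_ROLE:
        print(f"{user:6} ({USER_ROLE[user]}): {sorted(visible_records(user))}")
    print("who can see OPP-1:", sorted(users_who_can_see("OPP-1")))
```

The inverse function is the one an access review actually needs: asking "who can see this record" per sensitive record is how you spot a role placed too high in the tree. Removing a role from a branch here changes the answer immediately, which is the scalability benefit described above.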

The Problem with Salesforce Profiles

While profiles are the baseline for user access, they can get fairly complex. As we mentioned above, users can only be assigned exactly one profile — but as job responsibilities change over time, profiles are often cloned and edited to reflect an organization's evolving access needs.

The result is that, in a mature Org, profiles are too often driven by employee needs rather than a regimented security design. It is not uncommon for users to have old permissions on their profile that they no longer need — and as staff move in and out of roles, old profiles may be left unused, creating an unmanageable amount of clean up work and the potential for unauthorized access that can be an inherent security risk.

Moving from Profiles to Permission Sets

So, how do you manage the problem of 'profile chaos'? Our recommended best practice — and Salesforce's, too — is to keep profiles as simple and restrictive as possible, and use permission sets to manage the nuances of access for different job functions. Getting there from a state of profile chaos is a four-step process:

  1. Determine what each profile in your system does
  2. Compare profiles and extract the differences between them
  3. Group these differences into permission sets
  4. Consolidate profiles and deactivate anything redundant

This can be a difficult project, especially in a longstanding Org with a lot of profiles. Fortunately, there are some free tools available that can help automate things. Learn more about them here.
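The four steps above can be mechanised once profile grants are extracted as data. The following is an added example (not code from the original post, and not one of the free tools it refers to) that works on a constructed set of four profiles, each represented as (object, permission) pairs loosely modelled on the objectPermissions entries of Salesforce Profile metadata; object names such as `Quote__c` are placeholders. It computes the shared baseline (what a single restrictive profile would keep), extracts each profile's extras, groups grants that are held by exactly the same profiles into candidate permission sets, and flags profiles that differ from another only by extras so they can be consolidated.

```python
from collections import defaultdict

# Constructed sample data (not from the article): four profiles, each a set
# of object-level CRED grants as (object, permission) pairs. "Quote__c"
# stands in for a managed-package object such as a CPQ quote.
PROFILES = {
    "Sales User": {
        ("Account", "Read"), ("Account", "Edit"),
        ("Opportunity", "Create"), ("Opportunity", "Read"), ("Opportunity", "Edit"),
        ("Quote__c", "Create"), ("Quote__c", "Read"), ("Quote__c", "Edit"),
    },
    "Sales Manager": {
        ("Account", "Read"), ("Account", "Edit"),
        ("Opportunity", "Create"), ("Opportunity", "Read"), ("Opportunity", "Edit"),
        ("Opportunity", "Delete"),
        ("Quote__c", "Create"), ("Quote__c", "Read"), ("Quote__c", "Edit"),
    },
    "Support User": {
        ("Account", "Read"), ("Account", "Edit"),
        ("Case", "Create"), ("Case", "Read"), ("Case", "Edit"),
    },
    # A leftover clone that picked up a Delete grant nobody reviewed.
    "Support User (clone 2019)": {
        ("Account", "Read"), ("Account", "Edit"),
        ("Case", "Create"), ("Case", "Read"), ("Case", "Edit"), ("Case", "Delete"),
    },
}


def baseline(profiles):
    """Grants every profile shares: what one restrictive base profile keeps."""
    return set.intersection(*profiles.values())


def extract_differences(profiles):
    """Step 2: each profile's grants beyond the shared baseline."""
    base = baseline(profiles)
    return {name: grants - base for name, grants in profiles.items()}


def group_into_permission_sets(profiles):
    """Step 3: grants held by exactly the same profiles belong in one
    permission set. Returns {frozenset(profiles needing it): set of grants}."""
    holders = defaultdict(set)  # grant -> profiles that carry it
    for profile, grants in extract_differences(profiles).items():
        for grant in grants:
            holders[grant].add(profile)
    candidate_sets = defaultdict(set)
    for grant, profs in holders.items():
        candidate_sets[frozenset(profs)].add(grant)
    return dict(candidate_sets)


def single_holder_grants(profiles):
    """Grants only one profile has: review these before turning them into a
    permission set, since they are often leftovers rather than requirements."""
    return {
        grant: next(iter(profs))
        for profs, grants in group_into_permission_sets(profiles).items()
        if len(profs) == 1
        for grant in grants
    }


def subset_profiles(profiles):
    """Step 4: profiles whose grants are a strict subset of another's. The pair
    differs only by a permission set, so one base profile can serve both."""
    return {
        a: b
        for a, ga in profiles.items()
        for b, gb in profiles.items()
        if a != b and ga < gb
    }


if __name__ == "__main__":
    print("baseline:", sorted(baseline(PROFILES)))
    for profs, grants in group_into_permission_sets(PROFILES).items():
        print("permission set for", sorted(profs), "->", sorted(grants))
    print("review single-holder grants:", single_holder_grants(PROFILES))
    print("subset profiles:", subset_profiles(PROFILES))
```

On this input the two Delete grants each surface as a single-holder grant, which is exactly the kind of thing to question before it is carried forward into a permission set. Real profiles also carry field-level security, tab, app and Apex class access; the same grouping works if those are encoded as pairs alongside the object grants.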

Principle of Least Privilege

The principle of least privilege is one of the best ways to maintain Org security. It's founded on the notion of giving individuals only the minimum access privileges necessary to perform a specific job or task and nothing more. Limiting the number of privileged users is one of the five best practices recommended by the National Cybersecurity and Communications Integration Center (NCCIC) at the U.S. Computer Emergency Readiness Team (US-CERT) as part of every organization’s cybersecurity strategy.

The good news is that, once you've cleaned up your profiles and migrated to using permission sets, maintaining the principle of least privilege is a lot easier. GearSet suggests using a 'minimum access' profile for almost all non-admin users.

Using Strongpoint for Better Visibility

Strongpoint automatically documents and monitors your access controls — and gives you tools to map out connections between roles, profiles, permission sets, Objects and fields. With it, you can investigate who has access to critical Objects and fields, run cleanup projects and track changes to user access on an ongoing basis.

Looking for more tips on keeping your Org secure? Download our eBook, Salesforce Access Controls: Best Practices for Managing Risk, or reach out to sales@strongpoint.io today.


