User access and Salesforce Security

Salesforce Security Pillar 1: User Access

If you’ve been following along with our blog, you may have already seen our original post, The 3 Pillars of Salesforce Security.

In this post, we’re going to do a deep dive into the first pillar – User Access. And here’s the key message:

Don’t Give People Access They Don’t Need.

User Access is an essential ingredient in any successful security strategy. Here are a few things to keep in mind as you’re reviewing your own company’s approach to User Access:

1. Narrow Down Admin Access

We see it all the time. The majority of Users within a given Salesforce org have permissions far above and beyond what they actually require to do their jobs, often full admin access! Most Salesforce Users should NOT be Admins, and it has nothing to do with trusting the individual User with company data, but everything to do with decreasing your exposure to risk as an organization.

It’s important to take a step back and understand what full admin access actually entails – just because you aren’t part of the System Admin profile, doesn’t mean that you don’t have full admin access. Ask yourself if a user can:

  • Manage other users
  • Delete records
  • Reset User Passwords/unlock users
  • Login as any user
  • Create and assign new permission sets?

These types of permissions fall under a Full Admin profile, and should be audited on a very regular basis.

2. MFA and SSO

You should be enforcing Multi-Factor Authentication (MFA) not just for every User of Salesforce, but for EVERY USER OF EVERY SYSTEM THAT CONNECTS TO Salesforce. (It always surprises us how many companies have MFA enabled for SF, but not for Marketo or some other connected system.) You should also consider Single Sign-On (SSO) for your org to help ensure secure access.

A recent Forrester study concluded that post-MFA implementation, an organization could achieve a 164% return on their MFA investment over 3 years, improve security through a 50% reduction in risk of material breach, avoid additional cyber insurance premiums, improve flexibility for “work from anywhere” employees, and avoid brand and reputation damage.

3. Prevent Users from Exporting Data

Also consider that there are steps that can be taken to prevent Users from exporting data. Disabling “Print Screen”, Disabling “Export Report”, and Enabling App Allowlisting (formerly Whitelisting) are all ways to add friction to Users exporting data from Salesforce.


The important takeaway here is to be conscious of which Users (or groups of Users) have access to which types of Salesforce data, and ensure that people only have the access that they truly need to do their jobs.

Stay tuned for the next instalment where we cover System Access in more depth!

You may be interested in

Pillar 2 of Security: System Access

Salesforce Security Pillar 2: System Access

It’s time for Part 2 of our Pillars of Salesforce Security series. If you’re not caught up, take a quick look back at our Intro Blog and Part 1: User Access. This post is all about System Access, and here is the key takeaway: Don’t Give Systems Access They Don’t Need. There are a few […]

Read More

The 3 Pillars of Salesforce Security. Pillar 3: Records & Data

Salesforce Security Pillar 3: Records & Data

Now we’ve made it to the final instalment of our Pillars to Salesforce Security. If you are not caught up, we highly recommend you read through Part 1: User Access & Part 2: System Access. With that being said, here we’ll be taking a deep dive into Records and Data with the key theme: Don’t […]

Read More

Sign up for the latest tips & news from CloudKettle

Thank you for subscribing.