User access and Salesforce Security

Salesforce Security Pillar 1: User Access

If you’ve been following along with our blog, you may have already seen our original post, The 3 Pillars of Salesforce Security.

In this post, we’re going to do a deep dive into the first pillar – User Access. And here’s the key message:

Don’t Give People Access They Don’t Need.

User Access is an essential ingredient in any successful security strategy. Here are a few things to keep in mind as you’re reviewing your own company’s approach to User Access:

1. Narrow Down Admin Access

We see it all the time. The majority of Users within a given Salesforce org have permissions far above and beyond what they actually require to do their jobs, often full admin access! Most Salesforce Users should NOT be Admins, and it has nothing to do with trusting the individual User with company data, but everything to do with decreasing your exposure to risk as an organization.

It’s important to take a step back and understand what full admin access actually entails – just because a user isn’t on the System Admin profile doesn’t mean they don’t have full admin access. Ask yourself whether a user can:

  • Manage other users
  • Delete records
  • Reset user passwords / unlock users
  • Log in as any user
  • Create and assign new permission sets

These types of permissions amount to full admin access, and they should be audited on a regular basis, regardless of which profile grants them.

2. MFA and SSO

You should be enforcing Multi-Factor Authentication (MFA) not just for every User of Salesforce, but for EVERY USER OF EVERY SYSTEM THAT CONNECTS TO Salesforce. (It always surprises us how many companies have MFA enabled for SF, but not for Marketo or some other connected system.) You should also consider Single Sign-On (SSO) for your org to help ensure secure access.

A recent Forrester study concluded that post-MFA implementation, an organization could achieve a 164% return on their MFA investment over 3 years, improve security through a 50% reduction in risk of material breach, avoid additional cyber insurance premiums, improve flexibility for “work from anywhere” employees, and avoid brand and reputation damage.

3. Prevent Users from Exporting Data

There are also steps you can take to prevent Users from exporting data. Disabling “Print Screen”, disabling “Export Report”, and enabling App Allowlisting (formerly Whitelisting) are all ways to add friction for Users trying to export data from Salesforce.
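The two audits above (section 1, who effectively holds admin-level permissions regardless of profile, and section 3, who can still export reports) can be scripted once the per-user permission flags have been pulled out of the org. The following is an added example written for this post, not CloudKettle's own tooling and not code from Salesforce. It assumes the caller has already flattened each user's profile and assigned permission sets into one set of boolean flags (for instance from the REST API's User, PermissionSetAssignment and PermissionSet objects); the flag names used here follow the PermissionSet object's API field names as I understand them and should be verified against your org's describe. The sample records are constructed, not taken from a real org. "Log in as any user" is governed by the org-level Login Access Policies setting rather than a per-user flag, so it is not covered by this script and must be checked separately.

```python
"""
Added example: flag Salesforce users whose effective permissions amount to
full admin access, and list users who can export reports.

Assumption: each record already holds the union of permission flags from the
user's profile and all assigned permission sets. Flag names follow the
PermissionSet API field names (verify against your org's describe).
"""
from __future__ import annotations

from dataclasses import dataclass

# Maps the post's checklist onto the flags that grant each capability.
# Manage Users also allows password resets, so it appears under both items.
ADMIN_EQUIVALENT: dict[str, tuple[str, ...]] = {
    "Manage other users": ("PermissionsManageUsers",),
    "Delete any record": ("PermissionsModifyAllData",),
    "Reset passwords / unlock users": ("PermissionsResetPasswords", "PermissionsManageUsers"),
    "Create and assign permission sets": (
        "PermissionsManageProfilesPermissionsets",
        "PermissionsAssignPermissionSets",
    ),
}
EXPORT_FLAG = "PermissionsExportReport"


@dataclass(frozen=True)
class UserPerms:
    username: str
    profile: str
    grants: frozenset[str]  # union of flags from profile + permission sets


def admin_findings(user: UserPerms) -> dict[str, list[str]]:
    """Return {checklist item: [flags granting it]} for each admin-level
    capability the user effectively holds; empty dict if none."""
    findings: dict[str, list[str]] = {}
    for item, flags in ADMIN_EQUIVALENT.items():
        hits = [f for f in flags if f in user.grants]
        if hits:
            findings[item] = hits
    return findings


def audit(users: list[UserPerms], approved_admins: frozenset[str]):
    """Return (unapproved_admins, exporters).

    unapproved_admins: {username: findings} for users with any admin-level
    capability who are NOT on the approved list. The profile name is
    deliberately ignored: a permission set on a "normal" profile counts.
    exporters: sorted usernames that hold Export Report.
    """
    unapproved: dict[str, dict[str, list[str]]] = {}
    exporters: list[str] = []
    for u in users:
        findings = admin_findings(u)
        if findings and u.username not in approved_admins:
            unapproved[u.username] = findings
        if EXPORT_FLAG in u.grants:
            exporters.append(u.username)
    return unapproved, sorted(exporters)


# Constructed sample data (not from a real org).
SAMPLE_USERS = [
    UserPerms("admin@example.com", "System Administrator", frozenset({
        "PermissionsManageUsers", "PermissionsModifyAllData",
        "PermissionsResetPasswords", "PermissionsAssignPermissionSets",
        EXPORT_FLAG,
    })),
    UserPerms("sales.rep@example.com", "Standard User", frozenset()),
    # Ordinary-looking profile, but a permission set granted Manage Users.
    UserPerms("ops.lead@example.com", "Custom Sales Ops", frozenset({
        "PermissionsManageUsers", EXPORT_FLAG,
    })),
    UserPerms("analyst@example.com", "Custom Analyst", frozenset({EXPORT_FLAG})),
]
APPROVED_ADMINS = frozenset({"admin@example.com"})


if __name__ == "__main__":
    over, exporters = audit(SAMPLE_USERS, APPROVED_ADMINS)
    for name, findings in over.items():
        print(f"UNAPPROVED ADMIN-LEVEL ACCESS: {name}")
        for item, flags in findings.items():
            print(f"  - {item} via {', '.join(flags)}")
    print("Users who can export reports:", ", ".join(exporters))
```

Keying the approved list on usernames rather than on the System Administrator profile is the point of the check: a user on a custom profile who picked up Manage Users through a permission set shows up in the report, which is exactly the case the post warns about. Feed the exporters list into the section 3 review to decide whose Export Report permission should be removed.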


The important takeaway here is to be conscious of which Users (or groups of Users) have access to which types of Salesforce data, and ensure that people only have the access that they truly need to do their jobs.

Stay tuned for the next instalment where we cover System Access in more depth!
