Pillar 2 of Security: System Access


It’s time for Part 2 of our Pillars of Salesforce Security series.

If you’re not caught up, take a quick look back at our Intro Blog and Part 1: User Access.

This post is all about System Access, and here is the key takeaway:

Don’t Give Systems Access They Don’t Need.

There are a few key topics that you should keep in mind here. 

Third Party Apps

Third party apps can be extremely useful and provide you with a level of convenience across a variety of areas. However, you should ensure that the third party apps that you use do not have the ability to: 

  • Delete records 
  • Update Salesforce user information
  • Update transactional records 
  • Access PII 

It is crucial to apply strong safety measures when using third party apps. While these apps may reduce the need to purchase additional costly software packages, that saving is not worth exposing your Salesforce org to a security breach.


Healthy Access Practices

It can be difficult to manage the access that different systems within your org have. Many companies have overlapping software within their orgs, so it can be easy for preferences to become tangled and hard to keep track of. This is why we have developed a checklist to help ensure that you have healthy access practices: 

  1. Enable App AllowListing (more details on App AllowListing can be found in our blog post on the topic)
  2. Remove unused integrations and limit data access 
  3. Uninstall expired managed packages 
  4. Create a dedicated integration user profile 
  5. Utilize API Only User

Following each practice in this checklist will provide your Salesforce org with more security to ensure your users’ information and your org’s data is safe. 


Removing Integrations and Limiting Access 

As part of our business, we regularly conduct audits of large Salesforce orgs. In our experience, we often see that 30-50% of the integrations that exist within an org are either not active or not vetted by Salesforce. Not removing inactive users from your systems can lead to security inconsistencies (and risks) that are easily avoided.

You can further strengthen the security of your systems by removing inactive integrations and limiting the access of active users. Essentially, the main goal is to prevent unauthorized users from installing packages and downloading Salesforce data. This can be achieved in several ways; however, we have found that the following practices yield the best results:

  • Specify which apps users have access to 
  • Ensure that authorization of users can be managed at an org-wide level or for specific users
  • Implement a scalable solution that applies the same limitation to new users while also creating a centralized location to manage existing user authorization
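As an added illustration of the integration audit described above (example code, not CloudKettle's or Salesforce's own tooling): it triages rows from the OauthToken standard object (AppName, UserId, LastUsedDate, UseCount) and flags tokens that have never been used or have sat idle beyond a threshold. The rows below are constructed sample data standing in for a live SOQL result, and the 90-day threshold is an assumption.

```python
"""Flag stale Salesforce integrations from OauthToken rows (added example)."""
from datetime import datetime, timedelta, timezone

# SOQL you would run against the org (REST API or Developer Console) to
# pull every OAuth token a connected app currently holds for a user.
STALE_TOKEN_SOQL = "SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken"

# Constructed sample rows, in the shape the REST API returns for that query.
SAMPLE_TOKENS = [
    {"AppName": "Marketing Sync", "UserId": "005AAA",
     "LastUsedDate": "2024-08-30T09:00:00.000+0000", "UseCount": 1250},
    {"AppName": "Marketing Sync", "UserId": "005BBB",
     "LastUsedDate": "2024-02-01T09:00:00.000+0000", "UseCount": 12},
    {"AppName": "Legacy ETL", "UserId": "005CCC",
     "LastUsedDate": "2024-01-15T09:00:00.000+0000", "UseCount": 40},
    {"AppName": "Data Loader", "UserId": "005DDD",
     "LastUsedDate": None, "UseCount": 0},
]
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def parse_sf_datetime(value):
    """Salesforce datetimes look like 2024-08-30T09:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def stale_tokens(tokens, now=NOW, max_idle_days=90):
    """Return (AppName, UserId, reason) for every token that is never used
    or whose last use is older than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for t in tokens:
        last = t.get("LastUsedDate")
        if not t.get("UseCount") or last is None:
            findings.append((t["AppName"], t["UserId"], "never used"))
        elif parse_sf_datetime(last) < cutoff:
            findings.append((t["AppName"], t["UserId"], f"idle since {last[:10]}"))
    return findings


def inactive_apps(tokens, now=NOW, max_idle_days=90):
    """Apps with no active token at all: removal candidates (checklist item 2)."""
    all_apps = {t["AppName"] for t in tokens}
    stale_apps = {app for app, _, _ in stale_tokens(tokens, now, max_idle_days)}
    active_apps = {t["AppName"] for t in tokens
                   if (t["AppName"], t["UserId"]) not in
                   {(a, u) for a, u, _ in stale_tokens(tokens, now, max_idle_days)}}
    return (stale_apps - active_apps) & all_apps
```

The share of inactive apps (here 2 of 3) is the figure to compare against the 30-50% seen in audits; apps with a mix of stale and active tokens warrant revoking the idle tokens rather than uninstalling the app.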

In short, your systems contain extremely valuable information that can be viewed and downloaded by unnecessary (or unwanted!) users if you don’t implement strong security practices. Use the resources and checklists we provided to maintain a healthy and safe approach to system authorization.

Stay tuned for the next instalment where we will cover the impact that Records and Data can have on your overall org security!
