Throughout my B2B marketing career, many things have changed, especially digital marketing. Eight years ago, 150 companies made up the marketing technology landscape. Today, that number is in the thousands.
As the business world continues to evolve with new technologies, the dependency on CRM systems, with Salesforce most notably leading the charge, has grown substantially over the last ten years.
How I Became the “Salesforce Guy”
In 2010, I joined Radian6 (acquired by Salesforce), and it was there I first started using Salesforce. As an analytical and performance driven person, I immediately fell in love with Salesforce.
With a passion and familiarity of the Salesforce platform, as I joined other tech companies post-Radian6/Salesforce, I became the default “Salesforce guy”. However, without any Salesforce training beyond real-life experience, problems would continually creep up in our Salesforce Org. Most of these issues would inevitably affect the productivity of my fellow team members.
I joined CloudKettle in 2018. I was quickly trained and then certified as a Salesforce Administrator. Now, I look back at those incidents and realize some of my mistakes. Most importantly, I realize the importance of proactively monitoring Salesforce to enable solving problems before they impact productivity. The following are three important lessons I learned during my time as an Accidental Admin.
Integrations
Salesforce is the most powerful CRM in the world. In large part because of the diverse ecosystem of tools that can be integrated with it. For that reason, most organizations are expanding the value they get out of Salesforce by integrating it with other tools, like their marketing automation, data enrichment, collaboration tools, etc.
However, tying all these external tools into your Salesforce instance and providing them access to your (increasingly sensitive in today’s GDPR world) data comes with its own set of challenges.
What most Accidental Admins don’t realize is, something as simple as a person updating their password can break an integration. Previously, I’d run into problems when which Users in Salesforce could install solutions was not managed and/or monitored. This often meant that multiple Users were making decisions independent of each other. It also meant security vulnerabilities weren’t considered before solutions were installed.
Here are three best practices for managing integrations in Salesforce I wish I had known:
- Only a handful of people within your organization should be able to install solutions in Salesforce.
- Ideally, only a Dedicated Integration User(s) is used for integrations (read more about what a Salesforce Dedicated Integration User is here).
- Monitoring what solutions have been installed in Salesforce is necessary
To manage which Users in Salesforce can install which solutions, an Admin will have to enable App Allowlisting (formerly Whitelisting). To learn more about how to enable App Allowlisting in Salesforce, check out tip number four in this post: Top Five Salesforce Security Tips to Make Your Instance More Secure.
Admin Permissions
Everyone knows that protecting Salesforce data is important. However, understanding how to configure roles and permission sets to make sure only the right people have access to the right data can be complex.
As mentioned above, only a handful of Users should be Salesforce System Administrators within your Org. Salesforce Admins have “God-like” powers and the more Admins you have, the more liability you’re introducing into your Org. Below is a rough guideline of the Salesforce Users vs Admin acceptable ratio:
| Number of Salesforce Users | Number of Admins |
| 1 – 50 | 2 |
| 50 – 100 | 4 |
| 100 – 1,000 | 6 |
| 1,000+ | 10 |
Another term I wasn’t familiar with as an Accidental Admin is the concept of a “Ghost Admin”. A Ghost Admin is a User in Salesforce that has one or more of the following permissions:
1) Manage All Users
2) Modify All Data
3) Export Weekly Data
Giving a User one (or more) of the permissions above is essentially a workaround for giving that User a similar level of access to Salesforce System Administrator, without giving them the Profile. Ghost Admins make your Org unstable and less secure. They are especially problematic because generally, they are not Users who are well versed in the Setup area of Salesforce (relative to a certified Admin).
We recommend no Ghost Admins exist within your Org (stay tuned for a blog post on how to spot Ghost Admins and what to do).
Rolling 24-hour API Limit
Another item I wasn’t aware of as an Accidental Admin, is the rolling 24-hour API limit. Every Salesforce Org has a certain number of API calls it can make within 24 hours.
Monitoring your API call level throughout the day is critical. Once this limit is reached, a “cooling-down” period is enforced by Salesforce. This means every integration that relies on API calls to pass information back and forth stops syncing until this period has passed.
Continuously monitoring these limits allows for a proactive plan to be created before the cooling down period sets in. A Salesforce monitoring tool can be customized to alert you when your Org has hit certain API thresholds. That way, as usage rises, a plan can be actioned to reduce API calls to keep systems up and running.
Wrap Up
I hope you found this post helpful and are walking away with actionable insights on how to manage a more secure instance of Salesforce. Have questions about Salesforce best practices? Sign up for our newsletter! We send out a monthly recap of our latest Salesforce content, including articles on security best practices, actionable insight on Salesforce optimization for enterprises, and more.
