💃 Secure All The Things 🕺
Building a Salesforce security model
Good morning, Salesforce Nerds! Where does trust rank in your list of values?
We know where Salesforce stands. Trust is #1 in their book.
In trust we trust, they say. 🤝
As we know, trust must be earned. Like Salesforce touts, this is done through transparency, security, compliance, privacy, and performance.
Today, let’s look into the pillar of security.
After all, your customers won’t trust you if you can’t keep their things secure. ❌
So read on to see how we can leverage OOTB tooling to secure our orgs.
FIRST THINGS FIRST
Security Overview
Building a tight security model on the Salesforce platform is crucial for ensuring data integrity, user access control, and overall system protection.
That’s why Salesforce offers several tools that can be leveraged to create a comprehensive security framework.
Need to protect sensitive data? 🔏
How about ensuring the confidentiality of your data? 👍️
What about regulatory compliance? 🤔
As Salesforce professionals, understanding which tools to use for what purpose will help us navigate these waters.
LET’S MEET THE PLAYERS
Understanding the Components
Remember those tools we were just talking about? There are tons, really.
We’re gonna talk about the primary four items we can use to secure our orgs. 🔒️
👉️ Profiles: The OG of Salesforce security …
Today it’s recommended to lock these things down. Like all the way. Define the least amount of permissions possible at this level.
Use profiles to assign things like default record types, page layouts, IP ranges, login hours, etc.
No system permissions, no object/field access, no tab settings, etc. We’ll get to these!
👉️ Permission Sets: Today’s best practice …
Use these to extend the baseline permissions granted by profiles. After you create one you just assign it to specific users. This gives that user extra permissions/access to functionality.
This is where you put system permissions, object/field access, tab settings. All that good stuff.
In the end, this gives you more granular control over user capabilities without needing to create a 💩-ton of profiles for different access requirements.
👉️ Permission Set Groups: A bucket for your Permission Sets …
These are exactly what they’re called - a way to group related permission sets together into a logical bucket of capabilities.
These simplify the assignment of multiple permission sets to users who have similar job functions.
With these, instead of assigning each permission set individually, you can group them together and assign the entire group to users.
Much easier than doing them one by one.
👉️ Org-wide Defaults: Default record access …
We had to throw these in here.
Often overlooked, these rules define the default level of access that users have to each other's records.
And you don’t want to provide more access than you really need to.
This could be an article by itself, so let’s just say this for now:
Try to keep these Private/Controlled by Parent and use sharing rules, role hierarchy, Apex Sharing, etc. for opening up access.
PUTTING IT ALL TOGETHER
Building the Security Model
Cool, we know what tools we have. Now … how do we actually put them to use?
Well, here’s a high-level list to set you on the right path. 🏔️
🧑💻 Define Roles and Responsibilities
Identify Roles: Determine the different roles and responsibilities users will have within your org.
Group Users: Group users based on these roles and responsibilities. This will help in defining profiles, permission sets, and permission set groups later on.
✍️ Create Profiles
Define Profile Settings: Create profiles based on the identified roles. Remember, keep them locked down. Just the bare minimum here.
Assign Profiles: Assign appropriate profiles to users based on their roles. Ensure that each user has a profile that aligns with their job function.
🔒️ Configure Permission Sets
Identify Extra Permissions: Identify specific functionalities or data access requirements for each role. i.e., which roles need to manage Leads? What about Accounts or that custom object you created?
Create Permission Sets: Create permission sets to give extra permissions. This is where you want to give CRUD access on objects, or FLS access to fields. Maybe even a custom app.
Assign Permission Sets: If it’s manageable, you can start to assign permission sets to individual users as needed. Keep in mind some users may need permissions that span multiple roles.
🪣 Implement Permission Set Groups
Group Related Permission Sets: Group related permission sets together based on common job functions or access requirements. Again, think about what each role needs to do within your org.
Create Permission Set Groups: Create permission set groups - this is just picking the permission sets you want to add to the group.
Assign Permission Set Groups: Assign permission set groups to users to streamline access management. Again, keep in mind some users may need permissions that span multiple roles.
🙈 Define Org-wide Default Sharing Rules
Review Object Access Requirements: Review the access requirements for different objects (e.g., Accounts, Contacts, Opportunities).
Set Org-wide Defaults: Set appropriate org-wide default sharing rules for each object based on confidentiality and collaboration needs. Choose between Public Read/Write, Public Read Only, Private, or Controlled by Parent.
Refine Sharing Settings: Refine sharing settings for specific objects if necessary, using sharing rules or criteria-based sharing rules to grant additional access where needed.
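To check that an org actually follows the split described above (profiles carry only login/UI settings, permission sets carry the grants, and View All / Modify All are not handed out casually), here is an added Python example. It is not from the newsletter or from Salesforce; it audits Profile and PermissionSet metadata XML as retrieved with the Metadata API or an sfdx project. The two XML samples are constructed for the demo; the tag names are the standard metadata format.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample Profile: login IP ranges belong here, but it also carries
# object and system permissions, which this model reserves for permission sets.
PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges><endAddress>192.0.2.254</endAddress><startAddress>192.0.2.1</startAddress></loginIpRanges>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>true</allowDelete><allowEdit>true</allowEdit>
    <allowRead>true</allowRead><modifyAllRecords>true</modifyAllRecords>
    <object>Lead</object><viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</Profile>"""

# Constructed sample Permission Set: scoped CRUD and FLS on Lead, no "all data" grants.
PERMSET_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Lead Manager</label>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowDelete>false</allowDelete><allowEdit>true</allowEdit>
    <allowRead>true</allowRead><modifyAllRecords>false</modifyAllRecords>
    <object>Lead</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <fieldPermissions><editable>true</editable><field>Lead.Phone</field><readable>true</readable></fieldPermissions>
</PermissionSet>"""

# Grants a locked-down profile should not carry, and system permissions broad
# enough to deserve a second look wherever they appear.
PROFILE_GRANT_TAGS = ("objectPermissions", "fieldPermissions", "userPermissions", "tabVisibilities")
BROAD_USER_PERMS = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex"}

def audit(xml_text):
    """Return a list of findings for one Profile or PermissionSet metadata file."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]  # strip the metadata namespace from the root tag
    findings = []
    if kind == "Profile":
        for tag in PROFILE_GRANT_TAGS:
            count = len(root.findall(f"m:{tag}", NS))
            if count:
                findings.append(f"Profile grants {count} {tag}; move them to a permission set")
    for perm in root.findall("m:userPermissions", NS):
        name = perm.findtext("m:name", namespaces=NS)
        if perm.findtext("m:enabled", namespaces=NS) == "true" and name in BROAD_USER_PERMS:
            findings.append(f"{kind} enables broad system permission {name}")
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        for flag in ("modifyAllRecords", "viewAllRecords"):  # these ignore org-wide defaults and sharing
            if op.findtext(f"m:{flag}", namespaces=NS) == "true":
                findings.append(f"{kind} sets {flag} on {obj}, bypassing org-wide defaults")
    return findings
```

Point `audit()` at each file under `profiles/` and `permissionsets/` in a retrieved project; an empty list for a profile means it is locked down the way the model above expects.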
WRAPPING THINGS UP
Takeaways
Building a security model on the Salesforce platform involves a systematic approach using:
✅ Profiles
✅ Permission Sets
✅ Permission Set Groups
✅ Org-wide defaults
Using these tools allows organizations to effectively manage user access and data security. 🔒️
This approach helps you to ensure that Salesforce is configured to meet the security needs of your customers’ orgs while providing a seamless user experience and protecting sensitive data. 💪
SOUL FOOD
Today’s Principle
"There's no silver bullet with cybersecurity; a layered defense is the only viable option."