Salesforce Security 101 - Part II

Any enterprise implementation of Salesforce, especially in an institution of our size, requires establishing a process that defines how a user is provisioned an account in the system and how their rights will evolve over time, and in some cases, how a user is ultimately removed from the system. A collaborative group of developers, business system analysts and security experts have been working to define these processes. Their strategy is below:

Develop a Security Workbook:

  • What: A matrix of CRM Profiles and CRM Objects that lists the type of access for each Profile/Object combination. In addition, it lists Record Types/Page Layouts per Object and the Org Wide Default (OWD) setting for each Object.
  • Why: Used by IS Security to review security requests, allowing them to manage profiles, prevent duplication of profiles, and troubleshoot access issues.
  • Next Steps: The first draft was manually created; the next step is to develop a way to automatically generate this information. Then the team will identify default Object permissions.

Develop a Salesforce New Profile Request:

  • What: Used when requesting the creation of a new profile. It includes questions about Objects, Base Permissions, Advanced Permissions, Salesforce Mobile, Field Level Security, and App Access.
  • Why: To enable IS to follow best practices in profile creation and management.

Develop a Permission Set Workbook:

  • What: Lists all Administrative and General User Permissions and identifies which permissions can be “bundled” into sets, making them easier to update and assign. The workbook also identifies permissions that should be enabled by default on all profiles, which permissions should be enabled for IS Developers, and which ones should be enabled for Functional Administrators.
  • Why: Since Permission Sets are add-ons to a Profile, this will be used by IS Security and by CRM Project Teams to efficiently and appropriately expand access for a user.

Develop a Salesforce New User/Update User Request:

  • What: Used when requesting a new user/account or adding/removing permissions from an existing account.


Coming in Part III:

  • Develop a Method for Documenting Field Level Security.
  • Determine if Role Hierarchy will be used.
  • Develop Standard Naming Convention for Profiles and Permission Sets.
  • Review all existing Profiles, Permission Sets, and User Settings and standardize and/or consolidate where possible.