Large companies have established policies for corporate governance, and many others follow security policies to safeguard consumer or financial information. Companies in the financial and health sectors are regulated by state, federal, and foreign governments. These various regulations include SOX, PCI-DSS, GLBA, HIPAA, HCQIA, CHIP, HRRP, PSQIA, ACA, FISMA, PCI-DSS, FERPA, and most recently GDPR. Regulatory compliance requires careful documentation of corporate activities and information handling practices. Can you pinpoint the measures your organization has in place on this front?
This blog discusses 6 essential documents that can help companies achieve better compliance, governance, and security. In most cases, these reports can be assembled with information available from the Salesforce Data, Metadata, and Tooling API. In the last section, you will learn about new sources of information available with Salesforce Shield, including the Event Log File and Field Audit Trail services.
1. Data Dictionary
Custom Objects and Fields are a central focus for any Salesforce account. Between the Data and the Metadata API, there are 70 properties that describe Custom Objects, and a further 80 properties that document Custom Fields. These properties cover everything you can imagine, such as field labels, numeric precision, formula fields, date formats, picklist values, child relationships, and help text.
A Data Dictionary can be used to document the current properties for each Custom Object and Field in a Salesforce account. This is a key compliance report for use by business analysts and application developers interested in documenting the current state of the org. The report could be used by a development team to track project progress, or by a System Integrator before and after a job is completed.
2. Combined Permissions Report
Every user has a Profile that defines what they can see and do. Profile permissions include Application and Tab Visibility, Apex Class and Page Access, Object and Field Permissions, User and Custom Permissions, and Layout Assignments.
An administrator can also assign any number of Permission Sets to a user. Permission Sets are similar to Profiles, but are used to grant additional permissions for special situations.
A Combined Permissions Report shows how the base Profile and each assigned Permission Set contribute to the actual security permissions for a specific user. This is a key report for security and compliance. For example, a company could document which users have been granted access to fields that contain customer information. In the table below, Permission Sets that changed the base Profile are shown in green, Permission Sets that were not effective are shown in red. This report can be challenging to generate because information from the Data and the Metadata API must be cross-referenced.
3. Record Level Security Report
Profiles and Permission Sets control which objects and fields a user can see. But when it comes to specific records, additional rules apply.
Salesforce administrators can set up complex record level security rules.
- Every record is owned by a user or a queue. The owner has full access to the record.
- There are organization-wide sharing settings for each object.
- Users higher up in the Role hierarchy have access to the same data as people lower in their hierarchy.
- Manual and programmatic sharing rules create exceptions for particular sets of users.
There is some information on record level access in the Salesforce HTML interface, but only for one record at a time. An effective Record Level Security Report would allow the selection of multiple records and provide detailed information about who has access to each record, what kind of access they have, and why they have the access. This report can help administrators manage sharing rules and document data security.
4. Asset History Report
Think for a second about your production Salesforce account. Most orgs will have Custom Tabs, Page Layouts, Custom Objects, Profiles, Visualforce Pages, and many other configurations. The Metadata API currently supports about 150 different types, and for each type, there are many individual assets. An Unlimited Edition org can have up to 2000 Custom Objects, each with a maximum of 500 fields. There can be hundreds or even thousands of Roles, Profiles, Dashboards, and other assets.
Now think about this. Where did all those configurations come from? Who deployed them in the org? Did they flow through the testing Sandbox? Were they modified with the Setup Menu? What was the chain of custody from the developer who created the asset down through various Sandboxes and other staging orgs before it ended up in your production account?
An Asset History Report should be able to answer these questions. Some of this information is tracked by Salesforce, but for the most part this “meta metadata” must be carefully recorded by the change and release management tool that the development team and org administrators are using. This is an essential report for compliance and corporate governance.
5. Metadata Differences Report
An Asset History Report looks at how a Salesforce org was assembled, but additional insights can be gathered by watching how the org has changed over time. Administrators can take periodic metadata snapshots of the org and commit them to a version control system. Then by examining the time-series differences, many interesting questions can be answered. Have Profiles or Permission Sets changed? What new Custom Fields have been added? Did the security configuration change? Have new packages been installed? What Apex Scripts were changed? The Metadata Differences Report provides valuable information for security audits and compliance.
Salesforce Shield adds an additional layer of security to your Salesforce org to help meet complex internal and regulatory compliance requirements. Shield provides some native capabilities, but also some new services that can be used to construct custom reports. The three core services offered by Salesforce Shield are Event Log Files, Field Audit Trail, and Platform Encryption.
The Event Log File custom object provides low-level event logs with all kinds of information relevant to privacy concerns, security situations, and data exfiltration. For example, you can see when Reports are run, Documents are downloaded, Packages are installed, or the Bulk Data API is used. With Field Audit Trail you can specify a retention policy for field history and retain archived data for up to 10 years. Lastly, Platform Encryption can be used to further safeguard data at rest.
6. Activity Timeline Report
This leads on smoothly to finish up with Activity Timeline reporting. The Event Log File and the Field Audit Trail information contains the specific dates of different user activities, along with additional fields that describe the event in more detail. There are other Salesforce objects such as the Setup Audit Trail and Login History that provide related information. Filtering these records by date, an Activity Timeline Report can be constructed that shows every interaction that a user had with Salesforce over a given timeframe.
In the event of a credential-based attack, this report can provide a roadmap of the activities carried out by the attacker. In a data exfiltration event, this report can be used to document the extent of the damage. Rogue administrative actions or accidents can be placed on a timeline. Different activities can be filtered by risk level. The Activity Timeline Report can be used to forensically examine events in the past, or proactively safeguard against future security risks.
Companies can use the Salesforce Data, Metadata, and Tooling API to generate powerful reports that help achieve better compliance, governance, and security. Salesforce Shield provides additional native capabilities and other useful services. If you see a gap in your compliance and security reporting after reading this post, our Snapshot product can create many of the reports described above and provides additional tools for Change and Release Management. Let us know if we can help you improve compliance, governance, and security at your company!
Metazoa was founded in 2018 by key members of DreamFactory Software. Metazoa purchased the rights to the original Snapshot product from DreamFactory, and subsequently released a major upgrade. Our team is pleased to continue working together and taking care of the customers we love, both old and new.
Designed for Salesforce administrators, Snapshot is the ultimate tool for org cleanup, reporting, auditing, comparison and lifecycle management. Features include metadata migration from sandbox to production, reporting on compliance and security, and Salesforce DX compatibility. Snapshot is available as a managed package on the AppExchange.