Admins

Salesforce Profile Permissions: The Danger Zone

By Stacy O’Leary

One of the biggest mistakes admins see – in nearly every org – is that there are too many users with a System Administrator profile. Unfortunately, this is a common practice and quite pervasive in some industries (I’m looking directly at you, tech startups!).

Having too many admins in your org can be dangerous. People can unintentionally (or intentionally) cause harm to your org, expose, steal, or delete your data – or even cause mischief for other users.

Preventing excessive admin access is the very first step in securing your Salesforce org. However, it’s not enough just to exclude users from a System Admin profile. A thorough review of all your profiles, and what permissions they include, is a crucial step that every Salesforce Admin should know how to do.

The scariest part about this is that it’s not just the System Administrator profile that has expansive permissions. Any custom profile can have excessive permissions. Especially profiles that were originally cloned from a System Administrator profile or were created without caution as to which permissions they contained.

Remember, a profile’s name (especially a custom profile) does not indicate what permissions are included in that profile! So, even if a profile is named “Benign Friendly User Profile”, it could include all sorts of permissions that you don’t want your users to have!

The easiest way to check what is included in a profile, while in Salesforce, is to create a list view that includes the permissions you are concerned about.

Review Profiles

In Setup, navigate to the User Management Settings section. From there, make sure that Enhanced Profile List Views has been enabled.

Create Profile List View

Next, navigate to Profiles. The process for creating a Profile List View is slightly different than building a traditional list view. You can filter this list just like a regular list view; however, during your initial review, it’s best to just review all the profiles you have.

You will also need to select the columns, aka permissions, that you want to see in the list view. This is where it gets interesting. Which permissions are dangerous? Which should you be aware of?

This list below includes some of the highest levels of permissions that a user can have:

  • Customize Application: Allows the user into Setup, as well as create fields, objects, change picklist values and validation rules, etc.
  • Modify All Data: Allows the user to edit any field on any object. This includes “Read-Only” fields, or fields on records that belong to any user – even if not shared.
  • View All Data: Allows the user to see all data in all fields – even fields that have been removed from page layouts, “Read-Only” fields, or records that are not shared with them.
  • View Setup & Configuration: Allows the user into the Setup area.
  • Password Never Expires: Allows the user to have a password that never expires. This permission may even put the company in violation of PCI or SOC compliance rules.
  • Bulk API Hard Delete: Allows the user to delete a record and skip the recycle bin.
  • Assign Permission Sets: Allows the user to assign a permission set to a user, thereby granting everything included in that permission set to that user.
  • Manage Custom Permission Sets: Allows the user to change the contents of a custom permission set, which could grant users additional permissions.
  • Edit Read Only Fields: Allows the user to change the value of a “Read-Only” field.
  • Manage Internal Users: Allows the user to change, activate, or deactivate any internal user.

Now that we have a list of the permissions we are looking for, it’s time to customize the list view.

Once you hit save, you can navigate to your new list view and see if you find anything surprising (Don’t forget to scroll right to see all of your columns!).

Report on Users Per Profile

Now, this might not be a scene from a blockbuster horror movie, but this setup is still a nightmare!

Essentially, everyone is an admin – even the people on the “Benign Friendly User Profile” can make metadata system changes in Salesforce. And while the BDR profile doesn’t allow people to edit anything in Setup, they can still view everything and browse around to their heart’s content.

When we combine this with a user report, we can see just how bad the problem really is:

If you do the math here, 85 people in this org have free reign to essentially do anything they want with no limitations. A true nightmare, indeed. The immediate need would be to remove all these users to a profile more suited to their actual needs in Salesforce.

Situations like this are all too common in orgs that rush to get started, without basic considerations for security. Unfortunately, some orgs don’t even know they have this problem until someone makes a change that is noticed by users.

Enhanced Profile List Views make it fast and easy for even a beginner admin to review all the existing profiles, and what permissions they contain.

Additional Permissions to Watch For

The ten permissions listed above are some of the most important ones to check, but there are a few other non-admin level permissions that people can cause mischief with. Those are typically ones that include the word “manage” and potentially the word “public”, like these:

  • Manage Public List Views
  • Manage Reports in Public Folders
  • Manage Dashboards in Public Folders

My personal pet peeve is “View and Edit Converted Leads” – nobody should ever have this permission unless you know exactly what you’re doing. I don’t even use this permission myself, unless I’m doing a very specific project and for a short amount of time (via permission set).

Summary

Speaking of permission sets – we haven’t covered them in this post, but they can add on all of the same permissions to your users. You’ll need to be aware of all of your permission sets, what they include, and who is assigned to them.

I hope that this list of permissions and guidance on how to check them helps you go forward and improve the privacy and security of your org. Let me know in the comments if there are any other permissions you always watch out for!

The Author

Stacy O'Leary

Stacy is a 5x Certified Salesforce Consultant & Full Time Mom.

Comments:

    Hugues
    April 05, 2023 2:39 pm
    Hi Stacy Very good article Can you explain : “View and Edit Converted Leads” – nobody should ever have this permission Thx
    Morino
    April 12, 2023 11:30 pm
    Thanks for sharing. Great article
    Kasi Jangiti
    April 22, 2023 4:36 pm
    Thanks for sharing this type of content

Leave a Reply