Using Custom Permissions to
Simplify Security
Dreamforce 2018
Rod Butters, CTO and CMO at CXO Now
Daniel Peter, Salesforce Practice Lead – Robots & Pencils
Rod Butters
CTO and CMO at CXO Now
rod@rodbutters.com, @RodBtrs
Former CTO at Kenandy
CTO, CMO, and COO at companies in Salesforce ecosystem since 2008
Daniel Peter
Salesforce Practice Lead, Robots & Pencils
dan@danpeter.com, @danieljpeter
Former Lead Application Engineer at Kenandy
Worked for other customers and ISVs, consulting in the past
Salesforce MVP
24x certified
Application Security must align with Corporate Compliance
The Challenge:
Corporate Compliance is a formal program specifying an organization's policies, procedures, and actions within a process to prevent and detect violations of regulations and laws.
• Separation of Duties for checks and balances
• Specific roles that are well defined
• Transparency into systems that automate the processes
• May go beyond financials (e.g. SaaS, Med Device)
Application Security needs to align to the policies, procedures, and actions defined by corporate compliance for the business processes.
• More than simply limiting visibility into confidential information
• Must align to the defined roles
• Must be easy to create, maintain, and verify
• May require generation of audit trail, records
User Mode vs System Mode
Granting CRUD/FLS (user mode): object-level CRUD and field-level read/update. Very granular and tedious; permission sets help a little.
Sharing (user mode): affects which records are accessible to the user. In Apex the choice is made per class with "with sharing" / "without sharing".
Platform vs Application Level Security
Platform Security:
Set: Profiles, perm sets, sharing settings.
Use: Detail pages, list views, reports, Visualforce with standard controllers and certain components.
What most people think of when they think of Salesforce security.
Application Security:
Set: Custom permissions (or anything else you can dream up)
Use: Apex, VF, Lightning
Can be looser or tighter than platform security. However you code it.
Application Security in Enterprise Processes
Challenge:
• Platform security is highly visible:
  • CRUD and FLS are extensive and document the what
  • Permission sets, profiles, and users document the who
• … but application logic can have required "side" effects on downstream objects to complete the task
Options:
• Granting platform permissions for downstream objects may be too permissive
• System mode can bypass controls and separation of duties on a whim
Issues:
• Corporate Governance will take a dim view of relaxing permissions to get processes to work
• … or worse, learn later that a violation of SoD was a result of system mode use
Working with Corporate Governance

Organization | # of Roles | Compliance Program | Change Control
Large Enterprise ($1B+, publicly held, rules/regs for reporting) | 25 - 45 | Chief Compliance Officer; formal program and dept.; audits for compliance | Formal processes in place including SoD, approvals and tools
Medium Enterprise ($100M+, private / public, rules/regs for reporting) | 10 - 15 | CFO; designated controls in Accounting / IT; self-assessment unless required by customers or regulations | IT processes for validation of system and control over change
SMB ($10M+, private, confidential information / internal controls) | 5 - 10 | CEO or CFO oversight; no assessment unless required by customers or regulations | Oversight by Head of IT and/or Controller

"Canned" permission sets don't meet most (if any) customer requirements.
Custom Permissions
Define: create the custom permission with an API name.
Assign: grant it through permission sets (or profiles).
Check: FeatureManagement.checkPermission(apiName)
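The Check step in working Apex, as an added example for this page; it is not the speakers' demo code from the GitHub repo linked under Next Steps. It assumes a custom permission with API name Create_Order (the deck's "Create Order" best-practice example) assigned through a permission set, uses the standard Account and Order objects, and treats Credit_Limit__c and Open_Order_Total__c as hypothetical currency fields on Account. Two things a reviewer looks for: Apex does not enforce object or field permissions on its own (the sharing keyword only controls which records are visible), so the platform check on Order is explicit; and the custom-permission check runs server-side, because a UI that hides the button with {!$Permission.Create_Order} in Visualforce or the '@salesforce/customPermission/Create_Order' import in LWC does not stop a direct call to the @AuraEnabled method.

```apex
// Added example, not from the Dreamforce 2018 deck or its demo repo.
// Assumptions: custom permission Create_Order exists and is granted via a
// permission set; Credit_Limit__c and Open_Order_Total__c are hypothetical
// currency fields on Account.
public with sharing class OrderEntryService {

    public class OrderEntryException extends Exception {}

    // One coarse-grained permission for the whole multi-object process,
    // not one permission per downstream object.
    private static final String CREATE_ORDER = 'Create_Order';

    // Called from a Lightning component or Visualforce page. The UI may hide
    // the button, but this method is callable directly, so the gate lives here.
    @AuraEnabled
    public static Id createOrder(Id accountId, Date effectiveDate, Decimal orderTotal) {
        // Platform security for the object the user works on directly:
        // Apex does not check CRUD/FLS by itself, so ask the schema.
        if (!Schema.sObjectType.Order.isCreateable()) {
            throw new OrderEntryException('No Create permission on Order');
        }
        // Application security: the custom permission gates the downstream
        // side effects the user has no platform-level access to.
        if (!FeatureManagement.checkPermission(CREATE_ORDER)) {
            throw new OrderEntryException('Custom permission ' + CREATE_ORDER + ' is required');
        }

        // Outer class is "with sharing": the user must be able to see the account.
        Account acct = [SELECT Id FROM Account WHERE Id = :accountId LIMIT 1];

        // Downstream step in system mode, reachable only past the gate above.
        // If it throws, the uncaught exception rolls the whole transaction back.
        new DownstreamUpdater().reserveCredit(acct.Id, orderTotal);

        Order o = new Order(AccountId = acct.Id, EffectiveDate = effectiveDate, Status = 'Draft');
        insert o;
        return o.Id;
    }

    // Inner classes do not inherit the outer sharing mode, so the elevated
    // scope is explicit and small: one method touching one object.
    private without sharing class DownstreamUpdater {
        public void reserveCredit(Id accountId, Decimal amount) {
            Account a = [SELECT Id, Credit_Limit__c, Open_Order_Total__c
                         FROM Account WHERE Id = :accountId FOR UPDATE];
            Decimal open = a.Open_Order_Total__c == null ? 0 : a.Open_Order_Total__c;
            if (a.Credit_Limit__c == null || open + amount > a.Credit_Limit__c) {
                throw new OrderEntryException('Order exceeds approved credit');
            }
            a.Open_Order_Total__c = open + amount;
            update a;  // record-level sharing bypassed here, by design
        }
    }
}
```

The custom permission is what makes the "without sharing" block defensible to governance: the elevated write is bound to a named, assignable, auditable permission rather than to whoever can reach the Apex class. Throwing on the denied path (instead of silently skipping the downstream step) keeps the order from being created without its credit reservation.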
Demo
Best Practices and Lessons Learned
• The journey with Salesforce Security Team: ensuring you pass security review
• Security starts with being clear on your approach and ensuring consistent use is in place
• Start with processes that encompass the largest number of fields: 80 / 20 rule.
• Keep the simple things simple with platform security
• Reserve custom permissions for processes that touch multiple objects
  • Example: Order Entry touches inventory, credit limits, pricing and promotions, product allocations
• Keep granularity large to start, name appropriately, and document
  • You can always add finer granularity later based on user feedback and requirements.
  • Example: Create Order – creates order of standard products for approved customers with standard pricing and lead times within approved credit
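The compliance requirements earlier on this page ("easy to create, maintain, and verify", transparency into the who) translate into two questions an auditor asks about any custom permission: who holds it, and does anyone hold two permissions that separation of duties says must be split. The following Apex answers both from the setup objects custom permissions are stored in. It is an added example, not the speakers' code; the permission names Create_Order and Approve_Credit are hypothetical.

```apex
// Added example, not from the Dreamforce 2018 deck. Walks
// CustomPermission -> SetupEntityAccess -> PermissionSet ->
// PermissionSetAssignment -> User to report holders and SoD conflicts.
// Permission API names used in comments/usage are hypothetical.
public with sharing class CustomPermissionAudit {

    // Username -> the permission sets (or profile-owned permission sets)
    // through which an active user holds the custom permission.
    public static Map<String, Set<String>> usersWithPermission(String apiName) {
        Map<String, Set<String>> holders = new Map<String, Set<String>>();
        List<CustomPermission> cps = [SELECT Id FROM CustomPermission
                                      WHERE DeveloperName = :apiName LIMIT 1];
        if (cps.isEmpty()) {
            return holders;  // unknown permission: nobody can hold it
        }
        // SetupEntityAccess links the custom permission to every permission set
        // that grants it; a grant on a profile shows up as that profile's
        // underlying permission set (IsOwnedByProfile = true).
        Set<Id> permSetIds = new Set<Id>();
        for (SetupEntityAccess sea : [SELECT ParentId FROM SetupEntityAccess
                                      WHERE SetupEntityId = :cps[0].Id]) {
            permSetIds.add(sea.ParentId);
        }
        if (permSetIds.isEmpty()) {
            return holders;
        }
        for (PermissionSetAssignment psa : [
                SELECT Assignee.Username, PermissionSet.Name,
                       PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
                FROM PermissionSetAssignment
                WHERE PermissionSetId IN :permSetIds AND Assignee.IsActive = true]) {
            String via = psa.PermissionSet.IsOwnedByProfile
                ? 'Profile:' + psa.PermissionSet.Profile.Name
                : 'PermSet:' + psa.PermissionSet.Name;
            if (!holders.containsKey(psa.Assignee.Username)) {
                holders.put(psa.Assignee.Username, new Set<String>());
            }
            holders.get(psa.Assignee.Username).add(via);
        }
        return holders;
    }

    // Users holding both permissions. If the compliance program says the two
    // roles must be held by different people, every entry is an SoD finding.
    public static Set<String> sodConflicts(String permA, String permB) {
        Set<String> conflicts = new Set<String>(usersWithPermission(permA).keySet());
        conflicts.retainAll(usersWithPermission(permB).keySet());
        return conflicts;
    }
}
```

Run from anonymous Apex, for example System.debug(CustomPermissionAudit.sodConflicts('Create_Order', 'Approve_Credit')); the output is the list governance wants before, not after, a violation. One caveat: permission set groups (added to the platform after this 2018 talk) record assignments with PermissionSetGroupId, and their member permission sets are not folded in by the query above; an org using groups needs that extra hop.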
The Road Ahead: What can you do with Custom Permissions?
Not just for enterprise applications:
• Communities
• Einstein analytics
• Mobile apps and web sites on Heroku
Opportunities in the future:
• Define hierarchies of custom permissions for optional finer granularity
• Enables users and ISVs to dial-in the right level of permissions over time
Next Steps
Additional sessions on security
Tips and Tricks to Pass the Salesforce Security Review Process
Friday, September 28, 11:00 AM - 11:40 AM
Moscone West, Room 2011
Next Steps
Trailhead modules
Security Basics
Data Security
AppExchange Security Review
Keep Data Secure in a Recruiting App
Security Specialist
Next Steps
Demo code on GitHub
https://github.com/danieljpeter/customPermissionsDF18
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 

Using Custom Permissions to Simplify Security

  • 1. Using Custom Permissions to Simplify Security Dreamforce 2018 Rod Butters, CTO and CMO at CXO Now Daniel Peter, Salesforce Practice Lead – Robots & Pencils
  • 2. Rod Butters CTO and CMO at CXO Now rod@rodbutters.com, @RodBtrs Former CTO at Kenandy CTO, CMO, and COO at companies in Salesforce ecosystem since 2008
  • 3. Daniel Peter Salesforce Practice Lead, Robots & Pencils dan@danpeter.com, @danieljpeter Former Lead Application Engineer at Kenandy Worked for other customers and ISVs, consulting in the past Salesforce MVP 24x certified
  • 4. The Challenge: Application Security must align with Corporate Compliance
    Corporate Compliance is a formal program specifying an organization's policies, procedures, and actions within a process to prevent and detect violations of regulations and laws.
    • Separation of Duties for checks and balances
    • Specific roles that are well defined
    • Transparency into systems that automate the processes
    • May go beyond financials (e.g. SaaS, Med Device)
    Application Security needs to align to the policies, procedures, and actions defined by corporate compliance for the business processes.
    • More than simply limiting visibility into confidential information
    • Must align to the defined roles
    • Must be easy to create, maintain, and verify
    • May require generation of audit trail, records
  • 5. User Mode vs System Mode
    User Mode | System Mode
  • 6. Granting CRUD/FLS
    Object level CRUD and field level RU. Very granular, tedious. Permission sets help a little.
  • 7. Sharing
    Affects what records are accessible to the user. With sharing / Without sharing in Apex.
  • 8. Platform vs Application Level Security
    Platform Security:
    Set: Profiles, perm sets, sharing settings.
    Use: Detail pages, list views, reports, Visualforce with standard controllers and certain components.
    What most people think of when they think of Salesforce security.
    Application Security:
    Set: Custom permissions (or anything else you can dream up)
    Use: Apex, VF, Lightning
    Can be looser or tighter than platform security. However you code it.
  • 9. Application Security in Enterprise Processes
    Challenge:
    • Platform security is highly visible:
      • CRUD and FLS extensive and document the what
      • Permission sets, profiles, and users the who
    … but …
    • Application logic can have required “side” effects on downstream objects to complete the task
    Options:
    • Granting platform permissions for downstream objects may be too permissive
    • System mode can bypass controls and separation of duties on a whim
    Issues:
    • Corporate Governance will take a dim view of relaxing permissions to get processes to work
    • … or worse, learn later that a violation of SoD was a result of system mode use
  • 10. Working with Corporate Governance
    Organization | # of Roles | Compliance Program | Change Control
    Large Enterprise ($1B+, publicly held, rules/regs for reporting)
      # of Roles: 25 - 45
      Compliance Program: Chief Compliance Officer; formal program and dept.; audits for compliance
      Change Control: Formal processes in place including SoD, approvals and tools
    Medium Enterprise ($100M+, private / public, rules/reg for reporting)
      # of Roles: 10 – 15
      Compliance Program: CFO; designated controls in Acnt’g / IT; self-assessment unless required by customers or regulations
      Change Control: IT processes for validation of system and control over change
    SMB ($10M+, private, confidential information/internal controls)
      # of Roles: 5 - 10
      Compliance Program: CEO or CFO oversight; no assessment unless required by customers or regulations
      Change Control: Oversight by Head of IT and/or Controller
    “Canned” permission sets don’t meet most (if any) customer requirements.
  • 14. Demo
  • 15. Best Practices and Lessons Learned
    • The journey with Salesforce Security Team: ensuring you pass security review
    • Security starts with being clear on your approach and ensuring consistent use is in place
    • Start with processes that encompass the largest number of fields: 80 / 20 rule.
    • Keep the simple things simple with platform security
    • Reserve custom permissions for processes that touch multiple objects
      • Example: Order Entry touches inventory, credit limits, pricing and promotions, product allocations
    • Keep granularity large to start, name appropriately, and document
      • You can always add finer granularity later based on user feedback and requirements.
      • Example: Create Order – creates order of standard products for approved customers with standard pricing and lead times within approved credit
  • 16. The Road Ahead: What can you do with Custom Permissions?
    Not just for enterprise applications:
    • Communities
    • Einstein analytics
    • Mobile apps and web sites on Heroku
    Opportunities in the future:
    • Define hierarchies of custom permissions for optional finer granularity
    • Enables users and ISVs to dial-in right level of permissions over time
  • 17. Next Steps Additional sessions on security Tips and Tricks to Pass the Salesforce Security Review Process Friday, September 28, 11:00 AM - 11:40 AM Moscone West, Room 2011
  • 18. Next Steps Trailhead modules Security Basics Data Security AppExchange Security Review Keep Data Secure in a Recruiting App Security Specialist
  • 19. Next Steps Demo code on GitHub https://github.com/danieljpeter/customPermissionsDF18
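As an added example of the pattern from slides 8, 9 and 15 (this is not the deck's demo code from the GitHub repository above): an Apex service that runs in system mode so it can complete the downstream inventory side effect of order entry, but only lets callers past the entry point when they hold the Create Order custom permission, so no one needs broad CRUD on the downstream object. The permission API name Create_Order, the custom object Inventory__c and its fields Quantity__c and Product__c are assumptions for this illustration.

```apex
// Added example, not part of the original deck or its demo repository.
// Assumptions: a custom permission with API name Create_Order exists, and a
// custom object Inventory__c (fields Product__c, Quantity__c) tracks stock.
public without sharing class OrderEntryService {

    // Entry point for Lightning / Visualforce. The class runs in system mode
    // (without sharing) so it can update Inventory__c, which the user has no
    // direct CRUD on. The custom permission, not platform CRUD, is the gate.
    @AuraEnabled
    public static Id createStandardOrder(Id accountId, Id productId, Decimal qty) {
        if (!FeatureManagement.checkPermission('Create_Order')) {
            // Custom permission missing: refuse before any side effect happens.
            throw new AuraHandledException('Create_Order custom permission required');
        }
        // Platform security still applies to the object the user acts on directly.
        if (!Schema.sObjectType.Order.isCreateable()) {
            throw new AuraHandledException('No create access on Order');
        }
        if (qty == null || qty <= 0) {
            throw new AuraHandledException('Quantity must be positive');
        }
        Inventory__c stock = [SELECT Id, Quantity__c FROM Inventory__c
                              WHERE Product__c = :productId LIMIT 1];
        if (stock.Quantity__c < qty) {
            throw new AuraHandledException('Insufficient inventory');
        }
        // Downstream side effect performed in system mode on the user's behalf.
        stock.Quantity__c = stock.Quantity__c - qty;
        Order ord = new Order(AccountId = accountId,
                              EffectiveDate = Date.today(),
                              Status = 'Draft');
        // Both writes succeed or neither does, so a failed inventory update
        // never leaves an order behind that compliance cannot reconcile.
        Savepoint sp = Database.setSavepoint();
        try {
            insert ord;
            update stock;
        } catch (DmlException e) {
            Database.rollback(sp);
            throw new AuraHandledException('Order entry failed: ' + e.getMessage());
        }
        return ord.Id;
    }
}
```

Assigning Create_Order through a permission set keeps the "who" visible to governance (slide 9) while the "what" is confined to this one audited code path rather than to open CRUD on Inventory__c.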