1. Using Custom Permissions to Simplify Security
Dreamforce 2018
Rod Butters, CTO and CMO at CXO Now
Daniel Peter, Salesforce Practice Lead – Robots & Pencils
2. Rod Butters
CTO and CMO at CXO Now
rod@rodbutters.com, @RodBtrs
Former CTO at Kenandy
CTO, CMO, and COO at companies in Salesforce ecosystem since 2008
3. Daniel Peter
Salesforce Practice Lead, Robots & Pencils
dan@danpeter.com, @danieljpeter
Former Lead Application Engineer at Kenandy
Worked for other customers and ISVs, consulting in the past
Salesforce MVP
24x certified
4. The Challenge:
Corporate Compliance is a formal program specifying an organization's policies, procedures, and actions within a process to prevent and detect violations of regulations and laws.
• Separation of Duties for checks and balances
• Specific roles that are well defined
• Transparency into systems that automate the processes
• May go beyond financials (e.g. SaaS, Med Device)
Application Security needs to align to the policies, procedures, and actions defined by corporate compliance for the business processes.
• More than simply limiting visibility into confidential information
• Must align to the defined roles
• Must be easy to create, maintain, and verify
• May require generation of audit trail, records
Application Security must align with Corporate Compliance
6. Object level CRUD and field level RU.
Very granular, tedious.
Permission sets help a little.
Granting CRUD/FLS
7. Affects what records are accessible to the user
With sharing / Without sharing in Apex
Sharing
8. Platform Security:
Set: Profiles, perm sets, sharing settings.
Use: Detail pages, list views, reports, Visualforce with standard controllers and certain components.
What most people think of when they think of Salesforce security.
Application Security:
Set: Custom permissions (or anything else you can dream up)
Use: Apex, VF, Lightning
Can be looser or tighter than platform security. However you code it.
Platform vs Application Level Security
9. Application Security in Enterprise Processes
Challenge:
• Platform security is highly visible:
• CRUD and FLS extensive and document the what
• Permission sets, profiles, and users the who
… but …
• Application logic can have required “side” effects on downstream objects to complete the task
Options:
• Granting platform permissions for downstream objects may be too permissive
• System mode can bypass controls and separation of duties on a whim
Issues:
• Corporate Governance will take a dim view of relaxing permissions to get processes to work
• … or worse, learn later that a violation of SoD was a result of system mode use
10.
| Organization | # of Roles | Compliance Program | Change Control |
|---|---|---|---|
| Large Enterprise ($1B+, publicly held, rules/regs for reporting) | 25 - 45 | Chief Compliance Officer; formal program and dept.; audits for compliance | Formal processes in place including SoD, approvals and tools |
| Medium Enterprise ($100M+, private / public, rules/reg for reporting) | 10 - 15 | CFO; designated controls in Accounting / IT; self-assessment unless required by customers or regulations | IT processes for validation of system and control over change |
| SMB ($10M+, private, confidential information/internal controls) | 5 - 10 | CEO or CFO oversight; no assessment unless required by customers or regulations | Oversight by Head of IT and/or Controller |
“Canned” permission sets don’t meet most (if any) customer requirements.
Working with Corporate Governance
15. Best Practices and Lessons Learned
• The journey with Salesforce Security Team: ensuring you pass security review
• Security starts with being clear on your approach and ensuring consistent use is in place
• Start with processes that encompass the largest number of fields: 80 / 20 rule.
• Keep the simple things simple with platform security
• Reserve custom permissions for processes that touch multiple objects
• Example: Order Entry touches inventory, credit limits, pricing and promotions, product allocations
• Keep granularity large to start, name appropriately, and document
• You can always add finer granularity later based on user feedback and requirements.
• Example: Create Order – creates order of standard products for approved customers with standard pricing and lead times within approved credit
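A sketch of the coarse-grained "Create Order" gate described above, added here as an illustration and not taken from the presenters' code. It uses the standard FeatureManagement.checkPermission call; the custom permission name Create_Order, the objects Order__c and Inventory__c, and their fields are hypothetical.

```apex
// Added example. Create_Order, Order__c, Inventory__c and all field names
// are hypothetical placeholders, not names from the presentation.
public without sharing class OrderEntryService {

    public class OrderEntryException extends Exception {}

    // One documented gate per business process. The check is made against the
    // running user, so it can be assigned and audited through permission sets.
    private static void requirePermission(String apiName) {
        if (!FeatureManagement.checkPermission(apiName)) {
            throw new OrderEntryException('Missing custom permission: ' + apiName);
        }
    }

    public static Id createOrder(Id accountId, Id productId, Decimal qty) {
        // Gate first: nothing below runs unless the user holds Create_Order.
        requirePermission('Create_Order');
        if (qty == null || qty <= 0) {
            throw new OrderEntryException('Quantity must be positive');
        }

        Savepoint sp = Database.setSavepoint();
        try {
            Order__c ord = new Order__c(
                Account__c = accountId, Product__c = productId, Quantity__c = qty);
            insert ord;

            // Downstream side effect. The user needs no CRUD on Inventory__c:
            // the class runs in system mode, but only behind the gate above,
            // so platform permissions on inventory are not loosened.
            Inventory__c inv = [
                SELECT Id, Available__c FROM Inventory__c
                WHERE Product__c = :productId LIMIT 1 FOR UPDATE];
            if (inv.Available__c < qty) {
                throw new OrderEntryException('Insufficient inventory');
            }
            inv.Available__c -= qty;
            update inv;
            return ord.Id;
        } catch (Exception e) {
            // Leave no partial order behind if any step fails.
            Database.rollback(sp);
            throw e;
        }
    }
}
```

Because every system-mode write sits behind one named permission, a reviewer can answer "who can create orders" from permission set assignments alone.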
16. The Road Ahead
Not just for enterprise applications:
• Communities
• Einstein analytics
• Mobile apps and web sites on Heroku
Opportunities in the future:
• Define hierarchies of custom permissions for optional finer granularity
• Enables users and ISVs to dial-in right level of permissions over time
What can you do with Custom Permissions?
17. Next Steps
Additional sessions on security
Tips and Tricks to Pass the Salesforce Security Review Process
Friday, September 28, 11:00 AM - 11:40 AM
Moscone West, Room 2011