Permissions Explorer
Overview and How It Works
The Permissions Explorer feature in AutoRABIT Guard is designed to simplify Salesforce permissions analysis by categorizing permissions into familiar IT security categories. This enables security professionals to easily evaluate Salesforce-specific permissions in the context of their organization’s security policies and better understand “who can do what” within the Salesforce org.
Features of Permissions Explorer
Category-Based Permissions Classification
Permissions are grouped into traditional IT security categories, such as data access, privilege escalation, and system modification. This categorization bridges the gap between Salesforce’s unique permissions structure and traditional security practices, making it easier to understand the implications of each permission.
Org-Level Permissions Insights
Select any Salesforce org and a specific set of permissions to analyze. The tool will immediately identify all users who have access to those permissions, helping you locate overprivileged accounts that might pose a security risk.
Permissions Path Visualization
For each permission, the Permissions Explorer displays a complete path of access, including:
Direct assignments through profiles and permission sets.
Indirect assignments through permission set groups.
Interactive and Intuitive Interface
The tool offers two viewing modes:
Diagram View: Provides a visual representation of permissions.
Tree View: Presents a more structured and organized layout.
Both formats provide clear, actionable insights into how permissions are assigned and who has access.
How the Permissions Explorer Works
Step 1: Choose Your Salesforce Org
From the dropdown menu, select the Salesforce org you want to analyze.
Step 2: Select Permissions to Inspect
Choose one or more permissions from the predefined list to investigate. This list currently includes the most common Salesforce user permissions. If you need to inspect permissions not listed, please log a support ticket.
Step 3: View the Results
The Permissions Explorer will display a list of users who match the selected permissions.
Use Diagram View or Tree View to explore how each user gained access to the permissions, including any intermediate assignments (e.g., profiles, permission sets).
Step 4: Take Action
Use the insights provided to adjust profiles and permission sets directly in Salesforce to reduce overprivileged access and enforce the principle of least privilege.
How We Determine Which Users Have Selected Permissions
To find users with specific permissions, we run complex SOQL queries (Salesforce Object Query Language) to the Salesforce org.
The queries retrieve users who are active and not frozen. The results will only show users who have the selected permissions, including those granted via profiles, permission sets, or permission set groups.
Which Permissions Can Be Inspected?
The list of permissions available for analysis is predefined and includes the most common permissions. Some examples might include permissions like Modify All Data, Export Reports, and Author Apex.
Permissions not on the list: Currently, customers cannot inspect permissions outside the predefined list. However, if there’s demand for a specific permission, AutoRABIT’s product team can consider adding it in future releases.
Does Guard Support Permissions Granted via Profiles or Permission Sets?
Yes! The Permissions Explorer displays permissions granted through the following mechanisms:
Profiles: Direct assignment of permissions to users via their profile.
Permission Sets: Additional permissions granted to users via permission sets.
Permission Set Groups: Permissions granted via group permission sets.
Why Use the Permissions Explorer?
Identify Overprivileged Users: Quickly locate users who have excessive or unnecessary permissions, helping to enforce the principle of least privilege.
Simplify Permission Audits: Gain a clear understanding of who has access to critical permissions and how they were granted, making compliance audits more efficient.
Enhance Security Posture: By classifying permissions into familiar security categories, security teams can more easily identify and mitigate potential risks, aligning Salesforce permissions with traditional security policies.
Last updated
Was this helpful?