Sharing and Visibility Designer - Quick Notes (By 0to1code - Com)

Uploaded by jjamesg

Salesforce Security Basics
- Phishing and Malware
- Security Health Check
- Auditing
- Salesforce Shield
- Transaction Security Policies

Elements of User Authentication
- Passwords
- Cookies
- Single Sign-On
- My Domain
- Two-Factor Authentication
- Network-Based Security
- Device Activation
- Session Security
- Custom Login Flows
- Connected Apps
- Desktop Client Access

Restrict Where and When Users Can Log In to Salesforce

Configure User Authentication
- Login Flow
- Set Password Policies
- Expire all user passwords
- High Assurance session required
- Login Flows
Salesforce Security Basics (notes)
- Phishing and Malware: a way to get data from a user, like a username and password.
- Security Health Check: use this tool to see the health of the org against Salesforce standards. You can also create your own custom standards.
- Auditing: Setup Audit Trail; Field History Tracking; Event Monitoring (who imported a report, visited links, etc.).
- Salesforce Shield: Field Audit Trail keeps up to 10 years of data.
- Transaction Security Policies: example conditions are an operation that retrieves more than 2,000 lead records or that takes more than one second to complete.

Elements of User Authentication (notes)
- Passwords: password policies, expire passwords for all users, reset passwords, unlock users.
- Cookies: hold the session Id.
- Single Sign-On: 1. Identity Providers provide the identity. 2. Service Providers request the identity.
- My Domain: let users log in using a social account, like Google and Facebook, from the login page; allow users to log in once to access external services.
- Two-Factor Authentication: a second level of security for login, report access and connected app access. The user can use the Salesforce Authenticator app or the Goo… (truncated); 4. a verification code sent via SMS to the user's verified mobile device; 5. a verification code sent via email to the user's registered email address.
- Network-Based Security: profile-wise and org-wise IP whitelisting.
- Session Security: you can control whether your org stores user logins and whether they can appear in the Switcher, with the settings Enable autocomplete on login page, Enable user switching, and Remember me until logout.
- Connected Apps: use OAuth and SAML.
- Desktop Client Access: Connect Offline and Connect for Office. Users must have the API Enabled permission to use these apps.

Restrict Where and When Users Can Log In to Salesforce
- Enforce login IP ranges on every request.
- Org-wide Trusted IP Ranges.

Configure User Authentication
- Login Flow: Check Login Hours -> 2FA -> Check login IPs.
- Set Password Policies: … requirement, Maximum invalid login attempts, Lockout effective period, Obscure secret answer for password resets, Re… password lifetime, Allow use of setPassword() API for self-resets.
- Expire all user passwords: except those users with the "Password Never Expires" permission.
- High Assurance session required: reports and connected apps get 2FA.
- Login Flows: built with VF (Visualforce) and Flows.
Sharing Settings Scenarios

Org configuration used by all scenarios:
- OWD: Private
- Roles: Sales Lead ---> Sales Rep
- Public Groups: Sales Heros (Users: Emely, Karen)
- Territories: US (John) ---> Alaska (Emely)

Users: Emely (Role: Sales Rep), Karen (Role: Sales Rep), John (Role: Sales Lead), Sanjay (Role: Marketer)

1. Role based, without a sharing rule
   - Emely: can see her own records (due to role). Karen: can see her own records. John: can see Emely's and Karen's records. Sanjay: can see his own records.
2. Territory based sharing
   - Emely: can see her own records (due to territory). Karen: can see her own records. John: can see Emely's and Karen's records because they are in… (truncated). Sanjay: can see his own records.
3. Sharing Rule: Manager Group; record owner is Sanjay
   - Emely: can see Sanjay's records because the rule shares with that group. Karen: can see her own records. John: can see Emely's and Karen's records. Sanjay: can see his own records.
4. Sharing Rule: Manager Group & Subordinates; record owner is Sanjay
   - Emely: can see Sanjay's records because the rule shares with that group. Karen: can see Sanjay's records because the rule shares with that group. John: can see Emely's and Karen's records, even though John is in the… (truncated). Sanjay: can see his own records.
5. Sharing Rule: Role; record owner is Sanjay
   - Emely: can see her own records. Karen: can see her own records. John: can see Sanjay's records plus Emely's and Karen's records. Sanjay: can see his own records.
6. Sharing Rule: Role & Subordinates; record owner is Sanjay
   - Emely: can see Sanjay's records. Karen: can see Sanjay's records. John: can see Sanjay's records plus Emely's and Karen's records. Sanjay: can see his own records.
7.1 Sharing Rule: Public Group; record owner is Sanjay
   - Emely: can see Sanjay's records because she is in Sales Heros. Karen: can see Sanjay's records because she is in Sales Heros. John: can see his own records. Sanjay: can see his own records.
7.2 Sharing Rule: Public Group (Grant Access Using Hierarchies); record owner is Sanjay
   - Emely: can see Sanjay's records because she is in Sales Heros. Karen: can see Sanjay's records because she is in Sales Heros. John: can see Sanjay's records because of Grant Access Using Hierarchies. Sanjay: can see his own records.

FROM THIS POINT LET'S FORGET ABOUT THE ROLES THAT WE HAVE. JUST CONSIDER THE TERRITORIES.

- Sharing Rule: Territories; record owner is Sanjay
   - Emely: can see Sanjay's records because of the Alaska territory. Karen: can see her own records. John: can see Sanjay's records because of the US territory. Sanjay: can see his own records.
- Sharing Rule: Territories & Subordinates; record owner is Sanjay
   - Emely: can see Sanjay's records because of the Alaska territory. Karen: can see Sanjay's records because of the Alaska territory. John: can see Sanjay's records because of the US territory. Sanjay: can see his own records.

Notes:
1. If a record is shared using Apex and the rowCause (reason) is custom, the sharing is not removed when the record owner gets changed.
2. If a record is shared using Apex with rowCause manual, the sharing is removed when the record owner gets changed.

Who Sees What

- User Permissions and Access: what is not in a Permission Set? 1. Page layout assignments.
- Custom Permissions: for Permission Sets and Profiles.
- Classic Encryption: to view the data, a user must have the "View Encrypted Data" permission. Fields are encrypted with 128-bit master keys and use the Advanced Encryption Standard (AES) algorithm.
- Sharing Rules: 1. You can define up to 300 sharing rules for each object, including up to 50 criteria-based sharing rules, if available for the object.
- Sharing Rule Types: Owner-Based Sharing Rules; Criteria-Based Sharing Rules.
- User sharing: enable portal account user access. On the Sharing Settings page, select the Portal User Visibility checkbox. This option enables customer portal users to… (truncated)
- Metadata Access: Fields, Object.
- Record Access: OWD.
Monitoring Your Organization's Security
- Monitor Login History: 20,000 records of user logins for the past six months.
- Field History Tracking: 1. 20 standard and custom fields per object. 2. If you disable field history tracking on a standard object, you can still report on its history data up to the date and time… (truncated)
- Monitor Setup Changes: to download your org's full setup history for the past 180 days, click Download. After 180 days, setup entity records are… (truncated)
- Transaction Security Policies: create your own policies to prevent a user from doing some operations, like logging in from another session or downloading larg… (truncated)

Security Guidelines for Apex and Visualforce Development
- Cross-Site Scripting (XSS). Ex: a page parameter is written unescaped into a script include:
    <apex:includeScript value="{!$CurrentPage.parameters.userInput}" />
- Cross-Site Request Forgery (CSRF). Ex: a page runs a controller action on load:
    <apex:page controller="myClass" action="{!init}"></apex:page>
- SOQL Injection. Ex: user input concatenated into a dynamic query:
    String qryString = 'SELECT Id FROM Contact WHERE ' +
        '(IsDeleted = false and Name like \'%' + name + '%\')';
- Data Access Control. Ex: declare the controller with sharing so record-level access is enforced:
    public with sharing class customController {
        // controller logic
    }
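As an added example (not part of the original notes), the SOQL injection sample above is shown next to two hardened forms in Apex; the class and method names are assumptions, and the `with sharing` keyword ties it to the Data Access Control item:

```apex
// Added example, not from the notes. Class and method names are assumptions.
// "with sharing" enforces the running user's record-level access (Data Access Control).
public with sharing class ContactSearchController {

    // Vulnerable pattern from the notes: user input is concatenated into the
    // query text, so quotes in the input can change the structure of the query.
    public static List<Contact> searchUnsafe(String name) {
        String qryString = 'SELECT Id FROM Contact WHERE ' +
            '(IsDeleted = false and Name like \'%' + name + '%\')';
        return Database.query(qryString);
    }

    // Hardened form 1: static SOQL with a bind variable. The value is passed to
    // the query engine as data and can never alter the query. WITH SECURITY_ENFORCED
    // additionally fails the query if the user lacks field-level access.
    public static List<Contact> searchWithBind(String name) {
        String pattern = '%' + name + '%';
        return [SELECT Id, Name FROM Contact
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // Hardened form 2: when the query text must be built dynamically, escape
    // single quotes first. Note that LIKE wildcards (% and _) are not escaped by
    // this call, so prefer the bind-variable form where possible.
    public static List<Contact> searchDynamic(String name) {
        String safeName = String.escapeSingleQuotes(name);
        String qryString = 'SELECT Id, Name FROM Contact WHERE Name LIKE \'%'
            + safeName + '%\'';
        return Database.query(qryString);
    }
}
```

The bind-variable form is the one to reach for by default; `escapeSingleQuotes` is a fallback for the cases where the query shape itself has to be assembled at runtime.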
Sharing mechanisms
- Role: an organization is allowed 500 roles; however, this number can be increased by Salesforce. As a best practice, keep the number of non-portal roles to 25,000 and the number of portal roles to 100,000.
- Public Groups: groups can be nested (Group A nested into Group B); however, don't nest more than five levels. Nesting has an impact on group maintenance and performance due to group membership calculation.
- Ownership-based Sharing Rules: as a best practice, keep the number of ownership-based sharing rules per object to 1,000.
- Criteria-based Sharing Rules: as a best practice, keep the number of criteria-based sharing rules per object to 50.
- Manual Sharing: using the Sharing button.
- Teams: a team is a group of users that work together on an account, sales opportunity, or case.
- Territory Hierarchy: -
- Account Territory Sharing Rules: original territory management.
- Programmatic Sharing: -
- Implicit Sharing: -
Who Can See My File?
- Private: the file is private. It hasn't been shared with anyone else besides the owner. Who can see it: the file owner and users with "Modify All Data".
- Privately Shared: the file has only been shared with specific people, groups, or via link. It's not available to all users in your company. Who can see it: only the file owner, … (truncated)
- Your Company: all users in your company can find and view this file.

ACTION                  | FILE OWNER | FILE COLLABORATOR | FILE VIEWER
View or Preview         | Yes        | Yes               | Yes
Download                | Yes        | Yes               | Yes
Share                   | Yes        | Yes               | Yes
Attach a File to a Post | Yes        | Yes               | Yes
Upload New Version      | Yes        | Yes               | -
Edit Details            | Yes        | Yes               | -
Change Permission       | Yes        | Yes               | -
Make a File Private     | Yes        | -                 | -
Restrict Access         | Yes        | -                 | -
Delete                  | Yes        | -                 | -

Notes:
1. Users with the "Modify All Data" permission can view, preview, download, share, attach, make private, restrict access, edit, upload new versions, and delete files they don't own. However, if the file is in a private… (truncated)

Custom List View
- Visible only to me: Private
- Visible to all users (includes partner and customer… (truncated)): All users
- Visible to certain groups of users: Selected Public Group, Role, Role & Subordinates, Territory, Territory & Subordinates
Share a Report or Dashboard Folder
- Viewer: View access is useful in a case such as the following. Samir is a sales rep who likes to start his day by checking his position on the sales leader board, which appears on the Master Sales dashboard. He has access to refresh the dashboard to get the latest standings, so he needs to view the data in the underlying reports. But he doesn't want to edit the reports or the dashboard. All he… (truncated)
- Editor: Editor access is useful in a case such as the following. Allison, a sales manager, wants to provide a different sales dashboard for each of the three regional teams. Editor access to the folder that contains the Master Sales dashboard allows her to move the underlying reports into the correct folders and then modify them to show the appropriate data.
- Manager: Manager access is useful in a case such as the following. Alan is a sales administrator who manages too many reports to pay attention to them all individually. He creates a report folder called Regional Reports. As the creator, he has Manage rights to the folder. He gives Sales Reps, a public group, Viewer access. And he makes Allison, the sales manager, another Manager on the… (truncated)

NOTE: You can't give Manager access to standard report folders. By default, all users get Viewer access to these folders.
When a file is in each sharing state:
- A file is private when you: upload it in Files home; publish it to your private library; stop sharing it with… (truncated)
- A file is privately shared when it's: only shared with specific people or a private group; posted to a private group.
- A file is shared with your company when it's posted to a feed all users can see, a profile, a record, or a public group.
