Top-5 Salesforce Security Best Practices


A survey of IT leaders at organisations with more than a billion dollars in revenue revealed that unauthorised user access was their #1 concern. Organisations worry about it because a breach has a deep and lasting impact on their financial health and reputation. According to IBM, the average cost of a data breach is $3.86 million.

However, unauthorised user access in Salesforce is not very common, for two reasons:

  1. The platform itself provides strong baseline controls; most of the remaining risk sits in how an individual org is configured.
  2. There are a few basic steps Admins can take to stop malicious users from gaining access to Salesforce, and configuration is the part Admins control.

The following are our top-5 Salesforce security best practices:


1. Salesforce Health Check

One of the most useful tools available to a Salesforce administrator is Salesforce Health Check. It compares specific security settings in the org against the Salesforce Baseline Standard, flags each deviation as high, medium or low risk, and rolls the result into a single percentage score, so an administrator can see at a glance how far the configuration has drifted from the recommended settings. Note that the score measures conformance to the baseline, not the absence of risk: a setting can match the baseline and still be too weak for a particular org. The settings scored include the following:

  • Minimum password length (Salesforce recommended: 8 characters)
  • Maximum invalid login attempts (Salesforce recommended: 3 attempts)
  • Forced logout on session timeout (Salesforce recommended: Activate this feature)
  • Forced re-login after an administrator logs in as another user (Salesforce recommended: Activate this feature)

2. Data Sharing

Object and field permissions on profiles and permission sets do not by themselves share records; who can see which records is governed by the sharing model (org-wide defaults, role hierarchy, sharing rules and manual shares). Who has access to what kind of data is therefore very pertinent to the data security of each instance.

What is least on the mind of most admins, when it comes to data sharing, is the complexity of hierarchical sharing: a user can gain access to a record, or a whole set of records, simply because of where their role sits in the hierarchy, since access granted to a role is inherited by every role above it. Sometimes, public groups are a simpler way to manage what gets shared than hierarchical sharing.

Another thing to keep in mind is manual sharing, where a record owner shares an individual record ad hoc from the record’s Sharing button. It can be hard to find out what has been shared this way: the record page shows the share, but there is no org-wide view. An Admin can locate manual shares by querying the Share objects (AccountShare, OpportunityShare, and so on) from the Developer Console, filtering on RowCause = 'Manual'. However, when the owner of a record changes, Salesforce deletes its manual shares, so the trail disappears. As a best practice, minimise manual sharing in favour of sharing rules and public groups, which are visible in Setup and survive ownership changes.
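The following Anonymous Apex script, added here as an illustration and not taken from the original article, does the org-wide audit described above: for each standard Share object it counts the rows with RowCause = 'Manual' and prints the record, grantee and access level of each one. It assumes an administrator runs it from the Developer Console (Debug > Open Execute Anonymous Window) and reads the results from the debug log; the list of Share objects is an assumption and can be extended with custom objects (their Share objects are named `<Object>__Share` and use ParentId rather than `<Object>Id`).

```apex
// Added audit script (not from the article). Run as Anonymous Apex as an admin.
// Lists manual shares on the standard objects discussed above.
Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
List<String> shareObjects = new List<String>{
    'AccountShare', 'OpportunityShare', 'CaseShare', 'ContactShare', 'LeadShare'
};

for (String shareObj : shareObjects) {
    // ContactShare does not exist while the Contact OWD is "Controlled by Parent",
    // so skip any Share object the org does not expose rather than fail the run.
    if (gd.get(shareObj) == null) {
        System.debug(shareObj + ': not present in this org (OWD is Controlled by Parent)');
        continue;
    }

    Integer manualCount = Database.countQuery(
        'SELECT COUNT() FROM ' + shareObj + ' WHERE RowCause = \'Manual\'');
    System.debug(shareObj + ': ' + manualCount + ' manual share(s)');
    if (manualCount == 0) {
        continue;
    }

    // Standard Share objects name the parent record "<Object>Id" and the access
    // level "<Object>AccessLevel", e.g. AccountShare.AccountId / AccountAccessLevel.
    String objectName  = shareObj.removeEnd('Share');
    String parentField = objectName + 'Id';
    String accessField = objectName + 'AccessLevel';

    // LIMIT keeps the debug log readable; raise it or page through for large orgs.
    for (SObject s : Database.query(
            'SELECT ' + parentField + ', UserOrGroupId, ' + accessField +
            ' FROM ' + shareObj + ' WHERE RowCause = \'Manual\' LIMIT 200')) {
        System.debug(shareObj + ' ' + String.valueOf(s.get(parentField))
            + ' -> ' + String.valueOf(s.get('UserOrGroupId'))
            + ' (' + String.valueOf(s.get(accessField)) + ')');
    }
}
```

UserOrGroupId may be a user, a public group or a role group Id, so resolve it against User and Group before deciding whether a share is appropriate. Because manual shares vanish when a record changes owner, run this periodically and keep the output if you need an audit trail.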

3. Implicit Sharing

Salesforce has an implicit sharing model for Accounts, which many Admins often forget about. Implicit sharing is built into Salesforce’s data sharing model, so an Admin cannot switch it off or alter it. It’s also significant to note that changing a user’s role, or the position of that role in the hierarchy, can change which child records the user can access.

For instance, in the context of Opportunities, Cases and Contacts and their Account: if a user has access to a child record (such as a contact), they also get read-only access to the parent account. The converse also holds: if a user has access to an account, they get some access to its child records too. The level of that child access depends on the role’s Contact, Opportunity and Case access settings and on any permission sets or sharing rules that apply.

If you wish to have tighter control over who gains implicit access to Account records, configure the child object to be controlled by its parent, so that a user can only reach the child by having access to the Account. Of the three objects above, Contact can be set to ‘Controlled by Parent’; Opportunity and Case keep their own org-wide default. To check the current state, review the organisation-wide sharing defaults for Opportunities, Cases and Contacts in the ‘Sharing Settings’ page.

In ‘Lightning Experience’, click the gear icon > Setup > Security > Sharing Settings, and set the Contact default to ‘Controlled by Parent’, so that access to Contacts is regulated by access to the related Account record.
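To see implicit sharing at work for a specific user, an administrator can run the following Anonymous Apex from the Developer Console. It is an added example, not code from the original article. The username and contact e-mail are placeholder assumptions: pick a user who can see a Contact but has no direct share on the Contact’s Account. UserRecordAccess gives the net effect of every sharing mechanism; the AccountShare query then shows the reason, with RowCause ‘ImplicitChild’ meaning the read access on the Account exists only because of access to a child record.

```apex
// Added example (not part of the original article). Run as an administrator.
// Placeholders: replace the username and contact e-mail with real values.
Id userId = [SELECT Id FROM User WHERE Username = 'sales.rep@example.com' LIMIT 1].Id;
Contact c = [SELECT Id, AccountId FROM Contact WHERE Email = 'jane.doe@example.com' LIMIT 1];
List<Id> recordIds = new List<Id>{ c.Id, c.AccountId };

// UserRecordAccess is the authoritative answer: it folds in OWD, role hierarchy,
// sharing rules, manual shares and implicit sharing for the named user.
for (UserRecordAccess ura : [
        SELECT RecordId, HasReadAccess, HasEditAccess
        FROM UserRecordAccess
        WHERE UserId = :userId AND RecordId IN :recordIds]) {
    System.debug(ura.RecordId + ' read=' + ura.HasReadAccess + ' edit=' + ura.HasEditAccess);
}

// Explain *why* the user can read the Account. Share rows granted to the user
// directly carry the reason in RowCause ('ImplicitChild', 'Manual', 'Owner', ...).
// Access inherited through a role or public group is stored against the group Id,
// not the user Id, so it does not appear here; UserRecordAccess above covers it.
for (AccountShare s : [
        SELECT RowCause, AccountAccessLevel
        FROM AccountShare
        WHERE AccountId = :c.AccountId AND UserOrGroupId = :userId]) {
    System.debug('Account ' + c.AccountId + ': RowCause=' + s.RowCause
        + ' access=' + s.AccountAccessLevel);
}
```

If the first loop reports read access on the Account and the second loop shows only an ‘ImplicitChild’ row, the user’s Account visibility comes entirely from the child record; removing their access to the Contact (or moving their role) will remove it.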

4. External Sharing

Most Admins are knowledgeable about internal Org-Wide Defaults (OWD). However, Salesforce also allows a separate set of External Sharing Org-Wide Defaults. These are most often used for Communities (now Experience Cloud sites), where external customers and partners log in to the same org.

Once this feature is activated, an Admin can set a second OWD per object that applies to external users only. It’s significant to note that an object’s external OWD cannot be more permissive than its internal OWD; Salesforce will not save such a configuration. Also, there is no role hierarchy for high-volume community users (the Customer Community licence); only Partner Community and Customer Community Plus users have roles. Instead, access for those users is granted through sharing sets (which give them records related to their account or contact) and share groups (which share records they own with internal users).
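Both settings discussed in sections 3 and 4 are visible in source form, which is the easiest way to review them across many objects or to keep them under version control. The fragments below are an added illustration, not taken from the article, and show the relevant elements of the CustomObject metadata for Contact and Account as they appear in a retrieved Salesforce DX project (`objects/Contact/Contact.object-meta.xml` and `objects/Account/Account.object-meta.xml`); other elements of those files are omitted. The chosen values are assumptions to show the pattern: Contact following its parent, and the external Account default held at or below the internal one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- objects/Contact/Contact.object-meta.xml (relevant element only) -->
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- Contact has no OWD of its own: access follows the parent Account -->
    <sharingModel>ControlledByParent</sharingModel>
</CustomObject>
```

And for Account, with the external default no more permissive than the internal one:

    <!-- objects/Account/Account.object-meta.xml (relevant elements only) -->
    <CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
        <!-- internal users: Public Read Only -->
        <sharingModel>Read</sharingModel>
        <!-- external (community) users: Private. Setting this to ReadWrite
             while sharingModel is Read would be rejected on deploy. -->
        <externalSharingModel>Private</externalSharingModel>
    </CustomObject>

Retrieving the objects (for example with `sf project retrieve start --metadata CustomObject:Account,CustomObject:Contact`) and reading `sharingModel` and `externalSharingModel` for every object is a quick way to audit org-wide defaults without clicking through Sharing Settings.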

5. Session Settings: Session Timeout

In Salesforce, an Admin can configure Session Settings so that a user who has been inactive for a set period is logged out. A two-hour timeout (which is also Salesforce’s default) is a sensible compromise: it limits how long an unattended, still-authenticated browser can be abused without disrupting a team member’s everyday work. People start getting annoyed if the session timeout is only half an hour. Session settings can also be set per profile, so a shorter timeout for administrators and other high-privilege profiles is worth considering even if the org-wide value stays at two hours.

Configuring a Session Timeout

  1. Go to ‘Setup’ and search for ‘Session Settings’
  2. Set ‘Session Timeout’ for 2 hours
  3. Don’t disable the session warning pop-up (do not select)
  4. Select: Force logout on session timeout
  5. Select: Lock sessions to the domain in which they were first used

Step three is important because a user who is not warned that they are about to be logged out of Salesforce will lose work if they are in the middle of something. Exasperated team members will only make it harder to introduce other security measures down the road.
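The Health Check items in section 1 and the session steps above all live in one metadata type, SecuritySettings, so they can be reviewed and deployed as a file rather than clicked through. The fragment below is an added example, not part of the original article; it shows the relevant elements of `settings/Security.settings-meta.xml` as retrieved from an org (for example with `sf project retrieve start --metadata Settings:Security`), set to the values this article recommends. Elements not discussed here are omitted, and the values are assumptions chosen to match the text rather than any particular org.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- settings/Security.settings-meta.xml (relevant elements only) -->
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <!-- Health Check baseline: at least 8 characters -->
        <minimumPasswordLength>8</minimumPasswordLength>
        <!-- Health Check baseline: lock the account after 3 failed logins -->
        <maxLoginAttempts>ThreeAttempts</maxLoginAttempts>
    </passwordPolicies>
    <sessionSettings>
        <!-- Step 2: two-hour inactivity timeout -->
        <sessionTimeout>TwoHours</sessionTimeout>
        <!-- Step 3: keep the warning pop-up (false = warning is shown) -->
        <disableTimeoutWarning>false</disableTimeoutWarning>
        <!-- Step 4: end the session instead of leaving it resumable -->
        <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
        <!-- Step 5: a session token is only valid in the domain it was issued for -->
        <lockSessionsToDomain>true</lockSessionsToDomain>
        <!-- Health Check item: force re-login after "Login As" another user -->
        <forceRelogin>true</forceRelogin>
    </sessionSettings>
</SecuritySettings>
```

Diffing this file between a sandbox and production, or against a known-good copy in version control, catches a setting that was relaxed in the UI and never reported; Health Check will flag the same drift, but only for an admin who remembers to open it.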

About TechForce Services

TechForce Services is a Salesforce consulting company in Australia with 100+ certifications and 50,000+ hours of delivered project work. It was founded by Salesforce MVP and ‘Hall of Fame’ member Vamsi Krishna Gosu. Our team of talented, seasoned and interdisciplinary Salesforce professionals has cross-functional, multi-industry experience.

We simplify Salesforce for your business by enhancing your team’s efficiency through improved experiences and practices. We work across the entire Salesforce implementation spectrum, building custom Salesforce applications and integrating the platform with other on-premise or cloud-based systems. We drive innovative and transformative solutions for your business by listening to your business needs and aligning with your short-, medium- and long-term goals. Our ultimate aim is to collaborate with you and derive simplicity from complexity, to make running your business a smoother experience.
