安全职位

安全宣传

企业安全性

信任

事件响应

网络弹性

合规

网络安全学习中心

领导力

新闻和事件

Salesforce 管理员

检测和响应

数据科学

权限管理

未来的工作

数字转型

安全小窍门

风险管理

安全保证

云安全

零信任

多重身份验证

用户身份验证

Dreamforce

密码学

数据安全性

加密

Trailhead

工程

GovCloud

公共部门

Hyperforce

数据管理

分析

程序管理

项目管理

FedRAMP

持续监控

HITRUST

最佳安全实践

漏洞扫描

Shared Responsibility

Privacy

Mobile Security

Open Source

Throughout the last few decades, cybersecurity best practices have gone through many iterations. With the evolution of supply chain threats and bad actors, traditional network security (e.g., perimeter defense, trusted networks) is no longer a viable solution. Instead, organizations are adopting a <a href="https://cdn.buttercms.com/YpgvcCkTT56VxuHFdpUK">Zero Trust</a> security strategy, built on the <a href="https://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP" rel="follow noopener" target="_blank">principle of least privilege</a> (PLP), to protect valuable data.
<h3 dir="ltr">Zero Trust and The Principle of Least Privilege</h3>
Think about it like your house. A traditional perimeter defense means if someone has the key or alarm code they can enter your home and have access to your kitchen pantry and bathroom cabinet. Using a Zero Trust framework means the key or alarm code only gets you in the front door; you&rsquo;ll need to continuously prove your identity to gain access to individual rooms and cabinets. So what does that mean for information security?&nbsp;
Zero Trust takes a least privilege approach &mdash; only granting users, devices, applications, and systems the minimum privilege level they need to do their job. A user only has access to specific things (applications, services, etc.) through a predefined pathway, thus preventing a hacker from doing a lot of damage in the event they are even able to gain access to the network.

A Zero Trust strategy is the next evolution of how we’re moving our trust-first culture forward — for our customers and ourselves. Check out the Salesforce Zero Trust e-book to learn how to secure your business for tomorrow.

Secure Your Business For Tomorrow

<h3 dir="ltr">Applying the Principle of Least Privilege to Your Salesforce Org</h3>
A Salesforce Org is home to a plethora of valuable customer and user data, and protecting that data is the #1 priority. When it comes to protecting data from inside the org, one of the biggest challenges is understanding the type of information each user needs access to. This is where the PLP &mdash; a fundamental tenet of information security &mdash; can be very helpful. Following this principle means that users should have the least number of permissions necessary to do their job. Limiting users&rsquo; permissions prevents unauthorized access to sensitive records and information, and ultimately, following the principle of least privilege can significantly reduce the amount of security risk an organization faces.
The same principles can also be applied to limiting access within a Salesforce Org. Salesforce administrators have the ability to apply the PLP to their users by configuring Permissions Sets to grant minimal access, but it&rsquo;s easy to accidentally over-grant permissions and common to inherit an org with over-privileged users. We recently announced the<a href="https://admin.salesforce.com/blog/2023/permissions-updates-learn-moar-spring-23" rel="follow noopener" target="_blank"> end of life (EOL) of permissions on profiles</a> to help admins manage users with the PLP in mind, which will go live in the Spring &rsquo;26 release.
There are a couple things admins can do to prepare for this change:
<ol>
<li dir="ltr" aria-level="1">
Conduct a<a href="https://youtu.be/JM1GeGKWZE8" rel="follow noopener" target="_blank"> privilege audit</a> by reviewing all existing accounts and permissions to ensure there is no privilege creep
</li>
<li dir="ltr" aria-level="1">
Assign Salesforce&rsquo;s least privilege profile (the<a href="https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_new_profile.htm&amp;release=226&amp;type=5" rel="follow noopener" target="_blank"> Minimum Access User Profile</a>) to users, and layer on permissions using Permission Sets and Permission Set Groups according to the access required
</li>
</ol>

Salesforce provides a rich set of tools to ensure users and processes can only access the data and resources that are essential to their duties. Watch the TrailblazerDX 2023 Well-Architected presentation to learn more about implementing the principle of least privilege.

Architect’s Review of the Principle of Least Privilege

<h3 dir="ltr">Setting Yourself Up for Success</h3>
Whether you&rsquo;re new to Salesforce or you just finished conducting an audit to get a better understanding of what permissions your users currently have, here are some questions to ask yourself when assigning user permissions moving forward:
<ul>
<li dir="ltr" aria-level="1">
Does this user absolutely require this/this level of permission to do their job?
</li>
<li dir="ltr" aria-level="1">
Can it be further limited or reduced in any way?
</li>
<li dir="ltr" aria-level="1">
Can the permission be further restricted by time/session?
</li>
<li dir="ltr" aria-level="1">
Will they still be able to do their job if it&rsquo;s further limited?
</li>
</ul>
Remember that according to the PLP, a user should be able to perform their regular job functions, but not have any additional or unnecessary privileges. Learn more about how<a href="https://admin.salesforce.com/blog/2023/permissions-updates-learn-moar-spring-23" rel="follow noopener" target="_blank"> end of life (EOL) of permissions on profiles</a> will help limit user privileges in Salesforce, and stay tuned for more information on how to prepare for that release update. To learn more about how to further strengthen the security of your Salesforce instance, check out our <a href="/security-best-practices" rel="follow">security best practices page</a>.&nbsp;
<h3 dir="ltr">Additional Resources</h3>
Check out the resources below to learn more about the principle of least privilege.
<ul>
<li><a href="https://admin.salesforce.com/blog/2023/who-sees-what-data-visibility-and-access" rel="follow noopener" target="_blank">Learn About Data Visibility and Access with the Updated Who Sees What Video Series</a> (Admin Blog)</li>
<li><a href="https://admin.salesforce.com/blog/2022/the-future-of-user-management" rel="follow noopener" target="_blank">The Future of User Management</a> (Admin Blog)</li>
<li><a href="https://medium.com/salesforce-architects/how-to-implement-the-principle-of-least-privilege-in-salesforce-59d3dbab9908" rel="follow noopener" target="_blank">How to Implement the Principle of Least Privilege in Salesforce</a> (Architect Blog)</li>
<li><a href="https://medium.com/salesforce-architects/how-to-build-a-user-security-model-12db130b3182" rel="follow noopener" target="_blank">How to Build a User Security Model</a> (Architect Blog)</li>
</ul>
Continue your learning on Trailhead to learn even more about the principle of least privilege.
<ul>
<li>Take the <a href="https://trailhead.salesforce.com/content/learn/modules/data_security" rel="follow noopener" target="_blank">Data Security module</a> to learn how to control access using point-and-click security tools.</li>
<li>Take the <a href="https://trailhead.salesforce.com/content/learn/modules/permission-set-groups" rel="follow noopener" target="_blank">Permission Set Groups trail</a> to learn how permission set groups can make your job easier and help you to enforce assignments based on least privilege.</li>
<li>Take the <a href="https://trailhead.salesforce.com/content/learn/superbadges/superbadge_user_access_specialist" rel="follow noopener" target="_blank">User Access Specialist superbadge</a> to learn how to lock record access, build effective sharing solutions, and troubleshoot user access issues.</li>
</ul>

Zero Trust

Security Best Practices

Traditional network security is no longer a viable solution to stay ahead of today's threats. Learn how implementing the principle of least privilege can help protect your valuable data.

Protecting Data with the Principle of Least Privilege

Discover the latest thought leadership and best practices for cybersecurity.

Salesforce Security Blog