Inside Out Security Blog   /  

How Varonis Saves Salesforce Admins Hours in Their Day

How Varonis Saves Salesforce Admins hours in their day | Varonis


    Salesforce Admins balance the constant tension of keeping pace with rapid business needs and optimizing Salesforce processes. Admins — who often manage multiple Salesforce Orgs — are responsible for assigning users’ permissions and have to ensure Salesforce is configured properly each time the software updates. It’s safe to say an admin’s work is never done, but Varonis can make each day easier.

    With Varonis for Salesforce, admins can:

    Simplify permissions management.

    • See every user’s net effective permissions, from system permissions down to the object and field level, and how they got them.
    • Compare two users’ permissions side-by-side across your different Salesforce Orgs with a click of a button.
    • Quickly compare permissions between individual Profiles, Permission Sets, and Permission Set Groups.
    • Easily see all of the Profiles, Permission Sets, and Permission Set Groups that contain a specific permission and the users assigned them.

    Reduce technical debt.  

    • Automatically identify unassigned Profiles, Permission Sets, Permission Set Groups, and Roles, and remove them from Salesforce using Varonis.

    Manage multiple Salesforce Orgs from a single interface.

    • Monitor and manage users, permissions, and activity across your production and sandbox environments from a single UI.
    • Close off-boarding gaps by identifying stale internal users and ex-contractors from all your Salesforce Orgs.

    Classify sensitive data in records, fields, and files.

    • Varonis scans Salesforce to accurately discover and classify sensitive data stored within records, fields, and attachments.


    Salesforce aggregate permissions hi-res

    See how Varonis greatly simplifies Salesforce permissions analysis.

    Analyzing permissions in Salesforce

    When analyzing what a user can do in Salesforce using only Salesforce’s native tools, CRM admins must consider the permissions a user was granted through their Profile and add up the different Permission Sets and Permission Set Groups to learn their effective permissions. 

    To add to the complexity, admins can mute (exclude) specific permissions when they assign Profiles and Permission Sets to a user, requiring them to identify if any exclusions were made when a user was initially assigned these permissions. And all of that is just so admins can understand what Salesforce objects and fields users can access. Figuring out what records a user can read and edit is a whole other can of worms. 

    system permissions hi-res

    System Permissions configuration in Salesforce

    Determining a user’s record-level permissions requires you to review your org-wide defaults (e.g., can anyone access/edit a new record, or can only the creator?) and analyze where the user sits within the organizational hierarchy.

    This may seem simple on paper, but analyzing and tracking user permissions can take Salesforce admins hours

    Now try and compare one user’s effective permissions with another user or figure out all of the users who are assigned high-risk permissions. Even if you keep this information on hand, there’s a good chance something has changed since the last time their permissions were reviewed. You’ll probably end up doing it all over again to be safe. 

    Untangle complicated system permissions with Varonis.

    Varonis radically simplifies permissions analysis, showing you not only what someone’s net effective permissions are but also how they got them — down to the object and field level.

    Now, instead of clicking into every user’s Profile and drilling into every single one of their Permission Sets and Permission Set Groups, you can see all their effective permissions from one screen. Hovering over a checkmark shows you how that user gained access, or you can add Permission Sets to the column view to see everything side-by-side.


    Varonis shows an aggregated view of effective permissions.

    In a sales organization with frequently changing territories and roles, it’s easy to see how Permission Sets can get out of hand. Varonis empowers admins to take back control of their Salesforce Orgs and enables them to quickly clean up and maintain a hygienic and secure environment, making everyone’s lives easier. 

    Understanding what entitlements are granted by each Profile and Permission Set not only lets admins clean up their existing environment but also significantly streamlines the onboarding and off-boarding processes. 

    With Varonis, you’ll be able to assign permissions confidently and correctly to new members in the Org or as existing members move to new roles within the organization. Now you won’t have to double-check every Profile, Permission Set, or Permission Set Group to make sure you didn’t just give the new sales rep a powerful or risky combination of permissions like “view all and export all.” 

    Record, field, object, and code-level permissions

    On top of system-level permissions, Varonis extends visibility to the record, field, object, and code levels. We simplify access into a simple CRUDS model (create, read, update, delete, share) and show you exactly what level of access someone has to every object and field in your environment and how they gained that access.

    Within a specific record, you can drill down into each field, quickly see the simplified CRUDS view of access, and understand which Permission Sets provide that access.


    Varonis analyzes permissions down to the record, field, object, and code level.

    Single permission tracking

    In addition to seeing what permissions a single user has, you can also see every user with a certain permission, so you can answer important questions like, “Who has export access?” 

    Varonis’ bidirectional view of permissions in Salesforce enables you to click on a single system permission, such as “export reports,” to easily review the Profiles, Permission Sets, and Permission Set Groups that contain this entitlement and show you which users are assigned this permission. With single permissions tracking, you’ll be able to better understand which users have high-powered or risky combinations of entitlements.


    Click a single entitlement to see all of the Profiles, Permission Sets, and users that it is assigned to.

    Compare permissions.

    Varonis not only makes it simple to analyze a single user's permissions in Salesforce, but also enables you to compare two users’ aggregated permissions side-by-side with the click of a button. We can even compare permissions across different Salesforce Orgs.


    Easily compare two users’ permissions side-by-side.

    If you come across duplicate Profiles or Permission Sets but are unsure which one is the correct one to use, Varonis is here to help. Varonis extends its permission comparison capabilities to enable you to compare Profiles, Permission Sets, and Permission Set Groups side-by-side. This helps make it simple to understand what permissions they contain so that you can quickly eliminate duplicate and redundant entitlements.

    Identify and remove unassigned Profiles and Permission Sets.

    Over time as your Salesforce Orgs grow and evolve, you may find that you have Profiles and Permission Sets that you no longer need or use, significantly increasing your technical debt and risk. 

    Best practice dictates having the least amount of Profiles and Permission Sets possible in your environment. The more you have, the harder it is to manage entitlements, and the greater the risk is that you may assign a user outdated permissions.

    Whether they are duplicates, contain risky combinations, or are simply no longer useful, you’ll want to identify and remove these unassigned entitlements to make your environment easier to manage and maintain going forward. 

    With Varonis, you’ll get an out-of-the-box report that shows you every Profile, Permission Set, Permission Set Group, and Role in your environment. The report enables you to easily drill down into each one to see which entitlements they grant and if they are assigned to any users. 

    Use this report to filter for all unassigned entitlements in your Salesforce Org and permanently delete them from your system directly from the Varonis interface. 


    Automatically identify and remove unassigned Profiles and Permission Sets in Salesforce.

    With Varonis’ unassigned entitlement remediation capabilities, admins can better manage the health of their environment and quickly reduce their technical debt without hours of work. These actions can even be configured to run on a set schedule so that clean-up happens automatically.

    Prevent any Profiles or Permission Sets that have been removed from users because they were over-permissive or contained a risky combination of entitlements from being accidentally re-assigned or abused by a rogue or compromised admin. Work toward a least privilege model in Salesforce; your security admins will thank you.

    Manage all of your Salesforce Orgs from one interface.

    It’s rare these days to only have a single Salesforce instance. Most organizations have multiple Salesforce Orgs within their environment, whether they know about them or not. Along with your production environment, sandboxes and other Salesforce Orgs often contain sensitive data or copies of your production data.

    It’s just as important to monitor and maintain these different Orgs and ensure that the users within have the correct level of permissions. With Salesforce alone, you’re going to have to go through the whole permissions analysis process over again because many users will have different entitlements depending on the Org. 

    With Varonis, you’ll get a full view of your different Salesforce Orgs, the users within, and their assigned permissions. We aggregate activity streams into a single view and extend our permission analysis capabilities to all your Salesforce Orgs so you can quickly switch from a user’s production account to their sandbox. 

    Close off-boarding gaps.

    When someone leaves the company, you want to make sure they can’t access your corporate data anymore. Shockingly, three out of four ex-contractors can still access sensitive data after they’ve left the company.

    If you have multiple Salesforce Orgs in your environment (and you probably do), it is easy to remove a user from one instance but miss their account in another. Varonis identifies everyone with access to your different Salesforce Orgs, including personal accounts and external users like contractors, and ties identities together across platforms to help you easily spot these off-boarding gaps and ensure you remove their access to all your Salesforce Orgs.   

    Cross-cloud identities Hi-res

    Varonis ties related identities together automatically.

    Identify Sensitive data and who has access.

    If your compliance officer or security team asks you where you have sensitive data across your Salesforce Orgs, could you confidently give them an answer? 

    Without Salesforce Shield, Salesforce provides limited out-of-the-box classification capabilities. For any fields beyond the basic ones, such as the email or address fields, you’ll need to go through and manually configure each field’s sensitivity value, classification tags, and relevant regulation tags. This process can be an enormous undertaking depending on how many different types of fields you have configured. 

    It’s easy to assume you know where PII lives within your Salesforce records and fields. Phone numbers are in the phone field, addresses are in the address field, email addresses are in the email field, and so on, but that’s not always the case. 

    Often, marketing or sales employees may enter sensitive or even regulated data into another field, like the notes field, which you may not immediately think to check. But not to worry — if sensitive data is stored in Salesforce, Varonis will surface and protect it.

    Record and field classification

    Discover sensitive data stored in records and fields.

    Varonis discovers and classifies sensitive and regulated data across your Salesforce environment automatically, showing you who has access to this data and what they can do with it. We identify where sensitive data lives in each object’s records and fields — including any file or attachment!

    SFDC classification Hi-res 3

    Quickly see where sensitive data lives across your Salesforce Org without configuring any rules.

    Work smarter, not harder.

    Want to see how Varonis could save you hours in your day? Request a demo here.

    P.S. Make your security teams’ lives easier and tell them about Varonis too!

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Get a free Risk Assessment

    You can't protect what you don't know is vulnerable.

    Give us 90-minutes of your time, and we'll create a Free Risk Assessment that will open your eyes to your unknown weak spots—fast, and without adding work to your plate.

    Start Your Risk Assessment