How Varonis Saves Salesforce Admins Hours in Their Day

Varonis provides industry leading Salesforce management and permission implications capabilities to help save Salesforce admins hours in their day.
Nathan Coppinger
7 min read
Last updated April 13, 2023

Salesforce Admins balance the constant tension of keeping pace with rapid business needs and optimizing Salesforce processes. Admins — who often manage multiple Salesforce Orgs — are responsible for assigning users’ permissions and have to ensure Salesforce is configured properly each time the software updates. It’s safe to say an admin’s work is never done, but Varonis can make each day easier.

With Varonis for Salesforce, admins can:

Simplify permissions management

  • See every user’s net effective permissions, from system permissions down to the object and field level, and how they got them.
  • Compare two users’ permissions side-by-side across your different Salesforce Orgs with a click of a button.
  • Quickly compare permissions between individual Profiles, Permission Sets, and Permission Set Groups.
  • Easily see all of the Profiles, Permission Sets, and Permission Set Groups that contain a specific permission and the users assigned them.

Reduce technical debt 

  • Automatically identify unassigned Profiles, Permission Sets, Permission Set Groups, and Roles, and remove them from Salesforce using Varonis.

Manage multiple Salesforce Orgs from a single interface

  • Monitor and manage users, permissions, and activity across your production and sandbox environments from a single UI.
  • Close off-boarding gaps by identifying stale internal users and ex-contractors from all your Salesforce Orgs.

Classify sensitive data in records, fields, and files

  • Varonis scans Salesforce to accurately discover and classify sensitive data stored within records, fields, and attachments.

Salesforce aggregate permissions hi-res

See how Varonis greatly simplifies Salesforce permissions analysis.

Analyzing permissions in Salesforce

When analyzing what a user can do in Salesforce using only Salesforce’s native tools, CRM admins must consider the permissions a user was granted through their Profile and add up the different Permission Sets and Permission Set Groups to learn their effective permissions. 

To add to the complexity, admins can mute (exclude) specific permissions when they assign Profiles and Permission Sets to a user, requiring them to identify if any exclusions were made when a user was initially assigned these permissions. And all of that is just so admins can understand what Salesforce objects and fields users can access. Figuring out what records a user can read and edit is a whole other can of worms. 

system permissions hi-res

System Permissions configuration in Salesforce

Determining a user’s record-level permissions requires you to review your org-wide defaults (e.g., can anyone access/edit a new record, or can only the creator?) and analyze where the user sits within the organizational hierarchy.

This may seem simple on paper, but analyzing and tracking user permissions can take Salesforce admins hours

Now try and compare one user’s effective permissions with another user or figure out all of the users who are assigned high-risk permissions. Even if you keep this information on hand, there’s a good chance something has changed since the last time their permissions were reviewed. You’ll probably end up doing it all over again to be safe. 

Untangle complicated system permissions with Varonis

Varonis radically simplifies permissions analysis, showing you not only what someone’s net effective permissions are but also how they got them — down to the object and field level.

Now, instead of clicking into every user’s Profile and drilling into every single one of their Permission Sets and Permission Set Groups, you can see all their effective permissions from one screen. Hovering over a checkmark shows you how that user gained access, or you can add Permission Sets to the column view to see everything side-by-side.


Varonis shows an aggregated view of effective permissions.

In a sales organization with frequently changing territories and roles, it’s easy to see how Permission Sets can get out of hand. Varonis empowers admins to take back control of their Salesforce Orgs and enables them to quickly clean up and maintain a hygienic and secure environment, making everyone’s lives easier. 

Understanding what entitlements are granted by each Profile and Permission Set not only lets admins clean up their existing environment but also significantly streamlines the onboarding and off-boarding processes. 

With Varonis, you’ll be able to assign permissions confidently and correctly to new members in the Org or as existing members move to new roles within the organization. Now you won’t have to double-check every Profile, Permission Set, or Permission Set Group to make sure you didn’t just give the new sales rep a powerful or risky combination of permissions like “view all and export all.” 

Record, field, object, and code-level permissions

On top of system-level permissions, Varonis extends visibility to the record, field, object, and code levels. We simplify access into a simple CRUDS model (create, read, update, delete, share) and show you exactly what level of access someone has to every object and field in your environment and how they gained that access.

Within a specific record, you can drill down into each field, quickly see the simplified CRUDS view of access, and understand which Permission Sets provide that access.


Varonis analyzes permissions down to the record, field, object, and code level.

Single permission tracking

In addition to seeing what permissions a single user has, you can also see every user with a certain permission, so you can answer important questions like, “Who has export access?” 

Varonis’ bidirectional view of permissions in Salesforce enables you to click on a single system permission, such as “export reports,” to easily review the Profiles, Permission Sets, and Permission Set Groups that contain this entitlement and show you which users are assigned this permission. With single permissions tracking, you’ll be able to better understand which users have high-powered or risky combinations of entitlements.


Click a single entitlement to see all of the Profiles, Permission Sets, and users that it is assigned to.

Compare permissions

Varonis not only makes it simple to analyze a single user's permissions in Salesforce, but also enables you to compare two users’ aggregated permissions side-by-side with the click of a button. We can even compare permissions across different Salesforce Orgs.


Easily compare two users’ permissions side-by-side.

If you come across duplicate Profiles or Permission Sets but are unsure which one is the correct one to use, Varonis is here to help. Varonis extends its permission comparison capabilities to enable you to compare Profiles, Permission Sets, and Permission Set Groups side-by-side. This helps make it simple to understand what permissions they contain so that you can quickly eliminate duplicate and redundant entitlements.

Identify and remove unassigned Profiles and Permission Sets

Over time as your Salesforce Orgs grow and evolve, you may find that you have Profiles and Permission Sets that you no longer need or use, significantly increasing your technical debt and risk. 

Best practice dictates having the least amount of Profiles and Permission Sets possible in your environment. The more you have, the harder it is to manage entitlements, and the greater the risk is that you may assign a user outdated permissions.

Whether they are duplicates, contain risky combinations, or are simply no longer useful, you’ll want to identify and remove these unassigned entitlements to make your environment easier to manage and maintain going forward. 

With Varonis, you’ll get an out-of-the-box report that shows you every Profile, Permission Set, Permission Set Group, and Role in your environment. The report enables you to easily drill down into each one to see which entitlements they grant and if they are assigned to any users. 

Use this report to filter for all unassigned entitlements in your Salesforce Org and permanently delete them from your system directly from the Varonis interface. 


Automatically identify and remove unassigned Profiles and Permission Sets in Salesforce.

With Varonis’ unassigned entitlement remediation capabilities, admins can better manage the health of their environment and quickly reduce their technical debt without hours of work. These actions can even be configured to run on a set schedule so that clean-up happens automatically.

Prevent any Profiles or Permission Sets that have been removed from users because they were over-permissive or contained a risky combination of entitlements from being accidentally re-assigned or abused by a rogue or compromised admin. Work toward a least privilege model in Salesforce; your security admins will thank you.

Manage all of your Salesforce Orgs from one interface

It’s rare these days to only have a single Salesforce instance. Most organizations have multiple Salesforce Orgs within their environment, whether they know about them or not. Along with your production environment, sandboxes and other Salesforce Orgs often contain sensitive data or copies of your production data.

It’s just as important to monitor and maintain these different Orgs and ensure that the users within have the correct level of permissions. With Salesforce alone, you’re going to have to go through the whole permissions analysis process over again because many users will have different entitlements depending on the Org. 

With Varonis, you’ll get a full view of your different Salesforce Orgs, the users within, and their assigned permissions. We aggregate activity streams into a single view and extend our permission analysis capabilities to all your Salesforce Orgs so you can quickly switch from a user’s production account to their sandbox. 

Close off-boarding gaps

When someone leaves the company, you want to make sure they can’t access your corporate data anymore. Shockingly, three out of four ex-contractors can still access sensitive data after they’ve left the company.

If you have multiple Salesforce Orgs in your environment (and you probably do), it is easy to remove a user from one instance but miss their account in another. Varonis identifies everyone with access to your different Salesforce Orgs, including personal accounts and external users like contractors, and ties identities together across platforms to help you easily spot these off-boarding gaps and ensure you remove their access to all your Salesforce Orgs.   

Cross-cloud identities Hi-res

Varonis ties related identities together automatically.

Identify sensitive data and who has access

If your compliance officer or security team asks you where you have sensitive data across your Salesforce Orgs, could you confidently give them an answer? 

Without Salesforce Shield, Salesforce provides limited out-of-the-box classification capabilities. For any fields beyond the basic ones, such as the email or address fields, you’ll need to go through and manually configure each field’s sensitivity value, classification tags, and relevant regulation tags. This process can be an enormous undertaking depending on how many different types of fields you have configured. 

It’s easy to assume you know where PII lives within your Salesforce records and fields. Phone numbers are in the phone field, addresses are in the address field, email addresses are in the email field, and so on, but that’s not always the case. 

Often, marketing or sales employees may enter sensitive or even regulated data into another field, like the notes field, which you may not immediately think to check. But not to worry — if sensitive data is stored in Salesforce, Varonis will surface and protect it.

Record and field classification

Discover sensitive data stored in records and fields.

Varonis discovers and classifies sensitive and regulated data across your Salesforce environment automatically, showing you who has access to this data and what they can do with it. We identify where sensitive data lives in each object’s records and fields — including any file or attachment!

SFDC classification Hi-res 3

Quickly see where sensitive data lives across your Salesforce Org without configuring any rules.

Work smarter, not harder

Want to see how Varonis could save you hours in your day? Request a demo here.

P.S. Make your security teams’ lives easier and tell them about Varonis too!

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Varonis Announces Salesforce Shield Integration
Varonis now integrates with Salesforce Shield to provide deep visibility into Salesforce and help organizations secure their mission-critical data.
Salesforce Security: 5 Ways Your Data Could be Exposed
Salesforce is the lifeblood of many organizations - Here are five things you should know about your Salesforce security and how to effectively reduce risk
Speed Data: The (Non)Malicious Insider With Rachel Beard
Salesforce's Rachel Beard discusses why insider threats may not always have ill intentions and why security in the CRM is crucial.
How to Deal With Sensitive Data in Salesforce: A Guide to Data Classification
Salesforce Ben and the Varonis team up to discuss Salesforce data classification best practices.