User Access Review: UAR is a critical detective control in ITGC, ensuring authorized access to systems and data.

1. Vulnerabilities in UARs
- Lack of Timeliness: Delays in reviews lead to unresolved unauthorized access.
- Ineffective Scope: Missed systems, roles, or user populations.
- Inadequate Mechanisms: Failure to detect orphan accounts or excessive privileges.
- Manual Errors & Poor Documentation: Risk of overlooked issues and insufficient audit trails.

2. Risks Associated with UARs
- Unauthorized Access: Data breaches or fraud risks from improper access.
- Data Integrity Risks: Potential malicious or inadvertent modification of critical data.
- Regulatory Non-Compliance: Non-adherence to compliance requirements such as SOX or GDPR.
- Operational & Financial Risks: Increased potential for fraud, financial loss, or business disruption.

3. Compensating Controls
When UAR is ineffective or absent, compensating controls help mitigate risks:
- Real-Time Monitoring & Automated Access Controls
- Multi-Factor Authentication
- Periodic Access Re-Certifications
- Logging and Automated User Provisioning

4. UAR as a Compensating Control
UAR can act as a compensating control for deficiencies in:
- Role-Based Access Controls (RBAC): Detect and correct misaligned access.
- User De-Provisioning: Identify orphan accounts for timely removal.
- Segregation of Duties (SoD): Detect conflicting roles during access reviews.
- Logging & Monitoring: Detect unauthorized access missed by logs.
- Privilege Escalation & MFA Absence: Identify unauthorized access and mitigate risks.

5. Key Considerations for Auditors
Auditors must ensure that the UAR process is comprehensive and effective by focusing on key attributes:
- Reviewer Independence: The reviewer should not review their own access. The reviewer should be authorized and have appropriate knowledge of access policies and system functionality.
- Timeliness of Review: Reviews should be conducted on time as per the defined schedule (e.g., quarterly or annually).
- Senior Oversight: The reviewer’s access should be reviewed by a senior or control authority to ensure accountability and prevent conflicts of interest.
- Actionable Follow-Ups: Issues identified during the review must be addressed promptly.
- Documentation and Approval: All reviews should be properly documented, with evidence of approval and follow-up actions.

6. Important Attributes to Review
- User Roles & Privileges: Ensure access follows the principle of least privilege, and users only have the access necessary for their role.
- Orphan Accounts & Excessive Privileges: Detect accounts no longer in use or access rights exceeding the user's job requirements.
- Segregation of Duties: Ensure there are no conflicting responsibilities that could lead to errors or fraud.

7. Segregation of Duties (SoD) Conflicts
Key SoD conflicts to be aware of during access reviews:
- Admin vs. Security Roles
- Development vs. Production Access
- Finance Roles & Approvals
- Audit vs. Operational Roles
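The orphan-account, excessive-privilege, SoD and timeliness checks from sections 1, 6 and 7, as an added example that is not part of the original text. The HR roster, entitlements, job baselines and conflict pairs below are constructed for illustration.

```python
"""Toy user access review (UAR) checks over constructed HR and entitlement data."""
from datetime import date

# Constructed HR roster: who is still employed and in which job function.
HR_ROSTER = {
    "u100": {"status": "active", "job": "finance_analyst"},
    "u101": {"status": "active", "job": "developer"},
    "u102": {"status": "terminated", "job": "developer"},
    "u103": {"status": "active", "job": "it_admin"},
}

# Constructed entitlements as currently granted in the reviewed system.
ENTITLEMENTS = {
    "u100": {"finance_entry", "finance_approve"},
    "u101": {"dev_access", "prod_access"},
    "u102": {"dev_access"},
    "u103": {"sys_admin"},
    "svc_legacy": {"sys_admin"},   # account with no HR record at all
}

# Least-privilege baseline: the roles each job function is entitled to.
JOB_BASELINE = {
    "finance_analyst": {"finance_entry"},
    "developer": {"dev_access"},
    "it_admin": {"sys_admin"},
}

# SoD conflict pairs (section 7): one user must never hold both halves.
SOD_CONFLICTS = [
    ("sys_admin", "security_admin"),
    ("dev_access", "prod_access"),
    ("finance_entry", "finance_approve"),
    ("audit", "operations"),
]

def orphan_accounts(entitlements, roster):
    """Accounts with no active HR owner: never deprovisioned, or unknown to HR."""
    return sorted(acct for acct in entitlements
                  if roster.get(acct, {}).get("status") != "active")

def excessive_privileges(entitlements, roster, baseline):
    """Roles an active user holds beyond the baseline for their job function."""
    findings = {}
    for acct, roles in entitlements.items():
        person = roster.get(acct)
        if person and person["status"] == "active":
            extra = roles - baseline.get(person["job"], set())
            if extra:
                findings[acct] = sorted(extra)
    return findings

def sod_violations(entitlements, conflicts):
    """Users holding both roles of a conflicting pair."""
    return sorted((acct, a, b) for acct, roles in entitlements.items()
                  for a, b in conflicts if a in roles and b in roles)

def review_overdue(last_review, today, max_days=90):
    """Timeliness check: a quarterly cadence means the last review is at most 90 days old."""
    return (today - last_review).days > max_days
```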
User Access Control in SaaS
Summary
User access control in SaaS refers to managing who can access different resources and functions within cloud-based software, ensuring that only authorized users have the right permissions. This process is crucial for protecting sensitive data, maintaining compliance, and reducing security risks in modern business environments.
- Review permissions regularly: Schedule routine audits to check user roles and remove outdated or excessive access before they cause problems.
- Automate access changes: Use built-in policies or automation tools to instantly update permissions when user roles shift, minimizing manual errors and security gaps.
- Monitor for hidden risks: Continuously track accounts and access points—including those outside standard identity systems—to catch orphaned accounts and unauthorized privileges.
Identity issues in SaaS don’t always come from the outside. They build up over time: accounts that were never deprovisioned, roles with outdated access, logins no one tracks because they bypass the SSO. Most tools focus on access control at the point of login. SSO and IAM systems validate credentials, enforce MFA, and manage provisioning workflows. But they don’t tell you if a former employee still has access in Salesforce. They don’t show which accounts were created locally or which users have permissions far beyond their role. Reco’s Identities Agent addresses what traditional tools miss. It continuously monitors identity posture across your SaaS apps and flags:
• Over-privileged users with excessive permissions
• Unauthorized app access from unmanaged accounts
• Stale accounts tied to former employees
• Locally created identities outside of your IdP
When issues are found, Reco initiates remediation: removing access, disabling accounts, or syncing identity data back to your IdP.
🔑 Managing Access in Salesforce Just Got Easier
As Salesforce orgs grow, one of the trickiest parts of an admin’s job is managing who gets access to what. Relying only on profiles, permission sets, and manual updates often leads to confusion, security risks, and wasted time. That is where User Access Policies come in. Think of them as a traffic signal for access: you set the rules, and Salesforce automatically grants or revokes permissions when user attributes change. A new Sales Rep joins? They can be instantly assigned the right permission set group, public group, and licenses, with no manual steps required.
😎 Why this matters:
- Consistency: Every new hire gets the right access immediately
- Less Admin Overhead: No more chasing down permission requests
- Stronger Security: Old access is removed automatically
- Audit-Friendly: You can point to clear, rules-based policies
But automation is only as good as the data behind it. It's recommended to test policies in a sandbox first, so you can validate rules, check for data issues, and avoid accidental permission chaos in production.
✅ Best practices:
- Start small with one team or department
- Document your rules
- Review quarterly to avoid permission creep
- Always test in a sandbox before rollout
User Access Policies do not replace everything, such as profiles or complex flows, but they add a solid automation layer to keep your org secure and consistent.
#SalesforceAdmins #SalesforceDevelopers #Salesforce
Image credit: Salesforce Trailhead
Secure Your Data Analytics Initiative from the Start: The Power of Foundational Access Controls
Enterprises embarking on a new data analytics initiative in the cloud demand a strong security foundation, especially when connecting disparate systems. Establishing robust mechanisms for identity (Authentication), user lifecycle (Provisioning), and resource access (Authorization) is critical at all times.
🔑 Single Sign-On (SSO) [Authentication]: Your Central Key to the Cloud. This enhances user experience and reduces password sprawl, a significant security risk.
👤 System for Cross-Domain Identity Management (SCIM) [Provisioning]: Automating User Lifecycle. This ensures that the right people have the right access from day one and that access is revoked promptly when needed, minimizing orphaned accounts and potential breaches.
🤝 OAuth [Authorization]: Secure Delegated Access. It's like granting a temporary "visitor pass" with limited permissions, ensuring secure communication between disparate systems without compromising user credentials.
🛡️ Role-Based Access Control (RBAC) [Authorization] & Network Policies: Defining the Fortress Walls. This limits the attack surface and prevents unauthorized lateral movement between systems.
Why are these foundational for new cloud data analytics initiatives? Enhanced Security, Simplified Management, Improved Compliance, Seamless User Experience.
Laying this robust foundation of SSO, SCIM, OAuth, and RBAC (including network considerations) from the outset is not just a good practice – it's a necessity for any enterprise building a secure and scalable data analytics environment in the cloud with interconnected systems.
Level Up Your Data Fortress: Beyond Basic Access Control
In the ongoing journey to secure and govern the modern data landscape, foundational concepts like SSO, SCIM, and RBAC are just the start. But the fortress walls extend further with mechanisms that elevate our data security posture:
🛡️ Attribute-Based Access Control (ABAC)
📜 Policy-Based Access Control (PBAC)
⏳ Just-In-Time (JIT) Access
🔑 Privileged Access Management (PAM)
🤫 Secrets Management
🤖 Managed Identities
🎭 Data Masking/Anonymization
🏷️ Tokenization
🔒 Data Encryption (at rest & in transit)
🗺️ Data Lineage
📚 Data Catalog
✅ Data Quality Frameworks
🏗️ IaC & Immutable Infra
🧱 Network Segmentation & Firewalls
🚨 DLP (Data Loss Prevention)
🕵️ Auditing & Logging
These advanced mechanisms, layered upon the fundamentals, build a truly resilient and trustworthy data environment. Which of these are you prioritizing in your data strategy?
#DataSecurity #DataGovernance #DataEngineering #CloudSecurity #ZeroTrust
✨ Secure your data journey from the ground up! 🚀
#DataFortress #CloudSecurityFirst #ModernDataStack #AccessControl #DataProtection
You can never rely on untrusted data. You should assume that anything the user provides can be malicious. Even if you use parametrized queries like below, it's still a problem. This code below shows a broken access control vulnerability. It simply trusts the user to only ask for account information they have access to.
How to fix it: In many cases, what the product actually calls for is "getMyAccountInfo". If that's the case, do NOT take the account id as a query param. Instead, make sure you get the account ownership from a trusted source (i.e. your database) and return all the accounts that this user owns. Take the user's identity from the signed token (trusted info because the token is cryptographically signed) and take the account ownership information from the database.
If the above is not possible, then make it possible. You do not need to reuse the endpoint for admins and regular users. That's dumb.
Finally, if the above strategy is _actually_ not possible, then you have to make sure that you apply an authorization strategy global to your codebase, and pull it in as a middleware to the endpoint.
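The broken handler the post describes beside the "getMyAccountInfo" fix, as an added example that is not the author's code. It uses an in-memory SQLite database and a constructed HMAC-signed token in place of a real JWT; the table, accounts and signing key are constructed for illustration.

```python
"""Parametrized query, still broken access control: identity vs. ownership."""
import hashlib
import hmac
import sqlite3

SECRET = b"constructed-demo-signing-key"  # placeholder, never a real key

def make_token(user_id):
    """Constructed signed token of the form 'user_id.hex_mac'."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"

def user_from_token(token):
    """Trusted identity: the user_id is accepted only if its MAC verifies."""
    user_id, _, mac = token.partition(".")
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("invalid token")
    return user_id

def setup_db():
    """Constructed accounts table; ownership lives here, not in the request."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 500), (2, "bob", 900)])
    return db

def get_account_info_broken(db, token, account_id):
    """The query is parametrized, so there is no SQL injection, yet any
    authenticated user can read any account: the id comes from the client
    and ownership is never checked."""
    user_from_token(token)  # authenticates the caller, nothing more
    return db.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                      (account_id,)).fetchone()

def get_my_account_info(db, token):
    """The fix: identity from the signed token, ownership from the database.
    The client has no way to name an account it does not own."""
    user_id = user_from_token(token)
    return db.execute("SELECT id, owner, balance FROM accounts WHERE owner = ?",
                      (user_id,)).fetchall()
```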
Authorization is where we control access, deciding what a person can or cannot do. Below are the various kinds of authorization:
1. Role-Based Access Control (RBAC)
Definition: Assigns permissions to roles, and users are assigned to these roles.
Use Cases: Enterprise systems, where job functions determine access.
Example: A “Manager” role has access to financial reports, and employees in that role inherit those permissions.
2. Attribute-Based Access Control (ABAC)
Definition: Access is granted based on attributes of the user, resource, environment, or action.
Attributes: User’s department, resource sensitivity, time of access, etc.
Example: A user can only access documents tagged with “Confidential” if their “clearance level” is “High.”
3. Discretionary Access Control (DAC)
Definition: The resource owner decides who can access their resources.
Example: A file owner can grant read/write access to specific users.
4. Mandatory Access Control (MAC)
Definition: Access is determined by a central authority based on classification levels.
Example: A “Top Secret” document can only be accessed by individuals with “Top Secret” clearance.
5. Policy-Based Access Control (PBAC)
Definition: Decisions are made based on policies defined by administrators.
Example: Access is allowed if the user’s location is “USA” and their subscription level is “Premium.”
6. Identity-Based Access Control (IBAC)
Definition: Access is granted directly to an individual identity rather than roles or attributes.
Example: Granting a specific user access to a single resource.
7. Fine-Grained Access Control
Definition: Granular access decisions based on detailed criteria, often a combination of ABAC and PBAC.
Example: A user can only edit specific sections of a document during work hours.
8. Context-Aware Access Control
Definition: Considers context, such as device, location, or behavior patterns, to decide access.
Example: Allow access only if the user is on a trusted device within a specific location.
9. Zero Trust Access Control
Definition: “Never trust, always verify.” Access is continuously evaluated, even after initial authentication.
Example: A user is required to re-authenticate when accessing a sensitive resource, even within a trusted session.
10. Usage-Based Access Control (UBAC)
Definition: Access is based on resource usage patterns and quotas.
Example: A user can upload files up to a 10GB limit per month.
11. Task-Based Access Control (TBAC)
Definition: Access is granted based on tasks the user needs to perform.
Example: A user can approve a document only if they are part of the approval task chain.
Access Governance ⬇️
Here are some of the key capabilities and use cases:
Identity Management
Access governance solutions can connect to your IDM, providing a centralized repository for user identities and attributes. These solutions support federation protocols and streamlined authentication across various applications. They automate identity provisioning/de-provisioning using cross-domain identity management to synchronize user accounts between your IDM system and target applications.
Granular Access Control
The most effective access governance solutions enable the implementation of policy-based access control at the lowest attribute level. They can assign permissions based on predefined roles or dynamic attributes, ensuring that access rights are aligned with user roles and responsibilities. These solutions support policy engines to define and enforce complex access policies across different systems and applications.
Privileged Access Management
These solutions can enforce Just-In-Time access, session recording, and MFA for privileged users. They can also integrate with existing PAM solutions, allowing you to manage and monitor privileged access across your environment centrally.
Fine-Grained Access Reviews
Automate access reviews to regularly validate user permissions and identify anomalies or excessive access rights. These solutions offer automated workflows to trigger reviews, track progress, and document outcomes.
Monitoring and Auditing
Integrate with tools like Splunk to collect and analyze security logs from various sources. With this capability, you can configure alerts for suspicious access activities, such as failed login attempts, privilege escalations, or access to sensitive data outside of normal working hours.
Role Management
Manage roles and permissions effectively, giving you control to protect your critical business applications. By centralizing role management, you create a single source of truth for security and access control, making it easier to maintain compliance.
Lifecycle Request Management
Access Governance solutions provide a self-service workflow that enables you to manage and fulfill user access requests. Create approval workflows that allow the right people to review and act on access requests. It should also include the ability to track the status of requests, automatically provision access upon approval, and integrate with existing identity management systems.
After years of implementing Salesforce packages, here's a crucial security tip that could save your org from unnecessary risks: Stop Using "Install for All Users" Access for Package Installation!
💡 Best Practice Alert: Never use "Install for All Users" or "Install for Specific Profiles (Full Access)" when installing packages. Here's the secure and better way:
1️⃣ Always install packages with "Install for Admins Only" access first
2️⃣ Use the package's Permission Set (based on role), if any
3️⃣ Create your own custom Permission Sets for granular control
4️⃣ Create automation to assign/remove Permission Sets
🛡️ Why This Matters:
- Better security governance
- Precise access control
- Prevents accidental exposure
- Easier maintenance and auditing
🎯 Real-World Impact: I've seen organizations struggle with overexposed package features simply because they chose "Install for All Users" during installation. Don't make this common mistake!
Got questions about secure package implementation? Drop a comment or message me!
✨ Remember: Good security is about controlled access, not open access! ✨
#SalesforceAdmin #Salesforce #CRM #CloudSecurity #SalesforceImplementation
There are four ways to control access in software, and most engineers only know one.
Access Control Lists (ACL): "Alice can read document.pdf." Explicit permissions per resource. Simple for small systems, but doesn't scale when you have thousands of users and resources.
Role-Based Access Control (RBAC): "Editors can write posts." Users assigned to roles, roles have permissions. Works well for most systems. Users grok it fairly easily. Breaks down when you need context—like "only the author can delete their own post."
Attribute-Based Access Control (ABAC): "Allow if user.department == resource.department AND time < 5pm." Policies evaluate attributes from user, resource, and environment. Extremely flexible. Also extremely complex to debug and maintain.
Relationship-Based Access Control (ReBAC): "Members of a team can view documents shared with that team." Authorization based on relationship graphs. Requires traversing user → team → document relationships. Google's Zanzibar popularized this approach for fine-grained authorization at scale.
tl;dr: most systems do fine with RBAC; it's popular for a reason. Reach for the others only when you actually need them.
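The four models above, and the RBAC and ABAC definitions in the earlier list of authorization kinds, each as a small decision function. This is an added example, not the author's code; the users, roles, teams, documents and tuples are constructed, and the ReBAC check is a simplified version of the Zanzibar-style relationship tuples the post mentions.

```python
"""ACL, RBAC, ABAC and ReBAC decisions over constructed data."""
from datetime import time

# ACL: explicit (subject, action) grants per resource.
ACL = {"document.pdf": {("alice", "read")}}

def acl_allows(user, action, resource):
    return (user, action) in ACL.get(resource, set())

# RBAC: users -> roles -> permissions; no notion of "own post".
ROLE_PERMS = {"editor": {"write_post"}, "viewer": {"read_post"}}
USER_ROLES = {"bob": {"editor"}, "carol": {"viewer"}}

def rbac_allows(user, permission):
    return any(permission in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))

# ABAC: a policy over user, resource and environment attributes.
def abac_allows(user_attrs, resource_attrs, env):
    """Allow if user.department == resource.department AND time < 5pm."""
    return (user_attrs["department"] == resource_attrs["department"]
            and env["time"] < time(17, 0))

# ReBAC: relationship tuples (object, relation, subject). A subject may be a
# userset such as "team:eng#member", which is expanded by traversal.
TUPLES = {
    ("team:eng", "member", "dave"),
    ("team:eng", "member", "erin"),
    ("doc:roadmap", "viewer", "team:eng#member"),  # shared with the team
    ("doc:payroll", "viewer", "frank"),            # shared with one user
}

def rebac_allows(user, relation, obj, depth=0):
    """Traverse user -> team -> document; the depth limit guards against cycles."""
    if depth > 5:
        return False
    for o, rel, subject in TUPLES:
        if o != obj or rel != relation:
            continue
        if subject == user:
            return True
        if "#" in subject:  # userset: does the user hold that relation on it?
            set_obj, set_rel = subject.split("#", 1)
            if rebac_allows(user, set_rel, set_obj, depth + 1):
                return True
    return False
```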
Security teams are expected to keep their SaaS environment secure, but the reality is that applications, identities, and integrations are constantly shifting in ways that are difficult to track. Misconfigurations pile up, permissions become excessive, and sensitive data moves through unmonitored connections. The only way to stay in control is with security that provides continuous visibility, automatic enforcement, and clear insights. Dynamic SaaS Security ensures that security moves as fast as SaaS itself. Here’s how it works:
• App Discovery - Identifies every application in your environment, including Shadow SaaS, AI-powered tools, and SaaS-to-SaaS connections that form outside IT’s control.
• App Factory™ - A proprietary no-code/low-code engine that enables security teams to add support for new applications in days, not quarters.
• Knowledge Graph - Analyzes vast amounts of SaaS data and transforms it into actionable business context, ensuring security insights align with real-world risks.
This foundation supports key security functions that mitigate risk at scale:
- Configuration management enforces security policies and prevents settings from drifting out of alignment.
- Data exposure management detects and mitigates unauthorized data sharing across SaaS platforms.
- Identities & access governance ensures least privilege access is maintained while eliminating excessive permissions.
- Detection & response identifies risks in real time, enabling automated remediation before threats escalate.
Security teams need more than just alerts. They need clear visibility, automatic enforcement, and a way to take action before threats become incidents. We at Reco provide the tools to make that happen.