Managing Security for Multiple Orgs Just Got Easier


It’s becoming more important every day to ensure you’re taking every step possible to secure your applications and data – but complex enterprise software isn’t always easy to secure.  Password policies? Session Security? Clickjacking and CSRF protections? Sometimes it’s difficult to even know where to start!

… And that’s why we created Security Health Check. Security Health Check, or Health Check for short, is available on all editions of Salesforce, and is a tool designed to give administrators and security professionals an easy-to-understand view of the security posture of a Salesforce org.

What is Health Check, and how can it help me do my job?

Available in Setup, Health Check provides a bird’s-eye view of your org’s security settings. It is designed to be customizable – allowing you to create your own custom baseline security standards that reflect your company’s specific security policies.  It’s also designed to be powerful – giving you the tools to quickly and easily address any identified risks or gaps.

As we discussed in our earlier blog post, Health Check allows you to summarize and communicate your org’s security landscape to the rest of your company. The tool is especially useful if you encounter conflicting priorities from end users and policy creators about something like password policy. With access to the Salesforce baseline recommendations, implementing and enforcing the recommended security policies is easier to explain and justify to your executive sponsors.

[Image: Health Check home screen in a demo org.]


By default, Health Check uses the Salesforce baseline standard to compare the security settings in your org against our recommended security settings.  Your org will receive a Health Check grade (from 0-100%) based on how much it complies with or diverges from the baseline standard. Settings are broken up into risk categories of High-risk, Medium-risk, Low-risk and Informational. Settings in the High-risk category have a greater impact on your overall health check score, while settings in the Informational category have no impact on the overall Health Check score.

Knowing that you have settings that diverge from the baseline is important – but equally important is the ability to quickly and easily take action on identified risks.  The Fix Risks feature in Health Check allows you to quickly fix all or some of the risks identified at the same time – in just two clicks!

[Image: Health Check score and Fix Risks button.]


Recognizing that not everyone will have the same security requirements (security is not a one size fits all kind of thing), we’ve added the ability to create custom baselines. This allows you to create a baseline that exactly matches your security and compliance needs. Custom baselines are created by exporting the Salesforce standard as an XML file, modifying it to meet your specific needs, then importing the resulting baseline.  You can choose to set your custom baseline as the default for your org, ensuring that your custom baseline is loaded by default when you access Health Check.

Ok, I’m interested. But how can I use Health Check on more than one org?

When talking with customers about Health Check we often hear some version of, “Well that all sounds great, but I have multiple orgs and this seems like it only works on one org so… how do I do this across many orgs?”

It’s true – there’s no out of the box UI support for multiple orgs in Health Check. Managing the tool across multiple orgs can be time-consuming – and the more orgs you add, the more difficult it becomes. That’s precisely why the Security team at Salesforce set out to solve this conundrum and create a central place to surface Health Check data. As a result, a tool called OrgMonitor was born.

Introducing OrgMonitor!

OrgMonitor is a web application written in Node.js to monitor the size, utilization and basic security posture of multiple Salesforce orgs, in production or sandbox environments.

OrgMonitor connects to each org via API through standard Oauth authentication. Once connected, the tool runs a set of SOQL queries against all connected orgs on an hourly basis, collecting important metrics including Health Check score and other identified risks. It also stores historical results in Postgres to provide a concise but in-depth view of the security health of all your orgs.

[Image: OrgMonitor sample home screen.]

The goal of OrgMonitor is to provide a sense of size/utilization and basic security posture of multiple Salesforce Orgs. OrgMonitor is open source software, and it’s now available for download in GitHub.

OrgMonitor has many uses, including the capability to:

  • Answer questions such as how many Users, Profiles, Permission Sets, Roles, Pages, Classes, Objects your org has
  • Provide visibility into users with high-level privileges (View All Data, Modify All Data, Author Apex, etc)
  • Gather other metrics such as unused Roles and custom Profiles, Profiles without IP restrictions and Users without predefined corporate email addresses

[Image: See a snapshot of your users’ permissions in OrgMonitor.]


Ready to learn how to deploy OrgMonitor on your Salesforce instance, or practice running Security Health Check on Trailhead? Check out the following resources:


light blue background with navy text "Security Center" and underneath Astro is holding a large key

Security Center: A Single View Into Your Security Controls Across All Your Orgs

In a world with heightened security awareness and digital risks at every corner, Security Center makes it easier than ever to truly understand your Salesforce security posture. With native support for both single and multi-org environments, Security Center provides a single-pane view of the security configuration and controls in place across your entire Salesforce implementation. […]


Multi-Factor Authentication: As Easy as Washing Your Hands!

How many times a day do you wash your hands? If you think this seems like an absurd question, and totally unrelated to security, you’re wrong… kind of. How are security and health connected? Both require good personal hygiene, a concept as familiar as washing your hands or (you guessed it!) brushing your teeth. So, […]


Critical Update: Ensure Users Have Access to @AuraEnabled Methods

Winter ’21 is just around the corner and will include a critical update that could impact any page leveraging a custom component. As a Salesforce Admin, you’ve probably noticed this alert in your Security Alerts (Setup | Security | Security Alerts) and might have overlooked this. But because it involves permissions and user management, we […]


Have an Idea for a Story?

We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?