featured image with security astro

Be a Security-Minded Admin


Understanding the basics of security is critically important to being an #AwesomeAdmin. As a steward of valuable data, you have the opportunity to be an important asset to your company by managing it with security in mind. Increasing your own cybersecurity knowledge allows you to play a role in not only safeguarding your company’s data but also helping your company meet security compliance requirements like the GDPR and CCPA. As an admin, you should work closely with IT to understand and maintain your company’s security standards.

The security-minded admin understands that security is “never done.” A security-minded Salesforce Admin knows that locking down user access with Multi-Factor Authentication (MFA) is the best way to safeguard their data from unauthorized account access. These admins also know what to do in the event of suspicious activity in their Salesforce implementation (knowing the internal procedure for escalating suspicious activity, emails, etc. and also understanding that this can be escalated to security@salesforce.com).

Being a security-minded admin is not as hard as it may seem. It means understanding the key principles of security and being able to apply them to your Salesforce implementation.

Know the basics of org security

1. Set up Multi-Factor Authentication (MFA) to protect access to your org.

MFA, also known as two-factor authentication, is the most effective way to protect your users’ accounts from common security threats like phishing, account takeover, and credential stuffing. As a security-minded admin, you can amplify your org’s security by requiring a second level of authentication for every user login. You can also require MFA when a user meets certain criteria, such as attempting to view reports or access a connected app. MFA verifies that a user is who they say they are, before they gain access to your Salesforce data.

2. Set login IP ranges and trusted IP ranges to protect where users can access your org.

Admins can control login access at the profile level by specifying a range of allowed IP addresses. If a user from an unidentified IP tries to log in, they will be denied. To control access at the org level, set trusted IP ranges. Unknown users logging in from non-trusted IPs are challenged to verify their identity — this is also commonly known as IP “whitelisting.” These restrictions help protect your Salesforce data from unauthorized access and phishing attacks.

3. Use permission sets to increase security inside your org.

Following the Principle of Least Privilege, give users the lowest level of user rights (access to read/write data) that they need to do their job. Salesforce helps you implement this with permission set groups so that you can easily customize the access given to users.

For additional security, you can activate session-based permission sets. This allows the user to have certain permissions only during a predefined session type (like when a user authenticates into your environment, for example).

4. Run Salesforce Health Check after every release.

Measure the security health of your org with Health Check. Admins can even create custom baselines to align security settings with the unique needs of the business. Be sure to run Health Check after every release to ensure your security score hasn’t changed.

5. Stay up-to-date on security.

Find the most up-to-date security resources and information on Salesforce’s security site.

Find more admin-related security resources available to you

Check out our resource page: admin.salesforce.com/security

Blaze and Astro standing on a field holding a security shield.

Get Ready for Multi-Factor Authentication: Plan for Auto-Enablement

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect user accounts against cybersecurity threats. It’s such an important safeguard that Salesforce made it a contractual requirement to use MFA when accessing Salesforce products. That requirement went into effect on February 1, 2022. And now? MFA auto-enablement for Salesforce orgs is […]

Trees and greenery next to Cloudy holding a megaphone.

The Future of User Management

This post is a follow-up to a packed session we held at #DF22 called “The Future of User Management.” We want to provide a summary of the session for those of you who weren’t able to get into the session due to room capacity or weren’t able to attend Dreamforce in person. Our session at […]


Have an Idea for a Story?

We are all about the community and sharing ideas.
Do you have an interesting idea or useful tip that you want to share?