Image with an outline of the night sky and tex that says "Secure Your Org Checklist."

5 Steps Every Admin Should Take to Secure Their Org

By

At Salesforce, we build security into our products and processes from the ground up. But our commitment to delivering secure products is only half the story because we believe security is a shared responsibility between Salesforce and our customers.

As an admin, you have a unique opportunity to become a security advocate — or champion, as we like to say — at your company. Your Salesforce org contains a large amount of valuable data, and you play a critical role in keeping that data secure. That’s why we created this checklist to give you some immediate ways to boost the security of your Salesforce org. Before we go into the details of the checklist, let’s talk about what your main security priorities are as an admin.

Your Salesforce org is home to a plethora of valuable customer and user data, and protecting that data is your #1 priority as an admin. When it comes to protecting your data from inside your org, one of the biggest challenges is understanding the type of information each user needs access to. This is where the principle of least privilege — a fundamental tenet of information security — can be very helpful. Following this principle means that users should have the least number of permissions necessary to do their job. Limiting users’ permissions prevents unauthorized access to sensitive records and information. Ultimately, following the principle of least privilege can significantly reduce the amount of risk to your org.

Let’s dive in! Here are the five steps to securing your org:

1. Evaluate permission sets

Permission sets allow you to control users’ access to records, fields, and other data without changing their profiles. They can be a powerful way to control access — and increase security — within your org. When creating permission sets, remember to always follow the principle of least privilege. First, identify the job functions, tasks, and processes critical to your users and define permission sets appropriately. Remove high-risk permissions from profiles and add them back to users as necessary through permission sets.

Before creating net new permission sets, see if you can reuse or recycle existing permission sets by adjusting them to match job function changes. You can also use permission sets to grant temporary access when users need to fill in for another user or complete short-term projects. Regularly conducting an audit of the permissions that your users have is also a great way to prepare for your multi-factor authentication (MFA) rollout!

2. Run Health Check

One of my favorite out-of-the-box security tools, Health Check gives you visibility into all of your security settings in one view. You can find and run Health Check in the Security Settings section in Setup.

Salesforce orgs have a high level of built-in security, but there are certain things left up to you, the admin, to configure based on the needs of your company. Things like setting up secure password policies and limiting session length will increase or decrease your score, depending on how you choose to configure them. We recommend running Health Check after every release (three times a year) to ensure that nothing has changed within your org and any new security settings are addressed right away.

Image showcasing the Health Check security tool. The screenshot shows an example of an org that scored a 76%.

3. Implement MFA

MFA, or multi-factor authentication, is one of the strongest security controls available to Salesforce Admins. You’ve probably been hearing this phrase a lot in the Salesforce universe lately because we’re asking all customers to implement MFA.

MFA adds an extra layer of security to your login process by requiring users to verify their identity with two or more pieces of evidence (or “factors”) to prove they are who they say they are. MFA is a great way to put additional safeguards in place against common security threats like phishing attacks. Hackers often target users’ login credentials with phishing attacks, but setting up MFA makes it extremely difficult for an attacker to get access to a user account. Enabling MFA is one of the easiest, most effective actions you can take to safeguard your business and customer data.

4. Utilize Salesforce Optimizer

Salesforce Optimizer is a powerful, free tool that takes a snapshot of your Salesforce org and looks for potential problems in your implementation. Optimizer can also help drive feature adoption with your users and is especially helpful when rolling out MFA. Admins can fine-tune their MFA implementation with Optimizer by checking if any users are still logging in with non-MFA methods.

You can also use Optimizer to strengthen your org’s overall security. For example, you can use it to find users who haven’t logged in for a while, which could mean they no longer need access to Salesforce and should be deactivated. You can also review how many users have a System Administrator profile; if there are too many, it might be time to reassess their permissions. Remember that it’s always best to limit those powerful permissions to the smallest number of people necessary (I’ll say it again: principle of least privilege!).

Screenshot of Salesforce Optimizer showcasing how you can identify potential problems in your implementation.

5. Level up your security skills with Trailhead

We’ve gone over a few actions you can take within your Salesforce org to boost the security of your data. Now, let’s talk about how to level up your skills. We like to say that security is never done, which means that staying educated about security is an ongoing project. Salesforce has amazing resources to help keep you up to date on security best practices, including Trailhead and the Admin Certification. We’re constantly updating Trailhead with new security training for new releases, so go take a look! These training resources will not only help you be the most secure admin you can be but also make you a more valuable employee and give your career a boost in the long run.

Make sure to check out the Security for Admins: Become a Security Champion episode at TrailheaDX for more info and demos of these tips!

Resources

Core responsibilities of a Salesforce Admin

Core Responsibilities of a Salesforce Admin: Your Blueprint for Success

As admins, you hold the keys to success for your users and companies to get the most out of Salesforce. You have the unique opportunity to build and manage trusted solutions that drive productivity and innovation through five core admin responsibilities: security, user management, data management, analytics, and a new core responsibility: product management.  The […]

READ MORE
User management enhancements Winter '25

User Management Enhancements | Winter ’25 Be Release Ready

Winter ’25 is almost here! Learn more about user management and check out Be Release Ready to discover more resources to help you prepare for Winter ’25. We’re continuing to innovate in Setup starting with user access and user management. We have several exciting enhancements in store for Winter ’25–many thanks to your feedback and […]

READ MORE
Troubleshoot user access with SOQL

How to Troubleshoot User Access with SOQL (Beginner Friendly)

Awesome Admins, we know that troubleshooting user access is a common task. You’re frequently asked questions like “Why can Jane access this field, but John can’t?” or “Why can John view this record when he shouldn’t be able to?” In Summer ’24, we introduced helpful summary views for users, public groups, permission sets, and permission […]

READ MORE