05 August 2013

Reduce Users with Too Many Administrative Rights



Giving out Modify All Data, Customize Application, or Manage Users to other users is like giving the ultimate power in the salesforce.com universe. And with total power comes... a lot of risk.

Ultimately, as organizations segment and divide into multiple organizations housed in a single org, the need to grant more delegated administrative rights grows exponentially.

There are options that you can explore:

  1. Modify All Records or View All Records instead of Modify All Data or View All Data
  2. Sharing instead of Modify All Data or View All Data
  3. Delegated Administration instead of Manage Users for specific roles or Customize Application for Custom Objects

The best way to proceed is to take away any of these administrative permissions from your users and let them try to perform their daily tasks.  You will quickly find where these permissions were needed and where you can compensate by providing alternative permissions or configurations.

For instance, one customer I worked with recently removed Modify All Data from a group of delegated admins.

One issue that came up was the need to use the Data Loader. They solved this by downloading the client to a shared directory.

Another instance came up where delegated administrators needed to log in as end users; however, these admins could not have the Manage Users permission. Using Delegated Administration groups, these admins were able to log in and manage users for a role and the role's subordinates without requiring Manage Users (only View Setup and Configuration was required).

Ultimately, some tasks must still be performed by a System Administrator, but at least you can begin to whittle down the number of administrators who have too much access.
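To decide whose permissions to take away first, it helps to list who holds the three permissions named above and where each grant comes from. The Apex below is an added example, not code from the original post; it assumes it is run through Execute Anonymous by an administrator who can query `PermissionSetAssignment`, and the variable names are illustrative.

```apex
// Added example: report every active user who holds Modify All Data,
// Customize Application, or Manage Users, and which profile or
// permission set grants it.
Map<String, List<String>> grantsByUser = new Map<String, List<String>>();

for (PermissionSetAssignment psa : [
        SELECT Assignee.Username,
               PermissionSet.Label,
               PermissionSet.IsOwnedByProfile,
               PermissionSet.Profile.Name,
               PermissionSet.PermissionsModifyAllData,
               PermissionSet.PermissionsCustomizeApplication,
               PermissionSet.PermissionsManageUsers
        FROM PermissionSetAssignment
        WHERE Assignee.IsActive = true
          AND (PermissionSet.PermissionsModifyAllData = true
               OR PermissionSet.PermissionsCustomizeApplication = true
               OR PermissionSet.PermissionsManageUsers = true)
        ORDER BY Assignee.Username]) {

    // A profile appears here as a permission set with IsOwnedByProfile = true.
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'profile "' + psa.PermissionSet.Profile.Name + '"'
        : 'permission set "' + psa.PermissionSet.Label + '"';

    List<String> perms = new List<String>();
    if (psa.PermissionSet.PermissionsModifyAllData) {
        perms.add('Modify All Data');
    }
    if (psa.PermissionSet.PermissionsCustomizeApplication) {
        perms.add('Customize Application');
    }
    if (psa.PermissionSet.PermissionsManageUsers) {
        perms.add('Manage Users');
    }

    String username = psa.Assignee.Username;
    if (!grantsByUser.containsKey(username)) {
        grantsByUser.put(username, new List<String>());
    }
    grantsByUser.get(username).add(String.join(perms, ', ') + ' via ' + source);
}

// One debug line per user; a user with several lines has overlapping grants.
for (String username : grantsByUser.keySet()) {
    System.debug(username + ': ' + String.join(grantsByUser.get(username), '; '));
}
```

A user who appears with more than one source keeps the permission until every one of those grants is removed, so check the full line before testing whether daily tasks still work.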

3 comments:

  1. Okay, I'm late to the party, but the data loader issue is one I've been trying to find a workaround for for years (there are some 3rd party tools, but they're buggy and require you uploading your data into them, which raises security issues).

    So if a user can access the APEX data loader through a shared directory (i.e. don't need to access the internal parts of Salesforce to download it), they can then log into it directly and use it with their standard credentials without having Mod All?

    What kind of permissions does that require? (I assume Mod All on the particular object? Or can any user do this without any particular permissions?)

    Replies
    1. API Enabled is all that's required to access the API. From there it follows the standard permission model - to query accounts you need read on accounts, to insert an account you need create on accounts, etc...
