Key Security Best Practices for Salesforce Administrators

Intellectual Clouds Team
June 10, 2026

Protect your Salesforce org with these essential security configurations. Every Salesforce Admin should have these controls active from day one.

Direct Answer: The most critical Salesforce security best practices for administrators include enforcing Multi-Factor Authentication (MFA) for all users, applying the Principle of Least Privilege using Profiles and Permission Sets, restricting login access by IP range and login hours, enabling Field-Level Security to protect sensitive data, and activating the Setup Audit Trail to maintain a complete log of all configuration changes.

Why Salesforce Security is a High-Stakes Discipline

Salesforce holds your most sensitive business assets: customer contacts, deal values, pricing strategies, and support communications. A compromised Salesforce org can result in GDPR violations, catastrophic data leaks, and significant financial damage. Security cannot be an afterthought.

The Security Checklist for Every Salesforce Admin

| Control | Priority | Setup Location |
| :--- | :--- | :--- |
| Multi-Factor Authentication (MFA) | Critical | Setup > Identity > MFA |
| IP Restrictions (Login IP Ranges) | Critical | Profile Settings > Login IP Ranges |
| Password Policies | High | Setup > Password Policies |
| Session Settings (Timeout) | High | Setup > Session Settings |
| Field-Level Security (FLS) | High | Object Manager > Fields > Set Field Permissions |
| Sharing Rules & OWD | High | Setup > Sharing Settings |
| Setup Audit Trail | Medium | Setup > Audit Trail |
| Health Check | Medium | Setup > Health Check |

Step-by-Step Process: The Principle of Least Privilege

The single most impactful security policy is ensuring every user can only see and do exactly what their job requires.

  1. Audit Existing Profiles: Review every Profile in your org. Eliminate profiles that grant "Modify All" or "View All" to non-admin users.
  2. Migrate to Permission Sets: Instead of having dozens of custom profiles, move specific feature access into modular Permission Sets that can be granted or revoked instantly.
  3. Review Object-Level Permissions: Ensure standard users cannot delete records. Delete permissions should only be granted to admins and record owners.
  4. Configure Field-Level Security: Ensure sensitive fields (SSN, Credit Card, Salary) are hidden from all profiles except those with a legitimate business need.

Critical Security Controls Explained

Multi-Factor Authentication (MFA)

Salesforce has made MFA mandatory for all users accessing production orgs. If MFA is not enforced, a user whose password is compromised hands the attacker full, unrestricted access to your entire customer database.

Org-Wide Defaults (OWD)

OWD settings determine the baseline record visibility for all users. Start with the most restrictive setting ("Private") for sensitive objects like Opportunities and expand access using Sharing Rules and Role Hierarchy only where necessary.

Health Check Score

Salesforce's built-in Health Check tool provides a score out of 100 (100 being the most secure). Administrators should target a score above 70 and regularly review recommendations.

Real Example

During a Salesforce Consultancy engagement, we audited a client's org and found that 30 standard sales users had "Modify All Data" permission—essentially admin-level access. A single compromised account could have deleted the entire customer database.

Using our Business Process Automation framework, we built a quarterly access review workflow that automatically emails the CISO a list of all users with elevated permissions, ensuring no unauthorized permission creep.
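The permission audit in the least-privilege steps above and the quarterly review described here both reduce to the same question: which users hold "Modify All Data" or "View All Data", and through which profile or permission set. The script below is an added example, not the Intellectual Clouds workflow; it assumes the rows were fetched from the standard PermissionSetAssignment object (a SOQL query is shown in the docstring), that "System Administrator" is the only profile expected to hold these permissions, and uses constructed sample data.

```python
"""Quarterly elevated-permission review (added example, not the article's own workflow).
Rows are assumed to come from: SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name,
  PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name, PermissionSet.PermissionsModifyAllData,
  PermissionSet.PermissionsViewAllData FROM PermissionSetAssignment  (all standard API fields)."""
from collections import defaultdict

ADMIN_PROFILES = {"System Administrator"}  # profiles expected to hold these grants (assumption)
ELEVATED = ("PermissionsModifyAllData", "PermissionsViewAllData")
def _row(user, active, ps_name, profile, modify=False, view=False):
    # One PermissionSetAssignment record in REST-API shape (constructed sample data).
    return {"Assignee": {"Username": user, "IsActive": active},
            "PermissionSet": {"Name": ps_name, "IsOwnedByProfile": profile is not None,
                              "Profile": {"Name": profile} if profile else None,
                              "PermissionsModifyAllData": modify, "PermissionsViewAllData": view}}

SAMPLE_ROWS = [  # constructed: bob and dave hold org-wide data access without an admin profile
    _row("alice@example.com", True, "X00e", "System Administrator", modify=True, view=True),
    _row("bob@example.com", True, "X00f", "Standard User"),
    _row("bob@example.com", True, "Sales_Ops_Cleanup", None, modify=True),
    _row("carol@example.com", True, "X00f", "Standard User"),
    _row("dave@example.com", False, "X00f", "Standard User"),
    _row("dave@example.com", False, "Data_Export", None, view=True)]

def _label(ps):  # profile-owned permission sets are reported under the profile name
    return ("Profile:" + ps["Profile"]["Name"]) if ps["IsOwnedByProfile"] else ("PermSet:" + ps["Name"])
def elevated_users(rows):
    """Collapse assignments per user (a grant from ANY assigned set counts); keep users with an elevated grant."""
    per_user = defaultdict(lambda: {"active": True, "profile": None, "grants": {}})
    for row in rows:
        user, ps = per_user[row["Assignee"]["Username"]], row["PermissionSet"]
        user["active"] = row["Assignee"]["IsActive"]
        if ps["IsOwnedByProfile"]:
            user["profile"] = ps["Profile"]["Name"]
        for perm in ELEVATED:
            if ps.get(perm):
                user["grants"].setdefault(perm, []).append(_label(ps))
    return {u: d for u, d in per_user.items() if d["grants"]}

def findings(rows, admin_profiles=ADMIN_PROFILES):
    """Usernames holding elevated grants outside an admin profile: the permission creep to review."""
    return sorted(u for u, d in elevated_users(rows).items() if d["profile"] not in admin_profiles)

def report(rows, admin_profiles=ADMIN_PROFILES):
    """Plain-text body for the quarterly CISO email, one line per user with elevated grants."""
    out = []
    for user, d in sorted(elevated_users(rows).items()):
        flag = "OK" if d["profile"] in admin_profiles else "REVIEW"
        grants = "; ".join(f"{p[len('Permissions'):]} via {','.join(s)}" for p, s in d["grants"].items())
        out.append(f"[{flag}] {user} ({d['profile']}, {'active' if d['active'] else 'inactive'}): {grants}")
    return "\n".join(out)
```

Inactive users are still listed on purpose: a frozen or deactivated account that keeps a standalone permission set will regain it the moment it is reactivated.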

Frequently Asked Questions

1. How often should I review user permissions?

Conduct a full permission audit at least quarterly, and immediately upon any employee departure.

2. What is Connected App security in Salesforce?

Connected Apps are third-party integrations (like Slack or DocuSign). Each has its own OAuth permission scope. Regularly audit which Connected Apps have access to your org and revoke any that are unused.

3. How do I handle a compromised user account?

Immediately freeze the user account in Salesforce (not just deactivate—freeze prevents any session from continuing), reset their password, revoke all active sessions, and review the Setup Audit Trail for any changes they made.

4. Is Salesforce Shield worth the cost?

For enterprises with strict compliance requirements (HIPAA, GDPR, PCI-DSS), Salesforce Shield's Event Monitoring, Field Audit Trail, and Platform Encryption features are extremely valuable and often necessary.

5. Can you conduct a Salesforce security audit?

Yes. Our Salesforce Consultancy team performs comprehensive security reviews and remediation across all org configurations.
