Gartner estimates that by 2025, 70% of enterprise applications will be built on low-code and no-code platforms like Salesforce and ServiceNow. But are these platforms giving a false sense of security?
When asked, Salesforce administrators respond that Salesforce is responsible for security. In fact, security is a shared responsibility across SaaS applications: the service provider maintains the infrastructure, while your administrators and developers are responsible for ensuring minimum access rights.
Cloud misconfiguration is responsible for a three-fold increase in data breaches. Typically, misconfiguration occurs when security settings are left at their defaults, inappropriate access levels are assigned, or data barriers are not created to protect sensitive information. Because configuring a low-code platform is so easy, the low-code administrator often doesn’t understand the impact of checking a box.
When looking at the impact of a simple check mark, these are the top three most dangerous misconfigurations on the Salesforce platform: Modify All Data (MAD) and View All Data (VAD), Sharing and Sharing Groups, and running Apex code without a “runAs” method.
Let’s take a look at each and their potential impact.
Sharing groups are powerful, but they can accidentally open up access to unauthorized users.
MAD and VAD
We will start with the obvious and the most dangerous. The Modify All Data and View All Data permissions do exactly what they say. These are super user permissions for Salesforce.
If a user has VAD, they have read access to every data record in the system. MAD means they can update and delete every record. These permissions should only be given to administrators, and then only to a very limited number of people.
Why are you tempted to give MAD or VAD to non-administrators? A common issue is that a user cannot access the data they need to view. The administrator reviews the user’s profile and permission sets, all sharing rules and the role hierarchy, and can’t figure out why the user can’t see the information. As a “temporary fix” they give the user MAD or VAD, and now the user can view the records – along with everything else in the system.
The same mistake happens when developers run into this problem. To make progress on their code, they temporarily turn on MAD on the user’s profile and later forget that they turned it on.
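As an added example (not part of the original article), the following Python script audits which users hold MAD or VAD and through which profile or permission set, so a forgotten “temporary fix” of the kind described above shows up in a report. It runs on constructed records shaped like SOQL results for the PermissionSet and PermissionSetAssignment objects; the field names are Salesforce API names, while the Ids, names and users are made up.

```python
from collections import defaultdict

# Constructed sample: PermissionSet rows as a SOQL query would return them.
# Profiles appear as rows with IsOwnedByProfile = True; Ids and names are made up.
PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "System_Administrator", "IsOwnedByProfile": True,
     "ProfileId": "00e1", "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
    {"Id": "0PS2", "Name": "Sales_User", "IsOwnedByProfile": True,
     "ProfileId": "00e2", "PermissionsModifyAllData": False, "PermissionsViewAllData": False},
    {"Id": "0PS3", "Name": "Temp_Fix_Reports", "IsOwnedByProfile": False,
     "ProfileId": None, "PermissionsModifyAllData": False, "PermissionsViewAllData": True},
    {"Id": "0PS4", "Name": "Dev_Debug", "IsOwnedByProfile": False,
     "ProfileId": None, "PermissionsModifyAllData": True, "PermissionsViewAllData": False},
]

# Constructed sample: PermissionSetAssignment rows (one per user per set/profile).
ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PS1"},  # admin via profile
    {"AssigneeId": "005B", "PermissionSetId": "0PS2"},  # plain sales user...
    {"AssigneeId": "005B", "PermissionSetId": "0PS3"},  # ...plus a "temporary" VAD set
    {"AssigneeId": "005C", "PermissionSetId": "0PS2"},
    {"AssigneeId": "005C", "PermissionSetId": "0PS4"},  # developer left MAD on
    {"AssigneeId": "005D", "PermissionSetId": "0PS2"},  # clean
]

def audit_super_permissions(permission_sets, assignments):
    """Map each user holding MAD or VAD to the grants and where each one comes from."""
    by_id = {ps["Id"]: ps for ps in permission_sets}
    findings = defaultdict(set)
    for a in assignments:
        ps = by_id.get(a["PermissionSetId"])
        if ps is None:
            continue  # stale assignment; nothing is granted
        kind = "profile" if ps["IsOwnedByProfile"] else "permission set"
        if ps["PermissionsModifyAllData"]:
            findings[a["AssigneeId"]].add(f"ModifyAllData via {kind} {ps['Name']}")
        if ps["PermissionsViewAllData"]:
            findings[a["AssigneeId"]].add(f"ViewAllData via {kind} {ps['Name']}")
    return {user: sorted(v) for user, v in findings.items()}

def unapproved_holders(findings, approved_admins):
    """Users with MAD/VAD who are not on the approved administrator list."""
    return sorted(u for u in findings if u not in approved_admins)

if __name__ == "__main__":
    report = audit_super_permissions(PERMISSION_SETS, ASSIGNMENTS)
    for user, grants in sorted(report.items()):
        print(user, "->", "; ".join(grants))
    print("Unapproved:", unapproved_holders(report, {"005A"}))
```

Against a live org the two lists would come from SOQL queries on PermissionSet and PermissionSetAssignment; checking permission sets as well as profiles matters because a forgotten grant is just as often in a separately assigned set.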