A Salesforce admin, Jane, gets a request one afternoon about a new employee starting tomorrow. The new hire needs the same access as her colleague John, except she doesn’t need access to the custom object Candidates, which John can access. But she will also need the access rights to a different custom object set—Invoices and Inventory—that Sally can access. And, of course, Jane gets the request about an hour before the end of her workday.

Jane has been an administrator for a while and knows she could use certain Permission Sets for this request, but she hasn’t had the chance to sit down, plot out, and define these security features appropriately. So she does what many Salesforce administrators are still doing: she creates a new custom profile cloned from John and removes the field and object access from the Candidates object while granting access to the Invoices and Inventory custom objects.

I’m sure you’ve heard of or been in a similar situation. 

Profiles have been a staple of controlling access since Salesforce was released. They allow a user to be associated with one profile, which defines the settings, permissions, and access rights for anyone associated with that profile. This made sense when Salesforce was only focused on Sales Force Automation, but Salesforce has grown into so much more than a CRM. 

So how do you or your Salesforce admins become more proficient? Today we’re introducing the Minimum Access profile and how you can start planning for implementation now! 

What Is the Minimum Access Profile?

In Summer 2020, the Minimum Access Profile was released as a standard profile, allowing administrators to grant users the most basic functions on the platform when logging in. This included: 

  • Access Activities
  • Chatter Internal User
  • Lightning Console User
  • View Help Link 

That’s it. I admit, even as an experienced Salesforce user, admin, and consultant, I didn’t pay much attention to this profile. When first introduced, it was simply a replacement for the Read Only profile, which Salesforce bid adieu to with the release of the Minimum Access Profile. 

So why did Salesforce add this profile? 

As I mentioned, the scope of Salesforce as a business application has increased greatly since its inception in 1999. Salesforce’s goal was to become the best sales force automation (SFA) company, focusing exclusively on what we now know as Sales Cloud. There was no AppExchange, Apex, Service Cloud, or Experience Cloud. And at that time, you controlled all your access and privilege configuration through profiles.

Since then, the Salesforce platform has blossomed into the Customer 360 platform, a technical solution portfolio including Service Cloud, Experience Cloud, CPQ, Pardot, Analytics, 15 industry-specific cloud solutions, and AppExchange products such as FinancialForce. With each addition, controlling security and privacy through a profile has become near impossible.

To go along with this platform, though, we need to focus on the security of data within the application even more. This is where the Minimum Access profile can help.

In security, both in Salesforce and in technology generally, there is a best practice known as the Principle of Least Privilege. This principle states that an application should provide a user with only the minimum set of rights required to perform an assigned job or function. In Salesforce talk, if a user only needs access to the account, contact, and opportunity objects, then that is all they should be able to access.

As an administrator, the Minimum Access Profile gives you a running start on properly assigning security permissions and settings for your organization to meet the Principle of Least Privilege. But does this mean you can just go into your Salesforce and set all your users to this new profile? Well, no. (Although I do think it would be an amazing April Fools’ Day joke for the start of the day!) 

As with most things related to security and privacy, the new profile goes hand in hand with another security feature available to Salesforce administrators: Permission Sets and Permission Set Groups.

How Do I Start Implementing the Minimum Access Profile?

To get started implementing the Minimum Access Profile, here are three things you can do right now to start learning, planning, and testing its capabilities in your Salesforce.   

1. Get Reading and Learning!

Trailhead is a great tool to help you learn, or brush up on, all things Salesforce and security. How Profiles and Permission Sets work is covered in Trailhead’s Protect Your Salesforce Data trail, which gives a good overview of the fundamentals you should use when planning your new security processes using the Minimum Access Profile.

Once you’ve completed the trail, you may want to dig even deeper into Salesforce’s security; the Salesforce Security Guide has you covered and can be found on the Salesforce developer site.

2. Get Documenting!

Before you start changing the key security parameters for your users and instance, you need to identify and document the security requirements. To do this, you should define each business function your users need to complete to fulfill their day-to-day work—their Salesforce use journey. This document will be important as it will serve as the definition for each permission set and permission set group needed for use with the Minimum Access Profile. 

Each key step in this journey should include:

  • What the Key Step action is
  • What object and field access is required
  • What access level (create, read, edit, delete) is required
  • Why this is needed and what risks are involved in granting access
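
One way to put that document to work, shown here as an added example that is not part of the original post: record each key step as data, then compare what the journey requires with what a user's assigned permission sets actually grant. The object API names, permission set names and journey steps are constructed for illustration, and the check assumes the Minimum Access profile itself grants no object access.

```python
# Constructed sample data: every object and permission set name is hypothetical.
CRUD = frozenset("CRED")  # create, read, edit, delete

# The documented use journey: key step, object, access level and reason.
JOURNEY = [
    {"step": "Log customer calls", "object": "Account", "access": "RE", "why": "keep notes current"},
    {"step": "Raise invoices", "object": "Invoice__c", "access": "CRE", "why": "bill customers"},
    {"step": "Check stock", "object": "Inventory__c", "access": "R", "why": "confirm availability"},
]

# Permission sets layered on the Minimum Access profile (assumed: no object access).
PERMISSION_SETS = {
    "Account_Maintenance": {"Account": "RE"},
    "Recruiting": {"Candidate__c": "CRED"},
    "Invoicing": {"Invoice__c": "CRE"},
    "Inventory_Read": {"Inventory__c": "R"},
}

def required_access(journey):
    """Union of the access levels each object needs across all key steps."""
    need = {}
    for step in journey:
        levels = set(step["access"])
        if not levels <= CRUD:
            raise ValueError(f"unknown access level in step {step['step']!r}")
        need.setdefault(step["object"], set()).update(levels)
    return need

def effective_access(assigned):
    """Permissions are additive: the result is the union over all assigned sets."""
    have = {}
    for name in assigned:
        for obj, levels in PERMISSION_SETS[name].items():
            have.setdefault(obj, set()).update(levels)
    return have

def review(journey, assigned):
    """Return (missing, excess), each as {object: sorted access letters}."""
    need, have = required_access(journey), effective_access(assigned)
    missing, excess = {}, {}
    for obj in set(need) | set(have):
        gap = need.get(obj, set()) - have.get(obj, set())
        extra = have.get(obj, set()) - need.get(obj, set())
        if gap:
            missing[obj] = sorted(gap)
        if extra:
            excess[obj] = sorted(extra)
    return missing, excess
```

Calling `review(JOURNEY, [...])` with a colleague's full list of permission sets plus the new ones shows any access, such as the recruiting set, that the journey never asked for.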

3. Get Playing!

As with all new features in Salesforce, you need to familiarize yourself with the Minimum Access Profile, what it allows users to complete, and start building Permission Sets and Groups. 

To do this, use one of your instance’s sandboxes to have a safe testing environment to learn, play, and create. You can use your sandbox to test what it looks like with the new profile and how the permission sets created from your Salesforce use journey allow your users to complete their work.

In a later blog post, we’ll delve further into documenting business functions and architecting permission sets and groups. But before that, we’d love to hear from you. Has your organization begun using the Minimum Access Profile? If so, what has been your experience? 

OpMentors is passionate about helping business leaders like you maximize Salesforce and FinancialForce, including features like standard profiles and their permission sets. Schedule a call today to tell us more about your organization’s goals, and we’ll share how we can work together to achieve them. 

Nik Panter