You are here:
Compliant Data Sharing Control
This control enforces the immediate removal of user participant records within the Compliant Data Sharing (CDS) framework whenever a user is deactivated or transitions to a role no longer requiring access.
Control Name
Compliant Data Sharing
Recommended Configuration
Delete Participant Records Before Deactivating a User - Deactivate a Salesforce user who has Compliant Data Sharing participant records.
Control Overview
This control enforces the immediate removal of user participant records within the Compliant Data Sharing (CDS) framework whenever a user is deactivated or transitions to a role no longer requiring access. By systematically clearing these granular sharing assignments, this makes sure sensitive record access is fully revoked, preventing unauthorized data exposure and maintaining strict regulatory compliance.
Security Risk If Not Configured
The lack of systematic removal of access through Compliant Data Sharing creates a significant risk of data overexposure, where users who have been deactivated or transitioned to new roles retain unauthorized visibility into sensitive financial records. This persistence of "stale" permissions increases the likelihood of internal data breaches and can lead to severe regulatory non-compliance with data privacy mandates such as GDPR or GLBA.
Threat Scenarios
An employee transitions to a new role or department but retains "stale" participant records in Compliant Data Sharing because the administrator enabled the setting to retain records upon deactivation rather than purging them. A threat actor—or a malicious insider—who then compromises this account, exploits these lingering idle permissions to silently exfiltrate sensitive financial deals and private client data that the user is no longer authorized to access.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Increase risk dependent upon scope of user access permission.
Higher Risk When
The risk is significantly heightened by a lack of automated de-provisioning workflows, which leaves the cleanup of granular participant records to error-prone manual processes during user offboarding or role changes.
Additionally, the absence of periodic access certification reviews for Compliant Data Sharing makes sure that invalid permissions remain undetected, allowing internal transfers to retain visibility into sensitive financial records long after their "need-to-know" has expired.
Low or No Risk When
To minimize the risk of residual access in Compliant Data Sharing, companies should enforce the mandatory deletion of participant and participant group records before user deactivation, which can be strictly governed by enabling the "Delete participant records before deactivating a user" setting in Salesforce General Settings.
Business and Integration Considerations
User roles and permission.
Recommended Remediation
Implement a Compliant Data Sharing framework when removing users.
Security Health Review Guidance
N/A - Currently not inspected by the Security Health Review tool.
