Permission Sets Control
Control Name
Permission Set Management
Recommended Configuration
Define the settings and permissions that give users access to various tools and functions:
Standard Permission Sets | Custom Permission Sets | Integration Permission Sets | Session-Based Permission Sets.
Control Overview
To enforce the principle of least privilege and simplify user management, Salesforce administrators should assign users the "Minimum Access" profile as a baseline and grant all additional functional permissions through modular, task-based Permission Sets.
These sets should be bundled into Permission Set Groups aligned with specific business personas, using expiration dates and muting sets where necessary to maintain granular control and prevent unauthorized access.
Security Risk If Not Configured
Ineffective management of Salesforce Permission Sets leads to "permission creep," where users accumulate legacy access that bypasses the principle of least privilege and creates broad, unmonitored security gaps. This lack of governance turns your security model into a "black box," significantly increasing the risk of unauthorized data exfiltration and making successful compliance audits nearly impossible to achieve.
Threat Scenarios
An attacker compromises a standard user's credentials and discovers that the account has "orphaned" administrative permissions like "Modify All Data" due to a project assignment from years prior that was never revoked. Using this undetected "privilege creep," the attacker silently exfiltrates the entire customer database through a legacy API, bypassing standard role-based restrictions the company falsely assumed were still in place.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk increases with the number of users, roles, and settings defined in the permission sets.
Higher Risk When
The risk is significantly amplified by the absence of Multi-Factor Authentication (MFA) and Real-Time Event Monitoring, which allows compromised accounts to exploit excessive permissions without triggering an alert.
Furthermore, a lack of automated access reviews and a failure to enforce zero-baseline profiles ensure that "privilege creep" remains hidden and persistent, leaving high-risk administrative gaps wide open long after a user’s business needs have changed.
Low or No Risk When
Implementing Salesforce Shield Event Monitoring and Transaction Security Policies helps detect and block high-risk actions, such as bulk data exports, regardless of a user's assigned permissions.
Additionally, enforcing MFA and using Session-Based Permission Sets ensures that elevated privileges are only active when strictly necessary and under a verified identity, effectively neutralizing the threat of static "orphaned" access.
Business and Integration Considerations
Admins should review their permission set assignments so that they align with the company structure defined in the instance.
Recommended Remediation
Implement periodic access reviews, and review permission sets so that they align with the principle of least privilege.
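One way to automate part of the periodic access review is shown in the following Python, which is an added example and not Salesforce tooling or code from this page. It flags "Modify All Data" / "View All Data" grants that come from a profile, have no expiration date, or expire beyond a review window; the flattened column names, the 90-day window and the sample rows are assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Rows are assumed to be a flattened export of a SOQL query such as:
#   SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile,
#          PermissionSet.PermissionsModifyAllData,
#          PermissionSet.PermissionsViewAllData, ExpirationDate
#   FROM PermissionSetAssignment WHERE Assignee.IsActive = true
HIGH_RISK = ("PermissionsModifyAllData", "PermissionsViewAllData")
MAX_GRANT = timedelta(days=90)  # assumed review policy, not a Salesforce default

def review(rows, today):
    """Return (username, permission_set, finding) for each risky assignment."""
    findings = []
    for r in rows:
        if not any(r.get(p) for p in HIGH_RISK):
            continue  # task-based set without org-wide data access
        who, ps, exp = r["Username"], r["PermissionSetName"], r["ExpirationDate"]
        if r["IsOwnedByProfile"]:
            # Baseline should be "Minimum Access"; profiles should not grant these.
            findings.append((who, ps, "high-risk permission granted by profile"))
        elif exp is None:
            # Candidate for the "orphaned" access described in the threat scenario.
            findings.append((who, ps, "high-risk permission with no expiration"))
        elif date.fromisoformat(exp[:10]) - today > MAX_GRANT:
            findings.append((who, ps, "expiration beyond review window"))
    return findings

def row(user, ps, profile=False, mad=False, vad=False, exp=None):
    """Build one constructed sample row using the flattened column names."""
    return {"Username": user, "PermissionSetName": ps, "IsOwnedByProfile": profile,
            "PermissionsModifyAllData": mad, "PermissionsViewAllData": vad,
            "ExpirationDate": exp}

# Constructed sample data (not real users or permission sets).
SAMPLE = [
    row("alice@example.com", "Sales_Rep_Tasks"),
    row("bob@example.com", "Legacy_Migration_Project", mad=True),
    row("carol@example.com", "Custom_Admin_Profile", profile=True, vad=True),
    row("dave@example.com", "Data_Fix_Temp", mad=True, exp="2025-02-01"),
    row("erin@example.com", "Audit_Export", vad=True, exp="2026-01-01T00:00:00.000+0000"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE, date(2025, 1, 15)):
        print(*finding, sep=" | ")
```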
Security Health Review Guidance
N/A - Currently not inspected by the Security Health Review tool.

