Access Governance Superbadge Unit
Monitor your org for access-related security vulnerabilities.
Access Governance Superbadge Unit
Ce que vous devez accomplir pour gagner ce superbadge
- Audit privileged users and adjust permissions appropriately.
- Monitor changes to key data and mitigate exposure of sensitive data.
- Describe best practices in monitoring connected app access.
Concepts testés avec ce Superbadge
- Access Governance
Prework and Notes
Sign Up for a Developer Edition Org with Special Configuration
To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.
-
Sign up for a free Developer Edition org with special configuration.
Fill out the form. For Email address, enter an active email address.
- After you fill out the form, click Sign me up.
When you receive the activation email (this might take a few minutes), open it and click Verify Account.
Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.
You are logged in to your superbadge Developer Edition org.
Now, connect your new Developer Edition org to Trailhead.
Make sure you’re logged in to your Trailhead account.
In the Challenge section at the bottom of this page, select Connect Org from the picklist.
On the login screen, enter the username and password for the Developer Edition org you just set up.
On the Allow Access? page, click Allow.
On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge.
Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.
Use Case
Strato-Form Generators has implemented security policies that include quarterly monitoring and auditing activities. While security is always top-of-mind for the org’s administrators, regular scans for potential security vulnerabilities help them keep the org in tip-top shape.
The Salesforce admins at Strato-Form Generators use a team approach to ensure adequate security monitoring. As an admin, you’ve been tasked with auditing users with privileged access and monitoring key data changes on opportunity records.
Business Requirements
This section represents the requirements for your quarterly monitoring responsibilities and the actions you must take to make the org compliant with company policies.
Audit Privileged Users
Strato-Form Generators adheres to the principle of least privilege to maintain a secure Salesforce org. This means that all users should only be given the minimum level of access required to do their jobs—nothing more. When it comes to elevated access and administrative privileges, it’s even more important to make sure access is granted to the right users and for the right amount of time.
But with many layers of permissions and org settings, it's possible to unintentionally grant privileged access or to allow continued access beyond the timeframe required.
Review the privileged access types and company policies below to remind yourself who should be granted certain access levels.
Privileged Access Type | Company Policy |
---|---|
Modify All Data | Only system administrators |
View All Data |
|
Customize Application |
|
Manage Users | Only system administrators |
Delete Opportunities | Sales representatives: NOT authorized to delete opportunity records |
Now, scan your org to see who has privileged access and identify users who may need their access levels adjusted. For the purposes of this superbadge unit, your org has a couple of tools that may be helpful. The actions you take to identify users with privileged permissions will not be checked.
- Cases - Salesforce Ticket record type: The admin team uses the Salesforce Ticket record type on the Case object to manage requests, including onboarding new users and changing access levels. The Closed Salesforce Tickets list view tracks past confirmation of approvals (if applicable) and the actions taken to complete the request.
- User Access and Permissions Assistant (Salesforce Labs package): This AppExchange app has been installed in your org. It gives admins the ability to analyze permissions and permission assignments.
Note: Strato-Form Generators’ policy is to assign permissions in permission sets and permission set groups rather than at the profile level.
Once you’ve identified the two users whose permissions need adjusting, make the necessary changes to bring the user permissions back into compliance with company standards.
Monitor Data Changes
A number of users at Strato-Form Generators have approached the admin team with questions about changes to opportunity records. Since the nature of the inquiries are generally centered around the same fields, you’ve recommended utilizing field history tracking for the following fields.
- Close Date
- Opportunity Owner
- Stage
- Amount
Make sure changes to these fields are tracked, and add the Opportunity Field History related list to the page for the Opportunity Layout.
Then, create a report to track recent changes to all opportunity records with the following requirements. Note: The User Access and Permissions Assistant app includes a Report tab that is different from the standard Reports object.
Field/Filter | Value |
---|---|
Report Name | Opp Field History - Last 7 Days |
Report Unique Name | Opp_Field_History_Last_7_Days |
Folder | Compliance Reports |
Show Me | All Opportunities |
Edit Date | Last 7 Days |
Include | Any |
Great work, your users love you! As you wrap up this field history activity, another high-priority field history task has landed on your desk.
A Strato-Form Generators user accidentally entered a client credit card number in the Preferred Payment Method field on the Grand Hotels & Resorts Ltd account. This field is not encrypted or protected appropriately to store sensitive account data. Luckily, the user realized their error quickly and deleted the number from the field. Phew! But you, the great admin that you are, know that field history tracking is enabled for that field, which means this sensitive data is still exposed.
You’re well aware that deleting field history is an action that shouldn’t be taken lightly. Your organization relies on field history to track important changes for auditing and compliance purposes. However, you also know that Strato-Form Generators has an obligation to its customers to protect their data. You notify your manager of the incident and you have received authorization to only delete the account history records that contain this sensitive information.
To complete this task, enable the deletion of field history for your org and assign yourself a temporary permission set that grants this authority to you. Make sure this permission is labeled Delete Field History
with the API Name Delete_Field_History
and a 1 day expiration date.
Then, use a data import tool, like Data Loader or the free version of dataloader.io, to delete the records that contain the credit card number while maintaining all other account history records. We will not check the method you use to delete these records.
Note: While it is a best practice to convert the Preferred Payment Method field from a text field to a picklist, that’s a task for another day. Take the rest of the day off, you #AwesomeAdmin you—you’ve earned it!