> For the complete documentation index, see [llms.txt](https://docs.balkan.id/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.balkan.id/iam-risk-analyzer/segregation-of-duties-iam-risk-analyzer/iam-risk-analysis-salesforce.md).

# IAM Risk Analysis - Salesforce

### Overview

This section outlines how Segregation of Duties (SoD) policies across Salesforce are implemented, configured, validated, and operationalized within BalkanID IAM Risk Analyzer.

The objective is to transition from static access reviews and permission audits to a continuous, measurable governance program that integrates risk detection, access certification, and remediation into the organization’s Salesforce access lifecycle.

Salesforce access risks commonly arise from combinations of:

* Profiles
* Permission Sets
* Permission Set Groups
* System Permissions
* Administrative Privileges
* API / Integration Access

When these privileges are combined improperly, they may allow a single user to create, approve, modify, and audit the same transaction, violating segregation of duties principles.

BalkanID IAM Risk Analyzer continuously evaluates these combinations to detect toxic access patterns, excessive privileges, and governance violations.

### Implementation

**Phase 1:** Policy Definition & Baseline Establishment

Objective: Define and validate SoD policy scope across Salesforce modules, administrative functions, and operational processes.

Activities include:

* Identify Salesforce clouds and operational areas in scope:
  * Sales Cloud
  * Service Cloud
  * Platform / Custom Objects
  * User & Role Administration
  * Profiles and Permission Sets
  * Integrations and Connected Applications
* Define baseline toxic permission combinations aligned to governance best practices.
* Categorize SoD rules based on risk severity: LOW, MEDIUM, HIGH, CRITICAL
* Validate rule logic against:
  * Profiles
  * Permission Sets
  * Permission Set Groups
  * Object-level permissions
  * Integration identities

Outcome: A formally approved Salesforce SoD policy library ready for configuration within BalkanID IAM Risk Analyzer.

**Phase 2:** Rule Configuration in BalkanID IAM Risk Analyzer - Finding Rule for SoD detection

User-Generated Insights can be used to write SoD rules, and the resulting insights can be aggregated into a Finding that raises an actionable risk alert. Findings carry the broader risk context (the conflicting permissions and where they were granted) and are used to trigger automated workflows.

Examples:

***Use Case 1:*** User Administration vs Security Configuration

Salesforce permissions allow the same user to both manage identities (create and manage users) and configure security (profiles, permission sets and security policies).

Held together, these let a single user create an account and grant it privileged access without independent oversight.

Risk Impact

* Unauthorized privilege escalation
* Weak governance over privileged access
* Increased insider threat exposure

Violation triggered when a user can:

* Create or manage users
* Modify profiles, permission sets, or security policies

<figure><img src="/files/X7gLZhoTTyy3FjLcZez5" alt=""><figcaption></figcaption></figure>

SoD Detection:

<figure><img src="/files/OB6HHODyvfzRPZuKArqP" alt=""><figcaption></figcaption></figure>

***Use Case 2:*** Sales Operations vs Credit/Refund Processing

Users involved in sales transaction management may also possess authority to issue customer credits or refunds.

Without proper segregation, a single user could manipulate both revenue transactions and financial adjustments.

Risk Impact

* Improper revenue adjustments
* Fraud risk through unauthorized credits
* Financial reporting inaccuracies

<figure><img src="/files/ZWIOvE9ULcsKexwRXixQ" alt=""><figcaption></figcaption></figure>

SoD Detection:

<figure><img src="/files/HM0FpWRYPP64muhgM5zZ" alt=""><figcaption></figcaption></figure>
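Both use cases above depend on the same mechanism: a user's effective permissions are the union of what the profile, the assigned permission sets and the assigned permission set groups grant, and the conflict often exists only at the user level, never inside any single profile or permission set. The script below is an added example that illustrates that evaluation; it is not BalkanID product code, not the product's rule syntax (rules are configured through User-Generated Insights and Findings as described above), and not Salesforce API code. It assumes system permission names that follow the PermissionSet object's field naming (`PermissionsManageUsers`, `PermissionsModifyAllData`, and so on), flattens object-level permissions to `"Object:Flag"` strings, and uses constructed sample data for all users, profiles, permission sets, groups and the `Refund__c` object.

```python
"""
Added example (not BalkanID or Salesforce code): resolve each user's effective
Salesforce permissions from profile + permission sets + permission set groups,
then flag the toxic combinations from the SoD rule library.

Assumptions: system permission names follow the PermissionSet field naming;
object permissions are flattened to "Object:Flag"; all org data is constructed.
"""

# --- constructed sample org -------------------------------------------------
PROFILES = {
    "Sales Ops": {"Opportunity:Edit", "Order:Edit", "PermissionsExportReport"},
    "Help Desk": {"PermissionsManageUsers", "Case:Edit"},
    # Flat model: Modify All Data is not expanded into object-level CRUD here,
    # although a real analyzer must do so because it implies full object access.
    "System Administrator": {
        "PermissionsModifyAllData", "PermissionsManageUsers",
        "PermissionsManageProfilesPermissionsets",
        "PermissionsCustomizeApplication", "PermissionsDataExport",
    },
}
PERMISSION_SETS = {
    "Security Admin": {"PermissionsManageProfilesPermissionsets",
                       "PermissionsCustomizeApplication"},
    "Refund Approver": {"Refund__c:Create", "Refund__c:Edit"},
    "Mute Refund Creation": {"Refund__c:Create"},  # muting permission set
}
# A permission set group grants the union of its members minus its muting sets.
PERMISSION_SET_GROUPS = {
    "Finance Ops": {"members": ["Refund Approver"],
                    "muting": ["Mute Refund Creation"]},
}
USERS = {
    "alice": {"profile": "Help Desk", "permission_sets": ["Security Admin"], "groups": []},
    "bob":   {"profile": "Sales Ops", "permission_sets": ["Refund Approver"], "groups": []},
    "carol": {"profile": "Sales Ops", "permission_sets": [], "groups": ["Finance Ops"]},
    "dave":  {"profile": "Help Desk", "permission_sets": [], "groups": []},
    "erin":  {"profile": "System Administrator", "permission_sets": [], "groups": []},
}

# --- SoD rule library: a violation needs one permission from each side ------
SOD_RULES = [
    {"name": "SoD - User Administration vs Security Config", "severity": "CRITICAL",
     "left": {"PermissionsManageUsers"},
     "right": {"PermissionsManageProfilesPermissionsets",
               "PermissionsCustomizeApplication"}},
    {"name": "SoD - Sales Operations vs Credit/Refund Processing", "severity": "HIGH",
     "left": {"Opportunity:Edit", "Order:Edit"},
     "right": {"Refund__c:Create"}},  # issuing a credit = creating a Refund__c
    {"name": "SoD - System Administrator vs Data Export", "severity": "HIGH",
     "left": {"PermissionsModifyAllData"},
     "right": {"PermissionsDataExport", "PermissionsExportReport"}},
]


def effective_permissions(user):
    """Return {permission: {source, ...}} for one user.

    Grants are additive across profile, permission sets and group members;
    only a group's muting permission set subtracts, and only from what that
    group contributes. Sources are kept so a finding names the assignment
    to remove rather than just the user.
    """
    sources = {}

    def grant(perms, label):
        for perm in perms:
            sources.setdefault(perm, set()).add(label)

    grant(PROFILES[user["profile"]], f"profile:{user['profile']}")
    for ps in user["permission_sets"]:
        grant(PERMISSION_SETS[ps], f"permset:{ps}")
    for group_name in user["groups"]:
        group = PERMISSION_SET_GROUPS[group_name]
        muted = set().union(*(PERMISSION_SETS[m] for m in group["muting"]))
        for member in group["members"]:
            grant(PERMISSION_SETS[member] - muted, f"psg:{group_name}/{member}")
    return sources


def evaluate_user(user):
    """Apply every SoD rule to one user's effective permissions."""
    perms = effective_permissions(user)
    findings = []
    for rule in SOD_RULES:
        left = {p: perms[p] for p in rule["left"] if p in perms}
        right = {p: perms[p] for p in rule["right"] if p in perms}
        if left and right:  # both halves of the conflict held by one identity
            findings.append({"rule": rule["name"], "severity": rule["severity"],
                             "left": left, "right": right})
    return findings


def run_analysis(users=USERS):
    """Map each violating user to its findings; clean users are omitted."""
    return {name: f for name, user in users.items() if (f := evaluate_user(user))}


if __name__ == "__main__":
    for name, findings in run_analysis().items():
        for f in findings:
            print(f"{f['severity']:<8} {name:<6} {f['rule']}")
            for perm, srcs in sorted({**f['left'], **f['right']}.items()):
                print(f"    {perm} via {', '.join(sorted(srcs))}")
```

Two things the output makes visible that a per-profile review misses: `alice` violates the user-administration rule only because her help-desk profile (Manage Users) is combined with a separately assigned permission set, and `carol` does not violate the refund rule because the muting permission set in her permission set group removes `Refund__c:Create`, which is why Phase 1 lists permission set groups as a separate validation target. The source labels on each finding are what an access-certification reviewer needs to choose which assignment to revoke.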

### Baseline SoD Rule Library

| **Rule**                                           | **Categories**                                                               |
| -------------------------------------------------- | ---------------------------------------------------------------------------- |
| SoD - System Administrator vs Data Export          | Segregation of Duties; Data Exfiltration; Confidential Information Exposure |
| SoD - User Administration vs Security Config       | Segregation of Duties; Privileged Access                                     |
| SoD - Sales Operations vs Credit/Refund Processing | Segregation of Duties; Revenue Integrity                                     |

### Control Mapping

| Framework          | Control ID  | Control Title                                                                                  |
| ------------------ | ----------- | ---------------------------------------------------------------------------------------------- |
| SOC 2              | CC6         | Logical and Physical Access Controls                                                           |
| SOX                | Section 404 | Management Assessment of Internal Controls (financial access control and revenue integrity)   |
| ISO/IEC 27001:2013 | A.9         | Access Control                                                                                 |
| ISO/IEC 27001:2013 | A.6.1.2     | Segregation of Duties                                                                          |
| ISO/IEC 27001:2022 | A.5.18      | Access Rights                                                                                  |
| NIST SP 800-53     | AC-5        | Separation of Duties                                                                           |
| NIST SP 800-53     | AC-6        | Least Privilege                                                                                |
| NIST SP 800-53     | AC-2        | Account Management                                                                             |

### Conclusion

Salesforce’s flexible permission architecture enables powerful operational capabilities but requires strong governance controls to prevent privilege sprawl and access conflicts.

The findings identified highlight areas where:

* Access privileges exceed operational requirements
* Segregation between administrative and transactional functions is insufficient
* Identity lifecycle controls may not be consistently enforced

Implementing continuous SoD monitoring through BalkanID IAM Risk Analyzer enables organizations to detect, review, and remediate these risks as part of a sustainable access governance program.
