Throughout my B2B marketing career, many things have changed, especially digital marketing. Monitoring which solutions (apps and packages) have been installed in Salesforce is necessary, because every installed package runs with the access its permissions grant, not with the access of the User who installed it.
To control which Users in Salesforce can install which solutions, an Admin must enable App Allowlisting (formerly called Whitelisting). To learn more about how to enable App Allowlisting in Salesforce, check out tip number four in this post: Top Five Salesforce Security Tips to Make Your Instance More Secure.
Admin Permissions
Everyone knows that protecting Salesforce data is important. However, understanding how to configure profiles, roles and permission sets so that only the right people have access to the right data can be complex.
As mentioned above, only a handful of Users should be Salesforce System Administrators within your Org. Salesforce Admins have "God-like" powers: they can read, change or export every record, change every other User's access, and alter the security configuration itself, so each additional Admin is one more account whose compromise or mistake affects the whole Org. Below is a rough guideline for the maximum number of Admins relative to the number of Salesforce Users:
| Number of Salesforce Users | Maximum Number of Admins |
|---|---|
| 1 – 50 | 2 |
| 51 – 100 | 4 |
| 101 – 1,000 | 6 |
| 1,001+ | 10 |
Another term I wasn't familiar with as an Accidental Admin is the concept of a "Ghost Admin". A Ghost Admin is a User in Salesforce who is not on the System Administrator Profile but holds one or more of the following system permissions (through a Profile or a Permission Set):
1) Manage Users: create Users, reset passwords and change Profiles and Permission Sets, which means the User can grant themselves, or anyone else, full Admin access.
2) Modify All Data: read, edit and delete every record in the Org regardless of sharing rules or record ownership.
3) Weekly Data Export: pull a copy of the entire Org's data out of Salesforce.
Giving a User one (or more) of these permissions is effectively a workaround: it grants access comparable to a System Administrator without assigning the System Administrator Profile, so the User does not show up in a count of Admins. Ghost Admins make your Org less stable and less secure. They are especially problematic because generally they are not Users who are well versed in the Setup area of Salesforce (relative to a certified Admin), yet they hold the power to change it.
We recommend no Ghost Admins exist within your Org (stay tuned for a blog post on how to spot Ghost Admins and what to do).
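As an added example (not code from the original post), the query and script below show one way to spot Ghost Admins through the API. The SOQL runs against PermissionSetAssignment, which covers both profile-owned and standalone Permission Sets, and the Python function filters the parsed query result down to Users who get one of the three permissions from anything other than the System Administrator Profile. The sample response, usernames, Profile names and Permission Set names are constructed.

```python
"""Spot Ghost Admins from the Salesforce REST API.

Added example, not from the original post. The query result below is a
constructed sample in the shape /services/data/vXX.0/query?q=... returns.
"""
import json

# The three system permissions the post treats as admin-equivalent, keyed by
# the PermissionSet field that exposes each of them.
GHOST_ADMIN_PERMISSIONS = {
    "PermissionsManageUsers": "Manage Users",
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsDataExport": "Weekly Data Export",
}

# Profiles are represented by profile-owned permission sets, so one query over
# PermissionSetAssignment covers grants from profiles and from permission sets.
GHOST_ADMIN_SOQL = """
SELECT Assignee.Username, Assignee.IsActive,
       PermissionSet.Name, PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name,
       PermissionSet.PermissionsManageUsers,
       PermissionSet.PermissionsModifyAllData,
       PermissionSet.PermissionsDataExport
FROM PermissionSetAssignment
WHERE Assignee.IsActive = true
  AND (PermissionSet.PermissionsManageUsers = true
       OR PermissionSet.PermissionsModifyAllData = true
       OR PermissionSet.PermissionsDataExport = true)
"""


def find_ghost_admins(query_result, admin_profile="System Administrator"):
    """Return {username: [grants]} for every active user who receives one of the
    three permissions from anything other than the System Administrator profile.

    Each grant is labelled with its source so the fix (remove a permission set,
    or trim a custom profile) is obvious from the report.
    """
    findings = {}
    for rec in query_result["records"]:
        ps = rec["PermissionSet"]
        profile = ps.get("Profile") or {}
        if ps["IsOwnedByProfile"]:
            if profile.get("Name") == admin_profile:
                continue  # a real System Administrator, not a ghost
            source = "profile " + profile.get("Name", "<unknown>")
        else:
            source = "permission set " + ps["Name"]
        username = rec["Assignee"]["Username"]
        for field, label in GHOST_ADMIN_PERMISSIONS.items():
            if ps.get(field):
                findings.setdefault(username, set()).add(f"{label} via {source}")
    return {user: sorted(grants) for user, grants in findings.items()}


# Constructed sample response: one real admin, one profile-based ghost admin,
# one permission-set-based ghost admin. Names and IDs are made up.
SAMPLE_QUERY_RESULT = json.loads("""
{"totalSize": 3, "done": true, "records": [
  {"Assignee": {"Username": "sysadmin@example.com", "IsActive": true},
   "PermissionSet": {"Name": "X00e000000000001", "IsOwnedByProfile": true,
     "Profile": {"Name": "System Administrator"},
     "PermissionsManageUsers": true, "PermissionsModifyAllData": true,
     "PermissionsDataExport": true}},
  {"Assignee": {"Username": "marketing.ops@example.com", "IsActive": true},
   "PermissionSet": {"Name": "X00e000000000002", "IsOwnedByProfile": true,
     "Profile": {"Name": "Marketing User"},
     "PermissionsManageUsers": false, "PermissionsModifyAllData": true,
     "PermissionsDataExport": false}},
  {"Assignee": {"Username": "sales.analyst@example.com", "IsActive": true},
   "PermissionSet": {"Name": "Report_Exporter", "IsOwnedByProfile": false,
     "Profile": null,
     "PermissionsManageUsers": false, "PermissionsModifyAllData": false,
     "PermissionsDataExport": true}}
]}
""")

if __name__ == "__main__":
    print(json.dumps(find_ghost_admins(SAMPLE_QUERY_RESULT), indent=2))
```

Run against a real Org, the same function takes the parsed body of the query endpoint; the real System Administrator is skipped, while the Marketing User profile (Modify All Data) and the Report_Exporter permission set (Weekly Data Export) are reported with their source, which tells you whether to edit a Profile or unassign a Permission Set.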
Rolling 24-hour API Limit
Another item I wasn't aware of as an Accidental Admin is the rolling 24-hour API limit. Every Salesforce Org has a ceiling on the number of API calls it can make within any 24-hour window. The figure depends on your edition and user licenses, and because the window rolls, usage does not reset at midnight; it only drops as calls made 24 hours earlier age out.
Monitoring your API call level throughout the day is critical. Once the limit is reached, Salesforce rejects further calls (the error returned is REQUEST_LIMIT_EXCEEDED) until usage falls back under the limit; this is the "cooling-down" period. Every integration that relies on API calls to pass information back and forth stops syncing until that period has passed, so a single runaway integration can take down all the others that share the Org's allowance.
Continuously monitoring these limits allows a proactive plan to be created before the cooling-down period sets in. The current 24-hour usage is shown in Setup under System Overview and Company Information, and the REST API exposes the same figures through its limits resource. A Salesforce monitoring tool can be configured to alert you when your Org crosses defined API thresholds. That way, as usage rises, a plan can be actioned to reduce API calls (sending more records per call, lengthening sync intervals, pausing non-critical integrations) to keep critical systems up and running.
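Below is an added example (not code from the original post) of the threshold logic such monitoring needs, written in Python against the JSON that the REST limits resource returns. It goes one step beyond alerting and also answers the question the cooling-down period forces: does a planned sync fit in the remaining headroom? The sample numbers are constructed, and the thresholds, the 10% reserve and the 200-records-per-call figure are assumptions.

```python
"""Threshold alerting for the rolling 24-hour API limit.

Added example, not from the original post. The functions work on the parsed
JSON body of the REST resource /services/data/vXX.0/limits, whose
DailyApiRequests entry carries the 24-hour ceiling ("Max") and what is left
("Remaining"). The sample numbers below are constructed.
"""
import json

# Alert when usage crosses these fractions of the 24-hour ceiling (assumed values).
DEFAULT_THRESHOLDS = (0.70, 0.85, 0.95)


def api_usage(limits):
    """Return (used, maximum, fraction_used) from the DailyApiRequests entry."""
    entry = limits["DailyApiRequests"]
    maximum, remaining = entry["Max"], entry["Remaining"]
    used = maximum - remaining
    return used, maximum, used / maximum


def crossed_thresholds(limits, thresholds=DEFAULT_THRESHOLDS):
    """Thresholds already crossed, ascending; each one is a separate alert level."""
    fraction = api_usage(limits)[2]
    return [t for t in sorted(thresholds) if fraction >= t]


def calls_available(limits, reserve_fraction=0.10):
    """Calls that can still be spent while keeping a reserve (assumed 10%) for
    business-critical integrations.

    The window is rolling: this number recovers only as calls made roughly 24
    hours ago age out of the window, not at midnight, so a burst now can starve
    integrations for most of tomorrow as well.
    """
    used, maximum, _ = api_usage(limits)
    reserve = int(maximum * reserve_fraction)
    return max(0, maximum - reserve - used)


def plan_batch(limits, records, records_per_call=200, reserve_fraction=0.10):
    """Decide before a sync starts whether `records` rows fit in the headroom.

    records_per_call is how many rows one API call carries; 200 is the ceiling
    for an sObject Collections request, which is why batching cuts call volume.
    Returns (fits, calls_needed, calls_available).
    """
    needed = -(-records // records_per_call)  # ceiling division
    available = calls_available(limits, reserve_fraction)
    return needed <= available, needed, available


# Constructed sample: a 15,000-call org that has already spent 12,900 calls
# in the current 24-hour window. Other entries of the real response are omitted.
SAMPLE_LIMITS = json.loads("""
{"DailyApiRequests": {"Max": 15000, "Remaining": 2100}}
""")

if __name__ == "__main__":
    used, maximum, fraction = api_usage(SAMPLE_LIMITS)
    print(f"{used}/{maximum} calls used ({fraction:.0%}); alerts: {crossed_thresholds(SAMPLE_LIMITS)}")
    fits, needed, available = plan_batch(SAMPLE_LIMITS, records=150_000)
    print(f"150k-record sync needs {needed} calls, {available} available: {'ok' if fits else 'postpone'}")
```

With the sample figures the Org is at 86% and has tripped the 70% and 85% alerts; after the 10% reserve only 600 calls remain, so a 150,000-record sync (750 calls at 200 records each) should be postponed while a 100,000-record one (500 calls) still fits. Polling the limits resource on a schedule and feeding it into these functions is the "monitoring tool" the text describes, reduced to its decision logic.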
Wrap Up
I hope you found this post helpful and are walking away with actionable insights on how to manage a more secure instance of Salesforce. Have questions about Salesforce best practices? Sign up for our newsletter! We send out a monthly recap of our latest Salesforce content, including articles on security best practices, actionable insight on Salesforce optimization for enterprises, and more.


