Salesforce Developers, profile picture
Uploaded bySalesforce Developers
PDF, PPTX24,901 views

Introduction to the Salesforce Security Model

The document presents an overview of Salesforce's security model, focusing on various authentication and authorization mechanisms including single sign-on (SSO), OAuth, and application security features such as profiles and permission sets. It outlines the roles of identity providers and service providers in federated authentication and discusses record visibility controls like organization-wide defaults and sharing rules. A demonstration of federated authentication setup and a quiz on security concepts are also included.

Embed presentation

Download as PDF, PPTX
Introduction to the Salesforce Security Model Sridhar Palakurthy, Salesforce.com, Senior Technical Solution Architect Vydianath Iyer, Salesforce.com, Senior Technical Solution Architect
Safe harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Sridhar Palakurthy Senior Technical Solution Architect Salesforce.com
Vydianath Iyer Senior Technical Solution Architect Salesforce.com
Agenda Systems Level Security ▪ Authentication • Single Sign-ON ▪ Authorization • OAuth Application Level Security ▪ Profile ▪ Permission Set ▪ Role ▪ Sharing • Owner ▪ Social Sign-On Q&A • Role Hierarchy • Org Wide Defaults • Sharing Rules
Single Sign-On: Federated Authentication SAML is The standard for Federated Single Sign-On Identity Store is the master of ‘User’ identity. Identity Provider (IdP) is the Identity Assertion Provider Service Provider (SP) is the provider of enterprise services Typical setup consists of One IdP and several SPs. Summer 13 supports multiple IdPs Identity Provider 1. Generate SAML and send to salesforce.com 2. Validate SAML and generate session
SSO Basics: IdP Initiated SAML 2 Identity Provider 1 3 4 • User authenticates at Customer IDP • User is directed to Salesforce (SP) using a link or button • When a link or button is pressed, IDP posts SAML to Salesforce • Salesforce validates SAML and a user session is generated
SSO Basics: SP Initiated SAML Identity Provider MyDomain: A sub-domain used to access a specific Salesforce Organization. Example: https://sp-developer.my. salesforce.com • Request Resource. • Redirect to IDP • User accesses IDP and sends SAML Request • IDP Authenticates. Send SAML Response • Salesforce validates SAML and generates session 1 3 4 2 5
Demo - How to setup Federated Authentication Axiom (Identity Provider) • • • • Configure Service Provider Configure Identity Provider Test Login Examine SAML Token/Assertion Service Provider
What is Delegated Authentication? ProvidesSalesforce. com WSDL • • • Download WSDL from Salesforce.com Implement and Host WSDL Test Login Client Hosts Salesforce.com WSDL
One Time Passwords / 2 Factor Authentication Identity Provider + 2 Factor 2 3 1 4
What is OAuth? An open protocol to authorize secure API access for desktop/mobile client applications Integrates with previous authentication mechanisms • OAuth Authorization 4 2 1Server 3 OAuth Client OAuth client makes a authorization request • The Authorization Server authenticates the user • The user authorizes the application • The application is issued an OAuth token.
When Do I Use What? Userid/Password ▪ When you just want the basics SAML ▪ Single Sign-On for the web applications with commercial support ▪ SAML provides re-use across other Cloud services Delegated Auth ▪ Mobile CRM and older API clients with your own credentials OAuth ▪ Building an API client or mobile application
Social Sign-On ▪ Automatically create and update users and contacts ▪ Single Sign-On makes it easy and keeps them coming back ▪ Deliver applications and services to deepen your relationship
So what’s under the covers? The Auth Providers Framework ▪ Pre-integrated Single Sign-On from branded Identity Services ▪ Automatically create and update Contacts and Users ▪ Full control post authentication data processing ▪ Works for both internal and external users Out of the box support ▪ Facebook: B2C ▪ Salesforce: B2B http://www.janrain.com/salesforce
Application Security
Application Security ▪ Organization Wide Defaults – Record Visibility ▪ Role Herirarchy – Record Visibility by hierarchy ▪ Profiles & Permission Sets – What objects can I access ? ▪ Team Sharing • Account Teams • Sales Teams ▪ Sharing Rules • Manual Sharing • Criteria Based Sharing • Apex Managed Sharing
Data access components
Record Level Security
OP EN UP VI SI BI LIT Y Data(Record) Visibility
Locking Down Data (Record) Access What are your Organization Wide Defaults ? • Baseline level access that all users have for each other’s data • Feature to restrict access (visibility) to records of data Private implies only record owner and roles higher can see the record
Opening Up Record Access - Role Hierarchy Dr. Evil Scott Evil Mini Me Fat B JURGEN RITA NO. 2 FRAU ONE ROLE PER USER Manager has automatic access* to records owned by their subordinates
Opening up access - Team Sharing Account Team – Team of users working together on an account Sales Team - Team of users working together on an opportunity Setting up an Account Team
Opening up Record Access - Sharing Rules Extends access beyond baseline level Share records owned by a role/group with another roles or groups Applied in real time when a record is created or ownership is transferred
Opening up record access - Manual Sharing •A user with owner-like access to a record (the owner, his managers, and administrators have owner-like access) can share it with another user, group, role or role and all subordinate roles •In the case of manual account sharing, access to child opportunities and cases can be granted, too
Opening up Record Access Criteria Based Sharing Rules • Criteria Based Sharing rules open up access to sets of users, groups, roles based on the field values in the data record ID 1 Name Industry Cyber Inc. Federal 2 Universal 3 BizPhone Airline Wireless FEDER AL GROU P
Profiles
What are Profiles ? Defines a user's permission to perform different functions within salesforce.com. • • • • • • • What objects (accounts, leads, contacts etc.) can I access ? What page layouts can I see ? What fields can I access ? Which tabs can I view ? Which record types can I see ? Which Apex Classes are accessible for me ? Which Visualforce Pages can I access ?
Permission Sets
What’s a permission set? A collection of CRUD permissions and settings Extends user’s access without creating a new profile User access controlled by Profile + Permission Sets
Some settings are in profiles but not in permission sets (yet) PROFILES Profile Only: ▪Page Layout Assignments PERMISSION SETS ▪Login IP ranges ▪Login hours ▪Desktop client access Page Layouts IP Ranges Login Hours Desktop Client Access App Permissions Record Types Tab Settings Assigned Apps Object Permissions Field Level Security Apex Classes VisualForce Pages
Demo
Summary
Authentication and Authorization Federated Authentication •Uses SAML •IdP authenticates user and generates an XML “Assertion” •Identity Provider initiated •Service Provider initiated Delegated Authentication •Custom web service which authenticates and returns a true/false OAuth •Token based authorization for an authorized user •“Valet” key to applications •Typical use case - Mobile applications or desktop client applications Social Sign-On Authentication Providers
Roles and Profiles Role controls Data (Record) Visibility What records can John Sales see ? Profile Profile controls Object/Field permissions What CRUD permissions does John have on objects and fields ? Can I access the Account Object (Table) ? Account Id City State 001U000000B.. John Sales Name ABC Corp Spokane WA 001U000000V.. Acme Atlanta GA 001U000000X.. X Net San Francisco CA 001U000000Y.. Universal Air Dallas TX Profile Role Can I access the City Field in the Account Object Can I see the ACME record ?
Quiz Q: A company wants to restrict access to opportunities by owner but open up access to his/her management hierarchy A.Set the organization wide default for opportunities to private Q: John is a chatter only user and needs read access to a custom object , a visual force page and an apex class A.Create a permission set to provide access to the visual force page and apex class and assign John to the permission set Q. Can federated authentication in Salesforce co-exist with delegated authentication? A. Yes Q. Does user need to authenticate during OAuth handshake between a client application and Salesforce? A.Yes
Links & References ▪ Salesforce.com Security Guide • http://www.salesforce.com/us/developer/docs/securityImplGuide/index.htm ▪ Axiom SSO Play Area • https://axiomsso.herokuapp.com/Home.action ▪ JanRain Social Sign-On Providers • http://www.janrain.com/salesforce
Sridhar Palakurthy Vydianath Iyer Senior Technical Solution Architect, Salesforce.com Senior Technical Solution Architect, Salesforce.com
Introduction to the Salesforce Security Model

More Related Content

PPTX
Salesforce data model
byJean Brenda
 
PDF
Getting started with Salesforce security
bySalesforce Admins
 
PPTX
Sharing and security in Salesforce
bySaurabh Kulkarni
 
PPTX
Introduction to Apex for Developers
bySalesforce Developers
 
PPTX
Real Time Integration with Salesforce Platform Events
bySalesforce Developers
 
PDF
Introducing salesforce shield - Paris Salesforce Developer Group - Oct 15
byParis Salesforce Developer Group
 
PDF
Manage Development in Your Org with Salesforce Governance Framework
bySalesforce Developers
 
PPTX
Top Benefits of Salesforce in Business
byFexle Services Pvt. Ltd.
 
Salesforce data model
byJean Brenda
 
Getting started with Salesforce security
bySalesforce Admins
 
Sharing and security in Salesforce
bySaurabh Kulkarni
 
Introduction to Apex for Developers
bySalesforce Developers
 
Real Time Integration with Salesforce Platform Events
bySalesforce Developers
 
Introducing salesforce shield - Paris Salesforce Developer Group - Oct 15
byParis Salesforce Developer Group
 
Manage Development in Your Org with Salesforce Governance Framework
bySalesforce Developers
 
Top Benefits of Salesforce in Business
byFexle Services Pvt. Ltd.
 

What's hot

PPTX
Salesforce integration best practices columbus meetup
byMuleSoft Meetup
 
PPTX
Integrating with salesforce
byMark Adcock
 
PPT
Salesforce Integration
byJoshua Hoskins
 
PPTX
Salesforce Integration Patterns
byusolutions
 
PPT
Salesforce Presentation
byChetna Purohit
 
PDF
Two-Way Integration with Writable External Objects
bySalesforce Developers
 
PPTX
Data model in salesforce
byChamil Madusanka
 
PPTX
Introduction to Salesforce Platform - Basic
bysanskriti agarwal
 
PPT
Security and Your Salesforce Org
bySalesforce Admins
 
PPTX
What Is Salesforce? | Salesforce Training - What Does Salesforce Do? | Salesf...
byEdureka!
 
PPTX
Salesforce administrator training presentation slides
bySalesforce Associates
 
PDF
Setting up Security in Your Salesforce Instance
bySalesforce Developers
 
PPT
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
byYury Bondarau
 
PPTX
Salesforce PPT.pptx
byShaikAllabakshu5
 
PPTX
Salesforce Integration Pattern Overview
byDhanik Sahni
 
PPTX
OAuth with Salesforce - Demystified
byCalvin Noronha
 
PDF
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
bySam Garforth
 
PDF
Salesforce Admin 201-certification Notes
byAslam Tayyab
 
PPTX
Salesforce Streaming event - PushTopic and Generic Events
byDhanik Sahni
 
PDF
Managing the Role Hierarchy at Enterprise Scale
bySalesforce Developers
 
Salesforce integration best practices columbus meetup
byMuleSoft Meetup
 
Integrating with salesforce
byMark Adcock
 
Salesforce Integration
byJoshua Hoskins
 
Salesforce Integration Patterns
byusolutions
 
Salesforce Presentation
byChetna Purohit
 
Two-Way Integration with Writable External Objects
bySalesforce Developers
 
Data model in salesforce
byChamil Madusanka
 
Introduction to Salesforce Platform - Basic
bysanskriti agarwal
 
Security and Your Salesforce Org
bySalesforce Admins
 
What Is Salesforce? | Salesforce Training - What Does Salesforce Do? | Salesf...
byEdureka!
 
Salesforce administrator training presentation slides
bySalesforce Associates
 
Setting up Security in Your Salesforce Instance
bySalesforce Developers
 
Salesforce Security Model (Dmitry Goshko, Igor Haritonovich)
byYury Bondarau
 
Salesforce PPT.pptx
byShaikAllabakshu5
 
Salesforce Integration Pattern Overview
byDhanik Sahni
 
OAuth with Salesforce - Demystified
byCalvin Noronha
 
Salesforce Application Lifecycle Management presented to EA Forum by Sam Garf...
bySam Garforth
 
Salesforce Admin 201-certification Notes
byAslam Tayyab
 
Salesforce Streaming event - PushTopic and Generic Events
byDhanik Sahni
 
Managing the Role Hierarchy at Enterprise Scale
bySalesforce Developers
 

Similar to Introduction to the Salesforce Security Model

PPTX
Salesforce Identity Management
byJayant Jindal
 
PDF
ABCs of Security in the Cloud Webinar
bySalesforce Developers
 
PDF
Taking a Pragmatic Look at the Salesforce Security Model
bySalesforce Developers
 
PDF
What’s new in summer’15 release - Security & Compliance
byShesh Kondi
 
PDF
What’s new in summer’15 release - Security & Compliance
byShesh Kondi
 
PPTX
Salesforce Campus Tour - Developer Intro
byJames Ward
 
PPTX
Top 5 User Problems Admins Solve by Colleen Burnsed & Meagan Diegalman
bySalesforce Admins
 
PPTX
Salesforce Campus Tour - Declarative
byJames Ward
 
PDF
Social Sign-On with Authentication Providers
byDeveloper Force - Force.com Community
 
PDF
Social Sign-On with Authentication Providers Webinar
bySalesforce Developers
 
PDF
ISVs & Salesforce: How to be compliant with GDPR
byHemang Patel
 
PPTX
Finding Security Issues Fast!
bySalesforce Engineering
 
PDF
How to Become a Security-Minded Admin
bySalesforce Admins
 
PDF
Innovation day Oslo FSI breakout
bySalesforce - Sweden, Denmark, Norway
 
PDF
Introduction to Database.com
bySalesforce Developers
 
PDF
How to be a SalesFIERCE Admin - Jared Miller & Davina Hanchuck
bySalesforce Admins
 
PPTX
How to be a SalesFIERCE Salesforce Admin
byJared Miller
 
PPTX
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
PPTX
Admin Webinar—An Admin's Guide to Profiles & Permissions
bySalesforce Admins
 
PDF
Just-In-Time Sharing Using Apex
bySalesforce Developers
 
Salesforce Identity Management
byJayant Jindal
 
ABCs of Security in the Cloud Webinar
bySalesforce Developers
 
Taking a Pragmatic Look at the Salesforce Security Model
bySalesforce Developers
 
What’s new in summer’15 release - Security & Compliance
byShesh Kondi
 
What’s new in summer’15 release - Security & Compliance
byShesh Kondi
 
Salesforce Campus Tour - Developer Intro
byJames Ward
 
Top 5 User Problems Admins Solve by Colleen Burnsed & Meagan Diegalman
bySalesforce Admins
 
Salesforce Campus Tour - Declarative
byJames Ward
 
Social Sign-On with Authentication Providers
byDeveloper Force - Force.com Community
 
Social Sign-On with Authentication Providers Webinar
bySalesforce Developers
 
ISVs & Salesforce: How to be compliant with GDPR
byHemang Patel
 
Finding Security Issues Fast!
bySalesforce Engineering
 
How to Become a Security-Minded Admin
bySalesforce Admins
 
Innovation day Oslo FSI breakout
bySalesforce - Sweden, Denmark, Norway
 
Introduction to Database.com
bySalesforce Developers
 
How to be a SalesFIERCE Admin - Jared Miller & Davina Hanchuck
bySalesforce Admins
 
How to be a SalesFIERCE Salesforce Admin
byJared Miller
 
Secure Development on the Salesforce Platform - Part I
bySalesforce Developers
 
Admin Webinar—An Admin's Guide to Profiles & Permissions
bySalesforce Admins
 
Just-In-Time Sharing Using Apex
bySalesforce Developers
 

More from Salesforce Developers

PDF
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
bySalesforce Developers
 
PDF
Maximizing Salesforce Lightning Experience and Lightning Component Performance
bySalesforce Developers
 
PDF
Local development with Open Source Base Components
bySalesforce Developers
 
PPTX
TrailheaDX India : Developer Highlights
bySalesforce Developers
 
PDF
Why developers shouldn’t miss TrailheaDX India
bySalesforce Developers
 
PPTX
CodeLive: Build Lightning Web Components faster with Local Development
bySalesforce Developers
 
PPTX
CodeLive: Converting Aura Components to Lightning Web Components
bySalesforce Developers
 
PPTX
Enterprise-grade UI with open source Lightning Web Components
bySalesforce Developers
 
PPTX
TrailheaDX and Summer '19: Developer Highlights
bySalesforce Developers
 
PDF
Live coding with LWC
bySalesforce Developers
 
PDF
Lightning web components - Episode 4 : Security and Testing
bySalesforce Developers
 
PDF
LWC Episode 3- Component Communication and Aura Interoperability
bySalesforce Developers
 
PDF
Lightning web components episode 2- work with salesforce data
bySalesforce Developers
 
PDF
Lightning web components - Episode 1 - An Introduction
bySalesforce Developers
 
PDF
Migrating CPQ to Advanced Calculator and JSQCP
bySalesforce Developers
 
PDF
Scale with Large Data Volumes and Big Objects in Salesforce
bySalesforce Developers
 
PDF
Replicate Salesforce Data in Real Time with Change Data Capture
bySalesforce Developers
 
PDF
Modern Development with Salesforce DX
bySalesforce Developers
 
PDF
Get Into Lightning Flow Development
bySalesforce Developers
 
PDF
Integrate CMS Content Into Lightning Communities with CMS Connect
bySalesforce Developers
 
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
bySalesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
bySalesforce Developers
 
Local development with Open Source Base Components
bySalesforce Developers
 
TrailheaDX India : Developer Highlights
bySalesforce Developers
 
Why developers shouldn’t miss TrailheaDX India
bySalesforce Developers
 
CodeLive: Build Lightning Web Components faster with Local Development
bySalesforce Developers
 
CodeLive: Converting Aura Components to Lightning Web Components
bySalesforce Developers
 
Enterprise-grade UI with open source Lightning Web Components
bySalesforce Developers
 
TrailheaDX and Summer '19: Developer Highlights
bySalesforce Developers
 
Live coding with LWC
bySalesforce Developers
 
Lightning web components - Episode 4 : Security and Testing
bySalesforce Developers
 
LWC Episode 3- Component Communication and Aura Interoperability
bySalesforce Developers
 
Lightning web components episode 2- work with salesforce data
bySalesforce Developers
 
Lightning web components - Episode 1 - An Introduction
bySalesforce Developers
 
Migrating CPQ to Advanced Calculator and JSQCP
bySalesforce Developers
 
Scale with Large Data Volumes and Big Objects in Salesforce
bySalesforce Developers
 
Replicate Salesforce Data in Real Time with Change Data Capture
bySalesforce Developers
 
Modern Development with Salesforce DX
bySalesforce Developers
 
Get Into Lightning Flow Development
bySalesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
bySalesforce Developers
 

Recently uploaded

PDF
Manage Network Security (Firewall) in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Run Containers in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Schedule Future Tasks - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Manage Basic Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Create or Remove files and directories - RHCE.pdf
byLinuxCert Guru
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PDF
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
PDF
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
PPTX
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
PDF
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
PPTX
Discover - Assemble - and Gain Insights into your Content with SharePoint Con...
byDrew Madelung
 
PPTX
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
PDF
Why B2B SaaS Firms Should Invest in Data Appending for Marketing List Upgrades
byAndrew Leo
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
Manage Network Security (Firewall) in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Run Containers in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Schedule Future Tasks - RHCSA (RH134).pdf
byLinuxCert Guru
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Manage Basic Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Create or Remove files and directories - RHCE.pdf
byLinuxCert Guru
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
FastTrack CISSP Reference By Jobyer Ahmed
bysocial72
 
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
Discover - Assemble - and Gain Insights into your Content with SharePoint Con...
byDrew Madelung
 
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
Why B2B SaaS Firms Should Invest in Data Appending for Marketing List Upgrades
byAndrew Leo
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 

Introduction to the Salesforce Security Model

  • 1.
    Introduction to theSalesforce Security Model Sridhar Palakurthy, Salesforce.com, Senior Technical Solution Architect Vydianath Iyer, Salesforce.com, Senior Technical Solution Architect
  • 2.
    Safe harbor Safe harborstatement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
  • 3.
    Sridhar Palakurthy Senior TechnicalSolution Architect Salesforce.com
  • 4.
    Vydianath Iyer Senior TechnicalSolution Architect Salesforce.com
  • 5.
    Agenda Systems Level Security ▪Authentication • Single Sign-ON ▪ Authorization • OAuth Application Level Security ▪ Profile ▪ Permission Set ▪ Role ▪ Sharing • Owner ▪ Social Sign-On Q&A • Role Hierarchy • Org Wide Defaults • Sharing Rules
  • 6.
    Single Sign-On: FederatedAuthentication SAML is The standard for Federated Single Sign-On Identity Store is the master of ‘User’ identity. Identity Provider (IdP) is the Identity Assertion Provider Service Provider (SP) is the provider of enterprise services Typical setup consists of One IdP and several SPs. Summer 13 supports multiple IdPs Identity Provider 1. Generate SAML and send to salesforce.com 2. Validate SAML and generate session
  • 7.
    SSO Basics: IdPInitiated SAML 2 Identity Provider 1 3 4 • User authenticates at Customer IDP • User is directed to Salesforce (SP) using a link or button • When a link or button is pressed, IDP posts SAML to Salesforce • Salesforce validates SAML and a user session is generated
  • 8.
    SSO Basics: SPInitiated SAML Identity Provider MyDomain: A sub-domain used to access a specific Salesforce Organization. Example: https://sp-developer.my. salesforce.com • Request Resource. • Redirect to IDP • User accesses IDP and sends SAML Request • IDP Authenticates. Send SAML Response • Salesforce validates SAML and generates session 1 3 4 2 5
  • 9.
    Demo - Howto setup Federated Authentication Axiom (Identity Provider) • • • • Configure Service Provider Configure Identity Provider Test Login Examine SAML Token/Assertion Service Provider
  • 10.
    What is DelegatedAuthentication? ProvidesSalesforce. com WSDL • • • Download WSDL from Salesforce.com Implement and Host WSDL Test Login Client Hosts Salesforce.com WSDL
  • 11.
    One Time Passwords/ 2 Factor Authentication Identity Provider + 2 Factor 2 3 1 4
  • 12.
    What is OAuth? Anopen protocol to authorize secure API access for desktop/mobile client applications Integrates with previous authentication mechanisms • OAuth Authorization 4 2 1Server 3 OAuth Client OAuth client makes a authorization request • The Authorization Server authenticates the user • The user authorizes the application • The application is issued an OAuth token.
  • 13.
    When Do IUse What? Userid/Password ▪ When you just want the basics SAML ▪ Single Sign-On for the web applications with commercial support ▪ SAML provides re-use across other Cloud services Delegated Auth ▪ Mobile CRM and older API clients with your own credentials OAuth ▪ Building an API client or mobile application
  • 14.
    Social Sign-On ▪ Automaticallycreate and update users and contacts ▪ Single Sign-On makes it easy and keeps them coming back ▪ Deliver applications and services to deepen your relationship
  • 15.
    So what’s underthe covers? The Auth Providers Framework ▪ Pre-integrated Single Sign-On from branded Identity Services ▪ Automatically create and update Contacts and Users ▪ Full control post authentication data processing ▪ Works for both internal and external users Out of the box support ▪ Facebook: B2C ▪ Salesforce: B2B http://www.janrain.com/salesforce
  • 16.
  • 17.
    Application Security ▪ OrganizationWide Defaults – Record Visibility ▪ Role Herirarchy – Record Visibility by hierarchy ▪ Profiles & Permission Sets – What objects can I access ? ▪ Team Sharing • Account Teams • Sales Teams ▪ Sharing Rules • Manual Sharing • Criteria Based Sharing • Apex Managed Sharing
  • 18.
  • 19.
  • 20.
  • 21.
    Locking Down Data(Record) Access What are your Organization Wide Defaults ? • Baseline level access that all users have for each other’s data • Feature to restrict access (visibility) to records of data Private implies only record owner and roles higher can see the record
  • 22.
    Opening Up RecordAccess - Role Hierarchy Dr. Evil Scott Evil Mini Me Fat B JURGEN RITA NO. 2 FRAU ONE ROLE PER USER Manager has automatic access* to records owned by their subordinates
  • 23.
    Opening up access- Team Sharing Account Team – Team of users working together on an account Sales Team - Team of users working together on an opportunity Setting up an Account Team
  • 24.
    Opening up RecordAccess - Sharing Rules Extends access beyond baseline level Share records owned by a role/group with another roles or groups Applied in real time when a record is created or ownership is transferred
  • 25.
    Opening up recordaccess - Manual Sharing •A user with owner-like access to a record (the owner, his managers, and administrators have owner-like access) can share it with another user, group, role or role and all subordinate roles •In the case of manual account sharing, access to child opportunities and cases can be granted, too
  • 26.
    Opening up RecordAccess Criteria Based Sharing Rules • Criteria Based Sharing rules open up access to sets of users, groups, roles based on the field values in the data record ID 1 Name Industry Cyber Inc. Federal 2 Universal 3 BizPhone Airline Wireless FEDER AL GROU P
  • 27.
  • 28.
    What are Profiles? Defines a user's permission to perform different functions within salesforce.com. • • • • • • • What objects (accounts, leads, contacts etc.) can I access ? What page layouts can I see ? What fields can I access ? Which tabs can I view ? Which record types can I see ? Which Apex Classes are accessible for me ? Which Visualforce Pages can I access ?
  • 29.
  • 30.
    What’s a permissionset? A collection of CRUD permissions and settings Extends user’s access without creating a new profile User access controlled by Profile + Permission Sets
  • 31.
    Some settings arein profiles but not in permission sets (yet) PROFILES Profile Only: ▪Page Layout Assignments PERMISSION SETS ▪Login IP ranges ▪Login hours ▪Desktop client access Page Layouts IP Ranges Login Hours Desktop Client Access App Permissions Record Types Tab Settings Assigned Apps Object Permissions Field Level Security Apex Classes VisualForce Pages
  • 32.
  • 33.
  • 34.
    Authentication and Authorization FederatedAuthentication •Uses SAML •IdP authenticates user and generates an XML “Assertion” •Identity Provider initiated •Service Provider initiated Delegated Authentication •Custom web service which authenticates and returns a true/false OAuth •Token based authorization for an authorized user •“Valet” key to applications •Typical use case - Mobile applications or desktop client applications Social Sign-On Authentication Providers
  • 35.
    Roles and Profiles Rolecontrols Data (Record) Visibility What records can John Sales see ? Profile Profile controls Object/Field permissions What CRUD permissions does John have on objects and fields ? Can I access the Account Object (Table) ? Account Id City State 001U000000B.. John Sales Name ABC Corp Spokane WA 001U000000V.. Acme Atlanta GA 001U000000X.. X Net San Francisco CA 001U000000Y.. Universal Air Dallas TX Profile Role Can I access the City Field in the Account Object Can I see the ACME record ?
  • 36.
    Quiz Q: A company wantsto restrict access to opportunities by owner but open up access to his/her management hierarchy A.Set the organization wide default for opportunities to private Q: John is a chatter only user and needs read access to a custom object , a visual force page and an apex class A.Create a permission set to provide access to the visual force page and apex class and assign John to the permission set Q. Can federated authentication in Salesforce co-exist with delegated authentication? A. Yes Q. Does user need to authenticate during OAuth handshake between a client application and Salesforce? A.Yes
  • 37.
    Links & References ▪Salesforce.com Security Guide • http://www.salesforce.com/us/developer/docs/securityImplGuide/index.htm ▪ Axiom SSO Play Area • https://axiomsso.herokuapp.com/Home.action ▪ JanRain Social Sign-On Providers • http://www.janrain.com/salesforce
  • 38.
    Sridhar Palakurthy Vydianath Iyer SeniorTechnical Solution Architect, Salesforce.com Senior Technical Solution Architect, Salesforce.com