Are Your Salesforce Permissions Protecting You - or Exposing You?

Key Highlights

  • Cyera Research Labs analyzed Salesforce environments and found that over 80% of access is still managed through profiles rather than permission sets - a major deviation from Salesforce’s best-practice model.

  • A quarter of users rely solely on profiles, creating rigidity, overexposure, and significant audit challenges.

  • Excessive use of high-privilege permissions (like Modify All Data and View All Data) creates potential for massive data loss and unauthorized access.

  • One environment had 30% of users with admin-level access - a clear indicator of governance breakdown.

  • Key takeaway: Salesforce security must evolve from a static configuration mindset to a living governance process that continuously adapts as teams and integrations change.

Why This Matters

Salesforce sits at the center of many organizations’ customer data ecosystems. Its layered permission model is both powerful and perilous - enabling precise access control, but also opening the door to silent overexposure when not managed correctly.

Cyera Research Labs’ analysis reveals that many organizations unintentionally grant excessive privileges, either for convenience or due to legacy configurations. When users or systems have more access than they should, data privacy, compliance, and integrity are all at risk.

Salesforce security isn’t a “set it and forget it” exercise. It’s an ongoing discipline - one that requires constant review, clear role boundaries, and visibility into who holds the digital keys to your most valuable data.

This article is the first in our Salesforce Access Control Deep Dive series. We’ll start with the foundation - how profiles, permission sets, and permission set groups really shape what users can do - before exploring record-level access, sharing models, and data exposure in upcoming posts.

Understanding Salesforce Access Architecture

In Salesforce, everything starts with profiles. They determine what each user can do and which data they can see. Each user must be assigned a single profile upon creation in the platform, and no user can have more than one. This profile provides the base-level permissions that determine the user’s access within the organization. Yet when profiles are packed with too many permissions, they multiply and evolve into profile sprawl, creating complexity and audit challenges.

A better approach is to keep profiles minimal and manage extra privileges with permission sets, which are very similar to profiles except that multiple permission sets can be assigned to a single user. Since profile changes affect all assigned users, it is recommended to keep profiles lean in order to reduce risk.

To simplify administration further, permission set groups bundle multiple permission sets (e.g., reporting, management, or data access) into one logical collection, making it easier to assign and review user access.

In a well-managed Salesforce org, profiles define only basic access, while permission sets grant role-specific privileges and permission set groups bundle them by function. This creates a modular, scalable, and secure access model that’s easy to manage and audit.

In one recent analysis, a quarter of users relied solely on profiles for access - five times higher than best-practice benchmarks. This reliance signals rigid access control and a likely overexposure of data.

In addition to the high number of users relying solely on profiles, the analysis revealed that over 80% of access is managed at the profile level rather than through permission sets, a practice that goes against Salesforce’s recommended access model. Managing access primarily through profiles reduces flexibility, makes it harder to apply least-privilege principles, and complicates ongoing maintenance as business needs evolve. This indicates a strong need to shift toward a permission-set–driven approach for more granular, scalable, and secure access management.

The Nuclear Buttons: High-Privilege Permissions

Salesforce also includes a handful of permissions that override the entire sharing model. The Salesforce sharing model controls who can see or edit specific records based on their role and responsibilities. It ensures that users access only the data that’s relevant to them, maintaining both data privacy and collaboration across the organization. These override permissions are powerful tools for administrators but dangerous if misused.

  • View All Data gives a user read-only access to every record in the org, regardless of certain sharing model controls.
  • Modify All Data goes further, granting read/write/delete access to all records, essentially turning the user into a super-admin.

In many organizations, excessive administrative privileges are sometimes granted temporarily for convenience - for example, to expedite a project or resolve a technical issue. However, when permissions such as “Modify All Data” are assigned too broadly, even well-intentioned users can inadvertently cause widespread data loss or configuration errors. This risk underscores the importance of applying the principle of least privilege: restricting powerful permissions to a minimal number of vetted administrators and enforcing time-bound, auditable access for any temporary elevation of privileges.

Best practice here is straightforward: grant these permissions sparingly, monitor their usage, and review assignments regularly. If you wouldn’t hand someone the keys to your office building after hours, don’t hand them “Modify All Data.”

The analysis also showed that in most accounts, only 5% of users hold admin-level access, which aligns with typical governance standards. However, several environments showed admin assignments roughly six times higher than the typical baseline; some even stood out with around 30% of users assigned as admins, a clear sign of weak access control and a lack of role management. Such a high concentration of administrative privileges suggests that permissions are not being properly managed or reviewed, increasing the risk of misconfigurations, data exposure, and compliance issues.

What is the right way to manage Salesforce Access + Summary

Effective access management in Salesforce should be built on the principle of least privilege, giving users only the access they need to perform their roles, and nothing more. The foundation of this model starts with profiles defining baseline access, while permission sets and permission set groups are used to grant additional access as needed. This modular approach allows administrators to maintain consistency and control while supporting flexibility as users’ responsibilities evolve.

Instead of relying heavily on profiles, which can quickly become rigid and difficult to scale, organizations should aim to manage the majority of access through permission sets.

For example, rather than creating multiple profiles for slightly different roles, a single profile can serve as a base, and additional access can be layered through reusable permission sets - simplifying governance and reducing administrative overhead.

Finally, admins should periodically analyze who has elevated privileges, ensure that admin access is limited to a small percentage of trusted users, and validate that permission assignments align with actual job needs.
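The periodic review described above can be scripted against an export of permission assignments. The following is an added example, not part of the original article or Cyera's tooling: it assumes rows flattened from Salesforce's PermissionSetAssignment object (where each profile appears as a profile-owned permission set), uses constructed sample data, and treats Modify All Data as the proxy for admin-level access.

```python
from collections import defaultdict

# Assumed input: one dict per PermissionSetAssignment row for active users, e.g.
# flattened from a SOQL export of Assignee.Username, PermissionSet.Name,
# PermissionSet.IsOwnedByProfile, PermissionSet.PermissionsModifyAllData and
# PermissionSet.PermissionsViewAllData. Every user has one profile-owned row.
def row(user, name, profile_owned, modify_all=False, view_all=False):
    return {"user": user, "name": name, "profile_owned": profile_owned,
            "modify_all": modify_all, "view_all": view_all}

# Constructed sample data, not taken from any real org.
SAMPLE_ROWS = [
    row("ana@example.com", "Standard Base", True),
    row("ana@example.com", "Reporting", False),
    row("ben@example.com", "Standard Base", True),
    row("cho@example.com", "System Administrator", True, True, True),
    row("dev@example.com", "Standard Base", True),
    row("dev@example.com", "Temp Migration", False, True, True),
    row("eli@example.com", "Standard Base", True),
    row("eli@example.com", "Support Read All", False, view_all=True),
]
HIGH_PRIV = {"modify_all": "Modify All Data", "view_all": "View All Data"}

def pct(part, total):
    return round(100 * part / total, 1) if total else 0.0

def audit(rows):
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    profile_only, findings = [], []
    for user, grants in sorted(by_user.items()):
        # No permission set beyond the profile: access is managed by profile alone.
        if all(g["profile_owned"] for g in grants):
            profile_only.append(user)
        for g in grants:
            source = "profile" if g["profile_owned"] else "permission set"
            findings += [(user, label, source, g["name"])
                         for field, label in HIGH_PRIV.items() if g[field]]
    # Assumption: holding Modify All Data is used as the proxy for admin-level access.
    admins = sorted({f[0] for f in findings if f[1] == "Modify All Data"})
    total = len(by_user)
    return {"total_users": total, "findings": findings,
            "profile_only": profile_only, "profile_only_pct": pct(len(profile_only), total),
            "admins": admins, "admin_pct": pct(len(admins), total)}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROWS).items():
        print(key, value)
```

Findings whose source is "profile" identify profiles that should be slimmed down, while a high-privilege permission set such as the constructed "Temp Migration" is a candidate for time-bound assignment and removal.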

A strategic pillar of data governance

Salesforce access management isn’t a technical chore - it’s a strategic pillar of data governance. By minimizing profiles, modularizing privilege with permission sets, and restricting high-impact permissions, organizations can achieve both agility and control.

In the next part of this series, we’ll go deeper into Record-Level Access, Public Data Exposure, and Elevated Privileges, showing how to design an access model that scales securely with your business.
