TL;DR: Over 80% of Salesforce access is still managed through profiles, a quarter of users rely only on profiles, and some environments have 30% admin-level access, creating rigidity, overexposure, and audit problems according to Cyera Research Labs. Static access models are failing because Salesforce governance must behave like a living control process, not a one-time configuration.
At a glance
What this is: Cyera’s analysis shows that Salesforce access is still managed too heavily through profiles, leaving many organisations with rigid permissions and avoidable overexposure.
Why it matters: IAM teams should treat Salesforce as a living entitlement environment, because profile-heavy access, excessive admin rights, and weak review hygiene affect human, NHI, and delegated access patterns alike.
By the numbers:
- 80% of access is still managed through profiles rather than permission sets.
- One environment had 30% of users with admin-level access.
👉 Read Cyera's analysis of Salesforce permission sprawl and admin overexposure
Context
Salesforce permission governance is the discipline of controlling what users can do and what data they can see as business roles change. The problem in this article is not that Salesforce permissions are complex, but that many organisations still treat access as a static setup exercise rather than an ongoing governance process.
That matters because profile-heavy access makes privilege hard to segment, hard to review, and easy to overextend. For identity teams, Salesforce sits in the same control plane as other high-value systems: when access is too coarse, least privilege becomes an aspiration instead of an operational state.
Key questions
Q: How should security teams reduce profile sprawl in Salesforce?
A: Start by making profiles the smallest possible baseline and move functional differences into permission sets and permission set groups. That keeps access changes targeted, avoids broad side effects, and makes entitlement review more practical. The goal is not more configuration objects, but cleaner separation between baseline access and role-specific privilege.
Q: Why do admin-heavy Salesforce environments create governance risk?
A: Admin-heavy environments blur the line between ordinary work and unrestricted access. When too many users can see, change, or delete everything, sharing controls lose value and audit signals become weak. The result is higher blast radius, more misconfiguration risk, and a governance model that no longer reflects real privilege boundaries.
Q: What do security teams get wrong about Salesforce permission reviews?
A: They often review access as if profiles were stable job roles, when in reality business needs and integrations change continuously. If reviews focus only on whether an entitlement exists, they miss whether the access model still fits current work. Effective reviews check both necessity and composition of access.
Q: Who should own elevated access decisions in Salesforce?
A: Elevated access should have a named business and technical owner, with clear justification and a review cycle tied to operational need. Without accountable ownership, admin rights become ambient risk instead of controlled exception. That ownership model is what keeps high-impact permissions from turning into permanent privilege.
Technical breakdown
Profiles versus permission sets in Salesforce access architecture
Salesforce profiles define baseline access for every user, and each user can have only one profile. Permission sets add extra entitlements on top of that base, which is why they are the better mechanism for granular privilege. When organisations push too much into profiles, they create rigid role bundles that are hard to change without unintended side effects. Permission set groups then become the control layer for bundling related entitlements without turning the profile into a dumping ground for exceptions.
Practical implication: keep profiles minimal and move role-specific access into permission sets and groups.
High-privilege Salesforce permissions and sharing model overrides
View All Data and Modify All Data are override-style permissions that can bypass normal sharing boundaries. View All Data gives org-wide read access, while Modify All Data extends to write and delete actions, which effectively creates super-admin behaviour if granted too broadly. These permissions are not dangerous because they exist, but because they collapse the distinction between normal operational access and unrestricted organisational visibility. Once these entitlements spread, sharing rules stop being a meaningful containment layer.
Practical implication: treat override permissions as tightly scoped exceptions with explicit ownership and regular review.
Profile sprawl, admin sprawl, and governance drift
Profile sprawl happens when organisations create too many profile variants to satisfy minor role differences, which makes access governance brittle and audit-heavy. Admin sprawl is the more serious condition: elevated access becomes normalized, temporary exceptions become permanent, and review processes lose the ability to separate legitimate privilege from convenience-based access. In practice, the result is not just excess permission but governance drift, where the access model no longer reflects real business need.
Practical implication: measure how much access is assigned through exceptions, then reduce the number of permanent high-privilege accounts.
Breaches seen in the wild
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Salesforce permission sprawl is a governance failure, not just an administration issue. When over 80% of access sits in profiles, the organisation has collapsed fine-grained entitlement design into a coarse legacy model. That makes least privilege hard to sustain, because every change to a profile affects a broad user population. The practical conclusion is that access design has drifted away from role precision and into structural overexposure.
Admin sprawl turns convenience into standing risk. A 30% admin population is not a normal maturity problem; it is a sign that high-impact permissions are being used as a substitute for proper role engineering and time-bound elevation. Once that happens, audit evidence becomes less meaningful because elevated access no longer signals exceptional need. Practitioners should treat elevated access concentration as a control failure, not an inevitable by-product of scale.
Profile-only access creates an identity governance blind spot. The article’s finding that a quarter of users rely solely on profiles shows how quickly a static model becomes the default operating model. That is a named failure mode we can call profile-bound entitlement rigidity: access becomes locked into a base configuration that is too broad for precision and too rigid for change. The implication is that identity teams need to rethink how access is composed, reviewed, and changed over time.
Salesforce permissions should be governed as living entitlements, not one-off setup work. The article reinforces a broader control truth across identity programmes: static configuration assumptions break when business teams, integrations, and data flows keep changing. In NIST CSF terms, access governance belongs in an ongoing protect and govern cycle, not in occasional clean-up. The practical conclusion is that entitlement review must become continuous operational work, not an annual audit event.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often entitlement inventory remains incomplete even before review begins.
- For the broader lifecycle context, see the NHI Lifecycle Management Guide for the operational link between provisioning, review, and offboarding.
What this signals
The immediate signal for IAM leaders is that Salesforce access governance should be treated as entitlement engineering, not administrative cleanup. Once permission design becomes profile-heavy, every future change becomes more expensive and more brittle. That is why a documented access model and review cadence matter more than one-off remediation.
Profile-bound entitlement rigidity: When base profiles carry too much business logic, organisations lose the ability to adapt access without creating hidden exceptions. That pattern often surfaces first in CRM environments, then spreads into adjacent systems when teams reuse the same governance shortcuts.
The broader lesson is that identity governance needs to follow the data, not just the directory. When a platform like Salesforce holds customer data, permission drift becomes a business-risk issue that should be handled alongside control mapping in the NIST Cybersecurity Framework 2.0.
For practitioners
- Minimise profile scope: Reduce profiles to baseline access only, then move differentiated permissions into permission sets and permission set groups so changes do not ripple across entire user populations.
- Inventory all override permissions: List every user with View All Data, Modify All Data, or equivalent super-user access, then require a named business justification and an explicit owner for each entitlement.
- Review admin concentration regularly: Track the percentage of users with admin-level access and investigate any environment where elevated access moves far beyond a small trusted control group.
- Convert exceptions into timed access: Replace convenience-based permanent elevation with auditable, time-bound assignments so temporary operational need does not become standing privilege.
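The override inventory and admin-concentration checks above, and the profile-versus-permission-set metrics from the technical breakdown, can be computed from a single PermissionSetAssignment export. The script below is an added example, not Cyera's or NHIMG's code; it runs on constructed sample rows shaped like the SOQL result shown in the comments, and assumes that "access managed through profiles" is measured as the share of assignment rows coming from a profile-owned permission set.

```python
from collections import defaultdict

# Constructed sample rows (not real org data), shaped like the result of
#   SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile,
#          PermissionSet.PermissionsViewAllData, PermissionSet.PermissionsModifyAllData
#   FROM PermissionSetAssignment
# Salesforce backs every profile with a hidden permission set (IsOwnedByProfile = true),
# so each user has exactly one profile-owned row plus zero or more real permission sets.
ASSIGNMENTS = [
    {"user": "alice", "ps": "Sales_User", "profile": True, "vad": False, "mad": False},
    {"user": "alice", "ps": "Quote_Approver", "profile": False, "vad": False, "mad": False},
    {"user": "bob", "ps": "Sales_User", "profile": True, "vad": False, "mad": False},
    {"user": "carol", "ps": "System_Administrator", "profile": True, "vad": True, "mad": True},
    {"user": "dave", "ps": "Support_User", "profile": True, "vad": False, "mad": False},
    {"user": "dave", "ps": "Data_Export", "profile": False, "vad": True, "mad": False},
]


def entitlement_metrics(rows):
    """Hypothetical helper: return the drift metrics the article reports.

    profile_share      - fraction of assignment rows owned by a profile (assumption:
                         this is the proxy for 'access managed through profiles')
    profile_only_share - fraction of users whose only assignment is their profile
    admin_share        - fraction of users holding Modify All Data (admin-level)
    override_holders   - user -> permission sets granting View/Modify All Data,
                         i.e. the list that needs a named owner and justification
    """
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    n_users = len(by_user)
    profile_only = sum(all(r["profile"] for r in rs) for rs in by_user.values())
    profile_rows = sum(r["profile"] for r in rows)
    admins = {r["user"] for r in rows if r["mad"]}
    overrides = defaultdict(list)
    for r in rows:
        if r["vad"] or r["mad"]:
            overrides[r["user"]].append(r["ps"])
    return {
        "profile_share": profile_rows / len(rows),
        "profile_only_share": profile_only / n_users,
        "admin_share": len(admins) / n_users,
        "override_holders": dict(overrides),
    }


if __name__ == "__main__":
    for name, value in entitlement_metrics(ASSIGNMENTS).items():
        print(f"{name}: {value}")
```

Replacing ASSIGNMENTS with the rows returned by the SOQL query gives the same four figures for a live org, so the admin and profile-only shares can be tracked across review cycles.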
Key takeaways
- Salesforce access becomes risky when organisations use profiles as the main vehicle for privilege instead of keeping them as a minimal base layer.
- Cyera’s analysis shows that excessive admin access and profile-only access are not edge cases, but indicators of governance drift and overexposure.
- Teams should respond by shrinking profile scope, moving privilege into permission sets, and reviewing high-impact access as a living control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access permissions must reflect least privilege and role need. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Excessive access and unmanaged permissions mirror common NHI governance failures. |
| NIST Zero Trust (SP 800-207) | AC-4 | Segmentation and continuous verification depend on precise entitlement boundaries. |
Map Salesforce entitlements to PR.AC-4 and remove excess privilege from profiles and admin accounts.
Key terms
- Permission Set: A permission set is an additive access package in Salesforce that grants extra privileges without changing the base profile. It is the preferred way to extend access because it keeps the underlying role definition small and makes review and reuse easier across different users and functions.
- Profile Sprawl: Profile sprawl is the accumulation of too many profile variants to handle small access differences. It makes governance brittle because access logic gets buried in duplicated base configurations, which increases review effort and makes it harder to understand who can do what.
- Standing Privilege: Standing privilege is access that remains in place by default instead of being granted only when needed. In identity governance, it increases risk because broad or permanent entitlement is easier to misuse, harder to justify, and more likely to outlive the role or task it was meant to support.
Deepen your knowledge
Salesforce permission governance, entitlement review, and least-privilege design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are formalising access governance in a platform like Salesforce, the course is a practical place to start.
This post draws on content published by Cyera: Are Your Salesforce Permissions Protecting You, or Exposing You? Read the original.
Published by the NHIMG editorial team on 2025-11-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org