Salesforce permissions and admin sprawl: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator

TL;DR: According to Cyera Research Labs, over 80% of Salesforce access is still managed through profiles, a quarter of users rely only on profiles, and some environments grant admin-level access to 30% of users, creating rigidity, overexposure, and audit problems. Static access models are failing because Salesforce governance has to behave like a living control process, not a one-time configuration.

NHIMG editorial — based on content published by Cyera: Are Your Salesforce Permissions Protecting You, or Exposing You?

By the numbers:

Questions worth separating out

Q: How should security teams reduce profile sprawl in Salesforce?

A: Start by making profiles the smallest possible baseline and move functional differences into permission sets and permission set groups.

Q: Why do admin-heavy Salesforce environments create governance risk?

A: Admin-heavy environments blur the line between ordinary work and unrestricted access.

Q: What do security teams get wrong about Salesforce permission reviews?

A: They often review access as if profiles were stable job roles, when in reality business needs and integrations change continuously.

Practitioner guidance

  • Minimise profile scope: Reduce profiles to baseline access only, then move differentiated permissions into permission sets and permission set groups so changes do not ripple across entire user populations.
  • Inventory all override permissions: List every user with View All Data, Modify All Data, or equivalent super-user access, then require a named business justification and an explicit owner for each entitlement.
  • Review admin concentration regularly: Track the percentage of users with admin-level access and investigate any environment where elevated access moves far beyond a small trusted control group.
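To make the inventory and concentration checks above concrete, here is an added example (not code from the Cyera article or from this post) that runs both over constructed PermissionSet and PermissionSetAssignment rows; the field names mirror the Salesforce objects, the rows are made up, and the 10% admin threshold is an assumed value rather than one the article states.

```python
# Added example (not the Cyera article's or the NHIMG post's own code): builds the
# override-permission inventory and the admin-concentration metric recommended
# above from constructed sample rows. Field names mirror the Salesforce
# PermissionSet / PermissionSetAssignment objects; the rows are made up.

# Constructed PermissionSet rows. Each profile has a profile-owned PermissionSet
# (IsOwnedByProfile=True) that carries the profile's baseline permissions.
PERMISSION_SETS = [
    {"Id": "0PS1", "Name": "Standard_User", "IsOwnedByProfile": True,
     "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
    {"Id": "0PS2", "Name": "System_Administrator", "IsOwnedByProfile": True,
     "PermissionsViewAllData": True, "PermissionsModifyAllData": True},
    {"Id": "0PS3", "Name": "Reporting_ViewAll", "IsOwnedByProfile": False,
     "PermissionsViewAllData": True, "PermissionsModifyAllData": False},
    {"Id": "0PS4", "Name": "Sales_Extras", "IsOwnedByProfile": False,
     "PermissionsViewAllData": False, "PermissionsModifyAllData": False},
]
# Constructed PermissionSetAssignment rows as (AssigneeId, PermissionSetId).
ASSIGNMENTS = [("u1", "0PS1"), ("u1", "0PS4"), ("u2", "0PS1"), ("u2", "0PS3"),
               ("u3", "0PS2"), ("u4", "0PS1"), ("u5", "0PS1")]
OVERRIDE_FIELDS = ("PermissionsViewAllData", "PermissionsModifyAllData")


def override_inventory(perm_sets, assignments):
    """Map user -> {override permission: [granting set, profile or permission set]}."""
    by_id = {ps["Id"]: ps for ps in perm_sets}
    inventory = {}
    for user_id, ps_id in assignments:
        ps = by_id[ps_id]
        source = "profile" if ps["IsOwnedByProfile"] else "permission set"
        for field in OVERRIDE_FIELDS:
            if ps[field]:
                inventory.setdefault(user_id, {}).setdefault(field, []).append(
                    f"{ps['Name']} ({source})")
    return inventory


def access_metrics(perm_sets, assignments, admin_threshold_pct=10.0):
    """Share of users holding Modify All Data and share relying only on a profile.

    admin_threshold_pct is an assumed review trigger, not a value from the article."""
    by_id = {ps["Id"]: ps for ps in perm_sets}
    users = {u for u, _ in assignments}
    admins = {u for u, p in assignments if by_id[p]["PermissionsModifyAllData"]}
    with_sets = {u for u, p in assignments if not by_id[p]["IsOwnedByProfile"]}
    admin_pct = 100.0 * len(admins) / len(users)
    return {"users": len(users), "admin_pct": admin_pct,
            "admin_over_threshold": admin_pct > admin_threshold_pct,
            "profile_only_pct": 100.0 * len(users - with_sets) / len(users)}
```

Each entry returned by override_inventory is one entitlement that needs a named owner and justification; access_metrics gives the two percentages to track between reviews.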

What's in the full article

Cyera's full analysis covers the operational detail this post intentionally leaves for the source:

  • Exact breakdown of how profiles, permission sets, and permission set groups were observed across the analysed Salesforce environments
  • The permission combinations that most often created excessive access, including the high-impact admin-style settings
  • The article's follow-on series topics on record-level access, sharing models, and data exposure
  • Examples of how profile-heavy access complicates audit and ongoing maintenance in real deployments

Read Cyera's analysis of Salesforce permission sprawl and admin overexposure for the full detail.
