Salesforce security settings are layered across identity management, record access control, field-level visibility, and audit logging – and the default configuration is rarely production-ready without deliberate hardening. A misconfigured Salesforce org represents one of the highest-risk data exposure points in a company’s technology stack, given that Salesforce typically stores the organisation’s complete customer and revenue data. This guide covers the core security layers every Salesforce admin must configure: organisation-wide defaults, profiles and permission sets, multi-factor authentication, session settings, Health Check, and the Salesforce Shield capabilities for organisations with enhanced security requirements.
The best guide is the one that makes security feel manageable. A useful explanation helps the reader understand the role of configuration in protection, so this guide focuses on practical administration rather than abstract security theory. For many teams the goal is to keep the CRM safe without making it frustrating to use, so the guide also shows how security decisions affect both risk and usability. It explains why access control, sharing, and system settings need to be considered together, which makes security a core admin responsibility rather than a background task.
Salesforce security settings best practices matter because every CRM contains customer information that should only be visible to the right people. Good security settings protect data while still allowing the team to do its work.
The Salesforce Security Model: Understanding the Layers
Salesforce security operates across four distinct layers that build on each other:
- Organisation access: who can log into Salesforce (authentication – MFA, SSO, IP restrictions)
- Object and field access: what objects and fields each user can see and edit (profiles, permission sets, field-level security)
- Record access: which specific records each user can access within the objects they have access to (org-wide defaults, roles, sharing rules)
- Data protection: how data is stored and monitored (Shield Encryption, Event Monitoring, audit logs)
Security configuration must address all four layers. A common admin mistake is configuring object-level access (profiles) without properly configuring record-level access (OWD and sharing rules), resulting in users seeing records from other teams or territories they should not access.
Multi-Factor Authentication (MFA)
Salesforce made MFA mandatory for all users in 2023. Every user logging into Salesforce must verify their identity with a second factor – Salesforce Authenticator app, TOTP authenticator (Google Authenticator, Authy), hardware security key (FIDO2), or built-in authenticator. MFA is enforced at the organisation level: Setup → Identity → MFA and Login Policies → Require MFA for All Users.
Admin best practices for MFA:
- Use Salesforce Authenticator for internal users – it supports push notification approval with location context, and admins can view connected devices in Setup
- Enable MFA for Connected Apps: if users access Salesforce through connected apps (mobile app, Outlook integration, third-party tools), MFA must be enforced on the connected app OAuth policy as well as the direct login
- Configure MFA bypass for service accounts cautiously: integration users and API-only users that connect other systems to Salesforce should use API token authentication with IP restrictions, not MFA bypass – MFA bypass policies create exceptions that reduce overall security posture
- Audit MFA registration status: Setup → Users → Users, filter by MFA-registered status to identify users who have not yet registered their second factor
Single Sign-On (SSO)
For organisations with an existing identity provider (Okta, Azure Active Directory, Google Workspace, Ping Identity), configure SAML 2.0 SSO to Salesforce. SSO benefits for security:
- Centralised identity lifecycle management – when an employee is offboarded in your IdP, their Salesforce access is revoked automatically at next login attempt (rather than requiring a separate Salesforce admin deactivation step)
- Corporate password policies enforced by the IdP apply to Salesforce access without separate Salesforce password policy configuration
- MFA enforced by the IdP (Okta MFA, Azure Conditional Access MFA) satisfies Salesforce’s MFA requirement when using SSO – no separate Salesforce MFA layer required
Configure SSO at Setup → Identity → Single Sign-On Settings. Salesforce supports both IdP-initiated and SP-initiated SSO. After enabling SSO, retain at least one System Administrator account with native Salesforce credentials (not SSO) – this break-glass account allows admin access if the IdP has an outage.
Password Policies
For users authenticating directly to Salesforce (not via SSO), configure password policies at Setup → Security → Password Policies:
- Minimum length: 12 characters (current NIST guidance recommends length over complexity)
- Complexity: require at least one letter and one number – excessive complexity requirements (special characters required) increase password reuse behaviour
- Password history: prevent last 10 passwords from being reused
- Maximum password age: Salesforce default is 90 days – current NIST SP 800-63B guidance recommends against mandatory password rotation unless there is evidence of compromise. Set to 180 days or “Never expires” if MFA is enforced (MFA substantially reduces credential compromise risk)
- Login lockout: lock account after 5 failed login attempts
IP Restrictions and Login Hours
Restrict Salesforce access to known IP ranges and business hours at the Profile level:
- Login IP Ranges (Profile-level): Setup → Profiles → [Profile] → Login IP Ranges – add your office IP ranges and VPN exit IP ranges. Users on that profile cannot log in from IPs outside these ranges.
- Login Hours (Profile-level): restrict when users on a profile can log in – useful for contractor or offshore team profiles where access should only occur during business hours
- Org-level IP restriction: Setup → Security → Network Access – add trusted IP ranges that bypass the email verification step when a user logs in from a new device or location
Note: IP restrictions on profiles are bypassed by SSO login in some configurations – verify that SSO-authenticated users are also subject to your IP restriction policies via your IdP’s Conditional Access policies.
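As an added illustration of how the profile-level Login IP Ranges and Login Hours described above combine (example code written for this guide, not Salesforce's own login engine), the following Python model evaluates a login attempt against a constructed profile policy. The profile names, IP ranges and hours are constructed; an empty IP range list is treated as "no restriction", matching Salesforce's behaviour when no Login IP Ranges are set, and the close hour is treated as exclusive, which is an assumption of this model.

```python
import ipaddress
from datetime import datetime

# Constructed profile policies (hypothetical profile names, documentation IP ranges).
# An empty ip_ranges list means "no Login IP Ranges configured", which Salesforce
# treats as unrestricted. login_hours maps weekday (0 = Monday) to an (open, close)
# hour pair; days missing from the map are closed. Times are assumed to already be
# in the profile's time zone.
PROFILE_POLICY = {
    "Contractor": {
        "ip_ranges": ["203.0.113.0/24", "198.51.100.16/28"],
        "login_hours": {day: (8, 18) for day in range(5)},  # Mon-Fri 08:00-18:00
    },
    "Standard User": {"ip_ranges": [], "login_hours": None},
}


def ip_in_ranges(source_ip: str, ranges) -> bool:
    """True if the source address falls inside any configured CIDR range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def login_allowed(profile: str, source_ip: str, when: datetime):
    """Return (allowed, reason) for a login attempt under the profile's policy."""
    policy = PROFILE_POLICY[profile]
    if policy["ip_ranges"] and not ip_in_ranges(source_ip, policy["ip_ranges"]):
        return (False, "ip_outside_login_ranges")
    hours = policy["login_hours"]
    if hours is not None:
        window = hours.get(when.weekday())
        # Closed day, or outside the [open, close) window (close hour assumed exclusive).
        if window is None or not (window[0] <= when.hour < window[1]):
            return (False, "outside_login_hours")
    return (True, "ok")


if __name__ == "__main__":
    attempts = [
        ("Contractor", "203.0.113.45", datetime(2024, 5, 1, 9, 30)),   # Wed, in range
        ("Contractor", "192.0.2.9", datetime(2024, 5, 1, 9, 30)),      # Wed, outside ranges
        ("Contractor", "203.0.113.45", datetime(2024, 5, 4, 10, 0)),   # Sat, closed day
        ("Standard User", "192.0.2.9", datetime(2024, 5, 4, 23, 0)),   # unrestricted profile
    ]
    for profile, ip, when in attempts:
        print(profile, ip, when.isoformat(), login_allowed(profile, ip, when))
```

Because the check stops at the first failing layer, the reason string tells the admin which setting denied the login, which is the same information a reviewer wants when reading Login History entries with a failed status.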
Profiles and Permission Sets
Profiles define the baseline of what a user can do in Salesforce – object-level CRUD permissions, field-level visibility, tab access, and app access. Best practice is to maintain a minimal set of standard profiles (Minimum Access User, Standard User, System Administrator) and use Permission Sets to layer additional access on top.
Permission Set best practices:
- Create granular, purpose-specific permission sets rather than cloning profiles with minor variations – e.g., “Campaign Manager Permissions” (create/edit Campaign records), “Report Builder” (create and edit reports), “Data Export Access” (weekly data export capability)
- Use Permission Set Groups to bundle related permission sets – assign the group to users rather than multiple individual permission sets. When access requirements change, update the group definition rather than individual user assignments.
- Audit permission set assignments quarterly – use Setup → Permission Sets → [Permission Set] → Manage Assignments to see all users currently assigned
- Never grant “Modify All Data” or “View All Data” to standard users – these permissions bypass all record-level security and are appropriate only for System Administrator profiles
Organisation-Wide Defaults and Record Access
Organisation-Wide Defaults (OWD) set the baseline access level for all records when no other sharing rule applies. Configure OWDs at Setup → Sharing Settings:
- Private: users can only access records they own (most restrictive baseline – recommended for multi-team orgs where territory separation is required)
- Public Read Only: all users can view all records, but only owners can edit
- Public Read/Write: all users can view and edit all records (least restrictive – appropriate only for single-team orgs with no data separation requirements)
Start with OWD set to Private and open access up via sharing rules and role hierarchy – this is the secure default. Access is safer to add than to retract: admins who start with Public Read/Write and try to lock down access later face complex remediation.
The role hierarchy controls vertical sharing – managers above a user in the hierarchy can access their subordinates’ records. Configure the role hierarchy to match your actual reporting structure. Roles should reflect reporting lines, not job titles – an “AE” role and a “Senior AE” role with the same manager role above both is correct if they have the same manager. Horizontal sharing (across business units at the same level) uses sharing rules, not the role hierarchy.
Field-Level Security
Even when a user can access a record, Field-Level Security controls which individual fields they can see and edit. Configure FLS at Setup → Object Manager → [Object] → Fields → [Field] → Set Field-Level Security, or more efficiently via Profile → Field Permissions or Permission Sets → Object Settings → Fields.
Fields that should have restricted FLS in most orgs:
- Social Security or National Insurance number fields (if stored)
- Bank account or payment card fields
- Salary or compensation data in HR-adjacent Salesforce orgs
- Internal cost/margin fields on Quote or Opportunity records – visible to management and finance, hidden from field sales
- Legal notes or attorney-client privileged correspondence fields
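To make the layering concrete, here is an added Python model (written for this guide, not Salesforce's own sharing engine) of how the object-level, record-level and field-level checks described in the sections above combine: a user sees a record only if their profile or permission sets grant object access, the record-level check (ownership, role hierarchy, a sharing rule, or the org-wide default) passes, and FLS then filters the fields. "View All Data" skips the record-level step, which is why the guide reserves it for administrators. Users, roles, the sharing rule and the Opportunity record are all constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str
    object_perms: dict        # object -> set of CRUD letters from profile + permission sets
    field_read: dict          # object -> set of fields readable under field-level security
    view_all_data: bool = False  # "View All Data" bypasses record-level sharing entirely


# Constructed role hierarchy: child role -> parent role (None at the top).
ROLE_PARENT = {
    "CEO": None,
    "VP Sales": "CEO",
    "AE": "VP Sales",
    "Senior AE": "VP Sales",
    "Support Agent": "CEO",
}

# Constructed org-wide defaults per object.
OWD = {"Opportunity": "Private", "Case": "Public Read Only"}

# Constructed criteria-based sharing rule: (object, record predicate, roles granted read).
SHARING_RULES = [
    ("Opportunity", lambda rec: rec["region"] == "EMEA", {"Support Agent"}),
]


def is_ancestor_role(candidate: str, role: str) -> bool:
    """True if `candidate` sits above `role` in the hierarchy (vertical sharing)."""
    parent = ROLE_PARENT.get(role)
    while parent is not None:
        if parent == candidate:
            return True
        parent = ROLE_PARENT.get(parent)
    return False


def can_read_record(user: User, obj: str, record: dict) -> bool:
    # Object-level access (profile / permission set) must exist first.
    if "R" not in user.object_perms.get(obj, set()):
        return False
    # "View All Data" / "Modify All Data" skip record-level sharing.
    if user.view_all_data:
        return True
    # Record-level access: owner, then role hierarchy, then sharing rules, then OWD.
    if record["owner"] == user.name:
        return True
    if is_ancestor_role(user.role, record["owner_role"]):
        return True
    for rule_obj, predicate, roles in SHARING_RULES:
        if rule_obj == obj and user.role in roles and predicate(record):
            return True
    return OWD.get(obj, "Private") in ("Public Read Only", "Public Read/Write")


def visible_fields(user: User, obj: str, record: dict) -> dict:
    """Apply the record-level check, then FLS; {} means no access to the record."""
    if not can_read_record(user, obj, record):
        return {}
    allowed = user.field_read.get(obj, set())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample record and users.
OPP = {"name": "ACME renewal", "owner": "alice", "owner_role": "AE",
       "region": "EMEA", "amount": 50000, "internal_margin": 0.32}
SALES_FIELDS = {"name", "owner", "region", "amount"}
ALICE = User("alice", "AE", {"Opportunity": {"C", "R", "U"}}, {"Opportunity": SALES_FIELDS})
BOB = User("bob", "Senior AE", {"Opportunity": {"C", "R", "U"}}, {"Opportunity": SALES_FIELDS})
CAROL = User("carol", "VP Sales", {"Opportunity": {"R"}},
             {"Opportunity": SALES_FIELDS | {"internal_margin"}})
DAVE = User("dave", "Support Agent", {"Opportunity": {"R"}}, {"Opportunity": {"name", "region"}})
ERIN = User("erin", "Support Agent", {"Case": {"R"}}, {"Opportunity": {"name"}})
ADMIN = User("sysadmin", "CEO", {"Opportunity": {"C", "R", "U", "D"}},
             {"Opportunity": set(OPP)}, view_all_data=True)

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE, ERIN, ADMIN):
        print(f"{u.name:8} {u.role:14} -> {visible_fields(u, 'Opportunity', OPP)}")
```

Two outcomes are worth noting: bob is a peer of alice under the same manager and gets nothing, because the role hierarchy only shares upward and the OWD is Private; and erin matches the sharing rule but still gets nothing, because she has no object-level access to Opportunity, which is the common mistake the security model section warns about in reverse.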
Salesforce Health Check
Salesforce Health Check (Setup → Security → Health Check) is a built-in security audit tool that scores your org’s security settings against Salesforce’s Baseline Standard. The Health Check dashboard shows:
- An overall security score (0-100)
- Individual setting assessments across: Session Settings, Password Policies, Network Access, Remote Site Settings, and Certificate and Key Management
- High-risk, medium-risk, and low-risk settings that fall below the baseline
- One-click fix options for many settings directly from the Health Check interface
Target a Health Check score of 80+ for standard orgs. Custom baselines can be created to reflect your organisation’s specific security requirements – for example, if your security policy mandates shorter session timeouts than Salesforce’s baseline, your custom baseline can reflect that standard.
Session Settings
Configure session security at Setup → Security → Session Settings:
- Session timeout: 2 hours of inactivity is recommended for most orgs (2 hours is the default; some orgs set this too high, at 8 hours, which increases exposure from unattended sessions)
- Lock sessions to IP: enables session locking to the IP address used at login – prevents session token theft attacks where a stolen cookie is used from a different IP
- Clickjack protection: enable for all pages – prevents Salesforce pages from being embedded in iframes on malicious sites
- Require HTTPS: Salesforce enforces HTTPS natively; verify that any custom Salesforce site (Experience Cloud sites) also enforces HTTPS
- Disable “Remember me” on login page: prevents browser session persistence that could expose access on shared machines
Audit Logging
Salesforce provides three native audit mechanisms:
- Setup Audit Trail: logs admin configuration changes (who changed which setting, when) – retained for 6 months. Download monthly to your security monitoring system if longer retention is required.
- Login History: records all login attempts (successful and failed) for 6 months. Accessible at Setup → Users → Login History. Review for unusual login patterns (logins from unexpected geographies, repeated failed attempts).
- Field History Tracking: logs changes to up to 20 tracked fields per object (before and after values, who changed, when). Enable on business-critical fields: deal stage, contract value, account tier.
For extended audit retention and real-time security monitoring, Salesforce Shield Event Monitoring (licensed separately) exports all user interaction logs – record views, report runs, data exports, API calls – to external SIEM systems (Splunk, Microsoft Sentinel, Sumo Logic) for threat detection and compliance audit trails extending beyond Salesforce’s native 6-month window.
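The Login History review suggested above (unexpected geographies, repeated failed attempts) is easy to automate over a downloaded export. The following is an added Python example written for this guide, not a Salesforce feature: it reads a constructed, simplified CSV in the shape of a Login History export and flags three patterns: a user exceeding a failed-login threshold, a success that follows a run of failures from the same user, and a successful login from a country outside the expected set. Column names, usernames, IPs and the expected-country list are all constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a simplified Login History export.
SAMPLE_LOGIN_HISTORY = """Username,Login Time,Source IP,Login Type,Status,Country
alice@example.com,2024-05-01T08:02:11Z,203.0.113.10,Application,Success,GB
alice@example.com,2024-05-01T08:15:40Z,203.0.113.10,Application,Success,GB
bob@example.com,2024-05-01T22:03:01Z,198.51.100.7,Application,Invalid Password,GB
bob@example.com,2024-05-01T22:03:20Z,198.51.100.7,Application,Invalid Password,GB
bob@example.com,2024-05-01T22:03:41Z,198.51.100.7,Application,Invalid Password,GB
bob@example.com,2024-05-01T22:04:02Z,198.51.100.7,Application,Invalid Password,GB
bob@example.com,2024-05-01T22:04:30Z,198.51.100.7,Application,Invalid Password,GB
bob@example.com,2024-05-01T22:05:10Z,198.51.100.7,Application,Success,GB
carol@example.com,2024-05-02T03:44:09Z,192.0.2.55,Remote Access 2.0,Success,US
integration@example.com,2024-05-02T04:00:00Z,203.0.113.20,Remote Access 2.0,Success,GB
"""

EXPECTED_COUNTRIES = {"GB", "IE"}   # constructed: where this org's users normally log in from
FAILED_THRESHOLD = 5                # mirrors the 5-attempt lockout recommended above


def analyse_login_history(csv_text, expected_countries=EXPECTED_COUNTRIES,
                          failed_threshold=FAILED_THRESHOLD):
    """Return a list of (finding, username, detail) tuples for review."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    failures = defaultdict(int)   # running count of failed attempts per user, in export order
    for row in rows:
        user = row["Username"]
        if row["Status"] != "Success":
            failures[user] += 1
            continue
        # A success that arrives after a burst of failures deserves a second look.
        if failures[user] >= failed_threshold:
            findings.append(("success_after_failures", user, row["Source IP"]))
        if row["Country"] not in expected_countries:
            findings.append(("unexpected_country", user, row["Country"]))
    for user, count in failures.items():
        if count >= failed_threshold:
            findings.append(("repeated_failures", user, str(count)))
    return findings


if __name__ == "__main__":
    for finding in analyse_login_history(SAMPLE_LOGIN_HISTORY):
        print(*finding)
```

The export is processed in order, so the "success after failures" rule only fires when the failures precede the success; a real review would also want the time window between them, which the sample keeps short for readability.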
Connected App Security
Third-party apps that connect to Salesforce via OAuth are a common security blind spot. Review connected apps at Setup → Connected Apps → Connected Apps OAuth Usage:
- Identify apps with broad OAuth scopes (Full Access, API access) – verify each is still actively used and the scope is necessary
- Revoke access for apps that are no longer in use or whose vendor relationship has ended
- Set IP relaxation to “Enforce IP restrictions” for connected apps where possible
- Use Named Credentials for outbound callouts from Salesforce to external systems – Named Credentials store API keys and credentials in Salesforce’s secure credential store rather than hardcoding them in Apex code or Flow variables
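The connected-app review steps above (broad scopes, unused apps, IP relaxation) can be expressed as a checklist that runs over an inventory. This added Python example was written for this guide and is not a Salesforce feature; it uses constructed app records (names, last-used dates and settings are invented) while the scope names `full`, `api`, `web`, `refresh_token`, `id` and `profile` are real Salesforce OAuth scope identifiers. The 90-day staleness window is an assumption chosen for the example.

```python
from datetime import date

# Scopes that grant wide access to data or the API and therefore need justification.
BROAD_SCOPES = {"full", "api", "web"}

# Constructed inventory in the shape an admin might assemble from the OAuth Usage page.
SAMPLE_APPS = [
    {"name": "Outlook Integration", "scopes": {"api", "refresh_token"},
     "last_used": date(2024, 4, 28), "ip_relaxation": "Enforce IP restrictions"},
    {"name": "Legacy BI Connector", "scopes": {"full"},
     "last_used": date(2023, 11, 2), "ip_relaxation": "Relax IP restrictions"},
    {"name": "Marketing Sync", "scopes": {"api"},
     "last_used": date(2024, 5, 1), "ip_relaxation": "Relax IP restrictions"},
    {"name": "Calendar Widget", "scopes": {"id", "profile"},
     "last_used": date(2024, 1, 10), "ip_relaxation": "Enforce IP restrictions"},
]


def review_connected_apps(apps, today, stale_days=90):
    """Return (app name, action) pairs; stale_days is the example's assumed unused window."""
    findings = []
    for app in apps:
        broad = bool(app["scopes"] & BROAD_SCOPES)
        stale = (today - app["last_used"]).days > stale_days
        if broad and stale:
            findings.append((app["name"], "revoke_unused_broad_scope"))
        elif broad:
            findings.append((app["name"], "verify_broad_scope"))
        elif stale:
            findings.append((app["name"], "revoke_unused"))
        if app["ip_relaxation"] == "Relax IP restrictions":
            findings.append((app["name"], "enforce_ip_restrictions"))
    return findings


if __name__ == "__main__":
    for name, action in review_connected_apps(SAMPLE_APPS, date(2024, 5, 3)):
        print(f"{name:20} {action}")
```

Running the review against the sample inventory on 2024-05-03 singles out the legacy connector for revocation (full access, unused for months, IP restrictions relaxed), asks for a justification on the two live API-scoped apps, and queues the unused widget for removal even though its scopes are narrow.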
How long does it take to see ROI from Salesforce?
Most organizations see measurable ROI from Salesforce within 6-12 months of go-live, assuming the implementation was done correctly and adoption is active. Early wins typically come from pipeline visibility (fewer deals falling through the cracks) and time savings from automation (fewer manual follow-up reminders). Larger ROI gains – from better forecasting accuracy, improved win rates, and shorter sales cycles – typically take 9-18 months as the system accumulates enough data to reveal patterns. Companies that invest in change management alongside the technical implementation consistently reach ROI faster than those that treat it as a pure software deployment.
What’s the biggest mistake companies make with Salesforce?
The most common mistake is configuring Salesforce to match a generic best-practice template rather than the company’s actual sales process. When the CRM doesn’t reflect how the team works, reps build workarounds and CRM usage becomes performative – they update it because they have to, not because it helps them. The second most common mistake is under-investing in data quality from the start. Importing dirty, duplicate, or incomplete data as a “we’ll clean it up later” plan almost never results in cleanup – the bad data compounds and eventually undermines trust in the system.
How many users does Salesforce work well for?
Salesforce scales from individual users to enterprise organizations with thousands of seats, though the right tier and configuration differs significantly by team size. Small teams (under 10 users) benefit most from simplicity – stick to standard features, avoid over-customization, and prioritize adoption over sophistication. Mid-market teams (10-100 users) need more process definition, automation, and reporting structure. Enterprise implementations require dedicated admin resources, governance policies, and often external implementation support. Match the complexity of your Salesforce setup to the maturity and size of your team.
Can Salesforce integrate with our existing tools?
Most modern CRM platforms including Salesforce offer native integrations with common business tools – email clients (Gmail, Outlook), calendar apps, marketing platforms, support desks, and accounting software. For tools without native connectors, middleware platforms like Zapier, Make, or dedicated integration tools fill the gap. Before assuming an integration is available, verify whether it’s native (built and maintained by the CRM vendor), partner-built (listed on their marketplace but maintained by a third party), or middleware-dependent (requires Zapier or similar). Native integrations are generally more reliable and require less maintenance than middleware-based connections.
Problem: Configuration Completed Without Documenting the Setup
Salesforce configurations built without documentation create fragility – when the admin who set it up leaves or is unavailable, nobody understands why things are configured the way they are. Undocumented customizations, workflows, and field choices become institutional knowledge that walks out the door. Fix this by maintaining a living configuration document that records every non-default setting: custom fields and their purpose, automation rules and their trigger logic, permission sets and who holds them. Store it in a shared location and update it whenever the configuration changes.
Problem: Team Adoption Stalls Because Training Was One-Time Only
Organizations that run a single training session at launch and then leave users to figure things out on their own see adoption rates decline within 60 days as habits revert to spreadsheets and email threads. New hires get no structured Salesforce training at all. Fix this by building a recurring training cadence: a 30-minute monthly “tips and tricks” session for the whole team, a structured onboarding checklist for new users (covering the 10 most common tasks), and recorded walkthrough videos for each role stored in a shared knowledge base. The best-adopted Salesforce implementations treat training as a continuous program, not a one-time event.
Problem: Reports Built for Management Don’t Help the Frontline Team
Most Salesforce dashboards are designed to give managers visibility into team metrics – pipeline totals, activity counts, conversion rates. Reps who only see management-facing reports get no personal value from the CRM, which reduces their motivation to keep data clean and current. Fix this by building personal dashboards for each user role: a rep sees their own pipeline, their overdue activities, and their win rate this quarter versus last quarter. When individual contributors see Salesforce as a tool that helps them close more deals rather than just a reporting layer for management, data quality improves significantly.
The best security setup is the one that keeps data protected and workflows usable. If the rules are too broad, the data is exposed; if they are too tight, the team slows down.
