A scannable, no-fluff checklist for every Salesforce admin running a security review. Each row has three fields: the check, why it matters, and how to verify it in Setup.
Don't work through all 47 in one sitting. Pick a category, walk the rows against a recent export of your org's metadata, and sign off. Repeat quarterly — security posture decays faster than most orgs plan for.
Start with identity — before anything else. Who can log in, how they authenticate, and whether their access is current and intentional.
Setup → Users → Company Users; filter Active = true; inspect the Last Login column for empty values.Setup → Users → Company Users; export to CSV; sort by Last Login; flag rows older than 90 days that remain Active.Setup → Profiles → System Administrator → Manage Users; confirm every assignee is a current named individual.Setup → Identity Verification; confirm Two-Factor Authentication for User Interface Logins is required for the admin profile and any session-level login.Setup → Profiles / Permission Sets; cross-check users that have both permissions active in their effective access.Setup → Users; filter by Profile or Permission Set with API Enabled; confirm each row has an assigned owner and a last-rotated date.Setup → Users; filter Inactive; cross-reference against your HR offboarding log or HRIS termination report.Connected apps authenticate as users and keep working long after those users leave. Treat them as live credentials with their own audit rhythm.
Setup → App Manager → Installed Packages; sort by Last Used; flag rows with empty values or older than 90 days.Setup → App Manager → Edit Policies → Refresh Token Policy; confirm Refresh token expires after is set to a finite value (e.g. 90 days).Setup → App Manager; review the Installed By field; cross-reference against the offboarding log.Setup → App Manager → Edit → Permitted Users; confirm policy is Admin approved users are pre-authorized unless the app genuinely needs org-wide access.full and refresh_token scopes has the broadest possible access. Scopes should match what the integration actually needs.Setup → App Manager → Edit → OAuth Scopes; flag apps requesting Full, Refresh Token, or Offline Access without a documented business reason.Setup → Named Credentials; review each row; flag any row whose Auth Protocol is Password Authentication.Setup → App Manager; confirm any app that runs server-to-server uses JWT Bearer flow rather than the username-password OAuth flow.Org-wide defaults set the baseline. Every subsequent sharing rule has to fight against the default. Get the default right and the rest of the model is simpler.
Setup → Sharing Settings → Org-Wide Defaults; locate every row whose Default External Access = Public Read/Write; confirm none of them hold PII or customer financial data.Setup → Sharing Settings, audit each object's Internal Access. For sensitive objects, confirm it is Private.Setup → Sharing Settings → [Object] Sharing Rules; open the rule; verify the criteria fields and values still resolve.AccountShare, OpportunityShare, ContactShare; filter where RowCause = Manual; review the grantor and recipient of each.Setup → Roles; walk the hierarchy top-down; confirm each role's parent matches the actual org chart.Setup → Sharing Settings → External OWD; confirm the external access column is Private for any object containing customer PII.Setup → Object Manager → Fields & Relationships; open each PII field; click Set Field-Level Security; confirm non-admin profiles are Read-Only or Hidden.Network controls are how you stop a stolen credential from being used anywhere in the world. Lock the perimeter to the IPs you actually log in from.
Setup → Profiles → System Administrator → Login IP Ranges; confirm at least one IP range is set and that it covers the actual admin work locations.Setup → Session Settings → Trusted IP Ranges; confirm a tight CIDR list covering your integration endpoints and offices.Setup → Password Policies; confirm at least 12-character minimum, complexity required, and password history prevents reuse.Setup → Profiles → [Profile] → Session Settings; review timeout values per profile; confirm they match the actual work pattern.Setup → Session Settings → Lock sessions to the domain; confirm this is enabled.* or stale development origins gives any browser-based attacker a path to invoke Salesforce APIs from a page they control.Setup → CORS; review each entry; remove any whitelist range covering all origins and any origin your team no longer uses.Audit logs tell you what happened. Monitoring configuration decides whether you get alerted before the incident is over. Both are required.
Setup → View Setup Audit Trail; confirm a recent weekly or monthly review by a named admin; export the trail to a longer-retention archive.Setup → Event Monitoring; confirm the feature is licensed and at least one EventLogFile stream is exporting to your SIEM.Setup → Object Manager → Fields & Relationships → Set History Tracking; confirm sensitive objects have at least 20 fields tracked.Setup → View Login History; confirm an alert or scheduled review triggers when a login IP falls outside Login IP Ranges.Setup → Apex Exception Email; confirm the recipient list includes a monitored mail group, not a personal inbox that may not be staffed.Backup posture is rarely the cause of an incident. It is the difference between an incident and a catastrophe. Audit it like the rest.
Setup → Data Export; confirm Export Now runs and a recurring schedule exists; confirm the download URL is captured into your backup pipeline.Setup → Data Management → Backup and Restore; confirm the feature is licensed and the weekly backup window is enabled.Setup → Sandboxes; confirm each sandbox's Refresh Interval and most recent refresh date; confirm the policy is documented in your release runbook.Setup → Data Management; review Recycle Bin policy; confirm any records needing longer retention are extracted via Data Loader before they age out.Setup → View Setup Audit Trail; filter for Delete actions on records and objects; confirm the trail is reviewed in your weekly security digest.The day-to-day administrative debris that compounds over years. Permission sets you forgot about. Flows from a 2022 project. Easy wins if you tackle them quarterly.
Setup → Permission Sets; export the list; sort by Last Modified Date; flag sets older than 24 months with low assignment counts.Setup → Profiles; filter to Custom Profiles; confirm each has a documented owner in your internal admin registry.Setup → Process Automation → Flows; review each Flow whose object is Account, Contact, or Opportunity; confirm Run In Mode is set to User rather than System.Setup → Object Manager → Validation Rules; export per object; confirm each rule has a documented business owner.Setup → Lightning App Builder; review pages for sensitive objects; flag any page that contains an HTML iframe, External Services, or a Visualforce component.Setup → Static Resources; review each resource's file content; flag any JS, JSON, or ZIP whose unzipped contents include keys, tokens, or passwords.Setup → Email-to-Case → Configure; confirm Enable Email-to-Case is on with a whitelisted sender list; flag any open inbound address.with sharing runs as system, ignoring the user's record-level access. This is the canonical Salesforce security bug — and it is still common in mature orgs.Setup → Apex Classes; confirm classes that touch Account, Contact, Opportunity, or any custom object with PII are declared public with sharing.The Permissions Scanner inventories profiles and permission sets, flags low-assignment sets, and surfaces FLS gaps in a single shareable report — client-side, no Salesforce credentials. The Items 1–7, 17, 21 in this checklist are exactly what it covers.