Salesforce Security: Fully Automated
1 like1,106 views
The document outlines the implementation and security measures of Salesforce at the University of Pittsburgh, detailing the phases from initial selection to current application management. Key initiatives include automating user access requests, managing security through Active Directory integration, and enhancing auditing processes. The document emphasizes the need for effective security and management strategies to support 1,500 users with a small team.
Salesforce Security: Fully Automated
- 1. Salesforce Security: Fully Automated Daniel McGaughey, Developer Cristy Spino, IT Service Owner Enterprise CRM University of Pittsburgh
- 2. University of Pittsburgh Just a little information about Pitt
- 3. Getting Started with Salesforce NOV 2015 – JAN 2016 • ERM selection committee • Project team conducted 25 critical requirements sessions on 4 campuses • Met with over 200 staff • Identified 136 unique requirements for an Enterprise CRM FEB 2016 – JUL 2016 • RFI sent to 15 vendors, 7 submitted responses • RFP included 2 vendors • Completed reference checks • Conducted onsite product demos Office of the Chancellor initiative
- 4. Getting Started with Salesforce AUG 2016 – DEC 2016 • Salesforce Recommendation • Roadmap, Planning • Recruiting and Service Discovery • Project and budget approval JAN 2017 – FEB 2018 • Build the team • Select implementation partner • Go Live with 2 Applications (Recruiting and Service Desk) • Roadmap 20+ new projects • Support / maintain projects Office of the Chancellor initiative
- 5. Salesforce Environment Current Environment • 5 Enterprise CRM team members in central IT • 1,500 Salesforce licenses • ~440 current users Applications • Service Cloud • Marketing Cloud • Knowledge • Visit Days for Recruiting Events • Conga • Task Ray University of Pittsburgh
- 6. “How can we maintain security for 1,500 users and support our applications with 5 team members? What can we automate?
- 7. Lots of users, Lots of requests, 1 small but powerful team Team Users Roadmap • 1 instance • Support 2 active application in Production • Kick off 3 new projects • Recruiting for Regional Campuses • Advancement • Economic Partnership • Manage 20+ new application requests Director Admin Admin Developer IT Service owner
- 9. Business Cases PHASE 1 To enhance security, prepare for enterprise and better utilize our Salesforce Administrators time • During authentication auto assign and enforce security by utilizing Active Directory group membership validate access and system privileges • An audit log is updated when a user is created and when a user or their permissions are changed PHASE 2 Fully automate access requests and license management • Salesforce Service Request to request elevated access with workflow for approval and automatic AD group management • Automate license recovery for inactive users • Annual security audit process Two Phases
- 10. High Level Requirements JIT: • Users must log in using Pitt Passport – the university’s SSO solution • Users are provisioned every time they log in to the system • System times out and logs out with inactivity, forces user to log in again • If the user has not logged in for an extended period (3 months) of time the license is revoked Security Request • Security form creates a Security Request Case Security Request Form • Form will default fields related to the submitters or on behalf of contact record • Ability to request to add or remove privileges • Two levels of approval is required, manager and security, unless the manager is submitting on behalf of a direct report • Request for restricted data requires a third level of approval from the data steward Security Case Approver • Case is created and routed through the approval process • Approvers have two options, approve or reject. If reject they must enter a comment • Approvers are notified when a security case requires attention. Notifications are sequential, manager, then security, then the data steward AD Group Update • Once approval is received, the user credentials are added to the appropriate AD group Just in Time Provisioning / Security Request
- 11. Just in Time (JIT)
- 12. Just in Time
- 13. JIT Steps Step 1 • The program uses the AD Group membership provided by the Shibboleth response and creates the permissions that should be assigned to a person when they are logging in Step 2 • The program compares the calculated assignments to the ones that are currently active on the User record • If no updates are needed, process ends • If new or the removal of privileges are needed proceed to step three Step 3 • The program creates or updates the user record. It removes all of the current permissions listed and replaces with the new ones calculated in step two Step 4 • The Security audit log is updated with the actions taken
- 14. Current Automation User Creation / Update License Assignment Active / Inactive Profile Name Email Address User Access Checkboxes Marketing User Knowledge User Service Cloud User Live Agent User Membership Public Groups Queues Permission Sets All of these items are automated – saving significant manual effort:
- 15. Setup Screens AD Group definition
- 16. Setup Screens Items Associated with AD Group
- 17. Questions?