Managing Separation of Duties and Sensitive Access in Salesforce with Fastpath
By Ryan Gase
In this post I discuss Separation of Duties (“SOD”) and Sensitive Access (“SA”) reporting for Salesforce using Fastpath. Personally, I’ve supported hundreds of customers as they have implemented Fastpath software as their answer to SOD, Change Tracking, Identity, Certifications and much more.
Many customers come to Fastpath because they have SOX compliance needs and/or have manual SOD processes that they would like to automate for the future. Fastpath was built to quickly help customers with their SOD requirements and automate manual processes that exhaust key resources within companies.
Fastpath's Solution for Automating SOD Processes in Salesforce
To serve customer needs, Fastpath has created a SaaS cloud offering that connects to Salesforce via an API connection. This connection enables Fastpath to pull in Salesforce users and their security data (Field, Object, System and Custom permissions) so that it can be analyzed through the different Fastpath product offerings.
Within the Access Control product, Fastpath has an out-of-the-box SOD ruleset that allows customers to run User Risk and Role Risk (also referred to as Profile and Permission Set) reports on the first day they connect Fastpath and Salesforce. The SOD ruleset is pre-built with Business Processes (“BP”) that are unique to the Salesforce system. These BPs are built from securable objects (Object and System permissions) in Salesforce that would allow users to update or maintain the BP in question (that is, access above the Read or View level). The SOD ruleset can be customized from what is provided out of the box so that organizations can tailor it as they see fit. It’s also worth knowing that Fastpath customers can combine Fastpath rulesets from multiple systems into one ruleset so that they can run SOD risks between, say, Salesforce and NetSuite. This is known as cross-application risk analysis.
Fastpath's Solution for Automating Sensitive Access Reporting in Salesforce
Another important distinction in the ruleset is the option to create SA risks alongside SOD risks. I have heard from many organizations that they need to report on sensitive access to permissions in Salesforce just as much as on SOD. When running the risk reports, users can filter on the SOD or SA risk type to keep the reporting simple.
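The ruleset model described above, as an added example that is not Fastpath code: business processes are sets of Salesforce permissions at update level or above, SOD risks are pairs of business processes one user should not hold together, SA risks are single sensitive business processes, and a user's effective permissions are assumed to be the union of profile and permission set grants. All permission names, rules and the sample user are constructed for illustration.

```python
# Constructed business processes (BPs): each maps to the Salesforce object/system
# permissions that let a user update or maintain that process. Read/View-only
# permissions are deliberately absent, so they never place a user "in" a BP.
BUSINESS_PROCESSES = {
    "Maintain Accounts": {"Account.Edit", "Account.Create"},
    "Maintain Opportunities": {"Opportunity.Edit", "Opportunity.Create"},
    "Manage Users": {"ManageUsers"},
    "Modify All Data": {"ModifyAllData"},
}

# SOD rules: two BPs that conflict when held by the same person.
SOD_RULES = [("Maintain Accounts", "Maintain Opportunities")]
# SA rules: a single BP that is a risk on its own.
SA_RULES = ["Manage Users", "Modify All Data"]


def effective_permissions(profile, permission_sets):
    """Assumption: effective access is the union of profile and permission set grants."""
    perms = set(profile)
    for permission_set in permission_sets:
        perms |= set(permission_set)
    return perms


def business_processes_for(perms):
    """A user holds a BP if any of its update-level permissions is granted."""
    return {bp for bp, needed in BUSINESS_PROCESSES.items() if needed & perms}


def user_risks(perms, mitigations=()):
    """Return (risk_type, risk_name, status) for one user; SOD risks first, then SA."""
    held = business_processes_for(perms)
    risks = []
    for left, right in SOD_RULES:
        if left in held and right in held:
            name = f"{left} vs {right}"
            risks.append(("SOD", name, "mitigated" if name in mitigations else "open"))
    for bp in SA_RULES:
        if bp in held:
            risks.append(("SA", bp, "mitigated" if bp in mitigations else "open"))
    return risks


# Constructed sample user: the profile grants account maintenance and read access,
# while two permission sets add opportunity maintenance and user management.
SAMPLE_PROFILE = {"Account.Edit", "Account.Read", "Opportunity.Read"}
SAMPLE_PERMISSION_SETS = [{"Opportunity.Edit"}, {"ManageUsers"}]


def sample_report(risk_type=None):
    """Risk report for the sample user, optionally filtered to 'SOD' or 'SA'."""
    perms = effective_permissions(SAMPLE_PROFILE, SAMPLE_PERMISSION_SETS)
    risks = user_risks(perms, mitigations={"Manage Users"})
    return [r for r in risks if risk_type is None or r[0] == risk_type]


if __name__ == "__main__":
    for risk in sample_report():
        print(risk)
```

Running a profile or permission set alone through `user_risks` gives the Role Risk view; running the union gives the User Risk view.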
To further automate SOD and SA reviews, the Access Control product also allows organizations to define their mitigation control processes for risks within the ruleset or for user risks on an individual basis. Fastpath has out-of-the-box mitigation resolutions to select from, or users can create their own. Customers also have the ability to import Controls from an audit control library and leverage those for risk mitigations. To make this process even easier, Fastpath has additional connectors to AuditBoard and Workiva.
The final piece of automation is delivered through Fastpath’s robust reporting system. Customers can schedule nearly every report found in Fastpath at a daily, weekly, monthly, quarterly, or annual frequency, depending on their needs. Administrators also have the option to require a signature from the recipients. All of this information is kept for an audit trail. My favorite part is the ability to set up and maintain the scheduled reports via software, which helps deliver a consistent process that is repeatable for the future.
Fastpath should give organizations confidence in their ability to manage Separation of Duties and Sensitive Access in Salesforce by creating automation, accuracy, and consistency.