Presentation from Salesforce.org Higher Ed Summit 2018 by: Daniel McGaughey, University of Pittsburgh.
Please join the University of Pittsburgh as we outline our approach to Salesforce security from an enterprise perspective. Pitt selected Salesforce as the platform to support a new Enterprise Relationship Management (ERM) system. Initial projects include implementation of Undergraduate Recruiting and an Enterprise Service Desk. Using an enterprise approach to Salesforce security creates the base for future expansion. Salesforce security is configured using custom just-in-time provisioning, so that user provisioning and de-provisioning is automated at login. Users are created and assigned a license at first login. User permissions are evaluated and updated at each login based on Active Directory group membership. Licenses are revoked via a scheduled integration. Users who are not entitled to use the system are denied login. We use Service Cloud cases to support the security request and approval workflow. Once all approvals are complete, users are added to the appropriate Active Directory groups automatically. Pitt admins do not create users or assign permissions by hand.
Watch a recording of this presentation: https://youtu.be/NhHvNmmHaWs
3. Getting Started with Salesforce
NOV 2015 – JAN 2016
• ERM selection committee
• Project team conducted 25 critical requirements sessions on 4 campuses
• Met with over 200 staff
• Identified 136 unique requirements for an Enterprise CRM
FEB 2016 – JUL 2016
• RFI sent to 15 vendors, 7 submitted responses
• RFP included 2 vendors
• Completed reference checks
• Conducted onsite product demos
Office of the Chancellor initiative
4. Getting Started with Salesforce
AUG 2016 – DEC 2016
• Salesforce Recommendation
• Roadmap, Planning
• Recruiting and Service Discovery
• Project and budget approval
JAN 2017 – FEB 2018
• Build the team
• Select implementation partner
• Go Live with 2 Applications (Recruiting and Service Desk)
• Roadmap 20+ new projects
• Support / maintain projects
5. Salesforce Environment
Current Environment
• 5 Enterprise CRM team members in central IT
• 1,500 Salesforce licenses
• ~440 current users
Applications
• Service Cloud
• Marketing Cloud
• Knowledge
• Visit Days for Recruiting Events
• Conga
• Task Ray
University of Pittsburgh
6. “How can we maintain security for 1,500 users and support our applications with 5 team members? What can we automate?”
7. Lots of users, Lots of requests, 1 small but powerful team
Team
• Director
• Admin
• Admin
• Developer
• IT Service owner
Users / Roadmap
• 1 instance
• Support 2 active applications in Production
• Kick off 3 new projects: Recruiting for Regional Campuses, Advancement, Economic Partnership
• Manage 20+ new application requests
9. Business Cases
Two Phases
PHASE 1
To enhance security, prepare for enterprise scale, and make better use of our Salesforce administrators' time
• During authentication, automatically assign and enforce security by using Active Directory group membership to validate access and system privileges
• An audit log is updated when a user is created and when a user or their permissions are changed
PHASE 2
Fully automate access requests and license management
• Salesforce Service Request to request elevated access, with a workflow for approval and automatic AD group management
• Automate license recovery for inactive users
• Annual security audit process
10. High Level Requirements
JIT
• Users must log in using Pitt Passport, the university's SSO solution
• Users are provisioned every time they log in to the system
• The system times out and logs the user out after inactivity, forcing the user to log in again
• If the user has not logged in for an extended period of time (3 months), the license is revoked
Security Request
• The security form creates a Security Request Case
Security Request Form
• The form defaults fields from the contact record of the submitter, or of the person the request is submitted on behalf of
• Ability to request that privileges be added or removed
• Two levels of approval are required, manager and security, unless the manager is submitting on behalf of a direct report
• A request for restricted data requires a third level of approval from the data steward
Security Case Approver
• The case is created and routed through the approval process
• Approvers have two options, approve or reject. If they reject, they must enter a comment
• Approvers are notified when a security case requires attention. Notifications are sequential: manager, then security, then the data steward
AD Group Update
• Once approval is received, the user's account is added to the appropriate AD group
Just in Time Provisioning / Security Request
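The following Python models the approval workflow described on the Security Request slides: the approval chain is derived from the request (manager skipped when the manager submits for a direct report, data steward added only for restricted data), approvers act strictly in notification order, a rejection must carry a comment, and only an approved case touches AD group membership. This is an added example, not code from the presentation or from Pitt's Service Cloud implementation; the `SecurityRequest` class, the `ROLE_MAILBOX` addresses, the in-memory `ad_groups` dictionary standing in for Active Directory, and the assumption that `subject_manager` comes from the contact record are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Who is notified for each non-manager step (assumption for the example;
# the manager step always goes to the subject's manager from the contact record).
ROLE_MAILBOX = {"security": "security-team", "data_steward": "data-steward"}


@dataclass
class SecurityRequest:
    """Stand-in for a Security Request Case. `subject` is the person whose
    access changes; `requester` is either the subject or the subject's manager."""
    requester: str
    subject: str
    subject_manager: str          # taken from the contact record, not typed by the requester
    restricted_data: bool
    add: set = field(default_factory=set)      # AD groups to join once approved
    remove: set = field(default_factory=set)   # AD groups to leave once approved
    approvals: list = field(default_factory=list)  # (step, approver, decision, comment)
    status: str = "Pending"


def required_approvals(req):
    """Approval chain in notification order: manager, then security, then
    data steward. The manager step is skipped when the manager submits on
    behalf of a direct report; the steward step exists only for restricted data."""
    chain = [] if req.requester == req.subject_manager else ["manager"]
    chain.append("security")
    if req.restricted_data:
        chain.append("data_steward")
    return chain


def current_step(req):
    """Step whose approver is waiting to act, or None once the case is closed."""
    if req.status != "Pending":
        return None
    return required_approvals(req)[len(req.approvals)]


def next_approver(req):
    """Address to notify now; notifications are sequential, one step at a time."""
    step = current_step(req)
    if step is None:
        return None
    return req.subject_manager if step == "manager" else ROLE_MAILBOX[step]


def decide(req, step, approver, decision, comment=""):
    """Record one approver's decision. Only the step currently at the head of the
    chain may act, and a rejection without a comment is refused."""
    if req.status != "Pending":
        raise ValueError("request is already " + req.status)
    if step != current_step(req):
        raise ValueError(f"waiting on {current_step(req)}, not {step}")
    if decision not in ("approve", "reject"):
        raise ValueError("approvers may only approve or reject")
    if decision == "reject" and not comment.strip():
        raise ValueError("a rejection must carry a comment")
    req.approvals.append((step, approver, decision, comment))
    if decision == "reject":
        req.status = "Rejected"
    elif len(req.approvals) == len(required_approvals(req)):
        req.status = "Approved"
    return req.status


def apply_to_ad(req, ad_groups):
    """AD Group Update: only an approved case changes membership. `ad_groups`
    maps group name -> set of members (stand-in for the directory). Returns the
    changes actually made so they can be written to the audit log."""
    if req.status != "Approved":
        raise ValueError("only approved requests reach AD")
    changes = []
    for group in sorted(req.add):
        members = ad_groups.setdefault(group, set())
        if req.subject not in members:
            members.add(req.subject)
            changes.append(("add", group, req.subject))
    for group in sorted(req.remove):
        if req.subject in ad_groups.get(group, set()):
            ad_groups[group].discard(req.subject)
            changes.append(("remove", group, req.subject))
    return changes
```

Because the chain is computed from the request rather than stored on it, a change to `restricted_data` after the manager has approved would lengthen the chain and the steward would still be asked; and because `subject_manager` is read from the contact record, a requester cannot shorten the chain by claiming to be the manager.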
13. JIT Steps
Step 1
• The program uses the AD group membership provided in the Shibboleth (SAML) response and calculates the permissions that should be assigned to the person who is logging in
Step 2
• The program compares the calculated assignments to the ones currently active on the User record
• If no updates are needed, the process ends
• If privileges need to be added or removed, proceed to step three
Step 3
• The program creates or updates the User record. It removes all of the current permissions listed and replaces them with the ones calculated in step two
Step 4
• The security audit log is updated with the actions taken
14. Current Automation
All of these items are automated, saving significant manual effort:
User Creation / Update
• License Assignment
• Active / Inactive
• Profile
• Name
• Email Address
User Access Checkboxes
• Marketing User
• Knowledge User
• Service Cloud User
• Live Agent User
Membership
• Public Groups
• Queues
• Permission Sets
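As an added illustration of the four JIT steps and of the items on the Current Automation slide, the Python below models one login end to end: entitlements are calculated from the AD groups in the SAML response, compared with the user record, applied with replace (not merge) semantics, and written to an audit log; a person with no entitling group is refused before any record is created. This is not code from the presentation or from Pitt's implementation, which would live in an Apex `Auth.SamlJitHandler` and do the corresponding DML. The group names, the `GROUP_ENTITLEMENTS` map, the `PROFILE_PRECEDENCE` rule, the `memberOf` attribute arriving as one semicolon-separated string, and the in-memory `directory` and `audit_log` standing in for the User table and the audit object are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Hypothetical AD group -> entitlement map (assumption; the group, profile,
# permission set, public group and queue names are invented for this example).
GROUP_ENTITLEMENTS = {
    "SF-Users":       {"profile": "Standard User"},
    "SF-Admins":      {"profile": "System Administrator"},
    "SF-ServiceDesk": {"permission_sets": {"Service_Desk_Agent"},
                       "queues": {"Service_Desk"}, "flags": {"ServiceCloudUser"}},
    "SF-Recruiting":  {"permission_sets": {"Recruiting_Staff"},
                       "public_groups": {"Recruiting"}},
    "SF-Knowledge":   {"flags": {"KnowledgeUser"}},
}
LOGIN_GROUPS = {"SF-Users", "SF-Admins"}          # membership in one of these = entitled to log in
PROFILE_PRECEDENCE = ["System Administrator", "Standard User"]  # first match wins (assumption)
MULTI_VALUED = ("flags", "permission_sets", "public_groups", "queues")


@dataclass
class UserRecord:
    """In-memory stand-in for the Salesforce User row plus its related
    PermissionSetAssignment / GroupMember rows and user-access checkboxes."""
    federation_id: str
    email: str
    profile: str = ""
    flags: set = field(default_factory=set)
    permission_sets: set = field(default_factory=set)
    public_groups: set = field(default_factory=set)
    queues: set = field(default_factory=set)


class NotEntitled(Exception):
    """Raised to fail the login: the SAML response carried no entitling AD group."""


def calculate_assignments(groups):
    """Step 1: derive the assignments a user should hold from the AD groups in
    the SAML response. Groups with no mapping are ignored."""
    if not set(groups) & LOGIN_GROUPS:
        raise NotEntitled("no entitling AD group in SAML response")
    wanted = {k: set() for k in MULTI_VALUED}
    profiles = []
    for group in groups:
        entitlement = GROUP_ENTITLEMENTS.get(group, {})
        if "profile" in entitlement:
            profiles.append(entitlement["profile"])
        for k in MULTI_VALUED:
            wanted[k] |= set(entitlement.get(k, ()))
    wanted["profile"] = next(p for p in PROFILE_PRECEDENCE if p in profiles)
    return wanted


def diff_assignments(user, wanted):
    """Step 2: compare calculated assignments with the User record.
    Returns (action, kind, value) tuples; an empty list means nothing to do."""
    changes = []
    if user.profile != wanted["profile"]:
        changes.append(("set", "profile", wanted["profile"]))
    for k in MULTI_VALUED:
        current = getattr(user, k)
        changes += [("add", k, v) for v in sorted(wanted[k] - current)]
        changes += [("remove", k, v) for v in sorted(current - wanted[k])]
    return changes


def jit_login(directory, audit_log, federation_id, attributes):
    """Steps 1-4 for one login. `directory` maps federation id -> UserRecord and
    `audit_log` is a list of entries; both stand in for Salesforce objects.
    `memberOf` is assumed to arrive as one semicolon-separated string."""
    groups = [g for g in attributes.get("memberOf", "").split(";") if g]
    wanted = calculate_assignments(groups)           # step 1; NotEntitled denies the login
    created = federation_id not in directory
    if created:                                      # first login: create the user (and license)
        directory[federation_id] = UserRecord(federation_id, attributes["mail"])
    user = directory[federation_id]
    changes = diff_assignments(user, wanted)         # step 2
    if not created and not changes:
        return user, []                              # nothing to do; process ends
    user.profile = wanted["profile"]                 # step 3: replace, never merge
    for k in MULTI_VALUED:
        setattr(user, k, set(wanted[k]))
    audit_log.append({"user": federation_id,         # step 4: record what was done
                      "event": "created" if created else "updated",
                      "changes": changes})
    return user, changes
```

Because step 3 replaces rather than merges, a permission set assigned by hand in Setup disappears at the user's next login unless an AD group grants it, and the audit entry records that removal; that is the enforcement property the slide is after. A user who has lost every entitling group is refused before the record is touched, which matches "users who are not entitled to use the system will be denied login"; deactivating that user's license is left to the scheduled recovery job described on the requirements slide.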