Get set for an illuminating episode with our special guest, Jagannathan Padmanabhan, a security advocate within his current role as a Technical Architect at Salesforce. Jagan brings to the fore how he leverages Salesforce to tackle customer challenges and his fervor for platform security. He imparts his wisdom on the zero trust security model and the principle of least privilege, both key aspects in maintaining a safe platform.

Prepare to be enthralled as Jagan unveils the intricate workings of event-driven architecture within Salesforce. He walks us through the various events that transpire when a user logs in, accesses a list view, generates reports, or logs out. By the closure of our engaging conversation, you’ll have a deeper comprehension of file and event security in Salesforce – a pertinent skill in this digital age. Don’t miss out on this enlightening conversation!

Show Highlights:

  • Discussion on Salesforce’s zero trust security model and the principle of least privilege.
  • Explanation of the role of Salesforce Shield in platform security.
  • In-depth exploration of event-driven architecture within Salesforce.
  • Introduction to the Event Monitoring add-on license, file events, and transaction security policies.
  • How developers can use condition builders or Apex classes to send notifications and alerts.
  • Importance of file and event security in Salesforce and its practical application in solving customer problems.

Links:

Episode Transcript:

Jagannathan Padmanabhan:
Oh yeah, so back then when I started using computer, at that time I was in high school. I remember myself and my friends used to create Yawgu chat rooms, and then we just play around in the chat messengers and all those stuff.

Josh Birk:
That is Jagannathan Padmanabhan, a technical architect here at Salesforce. I’m Josh Birk, your host for the Salesforce Developer Podcast, and here on the podcast you’ll hear stories and insights from developers for developers. Today we’re going to talk with Jagannathan about file and event security, and how you can implement it in Salesforce. But we will start just as we left off and as we often do with his early years.

Jagannathan Padmanabhan:
Oh yeah. So, I started my journey back then 2011 as a junior developer. That time I got trained in Java. Fortunately, I got a project request and they asked me if I could work in a Salesforce platform. I just said yes and took that opportunity and then not turning back. So, I think it’s a great opportunity someone offered me.

Josh Birk:
Nice. How did you find learning the platform from a Java perspective?

Jagannathan Padmanabhan:
Oh yeah, so initial Java, I was trying to correlate Java concepts with Salesforce and then it is pretty much… I felt very comfortable with all these platform related modules.

Josh Birk:
Got you. How would you describe your current job at Salesforce?

Jagannathan Padmanabhan:
Yeah, so current job, I work as a technical architect, part of our customer success group. So, each customer is different and unique when it comes to solving the problems. I just love working with the customers and trying to understand what are the pain points they have? And how we can use Salesforce to help them solve all those issues.

Josh Birk:
Got it. How long was your journey from being a… just going from Java to Apex, but then also becoming a technical architect?

Jagannathan Padmanabhan:
Oh yeah, so the journey initially, three months I trained in Java and then as a junior developer itself, I started working the platform. So, I got hold of it and then I am fortunate to work in three product transitions, like I was… I still remember the days where we used to work in Classic getting video pages and then transition to Lightning Aura, and then now we are in the CLWS space.

Josh Birk:
Right.

Jagannathan Padmanabhan:
I just love this transition.

Josh Birk:
Nice. I guess it’s true, you do learn a lot about the platform when you have to take it apart and put it all back together again.

Jagannathan Padmanabhan:
Yeah, true. Back then at that time we didn’t even have a Trailhead. So, it was a lot of developer forums in which you post a question, wait for the response and, you know.

Josh Birk:
The dark old days before Trailhead existed. I love [inaudible 00:02:39].

Jagannathan Padmanabhan:
Yeah.

Josh Birk:
Is there something in particular about security that you’ve always found attractive?

Jagannathan Padmanabhan:
Oh yeah. So, apart from being a Salesforce architect, suddenly I got interest in platform security. Out of my free interest, I just started understanding how platform security works. And then at one point of time, I started contributing to our platform product securities. So, once I started getting into this platform security, I just got interested into our security focused products like Shield, even monitoring data detect.
So, that is how I felt like whenever I start building an application, I will try to think from a hacker mindset, what are the possible ways to get the data out of it? And then how do we make sure we prevent all those? So that mindset really helps me how to build secure applications.

Josh Birk:
Well, and I think that segues into, because I think a lot of people don’t know, some of the intricacies when they have a bright new shiny Salesforce org. Are there early resources, if somebody’s kind of a real newbie but they have person org or something like that? Are there resources you like to point people to get started on knowing those ins and outs?

Jagannathan Padmanabhan:
Yeah, definitely. So, I highly recommend them to go through zero trust security model, which is pretty generic. Like how dow we… even if it’s an admin right, how do we make sure we provide least privileged access, and then open up access if it is needed? So, that is what I would recommend them to go for.

Josh Birk:
Walk through that last part. What do we mean when we say the principle of least privilege?

Jagannathan Padmanabhan:
Oh yeah, so let’s say there is an integration user, they want to connect with Salesforce and maybe trying to get the data outside of Salesforce. What I will do is I will just create a profile. Recently we have a profile named minimum access profile. So, I would recommend creating a minimum access profile. And then what I will do is I will just try to create a permission set on top of it, and then we’ll be very specific like what are the key objects they need to get access to?
And then the most important thing, let’s say when it comes to integration, user should be only an APO only user. Ideally, they don’t need a UA for it. So each profile is different. I would spend a lot of time understanding what exactly they need and then provide only those permission. If possible, I will try to come up with the expiration dates for the permission set as well, to make sure they get access only to what they want to get access to.

Josh Birk:
So, only what, but also only when they need access to?

Jagannathan Padmanabhan:
Oh, yeah.

Josh Birk:
Nice. Nice. So, my strategy of making everybody a system administrator would be a bad one.

Jagannathan Padmanabhan:
Oh yeah.

Josh Birk:
I mean, I usually only been a developer edition, so I have very little harm that I can make. Are there major tools a developer or admin should be aware of for security?

Jagannathan Padmanabhan:
Oh yeah. Security recently in Salesforce lab we have AppExchange product named User Permission and Assistant. So, once we have that app installed, that will give them a 360-degree view of what are the profiles they have and what are the permissions they have. And what are the permissions they have underneath the permission set. So, once they install and play around, they would be able to better understand if they have accidentally given any permission, which the user should not have access to. That is the right way to find out those information and then fix it right away.

Josh Birk:
Got you, nice. What kind of role does a product like Shield play?

Jagannathan Padmanabhan:
Oh yeah, so Shield, it comes with a bundle. The first thing comes up is like a platform encryption. So, if customers chose any sensitive information, if they want to encrypt the data and the rest. So they can make use of our platform encryption capabilities, which our product offers. And then Shield bundle also includes an even monitoring, which should be very useful for understanding user activities. So, these are the two main things I would recommend.

Josh Birk:
Nice. We’re going to talk about file events and events monitoring in a little bit, but I want to still stay a little high level. And we’re not going to try to guilt anybody, but are there basic security errors that you see repeatedly?

Jagannathan Padmanabhan:
Oh yeah. So for an example, I have seen a lot of profiles having export reports permission. And the problem is they might have clone from a profile which already exists, and because of that, that keeps on growing, Birk. I see a lot of profiles see export report permission, which is really not needed. At one point of time, what happens is in that customer or some people might misuse and use export report functions and they take the data outside of Salesforce.

Josh Birk:
Got it. I think this plays into my next question then. Are there special challenges that come to play when the scale of the org starts to progress? I guess I could piggyback on that last answer is, do you see even more of that behavior the larger an organization is?

Jagannathan Padmanabhan:
Oh yeah. So larger organizations, the problem, what we have seen is they frequently make a lot of changes in the permissions. So, if they don’t set up a process and safeguarding profiles and permissions, at one point of time they will end up having a lot of permissions with critical permission… A lot of permission sets and profiles with critical permissions, which they’re not supposed to.

Josh Birk:
Got it. Got it. Okay. Let’s dive into topic at hand, file events and how they play with security. But let’s start with the basics. What exactly are file events?

Jagannathan Padmanabhan:
Oh yeah. So, before I jump into file event, I think it is very important to provide some context about event monitoring. And then specifically around real time monitorings and all those stuff.

Josh Birk:
Cool.

Jagannathan Padmanabhan:
To start with, our Salesforce platform has been built on top of this event-driven architecture. So, let’s say when the user logs in, behind the scenes, we file a login event. And then let’s say when the user try to access any list views for an example. So, behind the scenes we file a list view event. The same applies, for example, when the user is trying to access a reports to be more specific, when the user is trying to preview the report or export the report, behind the scenes we file report events.
And then end of it when the user tries to log out, we file a logout event. So, pretty much technically we capture most of the user activities from login to logout. So all these, some are part of even log fails and some are part of realtime monitoring.

Josh Birk:
Okay. And when we say realtime monitoring, this is not a lot old school people like me think about APIs integrations, and things like that. And this more like a publication or subscription model, right? Where the logout event fires, you can have something on the event bus waiting for it to listen to it.

Jagannathan Padmanabhan:
Oh yeah. So, this event monitoring comes as part of add-on license. Either a customer can go with a Shield bundle or else they can go with a event add-on license separately. So, once they have this license set up, they should be able to understand their user activity by understanding these even data.

Josh Birk:
So, it gives them a bird’s eye view of what the users are actually doing.

Jagannathan Padmanabhan:
Oh yeah, exactly.

Josh Birk:
Nice. Then how does file events play into that?

Jagannathan Padmanabhan:
Oh yeah, so recently in summer ’23 release, we exposed file event which became generally available. So, what it does at eye level is, if any user is trying to access a file, for example, it could be like they are trying to preview the file. They are trying to view the file, or else they’re trying to download the file. Any file interaction events going forward, it will be captured in this realtime event monitoring, event named file event.
So with this, what we can do is we have a concept named transaction security policy underneath the realtime monitoring. So, with the transaction security policy, our customers can either use a Condition Builder, which is a point and click flow builder. Or else they can go with an Apex, which is a coding. They can choose any option they want and then they can write a file even. For example, if any file is tagged as illegal, even though they use it has a permission to download the file, we can restrict the file download using file event and transaction security policy.

Josh Birk:
So, it’s kind of like an old school trigger running on the event bus, and it gives you an at-the-time moment ability to stop something from a file being downloaded, if you think there’s no… What kind of comparisons are typical? Are you comparing the profile to aspects of the file? And how customized does that get?

Jagannathan Padmanabhan:
Yeah, it can go to a maximum extent. So, when it comes to the flow builder, currently we need to hard code some of the profile information if needed. But to be more scalable, one at this moment, we can go with the Apex class. That is the one I publish a blog as well. So using Apex, so once you get that file, you should be able to identify which user is trying to download the file. And then you can have some custom data driven. Like if it is a sales user, if the file is illegal, then that user should not be able to download the file. So, we should be able to play around with this using Apex.

Josh Birk:
Well, and I liked when the examples you gave in that blog post of every now and then an employee gets terminated, released from hire. I don’t know what the VC term for being fired these days is. Terminated does sound a little harsh. But anyway, their access isn’t always immediately revoked, right? But here you could at least have a file access layer which is saying, “Hey user, you’ve been flagged as no longer with us, you don’t get to download any files.”

Jagannathan Padmanabhan:
Yeah.

Josh Birk:
Nice. Are there other advantages to using Apex versus Flow?

Jagannathan Padmanabhan:
Oh yeah. So the Apex, the best part is we can have a customer data [inaudible 00:12:00] driven. And then to accommodate future use cases and all, right? It becomes even more easy for you and flexible to manage in the Apex. Whereas when it comes to Condition Builder, it depends on the use cases. Use cases is pretty simple, then Condition Builder will work. But if there are a different person who has comes into play, then Apex would be the best part.

Josh Birk:
Got it. And both Condition Builder and Apex both have the capacity to send out notifications and alerts, right?

Jagannathan Padmanabhan:
Well, yeah. So, once we choose either Condition Builder or Apex, on the next screen there is an option for us to set up a email template. So, either we can go for a standard email template, or else we can customize. Like we can bring in the fields from that event data in that email template. And then we can choose the recipient to whom this email should be triggered too.

Josh Birk:
Got it.

Jagannathan Padmanabhan:
In addition to email template, we do also have option for a notifications builder. So, once we select the recipient, in addition to getting an email, they can also get notified inside Salesforce, if they logged in using the wrench icon, the bell icon. They should be able to see the notification.

Josh Birk:
Nice. And so that would work on mobile too?

Jagannathan Padmanabhan:
Yeah.

Josh Birk:
Nice. Very cool. Are there other events that you think are commonplace for developers to think about this scenario?

Jagannathan Padmanabhan:
Oh yeah. So for example, report event is one of the key real-time monitoring event. Let’s say if the user is serving the notice free at that point of time, if you want them to restrict the report export, there are two ways to do it. Either you can go to a profile or a permission set and take out that export report permission. That is one way to do it. In addition to it, if you want to be more specific, like you want to give them export reports permission but you don’t want to… you want to make sure they should not export a particular report for an example, or a-

Josh Birk:
Got you.

Jagannathan Padmanabhan:
… particular set of reports. So if that is a case, realtime monitoring for report events would work.

Josh Birk:
Right. Any other general tips and tricks for platform security you want to throw out?

Jagannathan Padmanabhan:
I would say since we all know, right, we are going to get rid of profiles in the near future, a forward-looking statement, so-

Josh Birk:
Right.

Jagannathan Padmanabhan:
So permission still plays a vital role, so I would highly encourage our customers to make use of permission set and make it more granular. Make use of features like mute permission set, and then permission set expiration so that you will have a better control about giving granular permissions.

Josh Birk:
Got it. Touch a little bit more on that. So, if I currently have code relying on profiles, is this change going to force me to migrate my code to update my code?

Jagannathan Padmanabhan:
Oh yeah, down the lane we need to think about alternatives, like can we leverage custom permissions for an example? We need to think through other aspects of it.

Josh Birk:
And that’s our show. Now before we go, I did ask after Jagannathan’s favorite non-technical hobby.

Jagannathan Padmanabhan:
Oh yeah. So, I love playing badminton indoor one.

Josh Birk:
Nice.

Jagannathan Padmanabhan:
So, whenever I get time, I’ll just go there and play for one or two hours.

Josh Birk:
I want to thank Jagannathan for the great conversation and information. And as always, I want to thank you for listening. Now, if you want to learn more about this show, head on over to developer.salesforce.com/podcast where you can hear old episodes, see the show notes, and it links to your favorite podcast service. Thanks again, everybody. I’ll talk to you next week.

 Get notified of new episodes with the new Salesforce Developers Slack app.