Salesforce object access auditor

Released as open source by NCC Group Plc - https://www.nccgroup.com/

Developed by Jerome Smith @exploresecurity (with thanks to Viktor Gazdag @wucpi)

https://www.github.com/nccgroup/raccoon

Released under AGPL - refer to LICENSE for more information.

Description

This tool establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings. From this output, misconfigurations that potentially allow excessive access to objects that hold sensitive data can be investigated. Refer to the accompanying blog post for background at https://research.nccgroup.com/2021/06/28/are-you-oversharing-in-salesforce.

It is recommended that results are verified manually with direct reference to the Salesforce configuration and/or testing of the affected Profiles and Permission Sets. Should discrepancies be found, please file an issue with as much detail as possible.

Usage

Requirements:

• Python 3
• The Python requests module (covered by requirements.txt)
• A non-SSO user account with the following minimum permissions:
  • 'API Enabled'
  • 'View Setup and Configuration'
  • 'Modify Metadata Through Metadata API Functions' (see note below)
  • Read permission on all the objects to be audited (or grant 'View All Data')
• The password for this account
• The security token for this account (if coming from an IP address outside any defined Network Access ranges). Refer to this article for more information.

Create a JSON config file (or use config.json as a template):

{
	"hostname": "somewhere.my.salesforce.com",
	"username": "",
	"password": "",
	"token": "<optional token>",
	"objects": ["Account", "Contact"],
	"checkLimits": true,
	"debug": <optional debug level (0, 1 or 2)>
}

objects is a list of Salesforce objects of interest (Raccoon starts from the point "this is the data I care about"). Using the formal object API names will be quickest but, should a match not be found, Raccoon will try some simple matches based, for example, on the object's display label (both singular and plural) and a missing namespace. If Raccoon still fails to find a match, the program will carry on but flag this up in the output.

checkLimits allows you to check the allowance of API calls remaining for the instance under investigation within the 24-hour rolling period. Raccoon makes relatively few calls per object (in addition to a fixed number per run) but, as a courtesy, this parameter allows you to check your limits before proceeding. The default value is true. The total number of possible remaining requests at the checkpoint is not certain because the number of calls will depend on how many objects have a 'Controlled by Parent' sharing model. The stated number assumes that they all do and is thus a maximum.

Then run:

git clone https://github.com/nccgroup/raccoon
pip3 install -r requirements.txt
python3 raccoon.py <config_file>

Output

Sample (abridged and anonymised) output:

Raccoon - Salesforce object access auditor
- version 1.0
- https://www.github.com/nccgroup/raccoon
* Refer to README for usage notes including important limitations *

Target instance: somewhere.my.salesforce.com
- Login successful

4,969,529 API requests can be sent to this instance from a 24-hour limit of 5,000,000
- Up to 33 further requests are required to complete (3 requests sent so far)
- Do you want to continue? Enter 'y' to proceed: y

Validating objects
- Found object 'Accounts' with API name 'Account'
- Found object 'Contact' with API name 'Contact'
- Found object 'Quotes' with API name 'Quote__c'
- Found object 'Quote Lines' with API name 'QuoteLine__c'

Evaluating 28 Profiles and 104 Permission Sets
- Profiles with active users: 15
- Permission Sets with active users: 67
- Ignoring 50 unused Profiles and Permission Sets

Global Sharing Overrides (ALL records for ALL objects)
------------------------------------------------------

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - System Administrator                              61/91                    [I]

  READ
  Profiles
  - Integration User                         [C]      1/1                      [I]
  - Analytics Cloud Integration User                  1/1                      [I]

Object Sharing (ALL records for EACH object)
--------------------------------------------

Account:
  Organization-wide default sharing
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                         [C]      1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  * Accounts PS Group                        [C]      36/39                    [I]
  - Sales Operations                         [C]      24/26                    [I]
  - SharePoint User                          [C]      3/4                      [I]

  Sharing Rules (manual check required):
  - Criteria-based rules configured
  - Ownership-based rules configured

Contact:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Account'
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                                  1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  - Sales Operations                         [C]      24/26                    [I]

Quote__c:
  Organization-wide default sharing
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT                                  [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

QuoteLine__c:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Quote__c'
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

Total API requests sent: 31

Raccoon only examines Profiles and Permission Sets with active users to reduce the verbosity of its output. Information about this is displayed, after which:

• Global Sharing Overrides are displayed first since Profiles and Permission Sets that are allowed to 'View All Data' and 'Modify All Data' have rights over ALL objects.
• Each object is then audited in turn with read+edit+delete privileges considered first, then read+edit, and lastly just read. A Profile or Permission Set is only listed once within the output - in the section containing the highest set of effective permissions. This is to avoid repetition - for example, it is implicit that a Profile with 'Modify All Data' has read+edit+delete on all the objects specified; thus, it is only shown under "Global Sharing Overrides", it is not also listed under each object's results. The only exception is when Profiles or Permission Sets with the global 'View All Data' privilege have further edit/delete permissions enabled at the object level.
• For each object, the existence of Sharing Rules is highlighted but not qualified further.

If assignment of privileges has been granted through a Permission Set Group, as opposed to a single Permission Set, an asterisk appears as an indentation marker to the left of the name instead of the usual hyphen (Accounts PS Group in the above sample output). In addition, whether the Profile or Permission Set is custom is also shown.

For both global and object sharing, Profiles and Permission Sets are ordered to reflect the likely interest. The first level of ordering concerns which type of user is assigned - 'guest' (unauthenticated) first, followed by 'external' (various types of portal user) then 'internal' (anything else). It is important to note that 'external' here is related to the definition used in the context of the 'external sharing model' [ref]. The idea here is to highlight potentially excessive sharing for unauthenticated or portal users. However, it is somewhat experimental because the Salesforce documentation is not comprehensive in its list of valid 'UserType' values for the 'User' object [ref]. As a result, it is possible that misclassification could occur - please file an issue in such a case. The second level of ordering is based on the number of active users - highest first (the total number of assigned users is also displayed for information).

Notes

Raccoon's primary objective is to highlight instances of widespread access to all records, and it covers:

• Master-Detail relationships where sharing is 'Controlled by Parent' (but only if there is a single Master-Detail relationship and the parent is directly above the child i.e. the parent's sharing model cannot also be 'Controlled by Parent').
• Special 'Controlled by Parent' relationships between Contact/Order/Asset and the parent Account (which work slightly differently to the normal Master-Detail relationship). To reiterate, only Profiles and Permission Sets with active users are considered.

Other sharing operations that target only a subset of records are not considered; specifically:

• Manual sharing configured by users on individual records
• 'Implicit' (aka 'built-in') sharing for certain children of Account when its sharing model is Private
• Sharing Sets
• Share Groups
• Sharing based on Role hierarchy As mentioned above, though, the existence of Sharing Rules for an object is checked.

Certain objects, such as 'User' and 'File', do not fit the standard sharing model and/or other system permissions come into play. Known instances are flagged in the output if they are specified in the objects list.

Instances with over 2,000 combined Profiles and Permission Sets are not supported due to platform limitations on the use of 'GROUP BY' in SOQL statements. This is a generous allowance and should only be a blocker in the most extreme cases.

Account permissions

This tool only performs read operations. It might therefore be surprising to see 'Modify Metadata Through Metadata API Functions' as a requirement for the account used to run the tool. However, at the time of writing, it does not appear possible to configure an account with read-only permissions to the Metadata API. From this:

Identify a user that has the API Enabled permission and the Modify Metadata Through Metadata API Functions permission or Modify All Data permission. These permissions are required to access Metadata API calls. If a user requires access to metadata but not to data, enable the Modify Metadata Through Metadata API Functions permission. Otherwise, enable the Modify All Data permission.

It was therefore deemed preferable to use 'Modify Metadata Through Metadata API Functions' as a minimum requirement over 'Modify All Data'.

Reporting bugs

If the problem is with login then please first double-check the hostname, username, password and security token (if required). Also consider if the password needs resetting because this case returns an error that is indistinguishable from an invalid login (check by logging into the standard Salesforce web portal).

Run the tool with debug set to 2, as the verbose output may help to identify the cause. This level also outputs a stack trace to a file named in the output. If reporting an issue, please include both the console output and stack trace (anonymise as needed).

Why 'Raccoon'?

Known for rummaging around objects.