Salesforce object access auditor

Related tags

CLI Tools raccoon
Overview

Salesforce object access auditor

Released as open source by NCC Group Plc - https://www.nccgroup.com/

Developed by Jerome Smith @exploresecurity (with thanks to Viktor Gazdag @wucpi)

https://www.github.com/nccgroup/raccoon

Released under AGPL - refer to LICENSE for more information.

Description

This tool establishes which Profiles and Permissions Sets (with active users) have some combination of read/edit/delete permissions to ALL records for a given set of objects, based on their effective sharing and objects settings. From this output, misconfigurations that potentially allow excessive access to objects that hold sensitive data can be investigated. Refer to the accompanying blog post for background at https://research.nccgroup.com/2021/06/28/are-you-oversharing-in-salesforce.

It is recommended that results are verified manually with direct reference to the Salesforce configuration and/or testing of the affected Profiles and Permission Sets. Should discrepancies be found, please file an issue with as much detail as possible.

Usage

Requirements:

  • Python 3
  • The Python requests module (covered by requirements.txt)
  • A non-SSO user account with the following minimum permissions:
    • 'API Enabled'
    • 'View Setup and Configuration'
    • 'Modify Metadata Through Metadata API Functions' (see note below)
    • Read permission on all the objects to be audited (or grant 'View All Data')
  • The password for this account
  • The security token for this account (if coming from an IP address outside any defined Network Access ranges). Refer to this article for more information.

Create a JSON config file (or use config.json as a template):

{
	"hostname": "somewhere.my.salesforce.com",
	"username": "",
	"password": "",
	"token": "<optional token>",
	"objects": ["Account", "Contact"],
	"checkLimits": true,
	"debug": <optional debug level (0, 1 or 2)>
}

objects is a list of Salesforce objects of interest (Raccoon starts from the point "this is the data I care about"). Using the formal object API names will be quickest but, should a match not be found, Raccoon will try some simple matches based, for example, on the object's display label (both singular and plural) and a missing namespace. If Raccoon still fails to find a match, the program will carry on but flag this up in the output.

checkLimits allows you to check the allowance of API calls remaining for the instance under investigation within the 24-hour rolling period. Raccoon makes relatively few calls per object (in addition to a fixed number per run) but, as a courtesy, this parameter allows you to check your limits before proceeding. The default value is true. The total number of possible remaining requests at the checkpoint is not certain because the number of calls will depend on how many objects have a 'Controlled by Parent' sharing model. The stated number assumes that they all do and is thus a maximum.

Then run:

git clone https://github.com/nccgroup/raccoon
pip3 install -r requirements.txt
python3 raccoon.py <config_file>

Output

Sample (abridged and anonymised) output:

Raccoon - Salesforce object access auditor
- version 1.0
- https://www.github.com/nccgroup/raccoon
* Refer to README for usage notes including important limitations *

Target instance: somewhere.my.salesforce.com
- Login successful

4,969,529 API requests can be sent to this instance from a 24-hour limit of 5,000,000
- Up to 33 further requests are required to complete (3 requests sent so far)
- Do you want to continue? Enter 'y' to proceed: y

Validating objects
- Found object 'Accounts' with API name 'Account'
- Found object 'Contact' with API name 'Contact'
- Found object 'Quotes' with API name 'Quote__c'
- Found object 'Quote Lines' with API name 'QuoteLine__c'

Evaluating 28 Profiles and 104 Permission Sets
- Profiles with active users: 15
- Permission Sets with active users: 67
- Ignoring 50 unused Profiles and Permission Sets

Global Sharing Overrides (ALL records for ALL objects)
------------------------------------------------------

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - System Administrator                              61/91                    [I]

  READ
  Profiles
  - Integration User                         [C]      1/1                      [I]
  - Analytics Cloud Integration User                  1/1                      [I]

Object Sharing (ALL records for EACH object)
--------------------------------------------

Account:
  Organization-wide default sharing
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                         [C]      1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  * Accounts PS Group                        [C]      36/39                    [I]
  - Sales Operations                         [C]      24/26                    [I]
  - SharePoint User                          [C]      3/4                      [I]

  Sharing Rules (manual check required):
  - Criteria-based rules configured
  - Ownership-based rules configured

Contact:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Account'
  - Internal: Public Read Only
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Integration User                                  1/1                      [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

  READ
  Profiles
  - Read Only                                [C]      192/199                  [I]
  - Sales User                               [C]      192/248                  [I]
  - Finance User                             [C]      16/20                    [I]
  - Standard User                                     6/3075                   [I]
  Permission Sets (* Groups)
  - Sales Operations                         [C]      24/26                    [I]

Quote__c:
  Organization-wide default sharing
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT                                  [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

QuoteLine__c:
  Organization-wide default sharing
  - Internal: Controlled by Parent
  - External: <Undefined>
  Parent object: 'Quote__c'
  - Internal: Public Read/Write
  - External: <Undefined>

  READ/EDIT/DELETE                           [C]ustom Active/Total [G]uest[E]xt[I]nt
  Profiles
  - Sales User                               [C]      192/248                  [I]

  READ
  Profiles
  - Finance User                             [C]      16/20                    [I]
  Permission Sets (* Groups)
  - Mulesoft Integration                     [C]      2/2                      [I]

Total API requests sent: 31

Raccoon only examines Profiles and Permission Sets with active users to reduce the verbosity of its output. Information about this is displayed, after which:

  • Global Sharing Overrides are displayed first since Profiles and Permission Sets that are allowed to 'View All Data' and 'Modify All Data' have rights over ALL objects.
  • Each object is then audited in turn with read+edit+delete privileges considered first, then read+edit, and lastly just read. A Profile or Permission Set is only listed once within the output - in the section containing the highest set of effective permissions. This is to avoid repetition - for example, it is implicit that a Profile with 'Modify All Data' has read+edit+delete on all the objects specified; thus, it is only shown under "Global Sharing Overrides", it is not also listed under each object's results. The only exception is when Profiles or Permission Sets with the global 'View All Data' privilege have further edit/delete permissions enabled at the object level.
  • For each object, the existence of Sharing Rules is highlighted but not qualified further.

If assignment of privileges has been granted through a Permission Set Group, as opposed to a single Permission Set, an asterisk appears as an indentation marker to the left of the name instead of the usual hyphen (Accounts PS Group in the above sample output). In addition, whether the Profile or Permission Set is custom is also shown.

For both global and object sharing, Profiles and Permission Sets are ordered to reflect the likely interest. The first level of ordering concerns which type of user is assigned - 'guest' (unauthenticated) first, followed by 'external' (various types of portal user) then 'internal' (anything else). It is important to note that 'external' here is related to the definition used in the context of the 'external sharing model' [ref]. The idea here is to highlight potentially excessive sharing for unauthenticated or portal users. However, it is somewhat experimental because the Salesforce documentation is not comprehensive in its list of valid 'UserType' values for the 'User' object [ref]. As a result, it is possible that misclassification could occur - please file an issue in such a case. The second level of ordering is based on the number of active users - highest first (the total number of assigned users is also displayed for information).

Notes

Raccoon's primary objective is to highlight instances of widespread access to all records, and it covers:

  • Master-Detail relationships where sharing is 'Controlled by Parent' (but only if there is a single Master-Detail relationship and the parent is directly above the child i.e. the parent's sharing model cannot also be 'Controlled by Parent').
  • Special 'Controlled by Parent' relationships between Contact/Order/Asset and the parent Account (which work slightly differently to the normal Master-Detail relationship). To reiterate, only Profiles and Permission Sets with active users are considered.

Other sharing operations that target only a subset of records are not considered; specifically:

  • Manual sharing configured by users on individual records
  • 'Implicit' (aka 'built-in') sharing for certain children of Account when its sharing model is Private
  • Sharing Sets
  • Share Groups
  • Sharing based on Role hierarchy As mentioned above, though, the existence of Sharing Rules for an object is checked.

Certain objects, such as 'User' and 'File', do not fit the standard sharing model and/or other system permissions come into play. Known instances are flagged in the output if they are specified in the objects list.

Instances with over 2,000 combined Profiles and Permission Sets are not supported due to platform limitations on the use of 'GROUP BY' in SOQL statements. This is a generous allowance and should only be a blocker in the most extreme cases.

Account permissions

This tool only performs read operations. It might therefore be surprising to see 'Modify Metadata Through Metadata API Functions' as a requirement for the account used to run the tool. However, at the time of writing, it does not appear possible to configure an account with read-only permissions to the Metadata API. From this:

Identify a user that has the API Enabled permission and the Modify Metadata Through Metadata API Functions permission or Modify All Data permission. These permissions are required to access Metadata API calls. If a user requires access to metadata but not to data, enable the Modify Metadata Through Metadata API Functions permission. Otherwise, enable the Modify All Data permission.

It was therefore deemed preferable to use 'Modify Metadata Through Metadata API Functions' as a minimum requirement over 'Modify All Data'.

Reporting bugs

If the problem is with login then please first double-check the hostname, username, password and security token (if required). Also consider if the password needs resetting because this case returns an error that is indistinguishable from an invalid login (check by logging into the standard Salesforce web portal).

Run the tool with debug set to 2, as the verbose output may help to identify the cause. This level also outputs a stack trace to a file named in the output. If reporting an issue, please include both the console output and stack trace (anonymise as needed).

Why 'Raccoon'?

Known for rummaging around objects.

You might also like...
PostgreSQL database access simplified

Queries: PostgreSQL Simplified Queries is a BSD licensed opinionated wrapper of the psycopg2 library for interacting with PostgreSQL. The popular psyc

Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:
Software to automate the management and configuration of any infrastructure or application at scale. Get access to the Salt software package repository here:

Latest Salt Documentation Open an issue (bug report, feature request, etc.) Salt is the world’s fastest, most intelligent and scalable automation engi

The windML framework provides an easy-to-use access to wind data sources within the Python world, building upon numpy, scipy, sklearn, and matplotlib. Renewable Wind Energy, Forecasting, Prediction

windml Build status : The importance of wind in smart grids with a large number of renewable energy resources is increasing. With the growing infrastr

An API Client package to access the APIs for NBA.com

nba_api An API Client package to access the APIs for NBA.com Development Version: v1.1.9 nba_api is an API Client for www.nba.com. This package is mea

PyMed is a Python library that provides access to PubMed.

IMPORTANT NOTE: I don't have time to maintain this library (as some of you might have noticed). The PubMed API is a little chaotic, without a clear do

PRAW, an acronym for "Python Reddit API Wrapper", is a python package that allows for simple access to Reddit's API.

PRAW: The Python Reddit API Wrapper PRAW, an acronym for "Python Reddit API Wrapper", is a Python package that allows for simple access to Reddit's AP

A minimalistic library designed to provide native access to YNAB data from Python

pYNAB A minimalistic library designed to provide native access to YNAB data from Python. Install The simplest way is to install the latest version fro

Python wrapper to access the amazon selling partner API

PYTHON-AMAZON-SP-API Amazon Selling-Partner API If you have questions, please join on slack Contributions very welcome! Installation pip install pytho

A very simple asynchronous wrapper that allows you to get access to the Oracle database in asyncio programs.

cx_Oracle_async A very simple asynchronous wrapper that allows you to get access to the Oracle database in asyncio programs. Easy to use , buy may not

Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules
Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules

About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an

PRAW, an acronym for "Python Reddit API Wrapper", is a python package that allows for simple access to Reddit's API.

PRAW: The Python Reddit API Wrapper PRAW, an acronym for "Python Reddit API Wrapper", is a Python package that allows for simple access to Reddit's AP

A Python library to access Instagram's private API.

Instagram Private API A Python wrapper for the Instagram private API with no 3rd party dependencies. Supports both the app and web APIs. Overview I wr

Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automatically use request headers such as x-request-id or x-correlation-id.

starlette context Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automat

Nginx UI allows you to access and modify the nginx configurations files without cli.
Nginx UI allows you to access and modify the nginx configurations files without cli.

nginx ui Table of Contents nginx ui Introduction Setup Example Docker UI Authentication Configure the auth file Configure nginx Introduction We use ng

keyring MITkeyring (🥉27 · ⭐ 630) - Store and access your passwords safely. MIT

The Python keyring library provides an easy way to access the system keyring service from python. It can be used in any application that needs safe pa

Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automatically use request headers such as x-request-id or x-correlation-id.

starlette context Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automat

Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automatically use request headers such as x-request-id or x-correlation-id.

starlette context Middleware for Starlette that allows you to store and access the context data of a request. Can be used with logging so logs automat

Stand-alone parser for User Access Logging from Server 2012 and newer systems
Stand-alone parser for User Access Logging from Server 2012 and newer systems

KStrike Stand-alone parser for User Access Logging from Server 2012 and newer systems BriMor Labs KStrike This script will parse data from the User Ac

Owner
NCC Group Plc
Please report all security issues to security at nccgroup dot com
NCC Group Plc
pypinfo is a simple CLI to access PyPI download statistics via Google's BigQuery.

pypinfo: View PyPI download statistics with ease. pypinfo is a simple CLI to access PyPI download statistics via Google's BigQuery. Installation pypin

Ofek Lev 351 Dec 26, 2022
Python CLI vm manager for remote access of docker images via noVNC

vmman is a tool to quickly boot and view docker-based VMs running on a linux server through noVNC without ssh tunneling on another network.

UCSD Engineers for Exploration 1 Nov 29, 2021
Objexplore is an interactive Python object explorer for the terminal.

Objexplore is an interactive Python object explorer for the terminal. Use it while debugging, or exploring a new library, or whatever! 9D1FAC73-B2A5-4

kylepollina 249 Dec 23, 2022
Understanding the field usage of any object in Salesforce

Understanding the field usage of any object in Salesforce One of the biggest problems that I have addressed while working with Salesforce is to unders

Sebastian Undurraga 1 Dec 14, 2021
A very simple Salesforce.com REST API client for Python

Simple Salesforce Simple Salesforce is a basic Salesforce.com REST API client built for Python 3.5, 3.6, 3.7 and 3.8. The goal is to provide a very lo

simple salesforce 1.4k Dec 29, 2022
Find unused resource keys in properties files in a Salesforce Commerce Cloud project and get rid of them.

Find Unused Resource Keys Find unused resource keys in properties files in a Salesforce Commerce Cloud project and get rid of them. It looks through a

Noël 5 Jan 8, 2022
Salesforce Recon and Exploitation Toolkit

Salesforce Recon and Exploitation Toolkit Salesforce Recon and Exploitation Toolkit Usage python3 main.py <URL> References Announcement Blog - https:/

null 81 Dec 23, 2022
Python library for serializing any arbitrary object graph into JSON. It can take almost any Python object and turn the object into JSON. Additionally, it can reconstitute the object back into Python.

jsonpickle jsonpickle is a library for the two-way conversion of complex Python objects and JSON. jsonpickle builds upon the existing JSON encoders, s

null 1.1k Jan 2, 2023
Convert your JSON data to a valid Python object to allow accessing keys with the member access operator(.)

JSONObjectMapper Allows you to transform JSON data into an object whose members can be queried using the member access operator. Unlike json.dumps in

Owen Trump 4 Jul 20, 2022
Tools to create pixel-wise object masks, bounding box labels (2D and 3D) and 3D object model (PLY triangle mesh) for object sequences filmed with an RGB-D camera.

Tools to create pixel-wise object masks, bounding box labels (2D and 3D) and 3D object model (PLY triangle mesh) for object sequences filmed with an RGB-D camera. This project prepares training and testing data for various deep learning projects such as 6D object pose estimation projects singleshotpose, as well as object detection and instance segmentation projects.

null 305 Dec 16, 2022