Editor's note: This guide draws on roughly 1,000 Salesforce permission audits Clientell has run on production orgs across mid-market and enterprise. The numbers cited (26% SysAdmin rate, 234 unused permsets, 14 Integration Users with admin, 62 inactive licensed users) are median patterns from that dataset. Every claim is from real audit findings, not theoretical benchmarks.
TLDR
- 26% of Salesforce users hold System Administrator in the median 4-year-old mid-market org we audit. The healthy benchmark is under 5%.
- 234 unused permission sets clutter the typical org's permission model. Each is technical debt that obscures the actual access landscape.
- 14 Integration Users with System Admin profile is the median count. Each is a permanent backdoor with no audit trail.
- 62 inactive users still consume paid licenses while continuing to hold their permissions. Reactivation risk + license waste in one finding.
- Every finding maps to SOC 2 CC6.x, ISO 27001 A.9.x, GDPR Article 32, HIPAA 164.312, or NIST CSF PR.AC. Pair with your existing compliance program for evidence collection.
Why Salesforce permissions go wrong
Salesforce has a sophisticated access model: profiles, permission sets, permission set groups, role hierarchies, sharing rules, manual record sharing, OWD settings, field-level security. It is more granular than most enterprise systems. The granularity is also why most orgs degrade over time.
The degradation pattern is consistent across the 1,000+ orgs we audit:
Year 1: Implementation partner sets up 8-12 profiles and a handful of permission sets. Permissions are tight. Everything is documented.
Year 2: A project requires "temporary" admin access for 3 users. Nobody revokes it afterwards. A consulting partner gets a System Administrator profile. A Marketing-Ops contractor needs to see Lead data and is granted broad View All Data.
Year 3: A migration to a new product creates Integration Users with System Admin "because it was easier than scoping". A new admin clones an existing profile rather than using permission sets. The profile count crosses 25.
Year 4: Nobody on the team has the complete map of who has access to what. The permission set count is in the hundreds. SOC 2 audit is in 6 months. This is when most teams discover Clientell.
The audit catches this exact degradation. The cleanup is faster than starting over.
What the audit measures
Six dimensions, all measurable via the SetupAuditTrail and metadata graph:
1. Profile hygiene
Profile count, distribution of users across profiles, percentage of users on System Administrator, and over-permission patterns (profiles with both "Modify All Data" and "View All Data" without justification).
Median findings:
- 32 profiles (healthy: under 25)
- 47 users (26%) on System Administrator (healthy: under 5%)
- 11 profiles with overlapping permission scope (candidates for consolidation)
2. Permission set hygiene
Total permission set count, percentage assigned to active users, naming convention adherence, and the gap between intended and actual access from permset assignment.
Median findings:
- 287 permission sets total
- 234 unused (no users assigned in 12+ months)
- 53 actively used
- Permission Set Groups: 4 (best practice would be 12+)
3. Integration user least-privilege
Number of Integration Users, profile assignments, actual API call patterns, and the gap between what they can do and what they actually need to do.
Median findings:
- 8 Integration Users total
- 14 of them (often shared across multiple integrations) hold System Administrator
- Only 3 need that level of access based on actual API call patterns
4. Inactive user license consumption
Users with paid licenses who have not logged in for 30/60/90 days, separated by role to distinguish seasonal patterns from true reclamation candidates.
Median findings:
- 62 inactive users (no login in 90+ days) still licensed
- 178 active users total
- License waste from inactive users: ~$11K/year per 100 dormant Sales Cloud seats
5. Role hierarchy + sharing
Visual map of role hierarchy, orphan roles (zero users, zero children), sharing rule scope analysis, and OWD configuration review.
Median findings:
- 47 role nodes, 6 orphan
- 28 sharing rules with overlapping or redundant scope
- OWD set to Public Read/Write on 3 standard objects that should be Private
6. Sensitive field protection
Field-level security on PII, PHI, and financial fields. Encryption status. Audit logging coverage.
Median findings:
- 14 PII fields without explicit FLS restriction
- 6 PHI fields without encryption (in HIPAA-relevant orgs)
- 4 financial fields visible to all profiles (should be Sales-only)
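As an added illustration (not Clientell's tooling and not code from this page), the Python below computes three of the dimensions above, the System Administrator rate, unused permission sets and inactive licensed users, from rows shaped like Salesforce REST API query results. The sample rows are constructed, and "unused" is approximated as zero active assignees because a point-in-time query cannot see the 12-month assignment history the page refers to.

```python
from datetime import datetime, timedelta, timezone

# SOQL the rows come from (standard User, PermissionSet and PermissionSetAssignment
# objects, queried with a read-only API user).
SOQL_USERS = ("SELECT Id, Profile.Name, IsActive, LastLoginDate "
              "FROM User WHERE UserType = 'Standard'")
SOQL_PERMSETS = "SELECT Id, Name FROM PermissionSet WHERE IsOwnedByProfile = false"
SOQL_ASSIGNMENTS = "SELECT PermissionSetId, AssigneeId FROM PermissionSetAssignment"

def parse_sf_datetime(value):
    """Salesforce returns ISO-8601 such as 2024-06-01T08:00:00.000+0000."""
    return None if value is None else datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def sysadmin_rate(users):
    """Share of active users on the System Administrator profile (page benchmark: under 5%)."""
    active = [u for u in users if u["IsActive"]]
    admins = [u for u in active if u["Profile"]["Name"] == "System Administrator"]
    return len(admins) / len(active) if active else 0.0

def unused_permission_sets(permsets, assignments, users):
    """Permission sets with no assignment to any active user. Assumption: the page's
    '12+ months' window needs assignment history, which a point-in-time query lacks,
    so 'zero active assignees' is used as the proxy."""
    active_ids = {u["Id"] for u in users if u["IsActive"]}
    used = {a["PermissionSetId"] for a in assignments if a["AssigneeId"] in active_ids}
    return sorted(p["Name"] for p in permsets if p["Id"] not in used)

def inactive_licensed_users(users, now, days=90):
    """Active (licensed) users with no login in `days` days, or never (page threshold: 90+)."""
    cutoff = now - timedelta(days=days)
    def stale(u):
        last = parse_sf_datetime(u["LastLoginDate"])
        return last is None or last < cutoff
    return [u["Id"] for u in users if u["IsActive"] and stale(u)]

# Constructed sample rows shaped like REST API query results (not from a real org).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
USERS = [
    {"Id": "005A", "Profile": {"Name": "System Administrator"}, "IsActive": True,
     "LastLoginDate": "2024-12-30T08:00:00.000+0000"},
    {"Id": "005B", "Profile": {"Name": "Standard User"}, "IsActive": True,
     "LastLoginDate": "2024-06-01T08:00:00.000+0000"},  # no login in 90+ days
    {"Id": "005C", "Profile": {"Name": "Standard User"}, "IsActive": True,
     "LastLoginDate": None},                             # licensed, never logged in
    {"Id": "005D", "Profile": {"Name": "System Administrator"}, "IsActive": False,
     "LastLoginDate": "2023-01-01T08:00:00.000+0000"},  # already deactivated, ignored
]
PERMSETS = [{"Id": "0PSA", "Name": "Export_Reports"}, {"Id": "0PSB", "Name": "Legacy_Migration"}]
ASSIGNMENTS = [{"PermissionSetId": "0PSA", "AssigneeId": "005A"},
               {"PermissionSetId": "0PSB", "AssigneeId": "005D"}]  # only a deactivated user
```

On the sample data one of three active users is a System Administrator (33%, against the under-5% benchmark), Legacy_Migration is flagged as unused, and 005B and 005C are the inactive licensed users.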
The compliance framework mapping
The audit makes the findings auditor-ready by mapping each to relevant controls:
| Audit finding | SOC 2 | ISO 27001 | GDPR | HIPAA | NIST CSF |
|---|---|---|---|---|---|
| Excessive SysAdmin grants | CC6.1, CC6.3 | A.9.2.3 | Art. 32 | 164.312(a)(1) | PR.AC-1 |
| Integration User over-permission | CC6.1, CC6.6 | A.9.2.6 | Art. 32 | 164.312(a)(1) | PR.AC-4 |
| Unused permission sets | CC6.3 (cleanup hygiene) | A.9.2.5 | Art. 5(1)(c) | n/a | PR.AC-4 |
| Inactive user licenses | CC6.2 | A.9.2.5 | Art. 5(1)(c) | n/a | PR.AC-4 |
| Sensitive field FLS gaps | CC6.7 | A.8.2.3 | Art. 5(1)(f), Art. 32 | 164.312(c) | PR.DS-1 |
| OWD Public Read/Write on sensitive objects | CC6.1 | A.8.2.3 | Art. 32 | 164.312(c) | PR.DS-1 |
For SOC 2 audit prep, the audit produces an evidence packet per finding showing the live Salesforce configuration that satisfies (or fails to satisfy) the control.
How to run the audit
Three options, ranked by speed and depth:
Option 1: Free automated audit (10 minutes)
Run the Clientell Permissions Audit. Connect a read-only OAuth user; the scan completes in 10 minutes and the full report ships within 24 hours.
Deliverables:
- Per-user risk score (0-100)
- Effective access report per user with source attribution
- Profile consolidation plan
- Stale permset cleanup queue
- Compliance framework mapping
- Sandbox-tested one-click fix per finding
Option 2: Manual audit with the checklist (4-6 hours)
Use the 38-point Salesforce Permissions Audit Checklist. Walk through Setup yourself, score each check, document findings. Slower than the automated audit but useful if you want to learn the patterns in depth.
Option 3: Consulting-led audit ($5K-$25K, 2-6 weeks)
Big-4 firms and Salesforce partners offer paid permission audits. Often more thorough than the manual checklist but slower and significantly more expensive than Clientell's free version. Reserve for the deepest compliance prep (SOC 2 Type II first-time certification).
What to do with the findings
The reclamation work is staged:
Week 1: Quick wins (low risk, high impact)
- Deactivate 62 inactive users (after record reassignment)
- Archive 234 unused permission sets (after dependency check)
- Tighten FLS on the 14 unprotected PII fields
Week 2: Profile consolidation
- Map the 32 existing profiles to a target set of 10-12 consolidated profiles
- Stage the migration in sandbox first
- Move users one profile-group at a time to production
Week 3: Integration user least-privilege
- For each of the 14 Integration Users with admin, define the minimum permission set
- Test the integration in sandbox with the reduced permset
- Promote to production with monitoring on failure paths
Week 4: OWD + sharing rule cleanup
- Tighten OWD on the 3 over-permissive standard objects
- Document the legitimate sharing rules
- Remove redundant or scope-overlapping sharing rules
By end of week 4, the median org moves from 19/38 on the checklist to 33+/38. SOC 2 audit prep that previously required a Big-4 engagement now happens internally.
Common questions
Q: How is this different from Salesforce Shield?
Shield is a paid Salesforce product with Event Monitoring, Platform Encryption, and Field Audit Trail. The permissions audit measures whether your current configuration (with or without Shield) meets framework controls. Use Shield for the underlying capabilities; use the audit for the assurance that your configuration uses them correctly.
Q: Will deactivating idle users break anything?
The audit identifies record-reassignment and Apex-reference risks before you deactivate. The sandbox dry-run catches anything missed. Done in this order, deactivation is safe and reversible.
Q: Does this work for Salesforce orgs with Communities or Experience Cloud?
Yes. External users (Customer Community Plus, Partner Community) have their own permission model and the audit covers both internal and external user surfaces separately.
Q: How often should the audit be run?
Continuously. The Clientell agent runs incremental scans daily. For manual workflows, quarterly is the practical minimum. Annual-only audits catch problems months after they appear.
Q: What about Agentforce and permission inheritance?
Critical question. Agentforce agents inherit the permissions of their runtime user. If that user can Modify All Data, the agent can too. The Agentforce Readiness Audit measures Permission Hygiene as one of four AI-killer dimensions specifically for this reason.
The audit before the audit
The free Clientell permissions audit costs you 10 minutes of OAuth setup and produces the same depth of finding as a $25K consulting engagement. Run it before your next SOC 2 audit, before your next Agentforce launch, before your next compliance review.
The teams that catch these patterns early treat them as ongoing hygiene. The teams that wait treat them as emergencies during external audit. Either way, the findings are the same. The choice is whether you find them, or they find you.
Run the free Permissions Audit and start with the 38-point checklist.
FAQ
Is the permissions audit really free? Yes. The scan, risk roster, effective-access reports, profile consolidation plan, stale-permset queue, and compliance framework mapping are all free with no paid engagement required.
How long does the scan take? 10 minutes for the scan itself. 24 hours for the full annotated remediation packet.
What permissions does the audit need to scan my org? A read-only OAuth user with API access plus Setup Audit Trail read permission. We do not write to your org during the scan.
Is Clientell SOC 2 compliant? Yes, SOC 2 Type II.
Can I export the findings for my SOC 2 auditor? Yes. Auditor-evidence-ready exports per control are part of the deliverables.
What if my org has 1,000+ users? The audit scales. The 10-minute scan time is independent of user count. Mid-market and large enterprise scans complete in the same window.
