High-Risk Permissions

System permissions in Salesforce are modelled in SFHound as edge types from SFProfile or SFPermissionSet to the central SFOrganization node. This makes risk stratification and Cypher-based detection straightforward.


Tier Zero — Org compromise

These permissions individually enable an attacker to fully compromise the Salesforce org. Users holding any of them through any assignment chain should be treated as Tier Zero principals.

Define Tier Zero in BloodHound

Paste this Cypher rule in BloodHound CE under Configuration → Tier Zero → Custom Cypher Rule:

MATCH (u:SFUser)-[:AssignedProfile|AssignedPermissionSet]->(ps)-[:ModifyAllData|ManageUsers|ManageProfilesPermissionsets|AuthorApex|CustomizeApplication|ManageSharing]->(:SFOrganization)
WHERE ps:SFProfile OR ps:SFPermissionSet
RETURN DISTINCT u;

Tier Zero permission details

ModifyAllData Critical

Grants the ability to read, edit, and delete every record in the org, regardless of sharing rules, OWD, or role hierarchy.

Abuse: Use the REST API to bulk-export or overwrite all records. Combined with ApiEnabled, a compromised service account can exfiltrate the entire org via SOQL or Bulk API.

MITRE ATT&CK: T1078 (Valid Accounts), T1567 (Exfiltration Over Web Service)

Remediation:

  • Audit with: MATCH (ps)-[:ModifyAllData]->(org:SFOrganization) RETURN ps.name
  • Remove from all non-administrator Profiles and Permission Sets.
  • Ensure service accounts with ApiEnabled do not also hold ModifyAllData.

AuthorApex Critical

Grants the ability to create and deploy Apex code — arbitrary server-side execution within the Salesforce platform.

Abuse: Deploy a trigger or scheduled job that creates an admin user or exfiltrates data asynchronously via HttpCallout. Apex runs in a privileged system context that bypasses most sharing and FLS checks.

MITRE ATT&CK: T1059 (Command and Scripting Interpreter)

Remediation:

  • Restrict AuthorApex to named developers with change-management oversight.
  • Audit all Apex classes deployed in the last 30 days.

ManageUsers Critical

Grants the ability to create, edit, activate, and deactivate user records.

Abuse: Create a new System Administrator user or re-activate a dormant admin account to obtain persistent privileged access.

MITRE ATT&CK: T1136 (Create Account), T1098 (Account Manipulation)

Remediation:

  • Assign only to HR/admin systems via dedicated Permission Sets.
  • Monitor UserLogin and User audit events in the Event Log.

ManageProfilesPermissionsets Critical

Grants the ability to create and edit Profiles and Permission Sets.

Abuse: Add ModifyAllData or AuthorApex to a low-privilege Permission Set, then assign that set to a compromised user — effectively self-escalating.

MITRE ATT&CK: T1484 (Domain Policy Modification)

Remediation:

  • Treat as equivalent to ModifyAllData.
  • Audit who holds this permission weekly.

CustomizeApplication High

Grants the ability to customise application metadata: add fields, modify page layouts, create flows, and edit validation rules.

Abuse: Create a malicious Flow that silently exfiltrates data on every record save, or add a hidden formula field that routes sensitive data to an external callout.

MITRE ATT&CK: T1137 (Office Application Startup — analogous platform persistence)


ManageSharing High

Grants the ability to modify sharing rules and Organisation-Wide Defaults.

Abuse: Change a private object’s OWD to “Public Read/Write”, instantly exposing all records to all users without any further permission changes.

MITRE ATT&CK: T1078.004 (Cloud Accounts)


Tier Zero — Object access

You can also define Tier Zero users based on access to your highest-value SObjects:

MATCH (u:SFUser)-[:AssignedProfile|AssignedPermissionSet|AssignedPermissionSetGroup|HasPermissionSet|IncludesPermissionSet*1..5]->(ps)-[:CanCreate|CanRead|CanEdit|CanDelete|CanViewAll|CanModifyAll]->(obj:SFSObject)
WHERE obj.name IN ["SECRETDATA__C", "SENSITIVEDATA__C"]
AND (ps:SFPermissionSet OR ps:SFProfile)
RETURN DISTINCT u;

Replace "SECRETDATA__C" and "SENSITIVEDATA__C" with your actual SObject API names.


Tier Zero — Field access

For crown-jewel fields specifically:

MATCH (u:SFUser)-[:AssignedProfile|AssignedPermissionSet|AssignedPermissionSetGroup|HasPermissionSet|IncludesPermissionSet|CanCreate|CanRead|CanEdit|CanDelete|CanViewAll|CanModifyAll|IsVisible|ReadOnly|Contains*1..10]->(f:SFField)
WHERE f.name IN ["SECRETDATA__C.HIGHLYSENSITIVEFIELD__C","SENSITIVEDATA__C.HIGHLYSENSITIVEFIELD__C"]
RETURN DISTINCT u
LIMIT 1000;

Medium-risk permissions

Permission | Risk | Notes
ManageRoles | 🟠 Medium | Can restructure the role hierarchy, changing record visibility for all users below the modified node
ManageTranslation | 🟠 Medium | Can rename fields and labels org-wide — useful for in-app social-engineering phishing
ViewAllData | 🔴 High | Read-only equivalent of ModifyAllData — exfiltration risk
ApiEnabled | ℹ️ Info | Required for any programmatic access; escalates the impact of all other permissions
EditTask | 🟡 Low | Sharing-gated; blast radius expands significantly when combined with ViewAllData
EditEvent | 🟡 Low | Sharing-gated via the ControlledByParent OWD

Detection queries

All users with any Tier Zero permission

MATCH p=(u:SFUser)-[:AssignedProfile|AssignedPermissionSet|AssignedPermissionSetGroup|HasPermissionSet|IncludesPermissionSet*1..5]->(ps)-[r:ModifyAllData|ManageSharing|ManageProfilesPermissionsets|CustomizeApplication|AuthorApex|ManageUsers|ManageRoles|ViewAllData]->(org:SFOrganization)
WHERE (ps:SFProfile OR ps:SFPermissionSet)
AND u <> org
RETURN p
LIMIT 1000

Permission set count per user (identify over-privileged users)

MATCH (u:SFUser)-[:AssignedPermissionSet]->(ps:SFPermissionSet)
RETURN u.name, COUNT(ps) AS PermSetCount
ORDER BY PermSetCount DESC
LIMIT 50

Service accounts with high-risk permissions (username contains “api”, “int” or “service”)

MATCH (u:SFUser)-[:AssignedProfile|AssignedPermissionSet]->(ps)-[perm:ModifyAllData|AuthorApex|ManageUsers]->(org:SFOrganization)
WHERE toLower(u.Username) CONTAINS 'api'
OR toLower(u.Username) CONTAINS 'int'
OR toLower(u.Username) CONTAINS 'service'
RETURN u.name, u.Username, type(perm) AS DangerousPermission
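The Tier Zero rule and the detection queries above all express the same idea: walk every assignment chain from a user (including permission set groups and the permission sets they include, hence the *1..5 variable-length pattern) to a Profile or Permission Set, then check which permission edges that container has to the SFOrganization node. The following Python model reproduces that traversal offline so the logic can be checked without a Neo4j instance. It is an added example, not SFHound's or BloodHound's own code; the node labels and edge types are taken from this page, the sample org is constructed for the example, and modelling ApiEnabled as an edge to SFOrganization (like the other system permissions) is an assumption based on the page's modelling note.

```python
"""Offline model of the SFHound graph behind the Tier Zero queries (added example).

Node labels and edge types follow the page: SFUser, SFProfile, SFPermissionSet,
SFPermissionSetGroup, SFOrganization; AssignedProfile, AssignedPermissionSet,
AssignedPermissionSetGroup, HasPermissionSet, IncludesPermissionSet, and the
permission edges (ModifyAllData, ManageUsers, ...). The sample org is constructed.
"""
from collections import defaultdict, deque

# The six permissions the page's Tier Zero Cypher rule matches on.
TIER_ZERO_PERMS = {
    "ModifyAllData", "ManageUsers", "ManageProfilesPermissionsets",
    "AuthorApex", "CustomizeApplication", "ManageSharing",
}
# Edge types that carry a grant from a user towards a Profile / Permission Set.
ASSIGNMENT_EDGES = {
    "AssignedProfile", "AssignedPermissionSet", "AssignedPermissionSetGroup",
    "HasPermissionSet", "IncludesPermissionSet",
}
CONTAINER_LABELS = {"SFProfile", "SFPermissionSet"}
MAX_HOPS = 5  # mirrors the *1..5 bound in the Cypher detection query


class Graph:
    def __init__(self):
        self.labels = {}                # node id -> label
        self.out = defaultdict(list)    # node id -> [(edge type, destination)]

    def add_node(self, node_id, label):
        self.labels[node_id] = label

    def add_edge(self, src, edge_type, dst):
        self.out[src].append((edge_type, dst))


def reachable_containers(graph, user, max_hops=MAX_HOPS):
    """Profiles and Permission Sets reachable from `user` over assignment edges
    within `max_hops` hops (group -> included-set chains are followed)."""
    depth = {user: 0}
    queue = deque([user])
    found = set()
    while queue:
        node = queue.popleft()
        if depth[node] >= max_hops:
            continue
        for edge_type, dst in graph.out[node]:
            if edge_type not in ASSIGNMENT_EDGES:
                continue
            if graph.labels.get(dst) in CONTAINER_LABELS:
                found.add(dst)
            if dst not in depth:
                depth[dst] = depth[node] + 1
                queue.append(dst)
    return found


def org_permissions(graph, container):
    """Permission edge types from a container to the SFOrganization node."""
    return {edge_type for edge_type, dst in graph.out[container]
            if graph.labels.get(dst) == "SFOrganization"}


def effective_permissions(graph, user):
    """Union of org-level permissions over every reachable container."""
    perms = set()
    for container in reachable_containers(graph, user):
        perms |= org_permissions(graph, container)
    return perms


def tier_zero_users(graph):
    """Equivalent of the page's Tier Zero Cypher rule."""
    return sorted(u for u, label in graph.labels.items()
                  if label == "SFUser" and effective_permissions(graph, u) & TIER_ZERO_PERMS)


def api_enabled_with_modify_all(graph):
    """Users holding both ApiEnabled and ModifyAllData: the combination the
    page says service accounts should never have (ApiEnabled edge assumed)."""
    return sorted(u for u, label in graph.labels.items()
                  if label == "SFUser"
                  and {"ApiEnabled", "ModifyAllData"} <= effective_permissions(graph, u))


def build_sample_org():
    """Constructed sample: one org, four users, a nested permission set group."""
    g = Graph()
    g.add_node("org", "SFOrganization")
    for node_id, label in [("alice", "SFUser"), ("bob", "SFUser"),
                           ("svc_api", "SFUser"), ("carol", "SFUser"),
                           ("Standard User", "SFProfile"),
                           ("Integration Profile", "SFProfile"),
                           ("Sales Ops Group", "SFPermissionSetGroup"),
                           ("Sales Ops Base", "SFPermissionSet"),
                           ("User Admin", "SFPermissionSet"),
                           ("Read Everything", "SFPermissionSet")]:
        g.add_node(node_id, label)
    # alice: plain profile, API access only -> not Tier Zero
    g.add_edge("alice", "AssignedProfile", "Standard User")
    g.add_edge("Standard User", "ApiEnabled", "org")
    # bob: Tier Zero only through a 3-hop chain (group -> set -> set)
    g.add_edge("bob", "AssignedPermissionSetGroup", "Sales Ops Group")
    g.add_edge("Sales Ops Group", "IncludesPermissionSet", "Sales Ops Base")
    g.add_edge("Sales Ops Base", "IncludesPermissionSet", "User Admin")
    g.add_edge("User Admin", "ManageUsers", "org")
    # svc_api: integration profile holding ModifyAllData and ApiEnabled
    g.add_edge("svc_api", "AssignedProfile", "Integration Profile")
    g.add_edge("Integration Profile", "ModifyAllData", "org")
    g.add_edge("Integration Profile", "ApiEnabled", "org")
    # carol: ViewAllData is High in the table but not in the Tier Zero rule
    g.add_edge("carol", "AssignedPermissionSet", "Read Everything")
    g.add_edge("Read Everything", "ViewAllData", "org")
    return g


if __name__ == "__main__":
    sample = build_sample_org()
    print("Tier Zero users:", tier_zero_users(sample))
    print("ApiEnabled + ModifyAllData:", api_enabled_with_modify_all(sample))
```

Running the block lists bob and svc_api as Tier Zero (bob only because the traversal follows the group into its nested permission sets, which a single-hop query would miss) and flags svc_api for the ApiEnabled plus ModifyAllData combination. Carol's ViewAllData is deliberately left outside the Tier Zero set, matching the page's rule, so if your org treats bulk read as org compromise, add it to the Cypher rule and to TIER_ZERO_PERMS together.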

Remediation checklist

  • Run the Tier Zero Cypher query and review all returned users
  • Verify each assignment has a documented business justification
  • Separate ModifyAllData from ApiEnabled — service accounts should never need both
  • Enforce MFA on all Tier Zero users via login policies
  • Enable enhanced transaction security policies for high-risk permissions
  • Set up SIEM alerting on PermissionSet changes via the Salesforce Event Log