SOC 2 Controls

This page lists SBS controls tagged for this regulation or framework. The mappings are indicative only and help readers identify controls that directly support demonstrating compliance.

These entries are an index into the benchmark. The canonical control content remains on the benchmark pages.

  • Total tagged controls: 33
  • Benchmark sections represented: 8

Controls By Benchmark Section

Access Controls

12 control(s) in this benchmark section.

SBS-ACS-001: Enforce a Documented Permission Set Model

Severity: High

Control Statement: All permission sets, permission set groups, and profiles must conform to a documented model maintained in a system of record and enforced continuously.

Why tagged: SOC 2 requires logical access controls and identity and access management; a permission set model is foundational to IAM.

SBS-ACS-002: Documented Justification for All API-Enabled Authorizations

Severity: High

Control Statement: Every authorization granting the API Enabled permission must have documented business or technical justification recorded in a system of record.

Why tagged: IAM and logical access require documented justification for API and bulk access capabilities.

SBS-ACS-003: Documented Justification for Approve Uninstalled Connected Apps Permission

Severity: Critical

Control Statement: The Approve Uninstalled Connected Apps permission must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Logical access controls must restrict which applications users can authorize to access the system.

SBS-ACS-004: Documented Justification for All Super Admin–Equivalent Users

Severity: High

Control Statement: All users with simultaneous View All Data, Modify All Data, and Manage Users permissions must be documented in a system of record with clear business or technical justification.

Why tagged: Identity and access management requires documented justification for privileged and administrative access.

SBS-ACS-005: Only Use Custom Profiles for Active Users

Severity: High

Control Statement: All active users must be assigned custom profiles. The out-of-the-box standard profiles must not be used.

Why tagged: Logical access must be defined and controlled by the organization rather than by default configurations.

SBS-ACS-006: Documented Justification for Use Any API Client Permission

Severity: Critical

Control Statement: The Use Any API Client permission, which bypasses default behavior in orgs with "API Access Control" enabled, must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Logical access must restrict which clients can access the system; bypass must be justified and limited.

SBS-ACS-007: Maintain Inventory of Non-Human Identities

Severity: High

Control Statement: Organizations must maintain an authoritative inventory of all non-human identities, including integration users, automation users, bot users, and API-only accounts.

Why tagged: Identity management requires an authoritative inventory of all identities with system access.

SBS-ACS-008: Restrict Broad Privileges for Non-Human Identities

Severity: High

Control Statement: Non-human identities must not be assigned permissions that bypass sharing rules or grant administrative capabilities unless documented business justification exists.

Why tagged: IAM requires least privilege for all identities, including integration and system accounts.

SBS-ACS-009: Implement Compensating Controls for Privileged Non-Human Identities

Severity: Moderate

Control Statement: Non-human identities with permissions that bypass sharing rules or grant administrative capabilities must have compensating controls implemented to mitigate risk.

Why tagged: Layered controls for privileged and system accounts are expected for logical access and IAM.

SBS-ACS-010: Enforce Periodic Access Review and Recertification

Severity: Moderate

Control Statement: All user access and configuration influencing permissions and sharing must be formally reviewed and recertified at least annually by designated business stakeholders, with documented approval and remediation of unauthorized or excessive access.

Why tagged: Periodic review of access and removal of inappropriate access are required IAM controls.

SBS-ACS-011: Enforce Governance of Access and Authorization Changes

Severity: High

Control Statement: All changes to Salesforce user access and authorization must be governed through a documented process that requires approval, records business justification, and produces an auditable record of the change.

Why tagged: IAM and change management require approval and audit trail for access and authorization changes.

SBS-ACS-012: Classify Users for Login Hours Restrictions

Severity: Moderate

Control Statement: Organizations must maintain a documented classification of users requiring login hours restrictions or equivalent off-hours authentication monitoring.

Why tagged: Logical access controls may include time-based restrictions or monitoring for sensitive roles.

Authentication

4 control(s) in this benchmark section.

SBS-AUTH-001: Enable Organization-Wide SSO Enforcement Setting

Severity: Critical

Control Statement: Salesforce production orgs must enable the org-level setting that disables Salesforce credential logins for all users.

Why tagged: Logical access and identity management require centralized authentication and credential control.

SBS-AUTH-002: Govern and Document All Users Permitted to Bypass Single Sign-On

Severity: Moderate

Control Statement: All users who do not have the "Is Single Sign-On Enabled" permission must be explicitly authorized, documented in a system of record, and limited to approved administrative or break-glass use cases.

Why tagged: IAM requires documented governance of identity and access exceptions.

SBS-AUTH-003: Prohibit Broad or Unrestricted Profile Login IP Ranges

Severity: Moderate

Control Statement: Profiles in Salesforce production orgs must not contain login IP ranges that effectively permit access from the full public internet or other overly broad ranges that bypass network-based access controls.

Why tagged: Logical access controls may include network or location-based restrictions.

SBS-AUTH-004: Enforce Strong Multi-Factor Authentication for External Users with Substantial Access to Sensitive Data

Severity: Critical

Control Statement: All Salesforce interactive authentication flows for external human users with substantial access to sensitive data must enforce multi-factor authentication that includes at least one strong authentication factor.

Why tagged: Identity and access management requires multi-factor authentication for sensitive access.

Customer Portals

3 control(s) in this benchmark section.

SBS-CPORTAL-001: Prevent Insecure Direct Object Reference (IDOR) in Portal Apex

Severity: Critical

Control Statement: All Apex methods exposed to Experience Cloud or customer portal users must enforce server-side authorization for every record accessed or modified. User-supplied parameters (including record IDs, filters, field names, or relationship references) must not be trusted as the basis for access control and must be validated against the running user's sharing, CRUD, and FLS permissions before use.

Why tagged: Logical access controls must enforce authorization on every data access.

SBS-CPORTAL-002: Restrict Guest User Record Access

Severity: Critical

Control Statement: Unauthenticated guest users in customer portals must be restricted to authentication and registration flows only, with no direct access to business objects or custom Apex methods that query organizational data.

Why tagged: Logical access must restrict guest and anonymous access to business data.

SBS-CPORTAL-004: Prevent Parameter-Based Record Access in Portal-Exposed Flows

Severity: Critical

Control Statement: Autolaunched Flows exposed to customer portal users must not accept user-supplied input variables that directly determine which records are accessed.

Why tagged: Logical access controls must enforce authorization in all portal-exposed components.

Deployments

4 control(s) in this benchmark section.

SBS-DEP-001: Require a Designated Deployment Identity for Metadata Changes

Severity: High

Control Statement: Salesforce production orgs must designate a single deployment identity that is exclusively used for all metadata deployments and high-risk configuration changes performed through automated or scripted release processes.

Why tagged: Logical access and change accountability require production changes to be traceable to a controlled service identity.

SBS-DEP-002: Establish and Maintain a List of High-Risk Metadata Types Prohibited from Direct Production Editing

Severity: High

Control Statement: Salesforce production orgs must maintain an explicit list of high-risk metadata types that must never be edited directly in production by human users, defaulting at minimum to the SBS baseline list while allowing organizations to extend or refine it as needed.

Why tagged: Logical access governance requires explicit restrictions on direct edits to sensitive production configuration.

SBS-DEP-003: Monitor and Alert on Unauthorized Modifications to High-Risk Metadata

Severity: High

Control Statement: Salesforce production orgs must implement a monitoring capability that detects and reports any modification to high-risk metadata performed by a user other than the designated deployment identity.

Why tagged: Monitoring change activity to detect unauthorized modification of security-sensitive configuration is expected evidence for controlled operations.

SBS-DEP-006: Configure Salesforce CLI Connected App with Token Expiration Policies

Severity: High

Control Statement: Organizations must configure the Connected App used for Salesforce CLI authentication with refresh token expiration of 90 days or less and access token timeout of 15 minutes or less.

Why tagged: Identity and access management requires controlled token lifetime and session duration for CLI-based administrative access.

Event Monitoring

2 control(s) in this benchmark section.

SBS-MON-003: Monitor for Suspicious Logins

Severity: High

Control Statement: Organizations must continuously monitor and alert on anomalous login patterns to promptly detect and mitigate compromised accounts and application credentials.

Why tagged: Identity and access management controls routinely expect monitoring for suspicious authentication activity.

SBS-MON-004: Monitor for Suspicious API Activity

Severity: High

Control Statement: Organizations must continuously monitor and alert on all API activity to establish a baseline, detect anomalous and malicious activity, and identify potential application and integration abuse in a timely manner.

Why tagged: Logical access and non-human identity controls routinely expect monitoring of integration and API activity for abuse.

File Security

1 control(s) in this benchmark section.

Severity: High

Control Statement: Organizations must ensure that Public Content links to sensitive content have a password.

Why tagged: Logical access controls require sensitive content shared externally to be limited to authorized recipients.

Integrations

4 control(s) in this benchmark section.

SBS-INT-001: Enforce Governance of Browser Extensions Accessing Salesforce

Severity: Moderate

Control Statement: Organizations must enforce a centrally managed mechanism that restricts which browser extensions are permitted to access Salesforce, and must not allow the use of unmanaged or uncontrolled extensions.

Why tagged: Logical access governance includes restricting unmanaged software that can interact with authenticated Salesforce sessions.

SBS-INT-002: Inventory and Justification of Remote Site Settings

Severity: Moderate

Control Statement: Organizations must maintain an authoritative inventory of all Remote Site Settings and document a business justification for each endpoint approved for Apex HTTP callouts.

Why tagged: Documented governance of approved outbound endpoints supports control over data flows to external services.

SBS-INT-003: Inventory and Justification of Named Credentials

Severity: Moderate

Control Statement: Organizations must maintain an authoritative inventory of all Named Credentials and document a business justification for each external endpoint and authentication configuration approved for use in Salesforce.

Why tagged: Documented governance of authenticated integrations supports control over which external services can be used from Salesforce.

SBS-INT-004: Retain API Total Usage Event Logs for 30 Days

Severity: High

Control Statement: The organization must retain API Total Usage event log data (EventLogFile EventType=ApiTotalUsage) for at least the immediately preceding 30 days using Salesforce-native retention or automated external export and storage.

Description:

If the organization’s Salesforce does not provide at least 30 days of ApiTotalUsage EventLogFile availability in Salesforce, the organization must automatically export newly available ApiTotalUsage event log files at least once every 24 hours to an external log store that retains a minimum of 30 days of data.

Why tagged: Logical access monitoring routinely expects retained logs of API and integration access activity.

OAuth Security

3 control(s) in this benchmark section.

SBS-OAUTH-001: Require Formal Installation of Connected Apps

Severity: Critical

Control Statement: Organizations must formally install all connected apps used for OAuth authentication rather than relying on user-authorized OAuth connections.

Why tagged: Logical access and identity management require centrally governed application access paths.

SBS-OAUTH-002: Require Profile or Permission Set Access Control for Connected Apps

Severity: Critical

Control Statement: Organizations must control access to each formally installed connected app exclusively through assigned profiles or permission sets.

Why tagged: Logical access and IAM controls require application access to be granted through explicit authorization models.

SBS-OAUTH-003: Add Criticality Classification of OAuth-Enabled Connected Apps

Severity: High

Control Statement: All OAuth-enabled Connected Apps must be recorded in an authoritative system of record and assigned a documented vendor criticality rating reflecting integration importance and data sensitivity.

Why tagged: Documented IAM and integration governance routinely expect an authoritative inventory of connected applications.