Add Salesforce FedRAMP page

maxvp · maxvp · commit 895caef784c6 · 2025-01-30T17:07:20.000-06:00
diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx
@@ -0,0 +1,80 @@
+---
+pcx_content_type: reference
+title: Salesforce (FedRAMP)
+rss: file
+head:
+  - tag: title
+    content: Salesforce (FedRAMP) - CASB
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	params={{
+		one: "Salesforce (FedRAMP)",
+		two: "FedRAMP Salesforce environment",
+	}}
+/>
+
+## Integration prerequisites
+
+- A FedRAMP-compliant Salesforce environment (most editions are compatible)
+- Permissions to a Salesforce organization with either:
+  - System Administrator permission
+  - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data
+
+## Integration permissions
+
+For the Salesforce (FedRAMP) integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:
+
+- `Manage user data via APIs (api)`
+- `Manage user data via Web browsers (web)`
+- `Perform requests at any time (refresh_token, offline_access)`
+- `Access unique user identifiers (openid)`
+
+These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm).
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	params={{ one: "Salesforce (FedRAMP)", two: "salesforce-fedramp" }}
+/>
+
+### File sharing
+
+Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.
+
+| Finding type                                                                                  | FindingTypeID                          | Severity |
+| --------------------------------------------------------------------------------------------- | -------------------------------------- | -------- |
+| Salesforce (FedRAMP): Content Document publicly accessible without a password                 | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical |
+| Salesforce (FedRAMP): Content Document publicly accessible with weak password                 | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High     |
+| Salesforce (FedRAMP): Content Document publicly accessible and password protected             | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium   |
+| Salesforce (FedRAMP): Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium   |
+| Salesforce (FedRAMP): Content Document larger than 2 GB                                       | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium   |
+
+### Account misconfigurations
+
+Discover account and admin-level settings that have been configured in an insecure way.
+
+| Finding type                                                        | FindingTypeID                          | Severity |
+| ------------------------------------------------------------------- | -------------------------------------- | -------- |
+| Salesforce (FedRAMP): Domain without HTTPS                          | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High     |
+| Salesforce (FedRAMP): Default Account record access allows edit     | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium   |
+| Salesforce (FedRAMP): Default Case record access allows edit        | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium   |
+| Salesforce (FedRAMP): Default Contact record access allows edit     | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium   |
+| Salesforce (FedRAMP): Default Lead record access allows edit        | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium   |
+| Salesforce (FedRAMP): Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium   |
+| Salesforce (FedRAMP): Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low      |
+
+### User access
+
+Flag user access issues, including account misuse and users not following best practices.
+
+| Finding type                                                          | FindingTypeID                          | Severity |
+| --------------------------------------------------------------------- | -------------------------------------- | -------- |
+| Salesforce (FedRAMP): User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium   |
+| Salesforce (FedRAMP): Inactive user                                   | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low      |
+| Salesforce (FedRAMP): User has never logged in                        | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low      |
+| Salesforce (FedRAMP): User has not logged in for 90+ days             | `8395c824-bc44-4c12-b300-40f2477384d4` | Low      |
