Salesforce Winter 2023 release notes from PwC

Salesforce is a continuously improving and growing platform, and its Winter ʼ23 release once again aims to help deliver optimal performance for its users with new features. This release offers enhancements to Apex, Einstein Automate, Salesforce Flow, Lightning Experience, Customer Data Platform, CRM Analytics, APIs, Experience Cloud and Lightning Web Components, among others. To give you a concise reference for the crucial updates and new features that may most affect your organization’s controls, we analyzed this release through a privacy and security lens and narrowed it down to the following key takeaways:

Takeaway #1: Emergency access automatically removed via Permission Set expiration

Salesforce has introduced functionality to assign expiration dates to the permission sets or permission set groups provisioned to a user, which gives Salesforce administrators a way of provisioning emergency access to users. This new Winter feature works toward reducing the security risk from inappropriate access to critical applications, activities and data by enabling control over the elevated access that may be needed for production support activities.

This new feature will:

  • Allow Salesforce admins to manage the time period for which a user can have specific permissions.
  • Allow an expiration date on a permission set or permission set group. Users lose access to the permission set or group after the expiration date.

Firefighter or emergency access management is a critical function when running and maintaining an application. Administrators can start using this new feature to provision emergency access to the production environment. This functionality can help decrease the risk of excessive privilege access granted to users without a specific business or technical need.

Takeaway #2: The retirement of Process Builder and Workflow Rules may impact configurable controls implemented for compliance purposes

Workflow Rules and Process Builder functionality has been retired as part of the Winter ʼ23 release. Flow Builder (introduced in the Spring ʼ19 release) will replace these two features. Flow Builder combines the capabilities of Workflow Rules and Process Builder in a single point-and-click tool.

Companies are allowed to continue to use Process Builder and Workflow Rules until the end of 2025. However, because Process Builder and Workflow Rules are often used to implement Business Process Controls and to comply with regulations, it is critical to understand the impact that their decommissioning can have on your business.

For example, a purchase order approval process with delegation of authority built using Process Builder will need to be migrated to Flow Builder, and the updated configurations will be part of control documentation.

To enable a smooth transition from Process Builder and Workflow Rules to Flow Builder, Salesforce has introduced the Migrate to Flow tool as part of the Winter ʼ23 release to help with migration.

Takeaway #3: Content Sniffing Protection enablement may require redesign of existing business processes

Content sniffing (also known as MIME sniffing) is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it. It is generally used to compensate for a lack of accurate metadata that would otherwise be required for a browser to interpret the file correctly. Bad actors may take advantage of content sniffing by disguising malicious scripts as other file types. When Content Sniffing Protection is enabled, pages within Salesforce force the browser to use the definition sent by the server to determine the content type for external links and content, instead of relying on content sniffing. This can reduce exposure to cross-site scripting vulnerabilities and help prevent a browser from loading scripts disguised as other file types when a user accesses external content and websites from Salesforce.

By enabling Content Sniffing Protection, you can enhance your company’s overall security controls. However, it may require redesigning some elements of your pages, as content may not always load for end-users.

For example, if a payment site confirms that credit card information is held within Salesforce while Content Sniffing Protection is enabled, the page may not load, preventing the end user from paying.
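
An added example (not from the original article or from Salesforce) of a pre-enablement check: it assumes Content Sniffing Protection corresponds to the standard `X-Content-Type-Options: nosniff` response header and applies the WHATWG Fetch blocking rule for script and stylesheet loads to find resources whose declared type would stop them from loading. The resource list, URLs, status labels and function names are constructed for illustration.

```javascript
// JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Return the lower-cased type/subtype without parameters, or null if unparsable.
function mimeEssence(contentType) {
  const essence = String(contentType || "").split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// True when the declared type does not match how the page uses the resource.
function typeMismatch(resource) {
  const essence = mimeEssence(resource.headers["content-type"]);
  if (resource.destination === "script") return !JS_MIME_TYPES.has(essence);
  if (resource.destination === "style") return essence !== "text/css";
  return false; // the nosniff blocking rule covers script and style loads only
}

// "blocked": refused because nosniff is sent with a mismatched type.
// "blocked-if-nosniff": would be refused once the response carries nosniff.
function classify(resource) {
  if (!typeMismatch(resource)) return "ok";
  const xcto = String(resource.headers["x-content-type-options"] || "");
  const nosniff = xcto.split(",")[0].trim().toLowerCase() === "nosniff";
  return nosniff ? "blocked" : "blocked-if-nosniff";
}

function auditPage(resources) {
  return resources.map(r => ({ url: r.url, status: classify(r) }))
                  .filter(r => r.status !== "ok");
}

// Constructed sample: resources one page loads, with lower-cased header names.
const NOSNIFF = { "x-content-type-options": "nosniff" };
const sampleResources = [
  { url: "https://static.example.com/widget.js", destination: "script",
    headers: { "content-type": "text/plain", ...NOSNIFF } },
  { url: "https://static.example.com/app.js", destination: "script",
    headers: { "content-type": "text/javascript; charset=utf-8", ...NOSNIFF } },
  { url: "https://static.example.com/theme.css", destination: "style",
    headers: { "content-type": "application/octet-stream", ...NOSNIFF } },
  { url: "https://static.example.com/legacy.js", destination: "script",
    headers: { "content-type": "text/plain" } },
];
console.log(auditPage(sampleResources));
```

Resources reported by the audit are fixed by correcting the `Content-Type` the server declares, not by relaxing the protection.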


Learn how PwC can help enhance your security while helping decrease the impact on the business processes and user experience.


Contact us

Andrea Acciarri

US Cyber Risk & Regulatory — Salesforce Lead, PwC US

Bob Clark

Principal, PwC US
