Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to resources, enforcing policies, auditing usage, and providing the information necessary as required. These combined processes are considered important for effective application management and security. AAA provides a method to identify which users are logged into the application and each user’s authority level. AAA also provides the capability to monitor user activity and provide accounting information.
- Authentication— Who are you?
- Authorization— What resources are you permitted to use?
- Accounting— What resources were accessed, at what time, by whom, and what operations were performed?
The three phases ensure that legitimate users are permitted access. A remote user must be authenticated before being permitted access to network resources.
Authentication allows the user to submit a username and password and permits challenges and responses. After the user is authenticated, authorization defines what services or resources in the network users are permitted access to. The operations permitted here can include accessing an application or record and the actions that can be performed on these.
- Provides a way of identifying a user typically by having the user enter a valid user name/ valid password or any other authentication mechanism before access is granted.
- The process of authentication is based on each user having a unique set of criteria for gaining access.
- The AAA server (Salesforce for example) compares a user’s authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the instance. If the credentials are at variance, authentication fails and access is denied.
- Salesforce provides several methods to authenticate users. Some methods are automatically enabled, and some require that you enable and configure them. Using this user authentication spectrum, you can build authentication to fit your org’s needs and your users’ use patterns. These methods include two-factor authentication, single sign-on, My Domain, network-based security, session security, custom login flows, connected apps, and desktop client access.
- A user must gain authorization for doing certain tasks on the application that he is authenticated on.
- Authorization process determines whether a user has the authority for performing the actions that he is trying to perform on the application.
- Authorization is a process of enforcing policies, determining what types or qualities of activities, resources or services a user is permitted after he is authenticated to an application.
- Authorization allows administrators to control the level of access users have after they successfully gain access to the application through authentication.
- Configuring authorization and restricting access to data on Salesforce Platform is easy. By simply assigning a certain profile or permission set to a user, an admin can define what level of access the user has to the data stored in the org. This is accomplished in three main ways
- Create, read, update and Delete (CRUD) settings determine which objects a user can create, edit, delete and update.
- Field Level Security settings determine which fields user can read and edit.
- Sharing rules determine which records are visible to the users.
- Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which application, what actions has he performed.
- Auditing provides information about use of the system, which can be critical in diagnosing potential or real security issues. The Salesforce auditing features don’t secure your organization by themselves; someone in your organization should do regular audits to detect potential abuse.
- Salesforce has below auditing mechanisms
- Record Modification Fields that track users who created the record and who last modified the record along with the dates.
- Login History to review a list of successful and failed login attempts to your org for last 6 months.
- Field History tracking tracks any changes to the values of selected fields.
- Setup Audit Trail that logs modifications to orgs metadata (configuration).
- Salesforce Shield is a trio of security tools that admins and developers can use to build a new level of trust, transparency, compliance, and governance right into business-critical apps. It includes Platform Encryption, Event Monitoring, and Field Audit Trail.