
Using Process Configuration Mining for Compliance and Security Reviews

Use Process Configuration Mining to identify and fix overprovisioned access and Separation of Duties risks for Salesforce compliance.


Why perform compliance and security reviews with Process Configuration Mining?

Overprovisioned Salesforce Orgs pose a significant compliance and security risk—users often have more access than necessary to sensitive processes. This undermines SOX compliance, blurs accountability, and exposes data to unauthorized actions.

The problem also severely impacts AI initiatives. When every user has access to every stage of every process, the quality and reliability of data suffers. Intelligent recommendations and automated decision-making require good data. Overprovisioned Orgs create noisy, unreliable datasets that make true Agentification impossible.

Addressing overprovisioning directly through technical audits of profiles and permission sets is rarely effective. These issues are seen as purely technical and fail to attract business sponsorship.

Process Configuration Mining changes the conversation: by generating real-world business process diagrams that show exactly who can perform what actions, it frames the issue in business terms that stakeholders understand and care about. This makes access governance an actionable business priority.

When to perform compliance and security reviews?

Use Process Configuration Mining when preparing for:

  • SOX audits, security certifications, or internal control assessments.

  • Separation of Duties (SoD) reviews across processes such as Opportunity-to-Cash.

  • Initiatives aimed at preparing the Org for AI and Agentification.

  • Business stakeholder-led reviews where securing critical processes is a goal.

Prerequisites

Perform Compliance and Security Review

Step 1: Generate Process Diagrams for Key Business Objects

Begin by generating business process diagrams for objects that are central to compliance-sensitive operations.

Focus on key lifecycle objects such as Opportunity, Quote, Order, and Contract. These objects commonly represent critical stages in business cycles like Quote-to-Cash, where maintaining strict Separation of Duties is essential.

Examples of typical Salesforce capabilities where SoD across objects may be necessary include:

  • Opportunity vs. Quote Management: The user who creates an Opportunity should not necessarily be the one generating or approving a related Quote.

  • Quote vs. Order Creation: The ability to generate a Quote should be separate from the ability to convert it into an Order to prevent unauthorized commitments.

  • Order vs. Contract Finalization: Users who create Orders should not be the same users who approve or activate related Contracts, ensuring legal and financial controls are enforced.

  • Opportunity vs. Opportunity Close: A sales rep who opens an Opportunity should not be able to mark it as Closed Won without review by a manager or a different approver.

  • Case vs. Case Closure: In service processes, the agent logging a new Case should not be the same person authorized to close high-severity Cases without review.

Step 2: Focus on ‘Create’ Activities and Who Can Perform Them

The first column on the left of the generated diagram represents all the different ways a new record can be created (via actions, related lists, flows, Apex, etc.). These steps list the Human Resources—users or roles—who have the technical ability to create records.

Long lists of roles at the creation step indicate excessive access. Critical business records should have tightly controlled creation rights. Broad creation permissions not only jeopardize compliance but also diminish the clarity required for AI-driven process management.

Step 3: Review Record Transitions and Workflow Steps

Examine all activities that move a record through its lifecycle, such as stage or status changes. Review the Human Resources assigned to each of these steps. If the same roles can create records and move them to completion stages, Separation of Duties has been compromised.

Identifying these points visually within the process flow makes it easier to present and prioritize necessary access control changes.

Step 4: Compare Processes Across Objects to Spot Role Overlap

Expand your analysis by generating process diagrams for related objects and comparing them side-by-side. For example, review the Opportunity, Quote, Order, and Contract diagrams together to spot overlapping Human Resources across different records.

If the same profiles or permission sets appear across multiple object lifecycles without distinction, this highlights systemic Separation of Duties risks. The process diagrams make these overlaps immediately visible, where a traditional permissions matrix would obscure them.
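The checks in Steps 2 to 4 can be expressed as set comparisons over the roles the diagram lists at each step: broad creation rights, roles that both create a record and complete it, and roles that recur at the create step across the Opportunity-to-Contract chain. The following is an added example, not part of this article or the product; the SAMPLE data, the completion-step markers and the role threshold are constructed assumptions.

```python
# Constructed sample of what a process diagram exposes per object: the roles
# (profiles/permission sets) at the 'create' step and at each lifecycle
# transition. Illustrative values only, not taken from a real Org.
SAMPLE = {
    "Opportunity": {
        "create": {"Sales Rep", "Sales Manager", "Sales Ops", "Integration User"},
        "transitions": {
            "Stage -> Proposal": {"Sales Rep", "Sales Manager"},
            "Stage -> Closed Won": {"Sales Rep", "Sales Manager"},
        },
    },
    "Quote": {
        "create": {"Sales Rep", "Sales Ops"},
        "transitions": {"Status -> Approved": {"Sales Manager", "Finance"}},
    },
    "Order": {
        "create": {"Sales Rep", "Sales Ops"},
        "transitions": {"Status -> Activated": {"Sales Ops", "Finance"}},
    },
    "Contract": {
        "create": {"Legal"},
        "transitions": {"Status -> Activated": {"Legal"}},
    },
}

# Assumed markers of a 'completion' transition in the sample data.
COMPLETION = ("Closed Won", "Approved", "Activated")

def broad_creation(processes, max_roles=3):
    """Step 2: objects whose create step lists more roles than the threshold."""
    return {obj: p["create"] for obj, p in processes.items() if len(p["create"]) > max_roles}

def same_object_sod(processes):
    """Step 3: roles that can both create a record and move it to a completion stage."""
    findings = {}
    for obj, p in processes.items():
        for step, roles in p["transitions"].items():
            if step.endswith(COMPLETION):
                overlap = p["create"] & roles
                if overlap:
                    findings[(obj, step)] = overlap
    return findings

def cross_object_overlap(processes, chain=("Opportunity", "Quote", "Order", "Contract")):
    """Step 4: roles at the create step of two or more objects in the chain."""
    seen = {}
    for obj in chain:
        for role in processes[obj]["create"]:
            seen.setdefault(role, set()).add(obj)
    return {role: objs for role, objs in seen.items() if len(objs) > 1}
```

Each key in the returned dictionaries corresponds to one diagram activity, which is the granularity at which Step 5 raises a story.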

Step 5: Raise Stories to Trigger Permission Reviews

Where overprovisioning or Separation of Duties violations are found, raise User Stories directly from the corresponding activities in the diagram. Create a story for each problematic 'create' activity and one for a representative workflow step, since permission issues apply across multiple workflow steps.

Each story will be automatically linked to the process steps, and you will be one click away from accessing related Salesforce metadata.

Step 6: Use Linked Metadata and Access Analyzer to Guide Fixes

Leverage the metadata links attached to each process step to identify the Profiles and Permission Sets that grant inappropriate access. Open them one by one and make the necessary changes.

Through this structured and business-aligned review, compliance goals can be met effectively while ensuring minimal disruption to users and processes.
