Using Elements.cloud, you can find all users who have dangerous system permissions within Salesforce Org and understand which profile, permission set or permission set group grants them that dangerous permission.
Prerequisites
Your space must be on Enterprise license or consulting license
Synced Org Model
View access to the Org Model within Elements app
Scheduled batch job in the managed package to get profile data
Supported dangerous permissions
The report will look for following 33 system permissions within Salesforce:
Allow user to access privacy data
Manage Encryption Keys
Modify All Data
View All Data
View Concealed Field Data
View Encrypted Data
Weekly Data Export
Bulk API Hard Delete
Create Public Links
Edit Read Only Fields
Export Reports
Manage Sharing
Modify Data Classification
Apex REST Services
Customize Application
Manage IP Addresses
Manage Login Access Policies
Manage Multi-Factor Authentication in API
API EnabledRun the report on users with dangerous permissions
Manage Auth. Providers
Manage Certificates
Manage Connected Apps
Modify Metadata Through Metadata API Functions
View Setup and Configuration
Manage Internal Users
Manage Users
Assign Permission Sets
Manage Custom Permissions
Manage Password Policies
Manage Profiles and Permission Sets
Manage Roles
Password Never Expires
Reset User Passwords and Unlock Users
Analyze which users have dangerous permissions and why
In order to see the list of users with dangerous system permissions in your Salesforce Org:
Go to your Org model
Click on the report icon in top right section of the screen
Click to run a new report
From the list of available reports, scroll down to option 'Users with dangerous permissions'
