Skip to main content

vulkro-sf org perms

Walks every Profile, Permission Set, and Permission Set Group in the live org and reports over-privilege, dormant admin assignments, and the guest-user posture that has been the root cause of the published Experience Cloud breaches (Loblaw, ADT). This is the most operational of the vulkro-sf org subcommands: it surfaces what a real auditor would write up in an IAM review.

Findings are reported with the assigning entity (the profile or permset that grants the perm) AND the count of users currently inheriting it, so you can see both the configuration risk and its blast radius in one row.

Synopsis

vulkro-sf org perms --target-org <alias> [flags]

Flags

FlagTypeDefaultDescription
--target-org <alias>string(required)The sf CLI org alias to inspect.
--format <fmt>enumtextOutput format: text, json, sarif.
--include-standard-profilesbooloffInclude findings on Salesforce-shipped standard profiles (System Administrator, Standard User, etc.). Off by default because customers usually cannot change them. Turn on for a complete audit.
--dormant-days <N>int90Threshold for dormant-admin detection. A user holding an admin perm whose last login is older than N days is reported as a dormant admin.

What gets reported

  • Profiles with ModifyAllData - the single most powerful data permission on the platform. Reported at High severity for every custom profile that grants it; standard profiles are excluded by default.
  • Profiles with ManageUsers - lateral-movement risk: a user with this perm can create or modify other users and reassign ownership.
  • Profiles with AuthorApex - authoring permission for Apex code, which means write access to detector-bypass logic. Reported on every assignee.
  • Permission Sets with the same three perms - identical scope to the profile rules above, but reported per assigned user (a permset grants finer-grained surface than a profile).
  • Permission Set Groups - aggregated perms via group composition are walked transitively. The reported assignee count includes every user who inherits the perm through any group in the org.
  • Dormant admin assignments - any user whose LastLoginDate is older than --dormant-days AND who holds at least one of the three admin perms above. The first published breach class to highlight this risk was the Salesloft Drift incident, where dormant integration users were the lateral-movement pivot.
  • Guest-user license profiles with read or View All on sensitive standard objects (Account, Contact, Opportunity, Case, Lead, Quote). This is the configuration shape that produced the Loblaw and ADT Experience Cloud breaches and the AuraInspector class of enumerations. Reported at Critical severity for any custom guest profile with read on Account or Contact.

Examples

# Default run: custom profiles + permsets + groups + dormant admins.
vulkro-sf org perms --target-org my-prod

# Complete audit including standard profiles.
vulkro-sf org perms --target-org my-prod --include-standard-profiles

# Tight dormant-admin window (catch admins idle for 30 days, not 90).
vulkro-sf org perms --target-org my-prod --dormant-days 30

# JSON output for ingestion into a SIEM or governance dashboard.
vulkro-sf org perms --target-org my-prod --format json -o perms.json

Exit codes

  • 0 - scan completed, no over-privilege or dormant-admin findings.
  • 1 - scan completed, findings were reported.
  • 2 - error: sf CLI not on PATH, alias not authenticated, network failure, or the org rejected the metadata / tooling API call.

Privacy

org perms reads Profile, PermissionSet, PermissionSetGroup, PermissionSetAssignment, and the User records used to compute LastLoginDate for dormant-admin detection. No business-record SOQL is issued: no Account, no Opportunity, no Case row is fetched. The read against User is restricted to the fields needed for the dormant-admin computation (Id, Username, LastLoginDate, plus the permset / profile assignment links).

Where to go next