OrgMonitor is a Salesforce Connected App written in Node.js used to gather the stats necessary to evaluate the basic security posture of a wide portfolio of Salesforce Orgs. It runs a set of SOQL queries against all connected Orgs on an hourly basis: it answers questions like "how many users/profiles/permsets/roles/classes do we have?", gives you visibility of users with high-level privileges (VAD, MAD, AuthorApex, etc), and surfaces Health Check score and risks — all from a central location.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
The application requires:
- One or more Salesforce Orgs (production or sandbox)
Create a Connected App
- Create a Connected App in your main Salesforce Org by navigating to Setup > Create > Apps, then click on "New"
- Set the `Selected OAuth Scopes` value to `Access and manage your data (api)` and `Perform requests on your behalf at any time (refresh_token, offline_access)`
- Set the `Callback URL` value to
- Save and note down the
Download and run the application
- Download this repo to your local machine
- Create the following ENV variables:
  - `PORT` is the port the web application will run on, defaults to 3000
  - `development` allows the application to bypass the built-in SAML SSO auth
  - `DATABASE_URL` is a connection string pointing to your PostgreSQL database
  - `MONGODB_URI` is a connection string pointing to your MongoDB database
  - `CLIENT_ID` is the newly created Connected App's
  - `CLIENT_SECRET` is the newly created Connected App's
  - `REDIRECT_URI` is the newly created Connected App's
  - `CORP_DOMAIN` is your corporate domain (e.g. mycompany.com), used to identify Salesforce users without a corporate email
  - `COOKIE_SECRET` is a secret used to sign the session cookie
  - `ADMIN_TOKEN` is a secret used to edit/delete Org information such as name or description
  - `ENCRYPTION_KEY` is a hex string representing 32 random bytes, used to encrypt/decrypt the OAuth refresh tokens (AES-256). Generate one with `openssl rand -hex 32`.
- Install Node.js dependencies through Yarn, with
- Run the server with `node server.js`, confirm you see the `App listening on port 3000` message in the console
- Navigate to `http://localhost:3000/setup`, confirm you see the `Successfully setup DB` message in the console
- Kill and restart the server with `node server.js` and start the worker with
- Navigate to `http://localhost:3000` and you should now see the OrgMonitor homepage
Create a dedicated user for OrgMonitor in each of your Orgs, and connect them to OrgMonitor
- It's recommended to create a dedicated user/profile for OrgMonitor with no CRUD access and only the `View All Users`, `View Health Check` and `View Setup and Configuration` permissions, with proper IP whitelisting
- You're now ready to connect your Salesforce Orgs by navigating to `http://localhost:3000/add/prod` for Production Orgs, or `http://localhost:3000/add/sandbox` for Sandbox Orgs, logging in with the credentials of the newly created users, and accepting the OAuth request
When ready for production deployment:
- Edit the Connected App and add the new hostname to the
- Update the application's `REDIRECT_URI` value to match the
- Update the application's value to `production` and add the following ENV variables (refer to the Passport-SAML documentation on how to set these) to enable SAML SSO auth, in order to protect access to the application's data:
Copyright (c) 2017, salesforce.com, inc.
All rights reserved.
Licensed under the BSD 3-Clause license.
For full license text, see LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause