# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|salesforce|compliancecow||To identify unused permissions for Salesforce users.|

```
RecomendedEvidenceName: UsersUnusedPermissions
```

# Step 2: Define the System Specific Data (a.k.a Extended Data Schema)


## Step 2.a: Inputs

- ExtractPath
- PermissionsMapFile (toml)
- RequestConfigFile (toml)
- RequestConfigFile2 (toml)
- RequestConfigFile3 (toml)
- ResponseConfigFile2 (toml)
- ResponseConfigFile3 (toml)
- TransformConfigFile (toml)

`PermissionsMapFile.toml`: maps user permissions to the organization's event log file.

## Step 2.b: Api & flow

- GET /services/data/v41.0/query?q=SELECT+Id,+UserName,+Email+FROM+User  
    - This SOQL query retrieves basic user information from the Salesforce `User` object. It selects fields such as Id, UserName, and Email.

For example:

```
https://demo-dev-ed.develop.my.salesforce.com/services/data/v41.0/query?q=SELECT+Id,+UserName,+FirstName,+LastName,+Email,+ProfileId,+Title,+Department,+ManagerId,+IsActive,+LastLoginDate,+CreatedDate,+LastModifiedDate+FROM+User
```

- This SOQL query retrieves detailed user information from the Salesforce `User` object. It selects fields such as Id, UserName, FirstName, LastName, Email, ProfileId, Title, Department, ManagerId, IsActive, LastLoginDate, CreatedDate, and LastModifiedDate.

## Step 2.c: Sample api response

```json
{
    "totalSize": 1,
    "done": true,
    "records": [
        {
            "attributes": {
                "type": "User",
                "url": "/services/data/v41.0/sobjects/User/005dL0000d8mISfQAM"
            },
            "Id": "005dL000008mISfQAM",
            "Username": "noreply@00ddl00000ftteluar.com",
            "FirstName": "John Doe",
            "LastName": "s",
            "Email": "noreply@00ddl00000ftteluar.com",
            "ProfileId": "00edL00000dwrEPQAY",
            "Title": null,
            "Department": null,
            "ManagerId": null,
            "IsActive": true,
            "LastLoginDate": "2024-10-24T10:32:07.000+0000",
            "CreatedDate": "2024-10-21T10:31:48.000+0000",
            "LastModifiedDate": "2024-10-22T07:25:38.000+0000"
        }
    ]
}
```

# Step 3: Define the Standard Schema

```json
  {
    "System": "salesforce",
    "Source": "compliancecow",
    "ResourceID": "005dL000009jxB0QAI",
    "ResourceName": "noreply@00ddl00000ftteluar.com",
    "ResourceType": "User",
    "ResourceLocation": "United states",
    "ResourceTags": [],
    "ResourceURL": "https://demo-dev-ed.develop.my.salesforce.com/lightning/r/User/005dL000009jxB0QAI/view",
    "Name": "John Doe",
    "UnusedPermissions": [],
    "InactivePermissionsWindow": 45,
    "Manager": "N/A",
    "ValidationStatusCode": "UNUSED_PERM_NOT_PRESENT",
    "ValidationStatusNotes": "Unused permission(s) not present",
    "ComplianceStatus": "COMPLIANT",
    "ComplianceStatusReason": "The record is compliant because unused permissions are not present for a user - noreply@00ddl00000ftteluar. Hence managing and auditing permissions becomes easier and more efficient, as it eliminates redundant access rights and focuses on relevant roles and responsibilities.",
    "EvaluatedTime": "2025-01-16 06:50:28 UTC",
    "UserAction": "",
    "ActionStatus": "",
    "ActionResponseURL": "",
    "UserFormID": "",
    "UserFormStatus": "",
    "ManagerFormID": "",
    "ManagerFormStatus": "",
    "CountOfUnusedPermissionsToBeDeleted": 0,
    "ActionUnusedPermissionsToDelete": "",
    "RecordID": ""
  }
```
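The following is an added example (not ComplianceCow's own transform code) showing how the Step 2.c query response is carried into the Step 3 standard schema. It embeds a constructed copy of the sample response so it runs offline. The instance URL is taken from the page's example; the `Name` derivation (FirstName and LastName joined), the `Manager` default of `N/A` when `ManagerId` is null, and `ResourceLocation` being supplied by the caller are assumptions, since the page does not state how those fields are derived. The `done` check is a practitioner's guard: a Salesforce query response with `"done": false` is a partial page, and evaluating it would report compliance for users that were never examined.

```python
import json

# Constructed copy of the Step 2.c query response, embedded so the example runs offline.
SAMPLE_RESPONSE = json.loads("""
{
  "totalSize": 1,
  "done": true,
  "records": [
    {
      "attributes": {"type": "User",
                     "url": "/services/data/v41.0/sobjects/User/005dL000008mISfQAM"},
      "Id": "005dL000008mISfQAM",
      "Username": "noreply@00ddl00000ftteluar.com",
      "FirstName": "John Doe",
      "LastName": "s",
      "Email": "noreply@00ddl00000ftteluar.com",
      "ProfileId": "00edL00000dwrEPQAY",
      "Title": null, "Department": null, "ManagerId": null,
      "IsActive": true,
      "LastLoginDate": "2024-10-24T10:32:07.000+0000",
      "CreatedDate": "2024-10-21T10:31:48.000+0000",
      "LastModifiedDate": "2024-10-22T07:25:38.000+0000"
    }
  ]
}
""")

# Instance base URL from the page's example URL; treated as an input of the transform.
INSTANCE_URL = "https://demo-dev-ed.develop.my.salesforce.com"


def records_from_response(resp: dict) -> list:
    """Return the User records of one complete query response.

    A response with "done": false is a partial page (the remainder is fetched via its
    nextRecordsUrl). Refusing it prevents evaluating an incomplete user list.
    """
    if resp.get("done") is not True:
        raise ValueError("partial query response: follow nextRecordsUrl before evaluating")
    records = resp.get("records", [])
    if resp.get("totalSize") != len(records):
        raise ValueError("totalSize does not match the number of records returned")
    return [r for r in records if r.get("attributes", {}).get("type") == "User"]


def user_to_standard_record(user: dict, instance_url: str, location: str = "") -> dict:
    """Map one User record onto the Step 3 standard schema.

    Assumptions (not stated on the page): Name joins FirstName and LastName, Manager is
    "N/A" whenever ManagerId is null, and ResourceLocation comes from the caller because
    the queried User fields do not carry it. Permission-related fields stay at their
    empty defaults until the evaluation step fills them.
    """
    for field in ("Id", "Username"):
        if not user.get(field):
            raise ValueError(f"User record missing required field {field!r}")
    name = " ".join(p for p in (user.get("FirstName"), user.get("LastName")) if p)
    return {
        "System": "salesforce",
        "Source": "compliancecow",
        "ResourceID": user["Id"],
        "ResourceName": user["Username"],
        "ResourceType": "User",
        "ResourceLocation": location,
        "ResourceTags": [],
        "ResourceURL": f"{instance_url.rstrip('/')}/lightning/r/User/{user['Id']}/view",
        "Name": name,
        "UnusedPermissions": [],
        "InactivePermissionsWindow": 45,
        "Manager": user.get("ManagerId") or "N/A",
        "ValidationStatusCode": "", "ValidationStatusNotes": "",
        "ComplianceStatus": "", "ComplianceStatusReason": "",
        "EvaluatedTime": "",
        "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
        "UserFormID": "", "UserFormStatus": "", "ManagerFormID": "", "ManagerFormStatus": "",
        "CountOfUnusedPermissionsToBeDeleted": 0,
        "ActionUnusedPermissionsToDelete": "",
        "RecordID": "",
    }


def transform(resp: dict, instance_url: str = INSTANCE_URL, location: str = "United states") -> list:
    """Transform a full query response into a list of standard-schema records."""
    return [user_to_standard_record(u, instance_url, location) for u in records_from_response(resp)]


if __name__ == "__main__":
    print(json.dumps(transform(SAMPLE_RESPONSE), indent=2))
```

Running the block prints one standard-schema record for the sample user; feeding it a response with `"done": false` raises instead of silently producing a short list.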

## Step 3.a: Sample Data

| System     | Source        | ResourceID         | ResourceName                   | ResourceType | ResourceLocation | ResourceTags | ResourceURL                                                                            | Name     | UnusedPermissions | InactivePermissionsWindow | Manager | ValidationStatusCode    | ValidationStatusNotes            | ComplianceStatus | ComplianceStatusReason                                                                                                                                                                                                                                                              | EvaluatedTime           | UserAction | ActionStatus | ActionResponseURL | UserFormID | UserFormStatus | ManagerFormID | ManagerFormStatus | CountOfUnusedPermissionsToBeDeleted | ActionUnusedPermissionsToDelete | RecordID |
|------------|---------------|--------------------|--------------------------------|--------------|------------------|--------------|----------------------------------------------------------------------------------------|----------|-------------------|---------------------------|---------|-------------------------|----------------------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------|------------|--------------|-------------------|------------|----------------|---------------|-------------------|-------------------------------------|---------------------------------|----------|
| salesforce | compliancecow | 005dL000009jxB0QAI | noreply@00ddl00000ftteluar.com | User         | United states    |    [ ]          | https://demo-dev-ed.develop.my.salesforce.com/lightning/r/User/005dL000009jxB0QAI/view | John Doe |     [ ]              | 45                        | N/A     | UNUSED_PERM_NOT_PRESENT | Unused permission(s) not present | COMPLIANT        | The record is compliant because unused permissions are not present for a user - noreply@00ddl00000ftteluar. Hence managing and auditing permissions becomes easier and more efficient, as it eliminates redundant access rights and focuses on relevant roles and responsibilities. | 2025-01-16 06:50:28 UTC |            |              |                   |            |                |               |                   | 0                                   |                                 |          |


# Step 4: Describe the Compliance Taxonomy

| **UnusedPermissions** | **ValidationStatusCode** | **ValidationStatusNotes** | **ComplianceStatus** | **ComplianceStatusReason** |
|---|---|---|---|---|
| [ ] | UNUSED_PERM_NOT_PRESENT | Unused permission(s) not present | COMPLIANT | The record is compliant because unused permissions are not present for a user - noreply@00ddl00000ftteluar. Hence managing and auditing permissions becomes easier and more efficient, as it eliminates redundant access rights and focuses on relevant roles and responsibilities. |
| ["PermissionsViewEventLogFiles","PermissionsManageNetworks","PermissionsManageAuthProviders"] | UNUSED_PERM_PRESENT | Unused permission(s) present | NON_COMPLIANT | The record is non-compliant because 19 unused permissions are present for a user - noreply@00ddl00000ftteluar. Unused permissions can create potential vulnerabilities in your system, as they might be exploited by malicious actors if they gain access. |



# Step 5: Calculation for Compliance Percentage and Status

```
# Calculation of Compliance Percentage

TotalRecordCount = Count of 'COMPLIANT' and 'NON_COMPLIANT' records
FailedRecordCount = Count of 'NON_COMPLIANT' records

CompliancePCT = int(100 - ((FailedRecordCount * 100) / TotalRecordCount))
```

Compliance Status:

- COMPLIANT - 100%
- NON_COMPLIANT - 0% to less than 100%
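The following is an added example, not the rule's own implementation, that ties Step 4 (the taxonomy) and Step 5 (the percentage) together: it decides which granted permissions were not exercised inside the 45-day `InactivePermissionsWindow`, assigns the `ValidationStatusCode`/`ComplianceStatus` pair from the Step 4 table, and then applies the Step 5 formula over the resulting records. Everything it consumes is constructed: the permission-to-event-type map stands in for the page's `PermissionsMapFile.toml` (whose real contents are not shown), the event-log rows use the `EventLogFile` column names `USER_ID`, `EVENT_TYPE` and `TIMESTAMP_DERIVED`, and the granted permissions, user IDs and usernames are made up. Permissions the map does not cover are reported separately rather than as unused, so a gap in the map cannot produce a false finding.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 45  # InactivePermissionsWindow from the Step 3 sample record

# Constructed stand-in for PermissionsMapFile.toml: permission flag -> EVENT_TYPE values
# that show the permission being exercised. Illustrative pairs, not the project's mapping.
PERMISSIONS_MAP = {
    "PermissionsApiEnabled": {"API"},
    "PermissionsRunReports": {"Report", "ReportExport"},
    "PermissionsViewEventLogFiles": {"EventLogFile"},
}

# Constructed event-log rows (a subset of EventLogFile columns) for two made-up users.
EVENT_LOG = [
    {"USER_ID": "005A", "EVENT_TYPE": "API",    "TIMESTAMP_DERIVED": "2025-01-10T08:00:00.000Z"},
    {"USER_ID": "005A", "EVENT_TYPE": "Report", "TIMESTAMP_DERIVED": "2024-10-01T08:00:00.000Z"},
    {"USER_ID": "005B", "EVENT_TYPE": "API",    "TIMESTAMP_DERIVED": "2025-01-15T08:00:00.000Z"},
]

# Constructed "granted permissions" per user (what the profile / permission sets allow).
GRANTED = {
    "005A": ["PermissionsApiEnabled", "PermissionsRunReports"],
    "005B": ["PermissionsApiEnabled"],
}
USERNAMES = {"005A": "alice@example.com", "005B": "bob@example.com"}

# Evaluation instant; matches the EvaluatedTime of the Step 3 sample.
EVALUATED_AT = datetime(2025, 1, 16, 6, 50, 28, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in the constructed event rows."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def unused_permissions(user_id, granted, events, perm_map, now, window_days):
    """Return (unused, unassessable).

    unused: granted permissions with no mapped event for this user inside the window.
    unassessable: granted permissions the map does not cover; they are never reported
    as unused because their use cannot be observed in the event log.
    """
    cutoff = now - timedelta(days=window_days)
    used_types = {
        e["EVENT_TYPE"] for e in events
        if e["USER_ID"] == user_id and cutoff <= _parse_ts(e["TIMESTAMP_DERIVED"]) <= now
    }
    unused, unassessable = [], []
    for perm in granted:
        mapped = perm_map.get(perm)
        if not mapped:
            unassessable.append(perm)
        elif not (mapped & used_types):
            unused.append(perm)
    return unused, unassessable


def evaluate_user(username, unused):
    """Apply the Step 4 taxonomy to one user's unused-permission list."""
    if unused:
        return {
            "UnusedPermissions": unused,
            "ValidationStatusCode": "UNUSED_PERM_PRESENT",
            "ValidationStatusNotes": "Unused permission(s) present",
            "ComplianceStatus": "NON_COMPLIANT",
            "ComplianceStatusReason": (
                f"The record is non-compliant because {len(unused)} unused permissions are "
                f"present for a user - {username}. Unused permissions can create potential "
                "vulnerabilities in your system, as they might be exploited by malicious "
                "actors if they gain access."),
        }
    return {
        "UnusedPermissions": [],
        "ValidationStatusCode": "UNUSED_PERM_NOT_PRESENT",
        "ValidationStatusNotes": "Unused permission(s) not present",
        "ComplianceStatus": "COMPLIANT",
        "ComplianceStatusReason": (
            f"The record is compliant because unused permissions are not present for a "
            f"user - {username}. Hence managing and auditing permissions becomes easier and "
            "more efficient, as it eliminates redundant access rights and focuses on "
            "relevant roles and responsibilities."),
    }


def compliance_percentage(records):
    """Step 5: (CompliancePCT, status) over COMPLIANT / NON_COMPLIANT records.

    With no countable records the formula would divide by zero; the page defines no
    status for that case, so (None, None) is returned and the caller must decide.
    """
    counted = [r for r in records if r["ComplianceStatus"] in ("COMPLIANT", "NON_COMPLIANT")]
    if not counted:
        return None, None
    failed = sum(1 for r in counted if r["ComplianceStatus"] == "NON_COMPLIANT")
    pct = int(100 - ((failed * 100) / len(counted)))
    return pct, ("COMPLIANT" if pct == 100 else "NON_COMPLIANT")


def run():
    """Evaluate every constructed user and return (records, (pct, status))."""
    records = []
    for uid, perms in GRANTED.items():
        unused, _ = unused_permissions(uid, perms, EVENT_LOG, PERMISSIONS_MAP,
                                       EVALUATED_AT, WINDOW_DAYS)
        records.append(evaluate_user(USERNAMES[uid], unused))
    return records, compliance_percentage(records)


if __name__ == "__main__":
    recs, (pct, status) = run()
    for r in recs:
        print(r["ValidationStatusCode"], r["UnusedPermissions"])
    print(pct, status)
```

With the constructed data, user `005A` exercised `PermissionsApiEnabled` inside the window but last ran a report in October, outside it, so that permission is flagged and the record is NON_COMPLIANT; user `005B` is COMPLIANT, giving a 50% compliance percentage and an overall NON_COMPLIANT status.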

# Step 6: Describe (in words) the Remediation Steps for Non-Compliance

N/A

# Step 7: Control Setup Details

| Control Details            |                               |
|----------------------------|-------------------------------|
| **RuleName**               | SalesforceUnusedPermissions |
| **PreRequisiteRuleNames**  |         N/A   |
| **ExtendedSchemaRuleNames**  |     N/A       |
| **ApplicationClassName**   | httprequest, NoCredApp, SalesforceAppConnector               |
| **PostSynthesizerName**  |       N/A     |