OrgMonitor is a Salesforce Connected App written in Node.js used to gather the stats necessary to evaluate the basic security posture of a wide portfolio of Salesforce Orgs. It runs a set of SOQL queries against all connected Orgs on an hourly basis: it answers questions like "how many users/profiles/permsets/roles/classes do we have?", gives you visibility of users with high-level privileges (VAD, MAD, AuthorApex, etc.), and surfaces the Health Check score and risks — all from a central location.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
The application requires:
Set the Selected OAuth Scopes value to Access and manage your data (api) and Perform requests on your behalf at any time (refresh_token, offline_access).
Set the Callback URL value to
PORT is the port the web application will run on; defaults to 3000
development allows the application to bypass the built-in SAML SSO auth
DATABASE_URL is a connection string pointing to your PostgreSQL database
MONGODB_URI is a connection string pointing to your MongoDB database
CLIENT_ID is the newly created Connected App's
CLIENT_SECRET is the newly created Connected App's
REDIRECT_URI is the newly created Connected App's
CORP_DOMAIN is your corporate domain (e.g. mycompany.com), used to identify Salesforce users without a corporate email
COOKIE_SECRET is a secret used to sign the session cookie
ADMIN_TOKEN is a secret used to edit/delete Org information such as name or description
ENCRYPTION_KEY is a hex string representing 32 random bytes, used to encrypt/decrypt the OAuth refresh tokens (AES-256)
Run node server.js and confirm you see the App listening on port 3000 message in the console.
Visit http://localhost:3000/setup and confirm you see the Successfully setup DB message in the console.
Restart node server.js and start the worker with
Visit http://localhost:3000 and you should now see the OrgMonitor homepage.
View All Users, View Health Check and View Setup and Configuration permissions, with proper IP whitelisting.
Visit http://localhost:3000/add/prod for Production Orgs, or http://localhost:3000/add/sandbox for Sandbox Orgs, logging in with the credentials of the newly created users and accepting the OAuth request.
When ready for production deployment:
Set the REDIRECT_URI value to match the
production and add the following ENV variables (refer to the Passport-SAML documentation on how to set these) to enable SAML SSO auth, in order to protect access to the application's data:
Copyright (c) 2017, salesforce.com, inc.
All rights reserved.
Licensed under the BSD 3-Clause license.
For full license text, see LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause