OrgMonitor is a Salesforce Connected App written in Node.js used to gather the stats necessary to evaluate the basic security posture of a wide portfolio of Salesforce Orgs. It runs a set of SOQL queries against all connected Orgs on an hourly basis: it answers questions like "how many users/profiles/permsets/roles/classes do we have?", gives you visibility of users with high-level privileges (VAD, MAD, AuthorApex, etc), and surfaces Health Check score and risks — all from a central location.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
The application requires a Salesforce Connected App configured as follows:
- Selected OAuth Scopes: set the value to "Access and manage your data (api)" and "Perform requests on your behalf at any time (refresh_token, offline_access)"
- Callback URL: set the value to http://localhost:3000/callback
- Consumer Key and Consumer Secret: note both values; they are needed for the environment variables below
The following environment variables must be set:
- PORT is the port the web application will run on; defaults to 3000
- NODE_ENV set to development allows the application to bypass the built-in SAML SSO auth
- DATABASE_URL is a connection string pointing to your PostgreSQL database
- MONGODB_URI is a connection string pointing to your MongoDB database
- CLIENT_ID is the newly created Connected App's Consumer Key value
- CLIENT_SECRET is the newly created Connected App's Consumer Secret value
- REDIRECT_URI is the newly created Connected App's Callback URL value
- CORP_DOMAIN is your corporate domain (e.g. mycompany.com), used to identify Salesforce users without a corporate email
- COOKIE_SECRET is a secret used to sign the session cookie
- ADMIN_TOKEN is a secret used to edit/delete Org information such as name or description
- ENCRYPTION_KEY is a hex string representing 32 random bytes, used to encrypt/decrypt the OAuth refresh tokens (AES-256). Generate one with openssl rand -hex 32
Then:
1. Run yarn install
2. Run node server.js and confirm you see the "App listening on port 3000" message in the console
3. Open http://localhost:3000/setup and confirm you see the "Successfully setup DB" message in the console
4. Run node server.js again and start the worker with node worker.js
5. Open http://localhost:3000; you should now see the OrgMonitor homepage
6. In each Org to be monitored, create a dedicated user with the API Enabled, View All Users, View Health Check and View Setup and Configuration permissions, with proper IP whitelisting
7. Add each Org by going to http://localhost:3000/add/prod for Production Orgs, or http://localhost:3000/add/sandbox for Sandbox Orgs, logging in with the credentials of the newly created user, and accepting the OAuth request

When ready for production deployment:
1. Update the Connected App's Callback URL value
2. Update the REDIRECT_URI value to match the Callback URL
3. Set the NODE_ENV value to production and add the following ENV variables (refer to the Passport-SAML documentation on how to set these) to enable SAML SSO auth in order to protect access to the application's data:
   - SAML_ENTRY_POINT
   - SAML_ISSUER
   - SAML_CALLBACK
   - SAML_CERT
Copyright (c) 2017, salesforce.com, inc.
All rights reserved.
Licensed under the BSD 3-Clause license.
For full license text, see LICENSE file in the repo root or https://opensource.org/licenses/BSD-3-Clause