Managing System Administrator access well is more about restraint than configuration. The four-step routine covers: limit System Administrator grants to a small named group, build narrower admin profiles for the broader admin team, configure security layers (MFA, IP restrictions, session settings), and audit System Administrator activity weekly through the Setup Audit Trail. Each step compounds the security posture; together they let an org operate with strong administrative governance while still moving fast on configuration changes.
- Limit System Administrator grants to a small named group
Identify the users who genuinely need full System Administrator access: the lead admin, the platform architect, an emergency backup. Document each grant in the access registry with the user, the date, the business justification. For every other admin-team member, plan a narrower role. Resist the pressure to grant System Administrator to everyone who asks; broad grants are easy to give and hard to revoke later. Aim for fewer than five System Administrators in a mid-sized org; very large orgs may have ten, never more without strong justification.
- Build narrower admin profiles for the broader admin team
For each admin-team role (Sales Operations Admin, Service Operations Admin, Data Admin, Release Engineer), build a custom profile cloned from System Administrator with the unneeded permissions removed. Remove Modify All Data if the role does not need to bypass sharing. Remove Customize Application if the role does not modify metadata. Save the profile and assign it to the right users. Add permission set groups on top for specific responsibilities that exceed the base profile. Document each profile intent and the rationale for each permission decision.
- Configure security layers
Require multi-factor authentication for every System Administrator account (Setup, Identity Verification, MFA settings). Configure login IP restrictions on the System Administrator profile so the credential is only usable from approved IP ranges. Set session security to High Assurance Required for sensitive actions (Setup pages, Apex execution). Enable Setup Audit Trail email notifications for any System Administrator-only configuration changes so the security team gets visibility. Each layer adds friction for attackers; combined, they make compromise much harder.
- Audit System Administrator activity weekly
Open Setup, View Setup Audit Trail, and filter to actions by System Administrators in the past week. Review the changes for anything unexpected: a permission set assigned to a non-admin, a sharing rule modified outside business hours, a profile cloned without explanation. Investigate anomalies. Rotate the review responsibility across the admin team so the discipline persists. Track the count of System Administrators in the org; if the number grows quietly, push back on the latest grant and confirm it is truly needed. Run an annual full review where every grant is re-justified.
- System Administrator access has org-wide blast radius. A compromised account can delete every record, export Personal Data, and grant access to attackers. Treat the credential as high-value.
- Granting System Administrator broadly is easy; revoking is hard. Users get used to the access and push back when downgraded. Set the bar high at grant time.
- Custom admin profiles cloned from System Administrator drift over Salesforce releases. New permissions added in each release may need to be reviewed and added to the custom profile.
- Service accounts should not use the standard System Administrator profile. Build dedicated profiles for integration users with only the permissions the integration needs; this limits blast radius if the credential leaks.
- Shared System Administrator credentials destroy the audit trail. Every action attributes to the shared identity; never share credentials across users.