vulkro-sf recert
Produces an access recertification worksheet from the live org: a row
per privileged assignment (the user, the granting entity, the
permission, and how stale the grant is) that a reviewer signs off on or
marks for revocation. This is the artifact an access review actually
runs on, generated from the org's real state rather than a stale
spreadsheet. The single finding it emits is SF-ACCESS-RECERT-001.
Synopsis
vulkro-sf recert --target-org <alias> [flags]
Flags
| Flag | Type | Default | Description |
|---|---|---|---|
| --target-org, -o <alias> | string | (required) | The sf CLI org alias or username, as known to sf org login. |
| --format <fmt> | enum | table | Output format: table (human-readable worksheet on the terminal) or json (machine-readable, for ingestion into a GRC tool or a ticketing workflow). |
What it does
recert walks every privileged assignment in the org, meaning every grant
of an admin-class permission (ModifyAllData, ManageUsers, AuthorApex,
ViewAllData), whether the grant arrives through a profile, a permission
set, or a permission set group, and builds one recertification row per
assignment. Every row carries how long it has been since the assigned
user last logged in, so a reviewer can immediately separate the active
grants from the dormant ones, which are the cheapest to revoke.
SF-ACCESS-RECERT-001 fires for any privileged assignment whose user
has not logged in within the staleness window. A stale privileged grant
is the highest-value cleanup target in an access review: an account no
one is using that still carries admin-class power.
The staleness window is controlled by the
VULKRO_SF_RECERT_STALE_DAYS environment variable (the number of days
of inactivity above which an assignment is flagged stale). Lower it for
high-sensitivity orgs that recertify monthly; raise it to match a
quarterly or semi-annual review cadence.
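The staleness check described above, reproduced offline as an added example (this is not vulkro-sf's own code). It runs over constructed User, PermissionSet and PermissionSetAssignment records shaped like the Salesforce API objects the Privacy section names, reads VULKRO_SF_RECERT_STALE_DAYS as the page describes it, and maps the result onto the documented exit codes. It goes one step beyond the text in treating a user with no LastLoginDate (never logged in) as stale; that rule, the fallback window of 90 days, the row and finding field names, and the sample records are this example's assumptions, not documented behaviour of the tool.

```python
"""Offline model of the recert staleness check (added example, not vulkro-sf code)."""
import json
import os
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

FINDING_ID = "SF-ACCESS-RECERT-001"
# Admin-class permissions the page lists; PermissionSet exposes each one as a
# boolean field named Permissions<Name> (e.g. PermissionsModifyAllData).
ADMIN_CLASS = ("ModifyAllData", "ManageUsers", "AuthorApex", "ViewAllData")

# Constructed sample records shaped like the objects recert reads. Profile-granted
# permissions surface as PermissionSet rows with IsOwnedByProfile=true;
# LastLoginDate is null for a user who has never logged in.
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "now" for reproducibility
USERS = [
    {"Id": "005A", "Username": "alice@example.com", "LastLoginDate": "2024-06-01T08:00:00.000+0000"},
    {"Id": "005B", "Username": "bob@example.com", "LastLoginDate": "2023-11-20T16:30:00.000+0000"},
    {"Id": "005C", "Username": "svc-etl@example.com", "LastLoginDate": None},
    {"Id": "005D", "Username": "dana@example.com", "LastLoginDate": "2024-06-08T09:15:00.000+0000"},
]
PERMISSION_SETS = [
    {"Id": "0PSA", "Name": "System Administrator", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": True, "PermissionsManageUsers": True,
     "PermissionsAuthorApex": True, "PermissionsViewAllData": True},
    {"Id": "0PSB", "Name": "Data_Loader_Admin", "IsOwnedByProfile": False,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
    {"Id": "0PSC", "Name": "Report_Viewer", "IsOwnedByProfile": False},
]
ASSIGNMENTS = [  # PermissionSetAssignment: AssigneeId -> PermissionSetId
    {"AssigneeId": "005A", "PermissionSetId": "0PSA"},
    {"AssigneeId": "005B", "PermissionSetId": "0PSB"},
    {"AssigneeId": "005C", "PermissionSetId": "0PSB"},
    {"AssigneeId": "005D", "PermissionSetId": "0PSC"},
]


@dataclass(frozen=True)
class Row:
    """One worksheet row: user, granting entity, one permission, and its staleness."""
    user: str
    granted_by: str
    permission: str
    days_idle: Optional[int]  # None: the user has never logged in
    stale: bool


def parse_login(value):
    """LastLoginDate arrives as e.g. 2024-06-01T08:00:00.000+0000, or null."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def days_idle(last_login, now):
    return None if last_login is None else (now - last_login).days


def stale_window(env, fallback):
    """Read VULKRO_SF_RECERT_STALE_DAYS (days of inactivity) as the page describes.
    The tool's real default is not documented, so the caller passes the fallback."""
    raw = env.get("VULKRO_SF_RECERT_STALE_DAYS")
    if raw is None:
        return fallback
    days = int(raw)
    if days < 0:
        raise ValueError("VULKRO_SF_RECERT_STALE_DAYS must be >= 0")
    return days


def build_worksheet(users, permission_sets, assignments, stale_days, now):
    """One row per (user, granting entity, admin-class permission). A grant is stale
    when the user has been idle longer than the window; a user who has never
    logged in is treated as stale (this example's assumption)."""
    users_by_id = {u["Id"]: u for u in users}
    ps_by_id = {p["Id"]: p for p in permission_sets}
    rows = []
    for a in assignments:
        user, ps = users_by_id[a["AssigneeId"]], ps_by_id[a["PermissionSetId"]]
        granted = [p for p in ADMIN_CLASS if ps.get("Permissions" + p)]
        if not granted:
            continue  # delivers no admin-class power, so it is not a privileged assignment
        kind = "profile" if ps.get("IsOwnedByProfile") else "permission set"
        idle = days_idle(parse_login(user["LastLoginDate"]), now)
        stale = idle is None or idle > stale_days
        for perm in granted:
            rows.append(Row(user["Username"], f"{kind}:{ps['Name']}", perm, idle, stale))
    return rows


def findings(rows):
    """Emit SF-ACCESS-RECERT-001 for every stale privileged assignment."""
    return [dict(id=FINDING_ID, **asdict(r)) for r in rows if r.stale]


def exit_code(rows):
    """Mirror the documented exit codes: 1 when any finding fired, else 0."""
    return 1 if any(r.stale for r in rows) else 0


def sample_worksheet(stale_days):
    return build_worksheet(USERS, PERMISSION_SETS, ASSIGNMENTS, stale_days, SAMPLE_NOW)


if __name__ == "__main__":
    rows = sample_worksheet(stale_window(os.environ, fallback=90))  # 90 is assumed, not the tool's default
    print(json.dumps({"rows": [asdict(r) for r in rows], "findings": findings(rows)}, indent=2))
    raise SystemExit(exit_code(rows))
```

Run it as `VULKRO_SF_RECERT_STALE_DAYS=30 python recert_model.py`: with the sample records, the dormant admin and the never-logged-in service user produce findings and the process exits 1; widening the window to 400 days clears the dormant admin but the never-logged-in user stays flagged, which is why the null-LastLoginDate case deserves an explicit rule rather than an accidental pass.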
Example
# Generate the worksheet for a production org, table output.
vulkro-sf recert --target-org my-prod
# JSON for ingestion into a GRC or ticketing workflow.
vulkro-sf recert --target-org my-prod --format json > recert.json
# Treat any assignment idle longer than 30 days as stale.
VULKRO_SF_RECERT_STALE_DAYS=30 vulkro-sf recert -o my-prod
Exit codes
0 - worksheet generated, no stale privileged assignments found.
1 - worksheet generated, one or more SF-ACCESS-RECERT-001 findings reported.
2 - error: sf CLI not on PATH, alias not authenticated, network failure, or the org rejected the metadata / tooling API call. The error message names the cause and the next step.
Privacy
recert reads User, PermissionSetAssignment,
PermissionSetGroupAssignment, Profile, PermissionSet, and
PermissionSetGroup. No business-record SOQL is issued: no Account, no
Opportunity, no Case row is fetched. The read against User is limited
to the identity and LastLoginDate fields the staleness computation
needs. The OAuth token stays in the sf CLI credential store on your
machine.
Where to go next
- vulkro-sf org perms: the over-privilege and dormant-admin analysis that recertification acts on.
- Least privilege and privilege escalation: the detector view of the same identity surface.
- vulkro-sf role-hierarchy: visualize the role tree the assignments inherit through.