Salesforce Security Guide Impl

User Manual:

Open the PDF directly: View PDF PDF.
Page Count: 260 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Salesforce Security Guide
Version 44.0, Winter 19
@salesforcedocs
Last updated: October 24, 2018
© Copyright 20002018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,
as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
Chapter 1: Salesforce Security Guide ......................................1
Salesforce Security Basics ................................................2
Phishing and Malware ..............................................2
Security Health Check ...............................................4
Auditing ........................................................5
Salesforce Shield ..................................................5
Transaction Security Policies ...........................................6
Salesforce Security Film Festival .........................................7
Authenticate Users .....................................................7
Elements of User Authentication ........................................7
Configure User Authentication .........................................19
Give Users Access to Data ...............................................73
Control Who Sees What .............................................74
User Permissions .................................................76
Object Permissions ................................................88
Custom Permissions ...............................................91
Profiles ........................................................93
User Role Hierarchy ...............................................107
Share Objects and Fields ...............................................107
Field-Level Security ................................................108
Sharing Rules ...................................................115
User Sharing ....................................................137
What Is a Group? .................................................141
Organization-Wide Sharing Defaults ....................................147
Strengthen Your Data's Security with Shield Platform Encryption ......................151
Encrypt Fields, Files, and Other Data Elements With Encryption Policy ..............152
Filter Encrypted Data with Deterministic Encryption ..........................168
Cache-Only Key Service (Beta) ........................................171
Manage Shield Platform Encryption ....................................184
Monitoring Your Organizations Security .....................................224
Monitor Login History ..............................................225
Field History Tracking ..............................................226
Monitor Setup Changes ............................................231
Transaction Security Policies .........................................234
Security Guidelines for Apex and Visualforce Development ........................245
Cross-Site Scripting (XSS) ...........................................245
Formula Tags ..................................................247
Cross-Site Request Forgery (CSRF) .....................................248
SOQL Injection ..................................................249
Data Access Control ...............................................251
Index ...........................................................252
Contents
CHAPTER 1 Salesforce Security Guide
Salesforce is built with security to protect your data and applications. You can also implement your own
security scheme to reflect the structure and needs of your organization. Protecting your data is a joint
responsibility between you and Salesforce. The Salesforce security features enable you to empower your
users to do their jobs safely and efficiently.
In this chapter ...
Salesforce Security
Basics
Authenticate Users
Give Users Access to
Data
Share Objects and
Fields
Strengthen Your
Data's Security with
Shield Platform
Encryption
Monitoring Your
Organizations
Security
Security Guidelines
for Apex and
Visualforce
Development
1
Salesforce Security Basics
The Salesforce security features help you empower your users to do their jobs safely and efficiently. Salesforce limits exposure of data
to the users that act on it. Implement security controls that you think are appropriate for the sensitivity of your data. We'll work together
to protect your data from unauthorized access from outside your company and from inappropriate usage by your users.
IN THIS SECTION:
Phishing and Malware
Trust starts with transparency. Thats why Salesforce displays real-time information on system performance and security on the trust
site at http://trust.salesforce.com. This site provides live data on system performance, alerts for current and recent phishing and
malware attempts, and tips on best security practices for your organization.
Security Health Check
As an admin, you can use Health Check to identify and fix potential vulnerabilities in your security settings, all from a single page. A
summary score shows how your org measures against a security baseline, like the Salesforce Baseline Standard. You can upload up
to five custom baselines to use instead of the Salesforce Baseline Standard.
Auditing
Auditing provides information about use of the system, which can be critical in diagnosing potential or real security issues. The
Salesforce auditing features don't secure your organization by themselves; someone in your organization should do regular audits
to detect potential abuse.
Salesforce Shield
Salesforce Shield is a trio of security tools that admins and developers can use to build a new level of trust, transparency, compliance,
and governance right into business-critical apps. It includes Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your
Salesforce administrator if Salesforce Shield is available in your organization.
Transaction Security Policies
Policies evaluate activity using events that you specify. For each policy, you define real-time actions, such as notify, block, force
two-factor authentication, freeze user, or end a session.
Salesforce Security Film Festival
For quick introductions to some of the most important Salesforce security concepts, try watching some of these entertaining and
instructive videos.
Phishing and Malware
Trust starts with transparency. Thats why Salesforce displays real-time information on system performance and security on the trust site
at http://trust.salesforce.com. This site provides live data on system performance, alerts for current and recent phishing and malware
attempts, and tips on best security practices for your organization.
The Security tab on the trust site includes valuable information that can help you to safeguard your company's data. In particular, be on
the alert for phishing and malware.
Phishing is a social engineering technique that attempts to acquire sensitive information such as usernames, passwords, and credit
card details by masquerading as a trustworthy entity in an electronic communication. Phishers often direct users to enter details at
a fake website whose URL and look-and-feel are almost identical to the legitimate one. As the Salesforce community grows, it has
become an increasingly appealing target for phishers. You will never get an email or a phone call from a Salesforce employee asking
you to reveal a password, so dont reveal it to anyone. You can report any suspicious activities by clicking the Report a Suspicious
Email link under the Trust tab at http://trust.salesforce.com.
2
Salesforce Security BasicsSalesforce Security Guide
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general term
used to cover a variety of forms of hostile, intrusive, or annoying software, and it includes computer viruses and spyware.
What Salesforce Is Doing About Phishing and Malware
Customer security is the foundation of customer success, so Salesforce continues to implement the best possible practices and technologies
in this area. Recent and ongoing actions include:
Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected.
Collaborating with leading security vendors and experts on specific threats.
Executing swift strategies to remove or disable fraudulent sites (often within an hour of detection).
Reinforcing security education and tightening access policies within Salesforce.
Evaluating and developing new technologies both for our customers and for deployment within our infrastructure.
What Salesforce Recommends You Do
Salesforce is committed to setting the standards in software-as-a-service as an effective partner in customer security. So, in addition to
internal efforts, Salesforce strongly recommends that customers implement the following changes to enhance security:
Modify your Salesforce implementation to activate IP range restrictions. This allows users to access Salesforce only from your corporate
network or VPN. For more information, see Restrict Where and When Users Can Log In to Salesforce on page 20.
Set session security restrictions to make spoofing more difficult. For more information, see Modify Session Security Settings on page
31.
Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
Use security solutions from leading vendors to deploy spam filtering and malware protection.
Designate a security contact within your organization so that Salesforce can more effectively communicate with you. Contact your
Salesforce representative with this information.
Consider using two-factor authentication techniques to restrict access to your network. For more information, see Two-Factor
Authentication on page 10.
Use Transaction Security to monitor events and take appropriate actions. For more information, see Transaction Security Policies on
page 6.
Salesforce has a Security Incident Response Team to respond to any security issues. To report a security incident or vulnerability to
Salesforce, contact security@salesforce.com. Describe the issue in detail, and the team will respond promptly.
3
Phishing and MalwareSalesforce Security Guide
Security Health Check
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To view Health Check and
export custom baselines:
View Health Check
To import custom baselines:
Manage Health Check
As an admin, you can use Health Check to identify and fix potential vulnerabilities in your security
settings, all from a single page. A summary score shows how your org measures against a security
baseline, like the Salesforce Baseline Standard. You can upload up to five custom baselines to use
instead of the Salesforce Baseline Standard.
From Setup, enter Health Check in the Quick Find box, then select Health Check.
In the baseline dropdown (1), choose the Salesforce Baseline Standard or a custom baseline. The
baseline consists of recommended values for High-Risk, Medium-Risk, Low-Risk, and Informational
Security Settings (2). If you change settings to be less restrictive than whats in the baseline, your
health check score (3) and grade (4) decreases.
Your settings are shown with information about how they compare against baseline values (5). To remediate a risk, edit the setting (6)
or use Fix Risks (7) to quickly change settings to your selected baselines recommended values without leaving the Health Check page.
You can import, export, edit, or delete a custom baseline with the baseline control menu (8).
Note: When we introduce new settings to Security Health Check, they are added to the Salesforce Baseline Standard with default
values. If you have a custom baseline, you are prompted to add the new settings when you open your custom baseline.
Example: Suppose that you changed your password minimum length from 8 (the default value) to 5, and changed other Password
Policies settings to be less restrictive. These changes make your users passwords more vulnerable to guessing and other brute
force attacks. As a result, your overall score decreases, and the settings are listed as risks.
Fix Risks Limitations
Not all settings can be changed using the Fix Risks button. If a setting you want to adjust does not appear on the Fix Risks screen, change
it manually using the Edit link on the Health Check page.
SEE ALSO:
Salesforce Help: How Is the Health Check Score Calculated?
Salesforce Help: Create a Custom Baseline for Health Check
Salesforce Help: Custom Baseline File Requirements
4
Security Health CheckSalesforce Security Guide
Auditing
Auditing provides information about use of the system, which can be critical in diagnosing potential or real security issues. The Salesforce
auditing features don't secure your organization by themselves; someone in your organization should do regular audits to detect potential
abuse.
To verify that your system is actually secure, you should perform audits to monitor for unexpected changes or usage trends.
Record Modification Fields
All objects include fields to store the name of the user who created the record and who last modified the record. This provides some
basic auditing information.
Login History
You can review a list of successful and failed login attempts to your organization for the past six months. See Monitor Login History
on page 225.
Field History Tracking
You can also enable auditing for individual fields, which will automatically track any changes in the values of selected fields. Although
auditing is available for all custom objects, only some standard objects allow field-level auditing. See Field History Tracking on page
226.
Setup Audit Trail
Administrators can also view a Setup Audit Trail, which logs when modifications are made to your organizations configuration. See
Monitor Setup Changes on page 231.
Salesforce Shield
Salesforce Shield is a trio of security tools that admins and developers can use to build a new level of trust, transparency, compliance,
and governance right into business-critical apps. It includes Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your
Salesforce administrator if Salesforce Shield is available in your organization.
Platform Encryption
Platform Encryption allows you to natively encrypt your most sensitive data at rest across all your Salesforce apps. This helps you protect
PII, sensitive, confidential, or proprietary data and meet both external and internal data compliance policies while keeping critical app
functionality like search, workflow, and validation rules. You keep full control over encryption keys and can set encrypted data
permissions to protect sensitive data from unauthorized users. See Platform Encryption. on page 151
Event Monitoring
Event Monitoring gives you access to detailed performance, security, and usage data on all your Salesforce apps. Every interaction is
tracked and accessible via API, so you can view it in the data visualization app of your choice. See who is accessing critical business data
when, and from where. Understand user adoption across your apps. Troubleshoot and optimize performance to improve end-user
experience. Event Monitoring data can be easily imported into any data visualization or application monitoring tool like Wave Analytics,
Splunk, or New Relic. To get started, check out our Event Monitoring training course.
Field Audit Trail
Field Audit Trail lets you know the state and value of your data for any date, at any time. You can use it for regulatory compliance, internal
governance, audit, or customer service. Built on a big data backend for massive scalability, Field Audit Trail helps companies create a
forensic data-level audit trail with up to 10 years of history, and set triggers for when data is deleted. See Field Audit Trail on page 230.
5
AuditingSalesforce Security Guide
Transaction Security Policies
EDITIONS
Available in: Salesforce
Classic and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
Requires purchasing
Salesforce Shield or
Salesforce Event Monitoring
add-on subscriptions.
Policies evaluate activity using events that you specify. For each policy, you define real-time actions,
such as notify, block, force two-factor authentication, freeze user, or end a session.
When you enable Transaction Security for your org, two policies are created.
Concurrent User Session Limit policy to limit concurrent login sessions. The policy is triggered
in two ways.
A user with five current sessions tries to log in for a sixth session.
An administrator who is already logged in tries to log in a second time.
Lead Data Export policy to block excessive data downloads of leads. The policy is triggered
when a download either:
Retrieves more than 2,000 lead records
Takes more than one second to complete
The policies corresponding Apex classes (ConcurrentSessionsPolicyCondition and
DataLoaderLeadExportCondition) are also created in the org. An administrator can enable the policies immediately or edit
the Apex classes to customize them.
For example, suppose that you activate the Concurrent User Session Limit policy to limit the number of concurrent sessions per user. In
addition, you change the policy to notify you via email when the policy is triggered. You also update the policys Apex implementation
to limit users to three sessions instead of the default five sessions. (Thats easier than it sounds.) Later, someone with three login sessions
tries to create a fourth. The policy prevents that and requires ending one of the existing sessions before proceeding with the new session.
At the same time, you are notified that the policy was triggered.
The Transaction Security architecture uses the Security Policy Engine to analyze events and determine the necessary actions.
A transaction security policy consists of events, notifications, and actions. For example, when a user tries to export Account data, you
can block the operation and get notified by email.
6
Transaction Security PoliciesSalesforce Security Guide
Salesforce Security Film Festival
For quick introductions to some of the most important Salesforce security concepts, try watching some of these entertaining and
instructive videos.
Introduction to the Salesforce Security Model
Who Sees What
Workshop: What's Possible with Salesforce Data Access and Security
Security and the Salesforce Platform: Patchy Morning Fog Clearing to Midday
Understanding Multitenancy and the Architecture of the Salesforce Platform
Authenticate Users
Authentication means preventing unauthorized access to your organization or its data by making sure each logged in user is who they
say they are.
IN THIS SECTION:
Elements of User Authentication
Salesforce provides several methods to authenticate users. Some methods are automatically enabled, and some require that you
enable and configure them. Using this user authentication spectrum, you can build authentication to fit your orgs needs and your
users use patterns.
Configure User Authentication
Choose login settings to ensure that your users are who they say they are.
Elements of User Authentication
Salesforce provides several methods to authenticate users. Some methods are automatically enabled, and some require that you enable
and configure them. Using this user authentication spectrum, you can build authentication to fit your orgs needs and your users use
patterns.
User Authentication Spectrum
At one end of the user authentication spectrum, Salesforce automatically enables certain authentication methods. These methods
include passwords, cookies, and identity verification.
At the other end of the spectrum, you enable and configure user authentication methods to best fit your orgs needs and users use
patterns. These methods include two-factor authentication, single sign-on, My Domain, network-based security, session security, custom
login flows, connected apps, and desktop client access.
IN THIS SECTION:
Passwords
Salesforce provides each user in your organization with a unique username and password that must be entered each time a user
logs in. As an administrator, you can configure several settings to ensure that your users passwords are strong and secure.
Cookies
Salesforce issues a session cookie to record encrypted authentication information for the duration of a specific session.
7
Salesforce Security Film FestivalSalesforce Security Guide
Single Sign-On
Salesforce has its own system of user authentication, but some companies prefer to use an existing single sign-on capability to
simplify and standardize their user authentication.
My Domain
Using My Domain, you can define a Salesforce subdomain name to manage login and authentication for your org in several key
ways.
Two-Factor Authentication
Two-factor authentication is the most effective way to protect your orgs user accounts. As a Salesforce admin, amplify your orgs
security by requiring a second level of authentication for every user login. You can also require two-factor authentication when a
user meets certain criteria, such as attempting to view reports or access a connected app.
Network-Based Security
Network-based security limits where users can log in from, and when they can log in. This is different from user authentication, which
only determines who can log in. Use network-based security to limit the window of opportunity for an attacker and to make it more
difficult for an attacker to use stolen credentials.
Device Activation
Device activation tracks information about the devices from which users have verified their identity. Salesforce prompts users to
verify their identity when they access Salesforce from an unrecognized browser or application. Device activation is an extra layer of
security on top of username and password authentication.
Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user
leaves the computer unattended while still logged in. Session security also limits the risk of internal attacks, such as when one
employee tries to use another employees session. Choose from several session settings to control session behavior.
Custom Login Flows
Login flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user
profile, and send the user through that flow when logging in. Salesforce directs users to the login flow after they authenticate but
before they access your org or community. After users complete the login flow, theyre logged in to your Salesforce org or community.
The login process can also log out users immediately if necessary.
Single Sign-On
Single sign-on (SSO) lets users access authorized network resources with one login. You validate usernames and passwords against
your corporate user database or other client app rather than Salesforce managing separate passwords for each resource.
Connected Apps
A connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols to
authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities,
connected apps allow Salesforce admins to set various security policies and have explicit control over who can use the corresponding
apps.
Desktop Client Access
Connect Offline and Connect for Office are desktop clients that integrate Salesforce with your PC. As an administrator, you can control
which desktop clients your users can access as well as whether users are automatically notified when updates are available.
8
Elements of User AuthenticationSalesforce Security Guide
Passwords
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Password policies available
in: All Editions
USER PERMISSIONS
To set password policies:
Manage Password
Policies
To reset user passwords
and unlock users:
Reset User Passwords
and Unlock Users
Salesforce provides each user in your organization with a unique username and password that must
be entered each time a user logs in. As an administrator, you can configure several settings to ensure
that your users passwords are strong and secure.
Password policiesSet various password and login policies, such as specifying an amount of
time before all users passwords expire and the level of complexity required for passwords. See
Set Password Policies on page 27.
User password expirationExpire the passwords for all users in your organization, except for
users with Password Never Expires permission. See Expire Passwords for All Users on page
30.
User password resetsReset the password for specified users. See Reset Passwords for Your
Users.
Login attempts and lockout periodsIf a user is locked out of Salesforce because of too many
failed login attempts, you can unlock them. See Edit Users.
Password Requirements
A password cant contain a users username and cant match a users first or last name. Passwords
also cant be too simple. For example, a user cant change their password to password.
For all editions, a new organization has the following default password requirements. You can
change these password policies in all editions, except for Personal Edition.
A password must contain at least eight characters, including one alphabetic character and one number.
The security questions answer cant contain the users password.
When users change their password, they cant reuse their last three passwords.
Cookies
Salesforce issues a session cookie to record encrypted authentication information for the duration of a specific session.
The session cookie does not include the user's username or password. Salesforce does not use cookies to store other confidential user
and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs.
Single Sign-On
Salesforce has its own system of user authentication, but some companies prefer to use an existing single sign-on capability to simplify
and standardize their user authentication.
You have two options to implement single sign-onfederated authentication using Security Assertion Markup Language (SAML) or
delegated authentication.
Federated authentication using Security Assertion Markup Language (SAML) lets you send authentication and authorization data
between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated
authentication for your org automatically.
Delegated authentication SSO integrates Salesforce with an authentication method that you choose. You can integrate authentication
with your LDAP (Lightweight Directory Access Protocol) server or use a token instead of a password for authentication. You manage
delegated authentication at the permission level, not at the org level, giving you more flexibility. With permissions, you can require
some to use delegated authentication while others use their Salesforce-managed password.
Delegated authentication offers the following benefits.
9
Elements of User AuthenticationSalesforce Security Guide
Uses a stronger form of user authentication, such as integration with a secure identity provider
Makes your login page private and accessible only behind a corporate firewall
Differentiates your org from all other companies that use Salesforce to reduce phishing attacks
You must contact Salesforce to enable delegated authentication before you can configure it on your org.
Authentication providers let your users log in to your Salesforce org using their login credentials from an external service provider.
Salesforce supports the OpenID Connect protocol, which lets users log in from any OpenID Connect provider, such as Google, PayPal,
and LinkedIn. When an authentication provider is enabled, Salesforce doesnt validate a users password. Instead, Salesforce uses
the users login credentials from the external service provider to establish authentication credentials.
Identity Providers
An identity provider is a trusted provider that lets you use single sign-on (SSO) to access other websites. A service provider is a website
that hosts apps. You can enable Salesforce as an identity provider and define one or more service providers. Your users can then access
other apps directly from Salesforce using SSO. SSO is a great help to your usersinstead of having to remember many passwords, they
only have to remember one.
For more information, see Identity Providers and Service Providers in the Salesforce online help.
My Domain
Using My Domain, you can define a Salesforce subdomain name to manage login and authentication for your org in several key ways.
Highlight your business identity with your unique domain URL
Brand your login screen and customize right-frame content
Block or redirect page requests that dont use the new domain name
Work in multiple Salesforce orgs at the same time
Set custom login policy to determine how users are authenticated
Let users log in using a social account, like Google and Facebook, from the login page
Allow users to log in once to access external services
For more information, see My Domain in Salesforce Help.
Two-Factor Authentication
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, Developer, and
Contact Manager Editions
Two-factor authentication is the most effective way to protect your orgs user accounts. As a
Salesforce admin, amplify your orgs security by requiring a second level of authentication for every
user login. You can also require two-factor authentication when a user meets certain criteria, such
as attempting to view reports or access a connected app.
Two-factor authentication is an essential user authentication methodso essential that Salesforce
provides two types of two-factor authentication.
Service-basedAlso known as device activation, service-based two-factor authentication is
automatically enabled for all orgs.
Policy-basedAdmins enable policy-based two-factor authentication. It is an admins best
tool to protect org user accounts.
For help with configuring two-factor authentication, see the Admin Guide to Two-Factor
Authentication and the Trailhead Module Secure Your Users Identity.
10
Elements of User AuthenticationSalesforce Security Guide
Org Policies That Require Two-Factor Authentication
Set policies that require a second level of authentication for every login, for logins through the API (for developers and client applications),
or for access to specific features. Users provide the second factor by downloading and installing a mobile authenticator app, such as the
Salesforce Authenticator app or the Google Authenticator app, on their mobile device. They can also use a U2F security key as the second
factor. After users connect an authenticator app or register a security key with their Salesforce account, they can use these authentication
methods whenever your orgs policies require two-factor authentication.
The Salesforce Authenticator mobile app (version 2 and later) sends a push notification to the users mobile device when the Salesforce
account requires identity verification. The user responds on the mobile device to verify or block the activity. The user can enable location
services for the app and automate verifications from trusted locations, such as a home or office. Salesforce Authenticator also generates
verification codes, sometimes called time-based one-time passwords (TOTPs). Users can choose to enter a password plus the code
instead of responding to a push notification from the app for two-factor verification. Or they can get a verification code from another
authenticator app.
If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them.
You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user
can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code,
then generate a new one. Users can expire their own valid codes in their personal settings.
SEE ALSO:
Set Up Two-Factor Authentication
Network-Based Security
Network-based security limits where users can log in from, and when they can log in. This is different from user authentication, which
only determines who can log in. Use network-based security to limit the window of opportunity for an attacker and to make it more
difficult for an attacker to use stolen credentials.
Device Activation
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, Developer, and
Contact Manager Editions
Device activation tracks information about the devices from which users have verified their identity.
Salesforce prompts users to verify their identity when they access Salesforce from an unrecognized
browser or application. Device activation is an extra layer of security on top of username and
password authentication.
When a user logs in from outside a trusted IP range from an unrecognized browser or app, Salesforce
challenges the user to verify identity. Salesforce uses the highest-priority verification method
available for each user. In order of priority, the methods are:
1. Push notification or location-based automated verification with the Salesforce Authenticator
mobile app (version 2 or later) connected to the users account
2. U2F security key registered with the users account
3. Verification code generated by a mobile authenticator app connected to the users account
4. Verification code sent via SMS to the users verified mobile device
5. Verification code sent via email to the users registered email address
11
Elements of User AuthenticationSalesforce Security Guide
Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves
the computer unattended while still logged in. Session security also limits the risk of internal attacks, such as when one employee tries
to use another employees session. Choose from several session settings to control session behavior.
You can control when an inactive user session expires. The default session timeout is two hours of inactivity. When the session timeout
is reached, users are prompted with a dialog that allows them to log out or continue working. If they dont respond to this prompt, they
are logged out.
Note: When users close a browser window or tab, they arent automatically logged out from their Salesforce session. Ensure that
your users are aware of this behavior and that they end all sessions properly by selecting Your Name > Logout.
By default, Salesforce uses TLS (Transport Layer Security) and requires secure connections (HTTPS) for all communication. The Require
secure connections (HTTPS) setting determines whether TLS (HTTPS) is required for access to Salesforce. If you ask Salesforce to disable
this setting and change the URL from https:// to http://, you can still access the application. However, for added security,
require all sessions to use TLS. For more information, see Modify Session Security Settings on page 31.
You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for
the users current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change
the session security level and define policies so that specified resources are available only to users assigned a High Assurance level. For
details, see Session-level Security on page 37.
You can control whether your org stores user logins and whether they can appear from the Switcher with the settings Enable caching
and autocomplete on login page, Enable user switching, and Remember me until logout.
Custom Login Flows
Login flows allow admins to build post-authentication processes to match their business practices, associate the flow with a user profile,
and send the user through that flow when logging in. Salesforce directs users to the login flow after they authenticate but before they
access your org or community. After users complete the login flow, theyre logged in to your Salesforce org or community. The login
process can also log out users immediately if necessary.
What can you do with a login flow?
Enhance or customize the login experience. For example, add a logo or login message.
Collect and update user data. For example, request an email address, phone number, or mailing address.
Interact with users, and ask them to perform an action. For example, complete a survey or accept terms of service.
Connect to an external identity service or geo-fencing service, and collect or verify user information.
Enforce strong authentication. For example, implement a two-factor authentication method using hardware, SMS, biometric, or
another authentication technique.
Run a confirmation process. For example, have a user define a secret question, and validate the answer during login.
Create more granular policies. For example, set up a policy that sends a notification every time a user logs in during non-standard
working hours.
The first step is to create a flow using either the Cloud Flow Designer or Visualforce. The Cloud Flow Designer is a point-and-click tool
that you can use to design a simple flow that users execute when logging in. Use Visualforce to have complete control over how the
login page looks and behaves.
Next, you designate the flow as a login flow and associate it with specific profiles in your org. You can create multiple login flows and
associate each one with a different user profile. Users assigned to one profile, like sales reps, experience a particular login process as they
log in. Users assigned to a different profile like service reps, experience a different login process.
12
Elements of User AuthenticationSalesforce Security Guide
After you associate a login flow with a profile, it is applied each time a user with that profile logs in to Salesforce, communities, the
Salesforce app, and even Salesforce client applications that use OAuth. You can apply login flows to Salesforce orgs and communities,
including external identity communities.
Login flows support all Salesforce authentication methods: standard username and password, delegated authentication, SAML single
sign-on, and social sign-on through a third-party authentication provider. For example, users logging in with a LinkedIn account can go
through a login flow specific for LinkedIn users.
Note: You cant apply login flows to API logins or when sessions are passed to the UI through frontdoor.jsp from a non-UI
login process.
SEE ALSO:
Login Flow Examples
Single Sign-On
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Federated Authentication is
available in: All Editions
Delegated Authentication is
available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Authentication Providers are
available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To view the settings:
View Setup and
Configuration
To edit the settings:
Customize Application
AND
Modify All Data
Single sign-on (SSO) lets users access authorized network resources with one login. You validate
usernames and passwords against your corporate user database or other client app rather than
Salesforce managing separate passwords for each resource.
Salesforce offers the following ways to use SSO.
Federated authentication using Security Assertion Markup Language (SAML) lets you send
authentication and authorization data between affiliated but unrelated web services. You can
log in to Salesforce from a client app. Salesforce enables federated authentication for your org
automatically.
Delegated authentication SSO integrates Salesforce with an authentication method that you
choose. You can integrate authentication with your LDAP (Lightweight Directory Access Protocol)
server or use a token instead of a password for authentication. You manage delegated
authentication at the permission level, not at the org level, giving you more flexibility. With
permissions, you can require some to use delegated authentication while others use their
Salesforce-managed password.
Delegated authentication offers the following benefits.
Uses a stronger form of user authentication, such as integration with a secure identity
provider
Makes your login page private and accessible only behind a corporate firewall
Differentiates your org from all other companies that use Salesforce to reduce phishing
attacks
You must contact Salesforce to enable delegated authentication before you can configure it
on your org.
Authentication providers let your users log in to your Salesforce org using their login credentials
from an external service provider. Salesforce supports the OpenID Connect protocol, which lets
users log in from any OpenID Connect provider, such as Google, PayPal, and LinkedIn. When
an authentication provider is enabled, Salesforce doesnt validate a users password. Instead,
Salesforce uses the users login credentials from the external service provider to establish
authentication credentials.
When you have an external identity provider and configure SSO for your Salesforce org, Salesforce
is then acting as a service provider. You can also enable Salesforce as an identity provider and use SSO to connect to a different service
provider. Only the service provider needs to configure SSO.
13
Elements of User AuthenticationSalesforce Security Guide
The Single Sign-On Settings page displays which version of SSO is available for your org. To learn more about SSO settings, see Configure
SAML Settings for Single Sign-On. For more information about SAML and Salesforce security, see the Security Implementation Guide.
Benefits of SSO
Implementing SSO brings several advantages to your org.
Reduced administrative costsWith SSO, users memorize a single password to access network resources and external apps and
Salesforce. When accessing Salesforce from inside the corporate network, users log in seamlessly and arent prompted for a username
or password. When accessing Salesforce from outside the corporate network, the users corporate network login works to log them
in. With fewer passwords to manage, system admins receive fewer requests to reset forgotten passwords.
Leverage existing investmentMany companies use a central LDAP database to manage user identities. You can delegate
Salesforce authentication to this system. Then when users are removed from the LDAP system, they can no longer access Salesforce.
Users who leave the company automatically lose access to company data after their departure.
Time savingsOn average, users take 520 seconds to log in to an online app. It can take longer if they mistype their username
or password and are prompted to reenter them. With SSO in place, manually logging in to Salesforce is avoided. These saved seconds
reduce frustration and add up to increased productivity.
Increased user adoptionDue to the convenience of not having to log in, users are more likely to use Salesforce regularly. For
example, users can send email messages that contain links to information in Salesforce, such as records and reports. When the
recipient of the email message clicks the links, the corresponding Salesforce page opens.
Increased securityAll password policies that youve established for your corporate network are in effect for Salesforce. Sending
an authentication credential thats only valid for a single time also increases security for users who have access to sensitive data.
SEE ALSO:
Best Practices and Tips for Implementing Single Sign-On
Connected Apps
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Connected Apps can be
created in: Group,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Connected Apps can be
installed in: All Editions
USER PERMISSIONS
Customize Application AND either
Modify All Data OR Manage Connected Apps
To read, create, update, or delete connected
apps:
Customize Application AND either
Modify All Data OR Manage Connected Apps
To update all fields except Profiles,
Permission Sets, and Service Provider SAML
Attributes:
Customize Application AND Modify All DataTo update Profiles, Permission Sets, and
Service Provider SAML Attributes:
Customize Application AND either
Modify All Data OR Manage Connected Apps
To install and uninstall connected apps:
Customize Application AND either
Modify All Data OR Manage Connected Apps
To install and uninstall packaged connected
apps:
AND Download AppExchange Packages
14
Elements of User AuthenticationSalesforce Security Guide
A connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols to
authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities, connected
apps allow Salesforce admins to set various security policies and have explicit control over who can use the corresponding apps.
IN THIS SECTION:
User Provisioning for Connected Apps
A connected app links your users with a third-party app. User provisioning for a connected app simplifies account creation and links
your Salesforce users accounts to their third-party accounts. After the accounts are linked, you can configure the App Launcher to
display the connected app as a tile. With a single click, users get instant access to the third-party app.
User Provisioning for Connected Apps
A connected app links your users with a third-party app. User provisioning for a connected app simplifies account creation and links
your Salesforce users accounts to their third-party accounts. After the accounts are linked, you can configure the App Launcher to display
the connected app as a tile. With a single click, users get instant access to the third-party app.
Heres a user provisioning scenario. You configure user provisioning for a G Suite connected app in your org. Then you assign the
Employees profile to that connected app. When you create a user in your org and assign the user to the Employees profile, the user is
provisioned in G Suite. When the user is deactivated, or the profile assignment changes, the user is deprovisioned from G Suite.
User provisioning applies only to users with a profile or permission set that grants them access to the connected app.
Salesforce provides a wizard to guide you through the user provisioning settings for each connected app. You can also run reports to
see who has access to specific third-party apps. These reports give you a centralized view of all user accounts across all connected apps.
User Provisioning Requests
After you configure user provisioning, Salesforce manages requests for updates on the third-party system. Salesforce sends user provisioning
requests to the third-party system based on specific events in your org, either through the UI or API calls. This table shows the events
that trigger user provisioning requests and their associated operations.
ObjectOperationEvent
UserCreateCreate user
UserUpdateUpdate user (for selected attributes)
UserDeactivateDisable user
UserActivateEnable user
UserLoginFreezeFreeze user
UserLoginUnfreezeUnfreeze user
UserReactivateReactivate user
UserCreate or DeactivateChange user profile
PermissionSetAssignmentCreate or DeactivateAssign or unassign a permission set to a user
SetupEntityAccessCreate or DeactivateAssign or unassign a profile to the
connected app
15
Elements of User AuthenticationSalesforce Security Guide
ObjectOperationEvent
SetupEntityAccessCreate or DeactivateAssign or unassign a permission set to the
connected app
The operation value is stored in the UserProvisioningRequest object. Salesforce can either process the request immediately or wait for
an approval process to complete (if you requested approvals when running the wizard). To process the request, Salesforce uses a flow
of the type User Provisioning, which includes a reference to the Apex UserProvisioningPlugin class. The flow calls
the third-party services API to manage user account provisioning on that system.
To send user provisioning requests based on events in Active Directory (AD), use Salesforce Identity Connect to capture AD events, and
synchronize them into Salesforce. Then, Salesforce sends the user provisioning requests to the third-party system to provision or
deprovision users.
Considerations
Entitlements
The roles and permissions for the service provider cant be managed or stored in the Salesforce org. So specific entitlements to
resources at the service provider arent included when a user requests access to a third-party app that has user provisioning enabled.
With user provisioning, you can create a user account for a service provider. However, the service provider must manage any additional
roles or permissions for the user.
Scheduled account reconciliation
Run the User Provisioning wizard each time you want to collect and analyze users in the third-party system. You cant configure an
interval for an automatic collection and analysis.
Access recertification
After an account is created for the user, validation of the users access to resources at the service provider must be performed at the
service provider.
Desktop Client Access
EDITIONS
Connect Offline available in:
Salesforce Classic
Connect Offline available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Connect for Office available
in: both Salesforce Classic
and Lightning Experience
Connect for Office available
in: All Editions except
Database.com
Connect Offline and Connect for Office are desktop clients that integrate Salesforce with your PC.
As an administrator, you can control which desktop clients your users can access as well as whether
users are automatically notified when updates are available.
To set permissions for Salesforce for Outlook, use the Manage Email Client Configurations
permission.
You can set users' access to desktop client by editing their profiles.
The desktop client access options are:
MeaningOption
The respective client download page in users personal
settings is hidden. Also, users can't log in from the client.
Off (access denied)
The respective client download page in users personal
settings is hidden. Users can log in from the client but
can't upgrade it from their current version.
On, no updates
16
Elements of User AuthenticationSalesforce Security Guide
MeaningOption
Users can download, log in from, and upgrade the client, but don't see alerts
when a new version is made available.
On, updates w/o alerts
Users can download, log in from, and upgrade the client. They can see update
alerts, and can follow or ignore them.
On, updates w/alerts
Users can download, log in from, and upgrade the client. When a new version
is available, they can see an update alert. They can't log in from the client until
they have upgraded it.
On, must update w/alerts
Connect Offline is the only client available with Developer Edition. In Personal, Group, and Professional Editions, all users have the system
default On, updates w/o alerts for all clients.
Note:
Desktop client access is available only for users whose profiles have the API Enabled permission.
If users can see alerts and they have logged in to Salesforce from the client in the past, an alert banner automatically appears in the
Home tab when a new version is available. Clicking the banner opens the Check for Updates page, where users can download and run
installer files. From their personal settings, users can also access the Check for Updates page, regardless of whether an alert has occurred.
IN THIS SECTION:
Desktop Client Access in the Enhanced Profile User Interface
To make updates to your desktop client access settings, use the enhanced profile user interface. For example, change Connect for
Outlook alert settings from here.
View and Edit Desktop Client Access in the Original Profile User Interface
17
Elements of User AuthenticationSalesforce Security Guide
Desktop Client Access in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To view desktop client
access settings:
View Setup and
Configuration
To edit desktop client access
settings:
Manage Profiles and
Permission Sets
To make updates to your desktop client access settings, use the enhanced profile user interface.
For example, change Connect for Outlook alert settings from here.
Connect Offline and Connect for Office are desktop clients that integrate Salesforce with your PC.
As an administrator, you can control which desktop clients your users can access as well as whether
users are automatically notified when updates are available.
Note: To access desktop clients, users must also have the API Enabled permission.
On the Desktop Client Access page in the enhanced profile user interface, you can:
Search for an object, permission, or setting
Clone the profile
Delete custom profile
Change the profile name or description
Go to the profile overview page
Switch to a different settings page
18
Elements of User AuthenticationSalesforce Security Guide
View and Edit Desktop Client Access in the Original Profile User Interface
EDITIONS
Connect Offline available in:
Salesforce Classic
Connect Offline available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Connect for Office available
in: both Salesforce Classic
and Lightning Experience
Connect for Office available
in: All Editions except
Database.com
USER PERMISSIONS
To view desktop client
access settings:
View Setup and
Configuration
To edit desktop client access
settings:
Manage Profiles and
Permission Sets
Connect Offline and Connect for Office are desktop clients that integrate Salesforce with your PC.
As an administrator, you can control which desktop clients your users can access as well as whether
users are automatically notified when updates are available.
Note: To access desktop clients, users must also have the API Enabled permission.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Click Edit next to a profile name, and scroll to the Desktop Integration Clients section at the
bottom of the page.
Configure User Authentication
Choose login settings to ensure that your users are who they say they are.
IN THIS SECTION:
Restrict Where and When Users Can Log In to Salesforce
You can restrict the hours during which users can log in and the range of IP addresses from
which they can log in and access Salesforce. If IP address restrictions are defined for a users
profile and a login originates from an unknown IP address, Salesforce does not allow the login.
These restrictions help protect your data from unauthorized access and phishing attacks.
Set Password Policies
Improve your Salesforce org security with password protection. You can set password history,
length, and complexity requirements. You can also specify what to do when a user forgets the
password.
Expire Passwords for All Users
As an administrator, you can expire passwords for all users any time you want to enforce extra
security for your organization. After expiring passwords, all users are prompted to reset their
password the next time they log in.
Modify Session Security Settings
You can modify session security settings to specify the session connection type, timeout restrictions, and IP address ranges to protect
against malicious attacks and more.
Configure When Users Are Prompted to Verify Identity
You can control how and when users are prompted to verify their identity.
Require High-Assurance Session Security for Sensitive Operations
To secure different setup areas in your org, require a high-assurance level of security for sensitive operations, like accessing reports
and managing IP addresses. You can also block users from accessing these setup areas.
Create a Login Flow
A login flow directs users through a login process before they access your Salesforce org or community. You can use a login flow to
control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login
flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete
the login flow successfully, they are redirected to their Salesforce org or community. If unsuccessful, the flow can log out users
immediately.
19
Configure User AuthenticationSalesforce Security Guide
Set Up a Login Flow and Connect to Profiles
After you create a flow using the Cloud Flow Designer or Visualforce, you designate it as a login flow and then associate it with user
profiles. When users with an associated profile log in, theyre directed to the login flow.
Login Flow Examples
You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common
uses cases include collecting and updating user data at login, configuring two-factor authentication, or integrating third-party strong
authentication methods.
Set Up Two-Factor Authentication
Two-factor authentication is the most effective way to protect your orgs user accounts. Admins enable two-factor authentication
through permissions or profile settings. Users register for two-factor authentication through their own personal settings, using
secondary authenticators such as mobile authenticator apps or U2F security keys.
Deploy Third-Party SMS-Based Two-Factor Authentication
Two-factor authentication (2FA) enhances security when validating a users identity and protects access to your Salesforce org. In
addition to a password, SMS-based 2FA requires the user to provide a one-time password (OTP) code received on a mobile device.
Limit the Number of Concurrent Sessions with Login Flows
You can use a login flow to restrict the number of simultaneous Salesforce sessions per user.
Restrict Where and When Users Can Log In to Salesforce
You can restrict the hours during which users can log in and the range of IP addresses from which they can log in and access Salesforce.
If IP address restrictions are defined for a users profile and a login originates from an unknown IP address, Salesforce does not allow the
login. These restrictions help protect your data from unauthorized access and phishing attacks.
Login Hours
For each profile, you can set the hours when users can log in. See:
View and Edit Login Hours in the Enhanced Profile User Interface
View and Edit Login Hours in the Original Profile User Interface
Two-Factor Authentication for User Interface Logins
For each profile, you can require users to use a second form of authentication when they log in via the user interface. See Set Two-Factor
Authentication Login Requirements on page 56 and Set Two-Factor Authentication Login Requirements and Custom Policies for Single
Sign-On, Social Sign-On, and Communities.
Two-Factor Authentication for API Logins
For each profile, you can require a verification code (also called a time-based one-time password, or TOTP) instead of the standard
security token. Users connect an authenticator app that generates verification codes to their account. Users with the Two-Factor
Authentication for API Logins permission use a code instead of the standard security token whenever its requested, such as when
resetting the accounts password. See Set Two-Factor Authentication Login Requirements for API Access on page 58.
Login IP Address Ranges
For Enterprise, Performance, Unlimited, Developer, and Database.com editions, you can set the Login IP Range addresses from which
users can log in on an individual profile. Users outside of the Login IP Range set on a profile cant access your Salesforce org.
20
Configure User AuthenticationSalesforce Security Guide
For Contact Manager, Group, and Professional Editions, set the Login IP Range. From Setup, enter Session Settings in the
Quick Find box, then select Session Settings.
Login IP Address Range Enforcement for All Access Requests
You can restrict all access to Salesforce to the IP addresses included in Login IP Ranges in users profiles. For example, suppose a user
logs in successfully from an IP address defined in Login IP Ranges. The user then moves to a different location and has a new IP address
that is outside of Login IP Ranges. When the user refreshes the browser or tries to access Salesforce, including access from a client
application, the user is denied. To enable this option, from Setup, enter Session Settings in the Quick Find box, select
Session Settings, and then select Enforce login IP ranges on every request. This option affects all user profiles that have login IP
restrictions.
Org-wide Trusted IP Ranges
For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge. These users
can log in to your org after they provide the additional verification. See Set Trusted IP Ranges for Your Organization.
When users log in to Salesforce via the user interface, the API, or a desktop client such as Salesforce for Outlook, Connect Offline, Connect
for Office, or the Data Loader, Salesforce confirms that the login is authorized as follows.
1. Salesforce checks whether the users profile has login hour restrictions. If login hour restrictions are specified for the users profile,
any login outside the specified hours is denied.
2. If the user has the Two-Factor Authentication for User Interface Logins permission, Salesforce prompts the user for a second form
of authentication upon logging in. If the users account isnt already connected to a mobile authenticator app such as Salesforce
Authenticator, Salesforce first prompts the user to connect the app.
3. If the user has the Two-Factor Authentication for API Logins permission and has connected an authenticator app to the account,
Salesforce returns an error if the user uses the standard security token. The user has to enter a verification code (time-based one-time
password) generated by the authenticator app instead.
4. Salesforce then checks whether the users profile has IP address restrictions. If IP address restrictions are defined for the users profile,
logins from an undesignated IP address are denied, and logins from a specified IP address are allowed. If the Enforce login IP ranges
on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from
client applications.
5. If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from a device used to access
Salesforce before.
If the users login is from a device and browser that Salesforce recognizes, the login is allowed.
If the users login is from an IP address in your orgs trusted IP address list, the login is allowed.
If the users login is not from a trusted IP address or a device and browser Salesforce recognizes, the login is blocked.
Whenever a login is blocked or returns an API login fault, Salesforce has to verify the users identity:
For access via the user interface, the user is prompted to verify using Salesforce Authenticator (version 2 or later), or to enter a
verification code.
Note: Users arent asked for a verification code the first time they log in to Salesforce.
For access via the API or a client, users must add their security token to the end of their password to log in. Or, if Two-Factor
Authentication on API Logins is set on the user profile, users enter a verification code generated by an authenticator app.
A security token is an automatically generated key from Salesforce. For example, if a users password is mypassword, and the
security token is XXXXXXXXXX, the user must enter mypasswordXXXXXXXXXX to log in. Or some client applications have a
separate field for the security token.
21
Configure User AuthenticationSalesforce Security Guide
Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface.
When a user changes a password or resets a security token, Salesforce sends a new security token to the email address on the users
Salesforce record. The security token is valid until the user resets the security token, changes a password, or has a password reset.
Tip: Before you access Salesforce from a new IP address, we recommend that you get your security token from a trusted
network using Reset My Security Token.
Tips on Setting Login Restrictions
Consider the following when setting login restrictions.
When a users password is changed, the security token is reset. Log in via the API or a client can be blocked until the user adds the
automatically generated security token to the end of the password.
Partner Portal and Customer Portal users arent required to activate their browser to log in.
For more information on API login faults, see the Core Data Types Used in API Calls topic in the SOAP API Developer Guide.
If single sign-on (SSO) is enabled for your org, API and desktop client users can log in to Salesforce unless their profile has IP address
restrictions set and they try to log in from outside of the range defined. Also the SSO authority usually handles login lockout policies
for users with the Is Single Sign-On Enabled permission. However, if the security token is enabled for your org, your orgs login
lockout settings determine how many times users can attempt to log in with an invalid security token before being locked out of
Salesforce.
These events count toward the number of times users can attempt to log in with an invalid password before getting locked out of
Salesforce, as defined in your orgs login lockout settings.
Each time users are prompted to verify identity
Each time users incorrectly add the security token or verification code to the end of their password to log in to Salesforcevia the
API or a client
IN THIS SECTION:
Restrict Login IP Ranges in the Enhanced Profile User Interface
Control login access at the user level by specifying a range of allowed IP addresses on a users profile. When you define IP address
restrictions for a profile, a login from any other IP address is denied.
Restrict Login IP Addresses in the Original Profile User Interface
Control login access at the user level by specifying a range of allowed IP addresses on a users profile. When you define IP address
restrictions for a profile, a login from any other IP address is denied.
View and Edit Login Hours in the Enhanced Profile User Interface
For each profile, you can specify the hours when users can log in.
View and Edit Login Hours in the Original Profile User Interface
Specify the hours when users can log in based on the user profile.
Set Trusted IP Ranges for Your Organization
Trusted IP Ranges define a list of IP addresses from which users can log in without receiving a login challenge for verification of their
identity, such as a code sent to their mobile phone.
22
Configure User AuthenticationSalesforce Security Guide
Restrict Login IP Ranges in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To view login IP ranges:
View Setup and
Configuration
To edit and delete login IP
ranges:
Manage Profiles and
Permission Sets
Control login access at the user level by specifying a range of allowed IP addresses on a users profile.
When you define IP address restrictions for a profile, a login from any other IP address is denied.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile and click its name.
3. In the profile overview page, click Login IP Ranges.
4. Specify allowed IP addresses for the profile.
To add a range of IP addresses from which users can log in, click Add IP Ranges. Enter a
valid IP address in the IP Start Address and a higher-numbered IP address in the
IP End Address field. To allow logins from only a single IP address, enter the same
address in both fields.
To edit or remove ranges, click Edit or Delete for that range.
Important:
The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist
in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff,
where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is
255.255.255.255. A range cant include IP addresses both inside and outside
of the IPv4-mapped IPv6 address space. Ranges like 255.255.255.255 to
::1:0:0:0 or :: to ::1:0:0:0 arent allowed.
Partner User profiles are limited to five IP addresses. To increase this limit, contact
Salesforce.
5. Optionally enter a description for the range. If you maintain multiple ranges, use the Description
field to provide details, like which part of your network corresponds to this range.
Note: You can further restrict access to Salesforce to only those IPs in Login IP Ranges. To enable this option, in Setup, enter
Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every
request. This option affects all user profiles that have login IP restrictions.
23
Configure User AuthenticationSalesforce Security Guide
Restrict Login IP Addresses in the Original Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: All Editions
USER PERMISSIONS
To view login IP ranges:
View Setup and
Configuration
To edit and delete login IP
ranges:
Manage Profiles and
Permission Sets
Control login access at the user level by specifying a range of allowed IP addresses on a users profile.
When you define IP address restrictions for a profile, a login from any other IP address is denied.
1. How you restrict the range of valid IP addresses on a profile depends on your Salesforce edition.
If youre using an Enterprise, Unlimited, Performance, or Developer Edition, from Setup,
enter Profiles in the Quick Find box, then select Profiles, and select a profile.
If youre using a Group, or Personal Edition, from Setup, enter Session Settings in
the Quick Find box, then select Session Settings.
In a Professional Edition, the location of IP ranges depends on whether you have the "Edit
Profiles & Page Layouts" org preference enabled as an add-on feature.
With the "Edit Profiles & Page Layouts" org preference enabled, IP ranges are on individual
profiles.
Without the "Edit Profiles & Page Layouts" org preference enabled, IP ranges are on the
Session Settings page.
2. Click New in the Login IP Ranges related list.
3. Enter a valid IP address in the IP Start Address field and a higher-numbered IP address
in the IP End Address field.
The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP
address, enter the same address in both fields.
The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space
::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is
255.255.255.255. A range cant include IP addresses both inside and outside of the IPv4-mapped IPv6 address space.
Ranges like 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 arent allowed.
Partner User profiles are limited to five IP addresses. To increase this limit, contact Salesforce.
4. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as
which part of your network corresponds to this range.
5. Click Save.
Note: Cache settings on static resources are set to private when accessed via a Salesforce Site whose guest user's profile has
restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser.
Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce
cache and any intermediate caches.
Note: You can further restrict access to Salesforce to only those IPs in Login IP Ranges. To enable this option, in Setup, enter
Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every
request. This option affects all user profiles that have login IP restrictions.
24
Configure User AuthenticationSalesforce Security Guide
View and Edit Login Hours in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To view login hour settings:
View Setup and
Configuration
To edit login hour settings:
Manage Profiles and
Permission Sets
For each profile, you can specify the hours when users can log in.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile and click its name.
3. In the profile overview page, scroll down to Login Hours and click Edit.
4. Set the days and hours when users with this profile can log in to the organization.
To allow users to log in at any time, click Clear all times. To prohibit users from using the
system on a specific day, set the start and end times to the same value.
If users are logged in when their login hours end, they can continue to view their current page,
but they cant take any further action.
Note: The first time login hours are set for a profile, the hours are based on the organizations
Default Time Zone as specified on the Company Information page in Setup. After
that, any changes to the organizations Default Time Zone wont change the time
zone for the profiles login hours. As a result, the login hours are always applied at those exact
times even if a user is in a different time zone or if the organizations default time zone is
changed.
Depending on whether youre viewing or editing login hours, the hours may appear differently.
On the Login Hours edit page, hours are shown in your specified time zone. On the profile
overview page, they appear in the organizations original default time zone.
View and Edit Login Hours in the Original Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
USER PERMISSIONS
To set login hours:
Manage Profiles and
Permission Sets
Specify the hours when users can log in based on the user profile.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles, and select a
profile.
2. Click Edit in the Login Hours related list.
3. Set the days and hours when users with this profile can use the system.
To allow users to log in at any time, click Clear All Times. To prohibit users from using the
system on a specific day, set the start and end times to the same value.
If users are logged in when their login hours end, they can continue to view their current page,
but they cant take any further action.
4. Click Save.
25
Configure User AuthenticationSalesforce Security Guide
Note: The first time login hours are set for a profile, the hours are based on the organizations Default Time Zone as
specified on the Company Information page in Setup. After that, any changes to the organizations Default Time Zone
wont change the time zone for the profiles login hours. As a result, the login hours are always applied at those exact times even
if a user is in a different time zone or if the organizations default time zone is changed.
Depending on whether youre viewing or editing login hours, the hours appear differently. On the profile detail page, hours are
shown in your specified time zone. On the Login Hours edit page, they appear in the organizations default time zone.
Set Trusted IP Ranges for Your Organization
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: All Editions
USER PERMISSIONS
To change network access:
Manage IP Addresses
Trusted IP Ranges define a list of IP addresses from which users can log in without receiving a login
challenge for verification of their identity, such as a code sent to their mobile phone.
Note: Who Sees What: Organization Access (English only)
Watch how you can restrict login through IP ranges and login hours.
To help protect your organizations data from unauthorized access, you can specify a list of IP
addresses from which users can log in without receiving a login challenge. However, this does not
restrict access, entirely, for users outside of the Trusted IP Range. After these users complete the
login challenge (usually by entering a code sent to their mobile device or email address), they can
log in.
1. From Setup, enter Network Access in the Quick Find box, then select Network
Access.
2. Click New.
3. Enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.
The start and end addresses define the range of allowable IP addresses from which users can log in, including the start and end
values. If you want to allow logins from a single IP address, enter the same address in both fields.
The start and end IP addresses must be in an IPv4 range and include no more than 33,554,432 addresses (225, a /7 CIDR block).
4. Optionally, enter a description for the range. For example, if you maintain multiple ranges, enter details about the part of your network
that corresponds to this range.
5. Click Save.
Note: For organizations that were activated before December 2007, Salesforce automatically populated your organizations
trusted IP address list in December 2007, when this feature was introduced. The IP addresses from which trusted users had already
accessed Salesforce during the past six months were added.
26
Configure User AuthenticationSalesforce Security Guide
Set Password Policies
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Contact
Manager, Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To set password policies:
Manage Password
Policies
Improve your Salesforce org security with password protection. You can set password history,
length, and complexity requirements. You can also specify what to do when a user forgets the
password.
You can set different password and login policies based on the type of user.
Note: User passwords cannot exceed 16,000 bytes.
Logins are limited to 3,600 per hour per user. This limit applies to organizations created after
Summer 08.
1. From Setup, enter Password Policies in the Quick Find box, then select Password
Policies.
2. Customize the password settings.
DescriptionField
The length of time until a user password
expires and must be changed. The default is
90 days. This setting isnt available for
Self-Service portals. This setting doesnt apply
to users with the Password Never Expires
permission.
When you change the User passwords
expire in setting and the new expiration
User passwords expire in
date is earlier than a users previous expiration
date, the change affects the users password
expiration date. To remove an expiration date,
select Never expires.
Save users previous passwords so that they
must use a new, unique password when
Enforce password history
changing passwords. Password history is not
saved until you set this value. The default is 3
passwords remembered. You cannot
select No passwords remembered
unless you select Never expires for the
User passwords expire in field.
This setting isnt available for Self-Service
portals.
The minimum number of characters required
for a password. When you set this value,
Minimum password length
existing users arent affected until the next
time they change their passwords. The default
is 8 characters.
27
Configure User AuthenticationSalesforce Security Guide
DescriptionField
The types of characters that must be used in a users password.Password complexity requirement
No restrictionHas no requirements and is the least
secure option.
Must mix alpha and numeric
charactersThe default setting. Requires at least one
alphabetic character and one number.
Must mix alpha, numeric, and special
charactersRequires at least one alphabetic character,
one number, and one of the following characters: ! # $
% - _ = + < >.
Must mix numbers and uppercase and
lowercase lettersRequires at least one number,
one uppercase letter, and one lowercase letter.
Must mix numbers, uppercase and
lowercase letters, and special
charactersRequires at least one number, one
uppercase letter, one lowercase letter, and one of the
following characters: ! # $ % - _ = + < >.
Note: Only the characters listed meet the requirement.
Other symbol characters are not considered special
characters.
Choose Cannot contain password to restrict the
answer to the password hint question from containing the
Password question requirement
password itself. Choose None, the default, for no restrictions on
the answer. The user must provide an answer to the password
hint question. This setting is not available for Self-Service portals,
Customer Portals, or partner portals.
The number of login failures allowed for a user before the user
is locked out. This setting isnt available for Self-Service portals.
Maximum invalid login attempts
The duration of the login lockout. The default is 15 minutes. This
setting isnt available for Self-Service portals.
When a user is logged in to an active session but is later locked
out, the user remains logged in to the active session.
Lockout effective period
Note: A locked-out user must wait until the lockout
period expires. Alternatively, a user with the Reset User
Passwords and Unlock Users permission can unlock a user
from Setup.
a. Enter Users in the Quick Find box.
b. Select Users.
c. Select the user, and click Unlock.
28
Configure User AuthenticationSalesforce Security Guide
DescriptionField
This button is available only when a user is locked
out.
Hide answers to security questions as the user types. The default
is to show the answer in plain text.
Obscure secret answer for password resets
Note: If your org uses the Microsoft Input Method Editor
(IME) with the input mode set to Hiragana, when you type
ASCII characters, theyre converted in to Japanese
characters in normal text fields. However, the IME doesnt
work properly in fields with obscured text. If your orgs
users cannot properly enter their passwords or other
values after enabling this feature, disable the feature.
A password cant be changed more than once in a 24-hour
period.
Require a minimum 1 day password lifetime
When selected, apps can use the setPassword() API to
change the current users password to a specific value. Deselect
Allow use of setPassword() API for
self-resets
this option for increased security. When deselected, apps must
use the changeOwnPassword() API to prompt users to
set their password value. The changeOwnPassword() API
verifies the users current password before allowing the change.
When you deselect this option, you cant select it again.
3. Customize the forgotten password and locked account assistance information.
Note: This setting is not available for Self-Service portals, Customer Portals, or partner portals.
DescriptionField
If set, the message you enter appears in the We cant reset your
password email. Users receive this email when they lock
Message
themselves out by trying to reset their password too many times.
The text also appears at the bottom of the Answer Your Security
Question page when users reset their passwords.
You can add the name of your internal help desk or a system
administrator to the default text. The message appears only for
accounts that need an administrator to reset the password.
Lockouts due to time restrictions get a different system email
message.
If set, this link displays along with the text defined in the
Message field. In the We cant reset your password email,
Help link
the URL displays exactly as typed in the Help link field, so
29
Configure User AuthenticationSalesforce Security Guide
DescriptionField
the user can see where the link goes. This URL display format is
for security because the user is not within a Salesforce org.
On the Answer Your Security Question page, the Help link
URL combines with the text in the Message field and forms a
clickable link. Security isnt an issue because the user is in a
Salesforce org when changing passwords.
Valid protocols are:
http
https
mailto
4. Specify an alternative home page for users with the API Only User permission. After completing user management tasks such as
resetting a password, API-only users are redirected to the specified URL rather than to the login page.
5. Click Save.
Expire Passwords for All Users
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To expire all passwords:
Reset User Passwords
and Unlock Users
As an administrator, you can expire passwords for all users any time you want to enforce extra
security for your organization. After expiring passwords, all users are prompted to reset their password
the next time they log in.
To expire passwords for all users, except those users with the Password Never Expires permission:
1. From Setup, enter Expire All Passwords in the Quick Find box, then select
Expire All Passwords.
2. Select Expire all user passwords.
3. Click Save.
The next time users log in, they are prompted to reset their password.
Considerations When Expiring Passwords
Users might need to activate their computers to log in to Salesforce.
Expire all user passwords doesnt affect Self-Service portal users, because they
arent direct Salesforce users.
30
Configure User AuthenticationSalesforce Security Guide
Modify Session Security Settings
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
The Lock sessions to the IP
address from which they
originated setting is
available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
All other settings available
in: Essentials, Personal,
Contact Manager, Group,
Professional, Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
USER PERMISSIONS
To modify session security
settings:
Customize Application
You can modify session security settings to specify the session connection type, timeout restrictions,
and IP address ranges to protect against malicious attacks and more.
1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
2. Customize the session security settings.
Note: Identity verification settings are also available on the Identity Verification page on
page 39. You can change identity verification settings in either location.
DescriptionField
Length of time after which the system logs out inactive
users. For Portal users, the timeout is between 10
minutes and 24 hours even though you can only set it
as low as 15 minutes. Select a value between 15 minutes
and 24 hours. Choose a shorter timeout period if your
org has sensitive information and you want to enforce
stricter security.
Timeout value
Note: The last active session time value isnt
updated until halfway through the timeout
period. So if you have a 30-minute timeout, the
system doesnt check for activity until 15 minutes
have passed. For example, if you update a record
after 10 minutes, the last active session time
value isnt updated because there was no activity
after 15 minutes. Youre logged out in 20 more
minutes (30 minutes total), because the last
active session time wasnt updated. Suppose
that you update a record after 20 minutes. Thats
5 minutes after the last active session time is
checked. Your timeout resets, and you have
another 30 minutes before being logged out,
for a total of 50 minutes.
Determines whether the system prompts inactive users
with a timeout warning message. Users are prompted
Disable session timeout warning
popup
30 seconds before timeout as specified by the Timeout
value.
Requires that when sessions time out for inactive users,
current sessions become invalid. The browser refreshes
Force logout on session timeout
and returns to the login page. To access the org, the
user must log in again.
Note: Do not select Disable session timeout
warning popup when using this setting.
Determines whether user sessions are locked to the IP
address from which the user logged in, helping to
Lock sessions to the IP address from
which they originated
31
Configure User AuthenticationSalesforce Security Guide
DescriptionField
prevent unauthorized persons from hijacking a valid session.
Note: This setting can inhibit various applications and mobile devices.
Associates a current UI session for a user, such as a community user, with a
specific domain. The setting helps prevent unauthorized use of the session
Lock sessions to the domain in which they were
first used
ID in another domain. This setting is enabled by default for orgs created with
the Spring 15 release or later.
Determines whether HTTPS is required to log in to or access Salesforce.
This setting is enabled by default for security reasons. This setting does not
apply to API requests. All API requests require HTTPS.
Require secure connections (HTTPS)
To enable HTTPS on communities and Salesforce Sites, see HSTS for Sites and
Communities.
Note: The Reset Passwords for Your Users page can only be accessed
using HTTPS.
Determines whether HTTPS is required for connecting to third-party domains.
This setting is enabled by default on accounts created after the Summer 17
release.
Require secure connections (HTTPS) for all
third-party domains
Determines whether an administrator who is logged in as another user is
returned to their previous session after logging out as the secondary user.
If the setting is enabled, an administrator must log in again to continue using
Salesforce after logging out as the user. Otherwise, the administrator is returned
Force relogin after Login-As-User
to the original session after logging out as the user. This setting is enabled by
default for all orgs.
Restricts session ID cookie access. A cookie with the HttpOnly attribute is not
accessible via non-HTTP methods, such as calls from JavaScript.
Require HttpOnly attribute
Note: If you have a custom or packaged application that uses
JavaScript to access session ID cookies, selecting Require HttpOnly
attribute breaks your application. It denies the application access to
the cookie. If Require HttpOnly attribute is selected, the AJAX Toolkit
debugging window isnt available.
Sets the org to send session information using a POST request, instead of a
GET request, for cross-domain exchanges. An example of a cross-domain
Use POST requests for cross-domain sessions
exchange is when a user is using a Visualforce page. In this context, POST
requests are more secure than GET requests because POST requests keep the
session information in the body of the request. However, if you enable this
setting, embedded content from another domain, such as:
<img
src="https://acme.force.com/pic.jpg"/>
32
Configure User AuthenticationSalesforce Security Guide
DescriptionField
sometimes doesnt display.
Restricts the IP addresses from which users can access Salesforce to only the
IP addresses defined in Login IP Ranges. If this setting is enabled, login IP
Enforce login IP ranges on every request
ranges are enforced on each page request, including requests from client
applications. If this setting isnt enabled, login IP ranges are enforced only
when a user logs in. This setting affects all user profiles that have login IP
restrictions.
Allows the users browser to store usernames. If enabled, after initial login,
usernames are auto-filled into the Username field on the login page. If the
Enable caching and autocomplete on login page
user selected Remember me on the login page, the username persists after
the session expires or the user logs out. The username also appears on the
Switcher. This setting is selected by default for all orgs.
Note: If you disable this setting, the Remember me option doesnt
appear on your orgs login page or from the Switcher.
Enables secure data caching in the browser to improve page reload
performance by avoiding extra round trips to the server. This setting is selected
by default for all orgs.
Enable secure and persistent browser caching to
improve performance
Warning: Disabling secure and persistent browser caching has a
significant negative performance impact on Lightning Experience. Only
disable in the following scenarios:
Your companys policy doesnt allow browser caching, even if the
data is encrypted.
During development in a sandbox or Developer Edition org to see
the effect of any code changes without needing to empty the
secure cache.
Determines whether the Switcher appears when your orgs users select their
profile picture. This setting is selected by default for all organizations. The
Enable user switching
Enable caching and autocomplete on login page setting must also be enabled.
Deselect the Enable user switching setting to prevent your org from appearing
in Switchers on other orgs. It also prevents your org users from seeing the
Switcher when they select their profile picture.
Normally, usernames are cached only while a session is active or if a user
selects Remember Me. For SSO sessions, the remember option isn't available.
Remember until logout
So, once the session expires, the username disappears from the login page
and the Switcher. By enabling Remember me until logout, the cached
usernames are deleted only if the user explicitly logs out. If the session times
out, they appear on the Switcher as inactive. This way, if the users are on their
own computer and allow a session to time out, they can select the username
to reauthenticate. If they're on a shared computer, the username is deleted
immediately when the user logs out.
33
Configure User AuthenticationSalesforce Security Guide
DescriptionField
This setting applies to all your orgs users. This option isn't enabled by default.
However, we encourage you to enable it as a convenience to your users. Keep
this setting disabled if your org doesn't expose all your SSO or authentication
providers on your login page.
Load Lightning Experience and other apps faster by enabling Akamais content
delivery network (CDN) to serve the static content for Lightning Component
Enable Content Delivery Network (CDN) for
Lightning Component framework
framework. A CDN generally speeds up page load time, but it also changes
the source domain that serves the files. If your company has IP range
restrictions for content served from Salesforce, test thoroughly before enabling
this setting.CDNs improve the load time of static content by storing cached
versions in multiple geographic locations. This setting turns on CDN delivery
for the static JavaScript and CSS in the Lightning Component framework. It
doesnt distribute your orgs data or metadata in a CDN.
Allows users to receive a one-time password delivered via SMS. If this setting
is selected, administrators or users must verify their mobile phone number
Enable the SMS method of identity confirmation
before taking advantage of this feature. This setting is selected by default for
all orgs.
In API version 31.0 and earlier, requires the use of security tokens for API logins
from callouts. Examples are Apex callouts or callouts using the AJAX proxy. In
API version 32.0 and later, security tokens are required by default.
Require security tokens for API logins from callouts
(API version 31.0 and earlier)
Specifies a range of IP addresses users must log in from (inclusive), or the login
fails.
To specify a range, click New and enter a Start IP Address and End IP Address
to define the range, which includes the start and end values.
Login IP Ranges (for Contact Manager, Group, and
Professional Editions)
This field is not available in Enterprise, Unlimited, Performance, and Developer
Editions. In those editions, you can specify a valid Login IP Range in the user
profile settings.
Allows users to use a U2F security key for two-factor authentication and identity
verification. Instead of using Salesforce Authenticator, one-time passwords
Let users use a security key (U2F)
generated by an authenticator app, or one-time passwords sent by email or
SMS, users insert their registered U2F security key into a USB port to complete
verification.
Requires users to confirm their identities to add a two-factor authentication
method, such as Salesforce Authenticator, instead of requiring a relogin as
before.
Require identity verification during two-factor
authentication registration
Requires users to log in again and confirm their identity before the change to
their email address is applied. Salesforce asks the user to verify identity using
Require identity verification for change of email
address
a registered verification method, such as Salesforce Authenticator, SMS text
message, or email.
34
Configure User AuthenticationSalesforce Security Guide
DescriptionField
Note: If the users identity verification method is email, the verification
code is sent to the users previously registered email address rather
than the new email address.
Allows users to verify identity by automatically approving notifications in
Salesforce Authenticator, whenever users are in trusted locations such as a
Allow location-based automated verifications with
Salesforce Authenticator
home or office. If you allow automated verifications, you can allow them from
Allow only from trusted IP addresses any location or restrict them to only trusted IP addresses, such as your
corporate network.
Allows users to use Lightning Login for password-free Salesforce logins, relying
on Salesforce Authenticator for identity verification.
Allow Lightning Login
Records users logout events. This setting is available only if the
LogoutEventStream object functionality is enabled in your org by Salesforce.
Enable Logout Events Stream
Note: This setting does not record timeout events. An exception is
when users are automatically logged out of the org after their session
times out because the org has Force logout on session timeout
enabled. In this case, a logout event is recorded. However, if users close
their browser during a session, regardless of whether the Force logout
on session timeout setting is enabled, a logout event isnt recorded.
Protects against clickjack attacks on setup Salesforce pages. Clickjacking is
also known as a user interface redress attack. (Setup pages are available from
the Setup menu.)
Enable clickjack protection for Setup pages
Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking
is also known as a user interface redress attack. Setup pages already include
Enable clickjack protection for non-Setup Salesforce
pages
protection against clickjack attacks. (Setup pages are available from the Setup
menu.) This setting is selected by default for all orgs.
Protects against clickjack attacks on your Visualforce pages with headers
enabled. Clickjacking is also known as a user interface redress attack.
Enable clickjack protection for customer Visualforce
pages with standard headers
Warning: If you use custom Visualforce pages within a frame or iframe,
you sometimes see a blank page or the page displays without the
frame. For example, Visualforce pages in a page layout dont function
when clickjack protection is on.
Protects against clickjack attacks on your Visualforce pages with headers
disabled when setting showHeader="false" on the page. Clickjacking
is also known as a user interface redress attack.
Enable clickjack protection for customer Visualforce
pages with headers disabled
Warning: If you use custom Visualforce pages within a frame or iframe,
you sometimes see a blank page or the page displays without the
frame. For example, Visualforce pages in a page layout dont function
when clickjack protection is on.
35
Configure User AuthenticationSalesforce Security Guide
DescriptionField
Protects against Cross Site Request Forgery (CSRF) attacks by modifying
non-Setup pages. Non-Setup pages include a random string of characters in
Enable CSRF protection on GET requests on
non-setup pages
the URL parameters or as a hidden form field. With every GET and POST request,
Enable CSRF protection on POST requests on
non-setup pages the application checks the validity of this string of characters. The application
doesnt execute the command unless the value found matches the expected
value. This setting is selected by default for all orgs.
The Lightning Component framework already uses Content Security Policy
(CSP), the W3C standard to control the source of content that can be loaded
Enable Stricter Content Security Policy
on a page. The Enable Stricter Content Security Policy setting additionally
prohibits the use of unsafe-inline for script-src to mitigate the
risk of cross-site scripting attacks.
Prevent Lightning component authors from modifying JavaScript prototypes
of global objects that are shared between namespaces. This restriction enables
Freeze JavaScript Prototypes
better code separation between components and prevents malicious or
inadvertent tampering of shared objects, such as the JavaScript APIs or DOM
APIs.
Note: Cisco Webex Teams and Meetings features aren't compatible
with the Freeze JavaScript Prototypes setting. If you have one of these
Webex features enabled, you cant enable this setting.
Protects against reflected cross-site scripting attacks. If a reflected cross-site
scripting attack is detected, the browser shows a blank page with no content.
XSS protection
Prevents the browser from inferring the MIME type from the document
content. It also prevents the browser from executing malicious files (JavaScript,
Stylesheet) as dynamic content.
Content Sniffing protection
When loading pages, the referrer header shows only Salesforce.com rather
than the entire URL. This feature eliminates the potential for a referrer header
Referrer URL Protection
to reveal sensitive information that could be present in a full URL, such as an
org ID. This feature is supported only for Chrome and Firefox.
Requires HTTPS on communities and Salesforce Sites.HSTS for Sites and Communities
Note: This setting must be enabled in two locations. HSTS for Sites
and Communities must be enabled in Session Settings, and Require
Secure Connections (HTTPS) must be enabled in the community or
Salesforce Site security settings. See Creating and Editing Salesforce
Sites.
Displays a warning message when users click links that take them outside the
salesforce.com domain. The warning message includes the full link to the
Warn users before they are redirected outside of
Salesforce
external URL and the domain name. Use this feature to protect your users
from malicious URLs and phishing. In Lightning Experience, the warning
message applies only to web tabs.
Redirects users to a specific page after they log out of Salesforce, such as an
authentication providers page or a custom-branded page. This URL is used
Logout URL
36
Configure User AuthenticationSalesforce Security Guide
DescriptionField
only if no logout URL is specified in the identity provider, SAML single sign-on,
or external authentication provider settings. If no value is specified for Logout
URL, the default is https://login.salesforce.com, unless
MyDomain is enabled. If My Domain is enabled, the default is
https://customdomain.my.salesforce.com.
Specifies how long the account verification link in welcome emails to new
users is valid. You can select 1, 7, or 180 days. By default, account verification
links expire after 7 days.
When you update this setting, the change applies to links in welcome emails
that were already sent. For example, you added a user and sent a welcome
Link expires in
email two days ago when links expired in seven days. If you update the setting
so that links expire in one day, the link in the email you sent two days ago is
no longer valid.
3. Click Save.
Session Security Levels
You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for
the users current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change
the session security level and define policies so that specified resources are available only to users assigned a High Assurance level.
For sensitive operations, require a high-assurance level of security, or block users altogether. If users already have a high-assurance
session after logging in, they arent prompted to verify their identity again in the same session, even if you require high assurance for
these operations.
The following table lists the different authentication methods and their default session security levels.
DescriptionDefault Session Security
Level
Type
Users log in by providing a username and password on a
login page.
StandardUsername and Password
Users log in by providing a username and a password that
is validated using a callout to a delegated authentication
endpoint.
StandardDelegated Authentication
Users verify their identity when accessing Salesforce from
a new browser or device.
StandardActivation
Internal users log in by using Salesforce Authenticator
instead of a password.
StandardLightning Login
External users of communities log in by providing a
verification code instead of a password.
StandardPasswordless Login
Users complete a two-factor authentication challenge to
access a resource. For example, a user must complete
High AssuranceTwo-Factor Authentication
37
Configure User AuthenticationSalesforce Security Guide
DescriptionDefault Session Security
Level
Type
two-factor authentication when accessing a report that
requires a High Assurance level with the Raise session level
policy.
Warning: Be cautious about changing the security
level of Two-Factor Authentication to Standard. If
Two-Factor Authentication has a Standard level, but
the user profile setting Session security level
required at login requires a High Assurance session
security level, the user cant log in. User access is
blocked when the high assurance requirement isnt
met.
Users log in to Salesforce using their login credentials from
an external service provider.
StandardAuthentication Provider
Users are authenticated using the SAML protocol for single
sign-on.
StandardSAML
Note: The security level for a SAML session can also
be specified using the SessionLevel attribute of the
SAML assertion sent by the identity provider. The
attribute can take one of two values, STANDARD or
HIGH_ASSURANCE.
To change the security level associated with a login method:
1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
2. Under Session Security Levels, select the login method.
3. To move the method to the proper category, click the Add or Remove arrow.
Reports and dashboards in Salesforce and connected apps use session-level security. You can set policies requiring High Assurance on
these types of resources. You can also specify an action to take when the session used to access the resource is not High Assurance. The
supported actions are:
BlockBlocks access to the resource by showing an insufficient privileges error.
Raise session levelPrompts users to complete two-factor authentication. When users authenticate successfully, they can access
the resource. For reports and dashboards, you can apply this action when users access reports or dashboards, or just when they
export and print them.
Warning: Raising the session level to high assurance by redirecting the user to complete two-factor authentication is not a
supported action in Lightning Experience. If your org enabled Lightning Experience, and you set a policy that requires a
high-assurance session to access reports and dashboards, Lightning Experience users with a standard session are blocked from
reports and dashboards. Also, they dont see the icons for these resources in the navigation menu. As a workaround, users with a
standard assurance session can log out and log in again using an authentication method that is defined as high assurance by their
org. Then they have access to reports and dashboards. Or, they can switch to Salesforce Classic, where theyre prompted to raise
the session level when they attempt to access reports and dashboards.
To set a High Assurance required policy for accessing a connected app:
38
Configure User AuthenticationSalesforce Security Guide
1. From Setup, enter Connected Apps in the Quick Find box, then select the option for managing connected apps.
2. Click Edit next to the connected app.
3. Select High Assurance session required.
4. Select one of the actions presented.
5. Click Save.
To set a High Assurance required policy for accessing reports and dashboards:
1. From Setup, enter Access Policies in the Quick Find box, then select Access Policies.
2. Select High Assurance session required.
3. Select one of the actions presented.
4. Click Save.
Note: You also can set the High Assurance requirement for reports and dashboards on the Identity Verification page. For more
information, see Require High Assurance Session Security for Sensitive Operations.
Session levels have no impact on resources in the app other than connected apps, reports, and dashboards for which explicit security
policies have been defined.
Configure When Users Are Prompted to Verify Identity
EDITIONS
Available in: all editions
USER PERMISSIONS
To modify identity verification
settings:
Customize Application
You can control how and when users are prompted to verify their identity.
1. In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
2. Customize the identity verification settings, and then click Save.
DescriptionField
Allows users to receive a one-time password
delivered via SMS. If this setting is selected,
administrators or users must verify their
mobile phone number before taking
advantage of this feature. This setting is
selected by default for all orgs.
Enable the SMS method of identity
confirmation
In API version 31.0 and earlier, requires the use
of security tokens for API logins from callouts.
Require security tokens for API logins from
callouts (API version 31.0 and earlier)
Examples are Apex callouts or callouts using
the AJAX proxy. In API version 32.0 and later,
security tokens are required by default.
Allows users to use a U2F security key for
two-factor authentication and identity
Let users use a security key (U2F)
verification. Instead of using Salesforce
Authenticator, one-time passwords generated
by an authenticator app, or one-time
passwords sent by email or SMS, users insert
their registered U2F security key into a USB
port to complete verification.
39
Configure User AuthenticationSalesforce Security Guide
DescriptionField
Requires users to confirm their identities to add a two-factor
authentication method, such as Salesforce Authenticator, instead
of requiring a relogin as before.
Require identity verification during two-factor authentication
registration
Requires users to log in again and confirm their identity before
the change to their email address is applied. Salesforce asks the
Require identity verification for change of email address
user to verify identity using a registered verification method, such
as Salesforce Authenticator, SMS text message, or email.
Note: If the users identity verification method is email,
the verification code is sent to the users previously
registered email address rather than the new email
address.
Allows users to verify identity by automatically approving
notifications in Salesforce Authenticator, whenever users are in
Allow location-based automated verifications with Salesforce
Authenticator
trusted locations such as a home or office. If you allow automated
Allow only from trusted IP addresses verifications, you can allow them from any location or restrict
them to only trusted IP addresses, such as your corporate
network.
These identity verification settings are also available on the Session Settings page. You can change the settings in either location.
SEE ALSO:
Modify Session Security Settings
Require High-Assurance Session Security for Sensitive Operations
Require High-Assurance Session Security for Sensitive Operations
EDITIONS
Available in: all editions
USER PERMISSIONS
To modify session security
settings:
Customize Application
To secure different setup areas in your org, require a high-assurance level of security for sensitive
operations, like accessing reports and managing IP addresses. You can also block users from accessing
these setup areas.
These settings apply only to users who have user permissions to access these operations. If users
have a high-assurance session after logging in, they arent prompted to verify their identity in the
same session, even if you require high assurance for sensitive operations.
1. In Setup, enter Identity in the Quick Find box, and then click Identity Verification.
2. Under Session Security Level Policies, raise the session security level to high assurance, or block
users.
Reports and DashboardsControls access to reports and dashboards. This setting is also
available on the Reports and Dashboards Access Policies page. You can change this setting in either location.
Manage Encryption KeysControls access to the Platform Encryption page, the Certificate and Key Management Setup page,
and the TenantSecret object.
Manage Auth. ProvidersControls access to the Auth. Providers page, the User Details Setup page, and the AuthProvider object.
Manage Login Access PoliciesControls access to the Login Access Policies Setup page.
40
Configure User AuthenticationSalesforce Security Guide
Manage IP AddressesControls access to the Network Access Setup page.
Manage Password PoliciesControls access to the Password Policies Setup page and profile details.
Manage SharingControls access to the Sharing Settings Setup page, the SharingRules object, and the CustomObjects
sharingModel field in Metadata API.
SEE ALSO:
Configure When Users Are Prompted to Verify Identity
Modify Session Security Settings
Create a Login Flow
EDITIONS
Available in: both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To open, edit, or create a
flow in the Cloud Flow
Designer:
Manage Flow
A login flow directs users through a login process before they access your Salesforce org or
community. You can use a login flow to control the business processes that your users follow when
they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through
a process, such as enforcing strong authentication or collecting user information. When users
complete the login flow successfully, they are redirected to their Salesforce org or community. If
unsuccessful, the flow can log out users immediately.
Before creating a login flow, its important to understand login flow execution.
To invoke a login flow, the user must first be authenticated. Login flows dont replace the existing
Salesforce authentication process. They integrate new steps or ask the user for information.
During login-flow execution, users have restricted access. Users in a login flow can access only
the flowthey cant bypass it to get to the application. They can log in to the org only when
they successfully authenticate and complete the flow.
You can create two types of login flows:
Screen flow, which you create declaratively using the Cloud Flow Designer
Visualforce Page, which you create programmatically using Visualforce
After creating the flow, you designate it as a login flow from Setup and choose which profiles apply.
You can create multiple login flows and associate each one with a different user profile. Users assigned to one profile, like sales reps,
experience a particular login process as they log in. Users assigned to a different profile like service reps, experience a different login
process.
IN THIS SECTION:
Create a Login Flow with the Cloud Flow Designer
Use the point-and-click Cloud Flow Designer to create a login flow declaratively. With this tool, you create a screen flowa collection
of screens and connectors that step users through a business process when they log in.
Create a Custom Login Flow with Visualforce
Use Visualforce and an Apex controller to create a custom login flow programmatically. With Visualforce, you have complete control
over how your login page looks, behaves, and where users go after they complete the flow. You can design your login page from
scratch and control every pixel of the page.
41
Configure User AuthenticationSalesforce Security Guide
Create a Login Flow with the Cloud Flow Designer
EDITIONS
Available in: both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To open, edit, or create a
flow in the Cloud Flow
Designer:
Manage Flow
Use the point-and-click Cloud Flow Designer to create a login flow declaratively. With this tool, you
create a screen flowa collection of screens and connectors that step users through a business
process when they log in.
Note: You can also use Visualforce to create a Visualforce Page login flow in code.
Modify the default login flow to meet your needs. You can customize the login page by:
Supplying your own logo
Changing the colors of the background and login button
Displaying content on the right frame of the page
Follow these steps to build a login flow using the Cloud Flow Designer.
1. Create a screen flow with the Cloud Flow Designer.
Note: Make sure that you save and activate the flow.
2. From Setup, designate the flow as a login flow, and associate the flow with user profiles. See
Set Up a Login Flow and Connect to Profiles.
Create a Custom Login Flow with Visualforce
Use Visualforce and an Apex controller to create a custom login flow programmatically. With Visualforce, you have complete control
over how your login page looks, behaves, and where users go after they complete the flow. You can design your login page from scratch
and control every pixel of the page.
Define the business process in an Apex controller of the Visualforce page. Salesforce doesnt pass input variables to a Visualforce Page
login flow, but you have access to user and login context. You must include one of these Apex methods.
Auth.SessionManagement.finishLoginFlow() indicates that the login flow is done and redirects the user to the
home page
Auth.SessionManagement.finishLoginFlow(startURL) indicates that the login flow is done and redirects the
user to a specific page.
The login flow runs in a restricted session. Calling a finishLoginFlow method removes the session restriction and gives users
access to Salesforce or their community. You decide when or under what condition to call the method to remove the session restriction.
Heres an example of a Visualforce Page login flow. The user clicks a button to invoke the finishLoginFlow method. Specify
showHeader=”false” for the login flow to work correctly.
<apex:page showHeader="false" controller="VFLoginFlowController">
<h1>You are in VF Login Flow</h1>
<apex:form >
<apex:commandButton action="{!FinishLoginFlowHome}" value="Finish and Go to Home"/>
<apex:commandButton action="{!FinishLoginFlowStartUrl}" value="Finish and Go to
StartUrl"/>
</apex:form>
</apex:page>
Heres an example of an Apex controller that defines the business process.
public class VFLoginFlowController {
public PageReference FinishLoginFlowStartUrl() {
42
Configure User AuthenticationSalesforce Security Guide
//do stuff
//finish the login flow and send you to the startUrl (account page in this case)
return Auth.SessionManagement.finishLoginFlow('/001');
}
public PageReference FinishLoginFlowHome() {
//do stuff
//finish the login flow and send you the default homepage
return Auth.SessionManagement.finishLoginFlow();
}
}
Give each profile that you want to associate with this Visualforce Page access.
1. From Setup, enter Visualforce in the Quick Find box, then select Visualforce Page.
2. Next to the Visualforce page that you want to use, click Security.
3. From the list of available profiles, add the profiles that you want to associate with this login flow.
4. From Setup, designate the Visualforce page as a login flow, and connect the profiles to it. See Set Up a Login Flow and Connect to
Profiles.
Set Up a Login Flow and Connect to Profiles
EDITIONS
Available in: both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
After you create a flow using the Cloud Flow Designer or Visualforce, you designate it as a login
flow and then associate it with user profiles. When users with an associated profile log in, theyre
directed to the login flow.
Note: Dont associate a login flow with your administrator profile until you are sure that the
login flow works properly. Otherwise, if it fails, you cant log in to your org.
1. From Setup, enter Login in the Quick Find box, then select Login Flows.
2. Click New.
3. On the Login Flow Edit page, enter a name for the login flow.
43
Configure User AuthenticationSalesforce Security Guide
4. Select the type of flow you created. Choose Flow if you created the flow with the Cloud Flow Designer. Choose Visualforce Page
if you created the flow with Visualforce.
Note: For Visualforce Page login flows, make sure that the profiles that you intend to associate with this login flow have access
to the Visualforce Page.
5. From the dropdown list of available flows, choose which one to use for this login flow.
6. Select a user license for the profile that you want to connect to the login flow.
7. From the list of available profiles for this license, select the profile to associate with this login flow.
8. If you want the login flow to resemble the Lightning Experience UI, select Render Flow in Lightning Runtime. If you dont select
this option, the login flow resembles Salesforce Classic.
Note: A login flow is independent of which UI users use: Lightning Experience or Salesforce Classic. You can set a login flow
to resemble Lightning Experience even if users log in to Salesforce Classic. Likewise, you can set a login flow to resemble
Salesforce Classic even if users log in to Lightning Experience.
9. Click Save.
Repeat the process to associate other profiles with the login flow.
After you connect the login flow, you can edit or delete it from the Login Flows Setup page.
Login Flow Examples
You can use a login flow to customize the login experience and integrate business processes with Salesforce authentication. Common
uses cases include collecting and updating user data at login, configuring two-factor authentication, or integrating third-party strong
authentication methods.
Lets look at three common use cases for login flows.
Collect and update user data during login
Apply customized two-factor authentication (2FA)
Integrate third-party strong authentication mechanisms
Collect and Update User Data at Login
This login flow collects and updates information about the user at login by requesting the users phone numbers.
1. Query the user object for the users phone numbers, if they exist.
2. Display the numbers, and ask the user to confirm or update them.
3. Update the user object with new numbers, if provided.
Create the Flow
1. Go to the Cloud Flow Designer.
44
Configure User AuthenticationSalesforce Security Guide
2. On the Resources tab, create a variable that contains the users user ID.
The login event passes a list of context attributes to the flow. To query and use these attributes, define local text variables using the
LoginFlow_ATTRIBUTE_NAME format, for example, LoginFlow_UserId.
After you add the attribute, it appears on the Explorer tab under Variables.
When you use the following input attributes, their values are populated in the flow when it starts.
LoginFlow_LoginType
LoginFlow_IpAddress
LoginFlow_UserAgent
LoginFlow_Platform
LoginFlow_Application
LoginFlow_Community
LoginFlow_SessionLevel
LoginFlow_UserId
You can also set the output attributes in the flow.
LoginFlow_FinishLocation (type string)This attribute determines where to send the user when the flow completes.
LoginFlow_ForceLogout (type boolean)When this variable is set to true, the user is immediately logged out.
You can use the attribute LoginFlow_UserId to verify the ID of the user logging in and query the associated user object.
3. On the Resources tab, click Create New to create an sObject variable where you can store the user object.
4. Create a Fast Lookup element that looks up the user object.
45
Configure User AuthenticationSalesforce Security Guide
5. Specify the user attributes that you want to store in the variable, for example, Phone and MobilePhone.
6. Create a welcome screen for collecting or displaying the phone numbers at login.
7. Create a record update component for updating the numbers.
46
Configure User AuthenticationSalesforce Security Guide
8. Name the login flow and save it.
9. Connect the login flow to a user profile. Best practice is to create a dedicated test user with a test profile.
Note: Dont associate a login flow with your administrator profile until you are sure that the login flow works properly.
Otherwise, if it fails, you cant log in to your org.
10. Log out, and then log in as the test user to test the flow.
When you test the Welcome Flow example, heres how it looks using Lightning Experience.
47
Configure User AuthenticationSalesforce Security Guide
Configure Two-Factor Authentication
This example implements a login flow that enhances time-based one-time password (TOTP) authentication with a two-factor authentication
method that Salesforce supports. The TOTP algorithm computes a one-time password from a shared secret key and the current time.
The flow does the following.
If the user is not yet registered, generates a new secret key, and prompts the user to register the key with a QR (Quick Response)
code. After the user provides a valid TOTP token, the secret key is stored in the user record. The key is reused for future logins.
If the user is already registered, prompts the user only for the TOTP token.
Users can use a time-based authentication application (such as Salesforce Authenticator or Google Authenticator) to scan the QR code
and generate a TOTP token.
You can enhance this flow and customize the user experience by adding a corporate logo, colors, and so forth. You can even add and
enforce different policies. For example, you can build an IP-based, two-factor authentication process that requires a second authentication
factor only when the IP address is outside of a certain range.
This example uses the TwoFactorInfo object and the Auth.SessionManagement Apex class to customize and manage the
standards-based TOTP two-factor authentication that Salesforce supports.
1. Look up the TwoFactorInfo object for the current user. If the user is not registered, generate a key.
2. Determine whether the user is already registered with TOTP.
3. If the user is already registered, prompt the user to provide the TOTP token.
4. If the user is not registered, prompt the user to register with a QR code and provide the TOTP token.
5. Validate the TOTP token. If the token is valid, the login flow finishes, and the user logs in.
6. If the TOTP token is invalid, send the user back to step 2.
48
Configure User AuthenticationSalesforce Security Guide
Configure the TOTP Flow
1. Create the variables.
secretStores the secret key for all twofactor operations.
qr_urlStores the URL for the QR code encoding of the secret key.
IsTokenValidStores the verification result.
The variables secret and qr_url are text, and IsTokenValid is a boolean data type.
2. Set up the TOTPPlugin to generate a new secret for users that are not are already registered with a TOTP.
A plug-in is an Apex class that extends the standard functionality of a flow. You can use a plug-in to do a complex calculation, make
API calls to external services, and more.
TOTPPlugin accesses the Salesforce TOTP methods, generates a time-based secret key with a QR code, and validates the TOTP. The
Apex class for TOTPPlugin is available in the login flow sample package.
The plug-in takes these input parameters.
OTP_INPUTThe TOTP token that the user provides.
OTP_REGISTRATION_INPUTThe TOTP token that the user provides when first registering.
SECRET_INPUTThe secret key used to generate the TOTP.
It returns the following parameters.
SECRET_OUTPUTA secret key generated by the plug-in.
49
Configure User AuthenticationSalesforce Security Guide
QR_URL_OUTPUTA QR encoding of the secret key.
IsValid_OUTPUTIf the validation succeeded, it returns true. Otherwise, it returns false.
Configure a TOTPPlugin instance to generate a new secret key and QR code if the user is not already registered. In this case, no input
is passed.
The secret key and URL for the QR code are stored in the qr_url and secret variables.
3. Configure a decision element to register a user.
The Registration decision element verifies whether secret is null. If it is not null, the user must register, so define Register
as the outcome of the decision. Otherwise, the user is already registered and must provide only the TOTP token. In this case, the
outcome is Get TOTP, which is also the default outcome.
50
Configure User AuthenticationSalesforce Security Guide
4. Configure the Get TOTP screen.
Users that are already registered are redirected to this screen and asked to provide the TOTP token. The input TOTP token is saved
in OTP_input.
5. Configure the Registration screen.
This screen presents the QR code, asks the user to scan and initialize the TOTP client application and provide the TOTP token.
6. Validate the TOTP token.
Define another instance of the TOTPPlugin for validating the TOTP token that the user provides.
51
Configure User AuthenticationSalesforce Security Guide
The plug-in supports these use cases.
The user comes from the Registration screen. The user has to scan the QR code and provide the TOTP token. Both the TOTP
token and secret are passed to the TOTPPlugin for validation. The TOTPPlugin validates the TOTP token against the secret. If valid,
the secret is registered on the user record and used for future logins.
The user comes from the Get Token screen. The user is already registered, so provides only the TOTP. The TOTP token is passed
via the TokenInput parameter to the TOTPPlugin for validation.
The isTokenValid parameter returns the validation status, which is then saved in isTokenValid.
The decision element has two possible outcomes.
The token is valid if IsTokenValid is true.
The token is invalid, which is the default.
7. Configure a decision element to log in the user.
If the validation succeeds, the user proceeds to the end of the flow, clicks to the next step, and logs in to the application. If the
validation fails, the flow redirects the user back to step 2 in the flow. In step 2, a registered user is asked to provide a new TOTP token.
If the user isnt yet registered, the user is asked to register and provide a new TOTP token.
52
Configure User AuthenticationSalesforce Security Guide
8. Save the login flow, activate it, and connect it with a user profile.
Integrate Third-Party Strong Authentication Methods
You can use login flows to interact with external third-party authentication services by using an API.
For example, Yubico offers strong authentication using a hardware token called a YubiKey. Yubico also provides an example Apex library
and login flow on GitHub. The library supplies Apex classes for validating YubiKey OTPs (one-time passwords). The classes allow Salesforce
users to use a YubiKey as a second authentication factor at login. For more information, see yubikey-salesforce-client.
You can also implement a third-party SMS or voice delivery service, like Twilio or TeleSign, to implement a SMS-based two-factor
authentication and identity the verification flow. For more information, see Deploy Third-Party SMS-Based Two-Factor Authentication.
Login Flow Samples Package
The Login Flow Samples Package is an unmanaged package that installs different login flow samples into your Salesforce org. It contains
the following examples.
Email ConfirmationSend email with a verification code
SF-TOTPEnable TOTP two-factor authentication
Conditional TwoFactorSkip two-factor authentication for users who come from a trusted IP address
Identity ConfirmationConfirm the user identity using email or two-factor authentication
Accept Terms of ServiceAsk the user to agree to terms before continuing
SEE ALSO:
Deploy Third-Party SMS-Based Two-Factor Authentication
Limit the Number of Concurrent Sessions with Login Flows
Custom Login Flows
YubiKey for salesforce.com
53
Configure User AuthenticationSalesforce Security Guide
Set Up Two-Factor Authentication
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, Developer, and
Contact Manager Editions
Two-factor authentication is the most effective way to protect your orgs user accounts. Admins
enable two-factor authentication through permissions or profile settings. Users register for two-factor
authentication through their own personal settings, using secondary authenticators such as mobile
authenticator apps or U2F security keys.
You can customize two-factor authentication in the following ways.
Require it for every login. Set the two-factor login requirement for every time the user logs in
to Salesforce. You can also enable this feature for API logins, which includes the use of client
applications like the Data Loader. For more information, see Set Two-Factor Authentication
Login Requirements or Set Two-Factor Authentication Login Requirements for API Access.
Use stepped up authentication (also known as high assurance authentication). Sometimes
you dont need two-factor authentication for every users login, but you want to secure certain
resources. If the user tries to use a connected app or reports, Salesforce prompts the user to
verify identity. For more information, see Session Security Levels.
Use profile policies and session settings. First, in the user profile, set Session security level required at login to High Assurance.
Then set session security levels in your orgs session settings to apply the policy for particular login methods. In your orgs session
settings, review the session security levels to make sure that Two-Factor Authentication is in the High Assurance column. For more
information, see Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and
Communities.
Warning: If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that
grants standard-level security.
Only authentication flows that include a user approval step support using API logins with the High Assurance session security level.
These flows are the OAuth 2.0 refresh token flow, web server flow, and user-agent flow. All other flows, such as the JSON Web Token
(JWT) bearer token flow, dont include a user approval step. For flows without a user approval step, API logins with the High Assurance
session security level are blocked.
Its possible that users are prompted to verify their identity with two-factor authentication twice during the OAuth approval flow.
The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI. This second
challenge is triggered because the High Assurance session security level isnt transferred to the access token.
Use login flows. Use the Flow Designer and profiles to build post-authentication requirements as the user logs in, including custom
two-factor authentication processes. For more information, see the following examples.
Login Flow Examples
Deploy Third-Party SMS-Based Two-Factor Authentication
Enhancing Security with Two-Factor Authentication (Salesforce Classic)
IN THIS SECTION:
Set Two-Factor Authentication Login Requirements
As a Salesforce admin, you can require your users to use a second factor of authentication when they log in.
Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social Sign-On, and Communities
Use profile policies and session settings to set two-factor authentication login requirements for users. All Salesforce user interface
authentication methods, including username and password, delegated authentication, SAML single sign-on, and social sign-on
through a third-party authentication provider, are supported. You can apply the two-factor authentication requirement to users in
Salesforce orgs and Communities.
54
Configure User AuthenticationSalesforce Security Guide
Set Two-Factor Authentication Login Requirements for API Access
Salesforce admins can set the Two-Factor Authentication for API Logins permission to use a second authentication challenge for
API access to Salesforce. API access includes the use of applications like the Data Loader and developer tools for customizing an
organization or building client applications.
Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
The Salesforce Authenticator app on your mobile device is the second factor of authentication. Use the app to add an extra level of
security to your account.
Verify Your Identity with a One-Time Password Generator App or Device
Connect a one-time password generator app, such as Salesforce Authenticator or Google Authenticator, to verify your identity. The
app generates a verification code, sometimes called a time-based one-time password.
Disconnect Salesforce Authenticator (Versions 2 and 3) from a Users Account
Only one Salesforce Authenticator (version 2 or later) mobile app can be connected to a users account at a time. If your user loses
access to the app by replacing or losing the mobile device, disconnect the app from the users account. As long as the user (or
assigned profile) still has the two-factor permission enabled, and no other authenticator method is connected to their account,
Salesforce prompts the user to connect a new authenticator method the next time they log in.
Disconnect a Users One-Time Password Generator App
Besides Salesforce Authenticator, one other mobile authenticator app that generates verification codes (one-time passwords) can
be connected to a users account at a time. If your user loses access to the app by replacing or losing the mobile device, disconnect
the app from your users account. The next time your user logs in with two-factor authentication, if no other identity verification
method is connected, Salesforce prompts the user to connect a new authenticator app.
Generate a Temporary Identity Verification Code
Generate a temporary verification code for users who cant access the device they usually use for two-factor authentication. You set
when the code expires, from 1 to 24 hours after you generate it. The code can be used multiple times until it expires.
Expire a Temporary Verification Code
Expire a users temporary verification code when the user no longer needs it for two-factor authentication
Delegate Two-Factor Authentication Management Tasks
Let users who arent Salesforce admins provide support for two-factor authentication in your org. For example, suppose you want
your companys Help Desk staff to generate temporary verification codes for users who lost or forgot the device they usually use for
two-factor authentication. Assign Help Desk staff members the Manage Two-Factor Authentication in User Interface permission
so that they can generate codes and support end users with other two-factor authentication tasks.
SEE ALSO:
Two-Factor Authentication
55
Configure User AuthenticationSalesforce Security Guide
Set Two-Factor Authentication Login Requirements
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Contact Manager, Group,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To edit profiles and
permission sets:
Manage Profiles and
Permission Sets
As a Salesforce admin, you can require your users to use a second factor of authentication when
they log in.
You can require two-factor authentication each time a user logs in with a username and password
to Salesforce, including orgs with custom domains created using My Domain. To set the requirement,
select the Two-Factor Authentication for User Interface Logins permission in the user profile
(for cloned profiles only) or permission set.
See how to set up a two-factor authentication requirement for your org and how your users can
use the Salesforce Authenticator app. Salesforce Authenticator: Set Up a Two-Factor
Authentication Requirement (Salesforce Classic)
Users with the Two-Factor Authentication for User Interface Logins permission have to provide a
second factor, such as a mobile authenticator app or U2F security key, each time they log in to
Salesforce.
You can also use a profile-based policy to set a two-factor authentication requirement for users
assigned to a particular profile. Use the profile policy when you want to require two-factor
authentication for users of the following authentication methods:
SAML for single sign-on
Social sign-on in to Salesforce orgs or Communities
Username and password authentication into Communities
All Salesforce user interface authentication methods, including username and password, delegated authentication, SAML single sign-on,
and social sign-on through an authentication provider, are supported. In the user profile, set Session security level required at login
to High Assurance. Then set session security levels in your orgs session settings to apply the policy for particular login methods. Also
in your orgs session settings, review the session security levels to make sure that Two-Factor Authentication is in the High Assurance
column.
Warning: If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants
standard-level security.
Users might be prompted to verify their identity with two-factor authentication twice during the OAuth approval flow. The first challenge
is on the UI session. The second challenge happens when the access token is bridged into the UI, because the High Assurance session
security level isnt transferred to the access token.
56
Configure User AuthenticationSalesforce Security Guide
Set Two-Factor Authentication Login Requirements and Custom Policies for Single Sign-On, Social
Sign-On, and Communities
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To edit profiles and
permission sets:
Manage Profiles and
Permission Sets
To generate a temporary
verification code
Manage Two-Factor
Authentication in User
Interface
Use profile policies and session settings to set two-factor authentication login requirements for
users. All Salesforce user interface authentication methods, including username and password,
delegated authentication, SAML single sign-on, and social sign-on through a third-party
authentication provider, are supported. You can apply the two-factor authentication requirement
to users in Salesforce orgs and Communities.
To require two-factor authentication for users assigned to a particular profile, edit the Session
security level required at login profile setting. Then set session security levels in your orgs session
settings to apply the policy for particular login methods.
By default, the session security requirement at login for all profiles is None. You can edit a profiles
Session Settings to change the requirement to High Assurance. When profile users with this
requirement use a login method that grants standard-level security instead of high assurance, such
as username and password, theyre prompted to verify their identity with two-factor authentication.
After users authenticate successfully, theyre logged in to Salesforce.
You can edit the security level assigned to a login method in your orgs Session Settings.
Users with mobile devices can use the Salesforce Authenticator mobile app or another authenticator
app for two-factor authentication. Internal users can connect the app to their account in the
Advanced User Details page of their personal settings. If you set the High Assurance requirement
on a profile, any profile user who doesnt already have Salesforce Authenticator or another
authenticator app connected to their account is prompted to connect the app before they can log
in. After they connect the app, theyre prompted to use the app to verify their identity.
Users with registered U2F security keys can use them for two-factor authentication.
Community members with the High Assurance profile requirement are prompted to connect an authenticator app during login.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile.
3. Scroll to Session Settings and find the Session security level required at login setting.
4. Click Edit.
5. For Session security level required at login, select High Assurance.
6. Click Save.
7. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
8. In Session Security Levels, make sure that Two-Factor Authentication is in the High Assurance column.
If Two-Factor Authentication is in the Standard column, users get an error when they log in with a method that grants standard-level
security.
9. Note: Consider moving Activation to the High Assurance column. With this setting, users who verify their identity from an
unrecognized browser or app establish a high-assurance session. When Activation is in the High Assurance column, profile
users who verify their identity at login arent challenged to verify their identity again to satisfy the high-assurance session
security requirement.
Save your changes.
Example: Youve configured Facebook and LinkedIn as authentication providers in your community. Many of your community
members use social sign-on to log in using the username and password from their Facebook or LinkedIn accounts. You want to
increase security by requiring Customer Community users to use two-factor authentication when they log in with their Facebook
57
Configure User AuthenticationSalesforce Security Guide
account, but not with their LinkedIn account. You edit the Customer Community User profile and set the Session security level
required at login to High Assurance. In your orgs Session Settings, you edit the Session Security Levels. You place Facebook in
the Standard column. In the High Assurance column, you place Two-Factor Authentication. You also place LinkedIn in the High
Assurance column.
Note: You can also use login flows to change the users session security level to initiate identity verification under specific
conditions. Login flows let you build a custom post-authentication process that meets your business requirements.
If users lose or forget the device they usually use for two-factor authentication, you can generate a temporary verification code for them.
You set when the code expires, from 1 to 24 hours after you generate it. Your user can use the code multiple times until it expires. A user
can have only one temporary code at a time. If a user needs a new code while the old code is still valid, you can expire the old code,
then generate a new one. Users can expire their own valid codes in their personal settings.
Note: The High Assurance profile requirement applies to user interface logins. OAuth token exchanges arent subject to
the requirement. OAuth refresh tokens that were obtained before a High Assurance requirement is set for a profile can still
be exchanged for access tokens that are valid for the API. Tokens are valid even if they were obtained with a standard-assurance
session. To require users to establish a high-assurance session before accessing the API with an external application, first revoke
existing OAuth tokens for users with that profile. Then set a High Assurance requirement for the profile. Users have to log
in with two-factor authentication and reauthorize the application.
Set Two-Factor Authentication Login Requirements for API Access
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Contact Manager,
Database.com, Developer,
Enterprise, Group,
Performance, Professional,
and Unlimited Editions
USER PERMISSIONS
To edit system permissions
in profiles:
Manage Profiles and
Permission Sets
To enable this feature:
Two-Factor
Authentication for User
Interface Logins
Salesforce admins can set the Two-Factor Authentication for API Logins permission to use a second
authentication challenge for API access to Salesforce. API access includes the use of applications
like the Data Loader and developer tools for customizing an organization or building client
applications.
The Two-Factor Authentication for User Interface Logins permission is a prerequisite for the
Two-Factor Authentication for API Logins permission. Users who have these permissions enabled
have to complete two-factor authentication when they log in to Salesforce through the user interface.
Users must download and install an authenticator app on their mobile device and connect the app
to their Salesforce account. Then they can use verification codes (time-based one-time passwords,
or TOTP) from the app for two-factor authentication.
For developer tools that use API logins, log in with a security token or TOTP instead of Salesforce
Authenticator when two-factor authentication is enabled for a user. For Force.com IDE, log in by
using a username and password, plus a security token.
58
Configure User AuthenticationSalesforce Security Guide
Connect Salesforce Authenticator (Version 3 or Later) to Your Account for Identity Verification
EDITIONS
Salesforce Authenticator
setup available in: both
Salesforce Classic and
Lightning Experience
Mobile app available in:
Essentials, Group,
Professional, Enterprise,
Performance, Unlimited,
Developer, and Contact
Manager Editions
The Salesforce Authenticator app on your mobile device is the second factor of authentication. Use
the app to add an extra level of security to your account.
1. Download and install version 3 or later of the Salesforce Authenticator app for the type of mobile
device you use. For iPhone, get the app from the App Store. For Android devices, get the app
from Google Play.
If you previously installed version 1 of Salesforce Authenticator on your mobile device, you can
update the app to version 3 through the App Store or Google Play. The update preserves any
connected accounts you already have in the app. These accounts are code-only accounts that
generate verification codes but dont receive push notifications or allow location-based
automated verifications. If you have a code-only account for the username you used for your
current login to Salesforce, swipe left in the app to remove that username before proceeding.
In the following steps, you connect the account for that username again. The new connected
account gives you full Salesforce Authenticator version 3 functionality. If you already have
version 2 installed, version 3 updates are pushed out to you and there is no need to take action.
2. From your personal settings, enter Advanced User Details in the Quick Find box, then select Advanced User Details.
No results? Enter Personal Information in the Quick Find box, then select Personal Information.
3. Find App Registration: Salesforce Authenticator and click Connect.
4. For security purposes, youre prompted to log in to your account.
5. Open the Salesforce Authenticator app on your mobile device.
If youre opening the app for the first time, you see a tour of the apps features. Take the tour, or go straight to adding your Salesforce
account to the app.
6. In the app, tap Add an Account to add your account.
The app generates a unique two-word phrase.
7. Back in your browser, enter the phrase in the Two-Word Phrase field.
8. Click Connect.
If you previously connected an authenticator app that generates verification codes to your account, you sometimes see an alert.
Connecting a new version of the Salesforce Authenticator mobile app invalidates the codes from your old app. When you need a
verification code, get it from Salesforce Authenticator from now on.
9. In the Salesforce Authenticator app on your mobile device, you see details about the account youre connecting. To complete the
account connection, tap Connect in the app.
To help keep your account secure, we send you an email notification whenever a new identity verification method is added to your
Salesforce account. You get the email whether you add the method or your Salesforce admin adds it on your behalf.
If your administrator requires two-factor authentication for increased security when you log in or access reports or dashboards, use the
app to verify your account activity. If youre required to use two-factor authentication before you have the app connected, youre
prompted to connect it the next time you log in to Salesforce. If you dont yet have the two-factor authentication requirement, you can
still connect the app to your account through your personal settings.
After you connect the app, you get a notification on your mobile device when you do something that requires identity verification. When
you receive the notification, open the app on your mobile device, check the activity details, and respond on your mobile device to verify.
If you are notified about activity you dont recognize, use the app to block the activity. You can flag the blocked activity for your Salesforce
admin. The app also provides a verification code that you can use as an alternate method of identity verification.
59
Configure User AuthenticationSalesforce Security Guide
Verify Your Identity with a One-Time Password Generator App or Device
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: All Editions
Connect a one-time password generator app, such as Salesforce Authenticator or Google
Authenticator, to verify your identity. The app generates a verification code, sometimes called a
time-based one-time password.
If your company requires two-factor authentication for increased security when you log in, access
connected apps, reports, or dashboards, use a code from the app. If youre required to use two-factor
authentication before you have an app connected, youre prompted to connect one the next time
you log in to Salesforce.
1. Download the supported authenticator app for your device type. You can use any authenticator
app that supports the time-based one-time password (TOTP) algorithm (IETF RFC 6238), such as Salesforce Authenticator for iOS,
Salesforce Authenticator for Android, or Google Authenticator.
2. From your personal settings, enter Advanced User Details in the Quick Find box, then select Advanced User Details.
No results? Enter Personal Information in the Quick Find box, then select Personal Information.
3. Find App Registration: One-Time Password Generator and click Connect.
If youre connecting an authenticator app other than Salesforce Authenticator, use this setting. If youre connecting Salesforce
Authenticator, use this setting if youre only using its one-time password generator feature (not the push notifications available in
version 2 or later).
Note: If youre connecting Salesforce Authenticator so that you can use push notifications, use the App Registration:
Salesforce Authenticator setting instead. That setting enables both push notifications and one-time password
generation.
You can connect up to two authenticator apps to your Salesforce account for one-time password generation: Salesforce Authenticator
and one other authenticator app.
4. For security purposes, youre prompted to log in to your account.
5. Using the authenticator app on your mobile device, scan the QR code.
Alternatively, click I Cant Scan the QR Code in your browser. The browser displays a security key. In the authenticator app, enter
your username and the key displayed.
6. In Salesforce, enter the code generated by the authenticator app in the Verification Code field.
The authenticator app generates a new verification code periodically. Enter the current code.
7. Click Connect.
To help keep your account secure, we send you an email notification whenever a new identity verification method is added to your
Salesforce account. You get the email whether you add the method or your Salesforce admin adds it on your behalf.
SEE ALSO:
Salesforce Help: Personalize Your Salesforce Experience
60
Configure User AuthenticationSalesforce Security Guide
Disconnect Salesforce Authenticator (Versions 2 and 3) from a Users Account
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: All Editions
USER PERMISSIONS
To disconnect a users
Salesforce Authenticator
app:
Manage Two-Factor
Authentication in User
Interface or the System
Administrator profile
Only one Salesforce Authenticator (version 2 or later) mobile app can be connected to a users
account at a time. If your user loses access to the app by replacing or losing the mobile device,
disconnect the app from the users account. As long as the user (or assigned profile) still has the
two-factor permission enabled, and no other authenticator method is connected to their account,
Salesforce prompts the user to connect a new authenticator method the next time they log in.
These steps are for Salesforce admins (or users with the Manage Two-Factor Authentication in
User Interface permission) who want to disconnect a users Salesforce Authenticator account in
an orgs Setup. For example, admins follow these steps when a user loses the device running
Salesforce Authenticator. For users who want to disconnect Salesforce Authenticator on their device
to switch to a new device or simply remove an unused connection, see the help topic Remove an
Account from Salesforce Authenticator (Versions 2 and 3).
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click the users name.
3. On the users detail page, click Disconnect next to the App Registration:
Salesforce Authenticator field.
Disconnect a Users One-Time Password Generator App
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, Developer, and
Contact Manager Editions
USER PERMISSIONS
To disconnect a users
authenticator app:
Manage Two-Factor
Authentication in User
Interface
Besides Salesforce Authenticator, one other mobile authenticator app that generates verification
codes (one-time passwords) can be connected to a users account at a time. If your user loses access
to the app by replacing or losing the mobile device, disconnect the app from your users account.
The next time your user logs in with two-factor authentication, if no other identity verification
method is connected, Salesforce prompts the user to connect a new authenticator app.
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click the users name.
3. On the users detail page, click Disconnect next to the App Registration: One-Time
Password Generator field.
Your users can disconnect the app from their own account. In personal settings, they go to the
Advanced User Details page and click Disconnect next to the App Registration:
One-Time Password Generator field.
61
Configure User AuthenticationSalesforce Security Guide
Generate a Temporary Identity Verification Code
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Contact Manager, Group,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To generate a temporary
verification code:
Manage Two-Factor
Authentication in User
Interface
Generate a temporary verification code for users who cant access the device they usually use for
two-factor authentication. You set when the code expires, from 1 to 24 hours after you generate
it. The code can be used multiple times until it expires.
Temporary verification codes are valid for two-factor authentication only. They arent valid for device
activations. That is, when users log in from an unrecognized browser or app and we require identity
verification, they cant use a temporary code.
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click the name of the user who needs a temporary verification code.
You cant generate a code for an inactive user.
3. Find Temporary Verification Code, then click Generate.
If you dont already have a session with a high-assurance security level, Salesforce prompts you
to verify your identity.
4. Set when the code expires, and click Generate Code.
5. Give the code to your user, then click Done.
After you click Done, you cant return to view the code again, and the code isnt displayed
anywhere in the user interface.
Your user can use the temporary verification code multiple times until it expires. Each user can have
only one temporary verification code at a time. If a user forgets or loses the code before it expires, you can manually expire the old code
and generate a new one. You can generate up to six codes per hour for each user.
Note: When you add an identity verification method to a users account, the user gets an email. To stop sending emails to users
when new identity verification methods are added to their accounts, contact Salesforce.
Expire a Temporary Verification Code
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Contact Manager, Group,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To expire a users temporary
verification code:
Manage Two-Factor
Authentication in User
Interface
Expire a users temporary verification code when the user no longer needs it for two-factor
authentication
Each user can have only one temporary verification code at a time. If a user forgets or loses the code
before it expires, you can manually expire the old code and generate a new one. You can generate
up to six codes per hour for each user.
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click the name of the user whose temporary verification code you need to expire.
3. Find Temporary Verification Code, and click Expire Now.
62
Configure User AuthenticationSalesforce Security Guide
Delegate Two-Factor Authentication Management Tasks
EDITIONS
Available in: Both Salesforce
Classic and Lightning
Experience
Available in: Essentials,
Contact Manager, Group,
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To edit profiles and
permission sets:
Manage Profiles and
Permission Sets
Let users who arent Salesforce admins provide support for two-factor authentication in your org.
For example, suppose you want your companys Help Desk staff to generate temporary verification
codes for users who lost or forgot the device they usually use for two-factor authentication. Assign
Help Desk staff members the Manage Two-Factor Authentication in User Interface permission so
that they can generate codes and support end users with other two-factor authentication tasks.
To assign the permission, select Manage Two-Factor Authentication in User Interface in the user
profile (for cloned profiles only) or permission set. Users with the permission can perform the
following tasks.
Generate a temporary verification code for a user who cant access the device normally used
for two-factor authentication.
Disconnect identity verification methods from a users account when the user loses or replaces
a device.
View user identity verification activity on the Identity Verification History page.
View the Identity Verification Methods report by clicking a link on the Identity Verification History
page.
Create user list views that show which identity verification methods users have registered.
Note: Although non-admin users with the permission can view the Identity Verification
Methods report, they cant create custom reports that include data restricted to users with
the Manage Users permission.
Deploy Third-Party SMS-Based Two-Factor Authentication
Two-factor authentication (2FA) enhances security when validating a users identity and protects access to your Salesforce org. In addition
to a password, SMS-based 2FA requires the user to provide a one-time password (OTP) code received on a mobile device.
To implement 2FA, you can take advantage of a third-party SMS or voice delivery service, like Twilio or TeleSign, together with a Salesforce
login flow.
Lets break down an SMS-based 2FA process.
1. As the user logs in, the login flow generates a random OTP and sends it via voice or text message to the users phone.
2. The user provides the OTP to the Salesforce application.
3. Salesforce verifies the code.
4. If the code is valid, Salesforce permits user access.
The login flow has four steps.
63
Configure User AuthenticationSalesforce Security Guide
1. Record lookupQueries the user record to get the mobile phone number.
2. SMS plug-inAn Apex class that generates the OTP and uses a third-party SMS delivery service to send it to the users mobile device.
3. ScreenPrompts the user to provide the received OTP.
4. DecisionCompares the OTP generated by the flow with the one that the user provides. If equal, the flow is completed, and the
user is redirected to the application. Otherwise, the flow generates another code and asks the user to reverify.
Configure the Flow
This example uses the Twilio Apex SDK to perform SMS delivery operations. However, you can use any cloud-based SMS or voice vendor
that has a public API to access its services.
1. Go to the Cloud Flow Designer in Salesforce and create a flow.
2. Create a LoginFlow_UserId input text variable. This variable is populated with the user ID during the login event.
3. Create text variables.
MobileThe users mobile number
VerificationCodeThe OTP generated by the Apex plug-in
CodeThe OTP collected from the user
StatusThe status returned when the plug-in executes
64
Configure User AuthenticationSalesforce Security Guide
4. Create a record lookup that queries the UserObject based on the user ID and stores the mobile number in the Mobile input
variable.
5. Install the Twilio Apex SDK from https://github.com/twilio/twilio-salesforce.
6. To allow the SMS plug-in to perform outbound API calls to Twilio web services, set up https://api.twilio.com as a remote site in
Salesforce. In Setup, enter Remote Site Settings in the Quick Find box, select Remote Site Settings, and add the Twilio
web services URL.
7. Create an Apex class.
01 global class SMSPlugin implements Process.Plugin {
02
03 global Process.PluginDescribeResult describe() {
04
05 Process.PluginDescribeResult result = new Process.PluginDescribeResult();
06 result.tag='Identity';
07 result.name='SMS Plugin';
08 result.description='Two factor authentication with SMS';
09
10 result.inputParameters = new List<Process.PluginDescribeResult.InputParameter>
{
11 new Process.PluginDescribeResult.InputParameter('AccountSid',
Process.PluginDescribeResult.ParameterType.STRING, true),
65
Configure User AuthenticationSalesforce Security Guide
12 new Process.PluginDescribeResult.InputParameter('Token',
Process.PluginDescribeResult.ParameterType.STRING, true),
13 new Process.PluginDescribeResult.InputParameter('To',
Process.PluginDescribeResult.ParameterType.STRING, true),
14 new Process.PluginDescribeResult.InputParameter('From',
Process.PluginDescribeResult.ParameterType.STRING, true),
15 new Process.PluginDescribeResult.InputParameter('Message',
Process.PluginDescribeResult.ParameterType.STRING, true)
16 };
17
18 result.outputParameters = new List<Process.PluginDescribeResult.OutputParameter>
{
19 new Process.PluginDescribeResult.OutputParameter('Status',
Process.PluginDescribeResult.ParameterType.STRING),
20 new Process.PluginDescribeResult.OutputParameter('VerificationCode',
Process.PluginDescribeResult.ParameterType.STRING)
21 };
22
23 return result;
24
25 }
26
27
28 global Process.PluginResult invoke(Process.PluginRequest request) {
29
30 Map<String, Object> result = new Map<String, Object>();
31 String AccountSid = (String)request.inputParameters.get('AccountSid');
32 String token = (String)request.inputParameters.get('Token');
33 String To = (String)request.inputParameters.get('To');
34 String From_a = (String)request.inputParameters.get('From');
35 String Message = (String)request.inputParameters.get('Message');
36 if (Message == null) Message = 'Your verification code is: ';
37
38 TwilioRestClient client = new TwilioRestClient(AccountSid, Token);
39 TwilioSMS sms;
40
41 Integer rand = Math.round(Math.random()*100000);
42 String VerificationCode = string.valueOf(rand);
43 String Body = Message + VerificationCode;
44
45 Map<String,String> params = new Map<String,String> {
46 'To' => To,
47 'From' => From_a,
48 'Body' => Body
49 };
50
51 try {
52 sms = client.getAccount().getSMSMessages().create(params);
53 result.put('Status', sms.getStatus());
54 } catch(Exception ex) {
55 result.put('Status', 'Failure');
56 }
57 result.put('VerificationCode', VerificationCode);
66
Configure User AuthenticationSalesforce Security Guide
58 return new Process.PluginResult(result);
59 }
60 }
8. Create an SMS plug-in that generates an OTP code and sends it via SMS to the users mobile number. The plug-in takes these inputs.
AccountSidTwilio Account SID (username from your Twilio account)
TokenTwilio Auth Token (password from your Twilio account)
FromThe SMS From number
MessageThe message sent to the user with the verification code
ToThe users mobile phone number
The plug-in returns two values.
StatusThe status of the SMS delivery operation
VerificationCodeThe verification code generated and sent to the user
9. Create a screen element that prompts for the verification code received.
67
Configure User AuthenticationSalesforce Security Guide
10. Create a decision element with two outcomes.
ValidThe verification code is the same as the code the user provided.
InvalidThe valid condition is not met, so the outcome is invalid.
11. Save and activate the flow.
12. Connect the login flow to a user profile.
13. Log out, and then log in as a test user thats connected with a test profile.
68
Configure User AuthenticationSalesforce Security Guide
Extending the Flow
In a production deployment, its common to extend this basic flow. For example, you can add customization, validation, or policies, such
as:
BrandingAdd a corporate logo and message to the verification screen.
ValidationVerify whether the user record included a phone number. If not, prompt the user to enter one.
RetriesIf the OTP code that the user provides is wrong, the login flow generates a new OTP code and sends it to the user. Its
typical to limit the number of retries or to temporarily block a user login after several unsuccessful verification attempts.
PoliciesIf the user has registered a landline phone but not a mobile phone number, send the OTP over voice rather than SMS.
Alternatively, if Salesforce doesnt have a registered phone number for the user, send the OTP code by email. Another approach is
to challenge the user with a second authentication factor, such as a Salesforce time-based OTP or a hardware-based OTP, like a
YubiKey.
SEE ALSO:
Login Flow Examples
Limit the Number of Concurrent Sessions with Login Flows
You can use a login flow to restrict the number of simultaneous Salesforce sessions per user.
Install the Concurrent-Sessions Package
The concurrent-sessions unmanaged package includes the elements and sources of a login flow solution. The package includes a plug-in
that retrieves the number of concurrent sessions for a user. If the pending login exceeds the concurrent session limit, the flow blocks it.
You can customize the package, for example, changing the session limit. By default, the package uses a session limit of 1.
1. To install the concurrent-sessions package, go to
https://login.salesforce.com/packaging/installPackage.apexp?p0=04to0000000WR73.
2. After you install the package, you can connect the login flow to user profiles. Assign the flow to profiles for which you want to limit
concurrent sessions.
69
Configure User AuthenticationSalesforce Security Guide
Creating the Package Components
Lets take a closer look at the components in the concurrent-sessions package. If the package didnt exist, heres how you can create the
plug-in and the login flow.
SessionPlugin is an Apex class that retrieves the number of concurrent sessions. The class queries the AuthSession table and sums the
number of sessions, excluding temporary sessions.
1. In Setup, enter Apex Classes in the Quick Find box, and select Apex Classes.
2. To create a class, click New.
3. Copy and paste this code as the Apex class content.
global class SessionPlugin implements Process.Plugin
{
global Process.PluginDescribeResult describe()
{
Process.PluginDescribeResult result = new Process.PluginDescribeResult();
result.description='This plug-in returns the no of concurrent sessions for the
current user';
result.tag='Identity';
result.inputParameters = new List<Process.PluginDescribeResult.InputParameter> {
};
result.outputParameters = new List<Process.PluginDescribeResult.OutputParameter>
{
new Process.PluginDescribeResult.OutputParameter('CONCURRENT_NO',
Process.PluginDescribeResult.ParameterType.INTEGER)
};
return result;
}
global Process.PluginResult invoke(Process.PluginRequest request)
{
Map<String, Object> result = new Map<String, Object>();
List<AuthSession> sessions;
Integer no = 0;
String userid = UserInfo.getUserId();
sessions = [Select Id, ParentId, SessionType from AuthSession where
UsersId=:userid];
for (AuthSession s : sessions)
{
// Count only parent and non-temp sessions
if(s.ParentId == null && s.SessionType != 'TempUIFrontdoor' )
{
no++;
}
}
result.put('CONCURRENT_NO', no);
return new Process.PluginResult(result);
70
Configure User AuthenticationSalesforce Security Guide
}
}
Creating the Login Flow
The packages login flow includes these elements:
SessionPluginThe Apex plug-in that queries the number of concurrent sessions.
DecisionVerifies whether the number of concurrent sessions exceeds the limit. The outcome determines whether the login is
blocked or allowed.
Block ScreenIf the login exceeds the limit, the flow displays the block screen element.
AssignmentIf the login exceeds the limit, this element assigns the LoginFlow_ForceLogout variable to true and
prevents the login.
Dummy ScreenThis element is a placeholder. A flow requires a UI element to follow an output variable.
1. To create a flow, go to the Cloud Flow Designer in Salesforce.
2. On the Resources tab, create a LoginFlow_ForceLogout output variable. When set to true, this variable blocks the login attempt.
3. Create a numeric variable to store the allowed number of concurrent sessions for the user.
4. Create a block screen element.
71
Configure User AuthenticationSalesforce Security Guide
5. Create a dummy screen.
6. Create an assignment element that sets the LoginFlow_ForceLogout output variable to true.
7. Create a decision element that has two outcomes. If the login exceeds the limit, the outcome is Block, which is the default.
Otherwise, the outcome is Allow.
72
Configure User AuthenticationSalesforce Security Guide
8. Save the flow and its elements.
9. Activate the flow.
10. Connect the login flow to a user profile. Best practice is to create a dedicated test user with a test profile.
11. Log out, and then log in as the test user and test the flow.
When you assign the profile to users, Salesforce redirects them at login through the flow. When a login attempt exceeds the limit,
the user sees the block screen and cant log in. Heres an example of the block screen in Lightning Experience.
SEE ALSO:
Login Flow Examples
Give Users Access to Data
Choosing the data set that each user or group of users can see is one of the key decisions that affects data security. You need to find a
balance between limiting access to data, thereby limiting risk of stolen or misused data, versus the convenience of data access for your
users.
73
Give Users Access to DataSalesforce Security Guide
IN THIS SECTION:
Control Who Sees What
Salesforce provides a flexible, layered data sharing design that allows you to expose different data sets to different sets of users, so
users can do their job without seeing data they don't need to see. Use permission sets and profiles to specify the objects and fields
users can access. Use organization-wide sharing settings, user roles, sharing rules to specify the individual records that users can
view and edit.
User Permissions
User permissions specify what tasks users can perform and what features users can access. For example, users with the View Setup
and Configuration permission can view Setup pages, and users with the API Enabled permission can access any Salesforce API.
Object Permissions
Object permissions specify the base-level access users have to create, read, edit, and delete records for each object. You can manage
object permissions in permission sets and profiles.
Custom Permissions
Use custom permissions to give users access to custom processes or apps.
Profiles
Profiles define how users access objects and data, and what they can do within the application. When you create users, you assign
a profile to each one.
User Role Hierarchy
Salesforce offers a user role hierarchy that you can use with sharing settings to determine the levels of access that users have to your
Salesforce orgs data. Roles within the hierarchy affect access on key components such as records and reports.
Control Who Sees What
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
The available data
management options vary
according to which
Salesforce Edition you have.
Salesforce provides a flexible, layered data sharing design that allows you to expose different data
sets to different sets of users, so users can do their job without seeing data they don't need to see.
Use permission sets and profiles to specify the objects and fields users can access. Use
organization-wide sharing settings, user roles, sharing rules to specify the individual records that
users can view and edit.
Note: Who Sees What: Overview (English only)
Watch a demo on controlling access to and visibility of your data.
Tip: When implementing security and sharing rules for your organization, make a table of
the various types of users in your organization. In the table, specify the level of access to data
that each type of user needs for each object and for fields and records within the object. You
can refer to this table as you set up your security model.
Object-Level Security (Permission Sets and Profiles)
Object-level securityor object permissionsprovide the bluntest way to control data. Using object permissions you can prevent
a user from seeing, creating, editing, or deleting any instance of a particular type of object, such as a lead or opportunity. Object
permissions let you hide whole tabs and objects from particular users, so that they dont even know that type of data exists.
You specify object permissions in permission sets and profiles. Permission sets and profiles are collections of settings and permissions
that determine what a user can do in the application, similar to a group in a Windows network, where all of the members of the
group have the same folder permissions and access to the same software.
Profiles are typically defined by a users job function (for example, system administrator or sales representative). A profile can be
assigned to many users, but a user can be assigned to only one profile. You can use permission sets to grant additional permissions
74
Control Who Sees WhatSalesforce Security Guide
and access settings to users. Its easy to manage users permissions and access with permission sets, because you can assign multiple
permission sets to a single user.
Field-Level Security (Permission Sets and Profiles)
In some cases, you may want users to have access to an object, but limit their access to individual fields in that object. Field-level
securityor field permissionscontrol whether a user can see, edit, and delete the value for a particular field on an object. They
let you protect sensitive fields without having to hide the whole object from users. Field permissions are also controlled in permission
sets and profiles.
Unlike page layouts, which only control the visibility of fields on detail and edit pages, field permissions control the visibility of fields
in any part of the app, including related lists, list views, reports, and search results. To ensure that a user cant access a particular field,
use field permissions. No other settings provide the same level of protection for a field.
Note: Field-level security doesnt prevent searching on the values in a field. When search terms match on field values protected
by field-level security, the associated records are returned in the search results without the protected fields and their values.
Record-Level Security (Sharing)
After setting object- and field-level access permissions, you may want to configure access settings for the actual records themselves.
Record-level security lets you give users access to some object records, but not others. Every record is owned by a user or a queue.
The owner has full access to the record. In a hierarchy, users higher in the hierarchy always have the same access to users below
them in the hierarchy. This access applies to records owned by users, as well as records shared with them.
To specify record-level security, set your organization-wide sharing settings, define a hierarchy, and create sharing rules.
Organization-wide sharing settingsThe first step in record-level security is to determine the organization-wide sharing settings
for each object. Organization-wide sharing settings specify the default level of access users have to each others records.
You use organization-wide sharing settings to lock down your data to the most restrictive level, and then use the other record-level
security and sharing tools to selectively give access to other users. For example, lets say users have object-level permissions to
read and edit opportunities, and the organization-wide sharing setting is Read-Only. By default, those users can read all opportunity
records, but cant edit any unless they own the record or are granted additional permissions.
Role hierarchyOnce youve specified organization-wide sharing settings, the first way you can give wider access to records is
with a role hierarchy. Similar to an organization chart, a role hierarchy represents a level of data access that a user or group of
users needs. The role hierarchy ensures that users higher in the hierarchy always have access to the same data as people lower
in their hierarchy, regardless of the organization-wide default settings. Role hierarchies dont have to match your organization
chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs.
You can also use a territory hierarchy to share access to records. A territory hierarchy grants users access to records based on
criteria such as zip code, industry, revenue, or a custom field that is relevant to your business. For example, you could create a
territory hierarchy in which a user with the North America role has access to different data than users with the Canada and
United States roles.
Note: Although its easy to confuse permission sets and profiles with roles, they control two very different things. Permission
sets and profiles control a users object and field access permissions. Roles primarily control a users record-level access
through role hierarchy and sharing rules.
Sharing rulesSharing rules let you make automatic exceptions to organization-wide sharing settings for particular sets of users,
to give them access to records they dont own or cant normally see. Sharing rules, like role hierarchies, are only used to give
additional users access to recordsthey cant be stricter than your organization-wide default settings.
Manual sharingSometimes its impossible to define a consistent group of users who need access to a particular set of records.
In those situations, record owners can use manual sharing to give read and edit permissions to users who would not have access
to the record any other way. Although manual sharing isnt automated like organization-wide sharing settings, role hierarchies,
or sharing rules, it gives record owners the flexibility to share particular records with users that need to see them.
75
Control Who Sees WhatSalesforce Security Guide
Apex managed sharingIf sharing rules and manual sharing dont give you the control you need, you can use Apex managed
sharing. Apex managed sharing allows developers to programmatically share custom objects. When you use Apex managed
sharing to share a custom object, only users with the Modify All Data permission can add or change the sharing on the custom
object's record, and the sharing access is maintained across record owner changes.
User Permissions
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
The user permissions
available vary according to
which edition you have.
User permissions specify what tasks users can perform and what features users can access. For
example, users with the View Setup and Configuration permission can view Setup pages, and
users with the API Enabled permission can access any Salesforce API.
You can enable user permissions in permission sets and custom profiles. In permission sets and the
enhanced profile user interface, these permissionsas well as their descriptionsare listed in the
App Permissions or System Permissions pages. In the original profile user interface, user permissions
are listed under Administrative Permissions and General User Permissions.
To view permissions and their descriptions, from Setup, enter Permission Sets in the Quick
Find box, then select Permission Sets, then select or create a permission set. Then from the
Permission Set Overview page, click App Permissions or System Permissions.
IN THIS SECTION:
User Permissions and Access
User permissions and access settings are specified in profiles and permission sets. To use them effectively, understand the differences
between profiles and permission sets.
Permission Sets
A permission set is a collection of settings and permissions that give users access to various tools and functions. The settings and
permissions in permission sets are also found in profiles, but permission sets extend users functional access without changing their
profiles.
User Permissions and Access
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
The available permissions
and settings vary according
to which Salesforce edition
you have.
Permission sets available in:
Essentials, Contact
Manager, Professional,
Group, Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
User permissions and access settings are specified in profiles and permission sets. To use them
effectively, understand the differences between profiles and permission sets.
User permissions and access settings specify what users can do within an organization:
Permissions determine a user's ability to edit an object record, view the Setup menu, empty
the organizational Recycle Bin, or reset a user's password.
Access settings determine other functions, such as access to Apex classes, app visibility, and
the hours when users can log in.
Every user is assigned only one profile, but can also have multiple permission sets. When determining
access for your users, use profiles to assign the minimum permissions and access settings for specific
groups of users. Then use permission sets to grant more permissions as needed.
This table shows the types of permissions and access settings that are specified in profiles and
permission sets.
In Permission Sets?In Profiles?Permission or Setting Type
Assigned apps
76
User PermissionsSalesforce Security Guide
In Permission Sets?In Profiles?Permission or Setting Type
Tab settings
Record type assignments
Page layout assignments
Object permissions
Field permissions
User permissions (app and system)
Apex class access
Visualforce page access
External data source access
Service provider access (if Salesforce is
enabled as an identity provider)
Custom permissions
Desktop client access
Login hours
Login IP ranges
IN THIS SECTION:
Revoking Permissions and Access
Revoking Permissions and Access
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
You can use profiles and permission sets to grant access, but not to deny access. Any permission
granted from either a profile or permission set is honored. For example, if Transfer Record isn't
enabled in Jane Smith's profile, but is enabled in two of her permission sets, she can transfer records
regardless of whether she owns them. To revoke a permission, you must remove all instances of
the permission from the user. You can do this with the following actionseach has possible
consequences.
ConsequenceAction
The permission or access setting is disabled for
all other users assigned to the profile or
permission sets.
Disable a permission or remove an access setting
in the profile and any permission sets that are
assigned to the user.
The user may lose other permissions or access
settings associated with the profile or permission
sets.
If a permission or access setting is enabled in
the user's profile, assign a different profile to the
user.
AND
77
User PermissionsSalesforce Security Guide
ConsequenceAction
If the permission or access setting is enabled in any permission
sets that are assigned to the user, remove the permission set
assignments from the user.
To resolve the consequence in either case, consider all possible options. For example, you can clone the assigned profile or any assigned
permission sets where the permission or access setting is enabled. Then, disable the permission or access setting, and assign the cloned
profile or permission sets to the user. Another option is to create a base profile with the least number of permissions and settings that
represents the largest number of users possible. Then create permission sets that layer more access.
Permission Sets
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
A permission set is a collection of settings and permissions that give users access to various tools
and functions. The settings and permissions in permission sets are also found in profiles, but
permission sets extend users functional access without changing their profiles.
Users can have only one profile but, depending on the Salesforce edition, they can have multiple
permission sets. You can assign permission sets to various types of users, regardless of their profiles.
Create permission sets to grant access among logical groupings of users, regardless of their primary
job function. For example, lets say you have several users with a profile called Sales User. This profile
allows assignees to read, create, and edit leads. Some, but not all, of these users also need to delete
and transfer leads. Instead of creating another profile, create a permission set.
Or, lets say you have an Inventory custom object in your org. Many users need Read access to this object, and a smaller number of
users need Edit access. You can create a permission set that grants Read access and assign it to the appropriate users. You can then
create another permission set that gives Edit access to the Inventory object and assign it to the smaller group of users.
If a permission isnt enabled in a profile but is enabled in a permission set, users with that profile and permission set have the permission.
For example, if Manage Password Policies isnt enabled in Jane Smiths profile but is enabled in one of her permission sets, she can
manage password policies.
IN THIS SECTION:
Create and Edit Permission Set List Views
You can create and edit permission set list views to show a list of permission sets with specific fields and permissions. For example,
you could create a list view of all permission sets in which Modify All Data is enabled.
Edit Permission Sets from a List View
You can change permissions in up to 200 permission sets directly from the list view, without accessing individual permission sets.
App and System Settings in Permission Sets
In permission sets, permissions and settings are organized into app and system categories. These categories reflect the rights users
need to administer and use system and app resources.
78
User PermissionsSalesforce Security Guide
Permission Set Assigned Users Page
From the Assigned Users page, you can view all users who are assigned to a permission set, assign more users, and remove user
assignments.
Search Permission Sets
To quickly navigate to other pages in a permission set, you can enter search terms in any permission set detail page.
View and Edit Assigned Apps in Permission Sets
Assigned app settings specify the apps that users can select in the Lightning Platform app menu.
Assign Custom Record Types in Permission Sets
Enable Custom Permissions in Permission Sets
Custom permissions give you a way to provide access to custom processes or apps. After youve created a custom permission and
associated it with a process or app, you can enable the permission in permission sets.
Manage Permission Set Assignments
You can assign permission sets to a single user from the user detail page or assign multiple users to a permission set from any
permission set page.
Create and Edit Permission Set List Views
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To create, edit, and delete
permission set list views:
Manage Profiles and
Permission Sets
You can create and edit permission set list views to show a list of permission sets with specific fields
and permissions. For example, you could create a list view of all permission sets in which Modify
All Data is enabled.
1. In the Permission Sets page, click Create New View, or select a view and click Edit.
2. Enter the view name.
3. Under Specify Filter Criteria, specify the conditions that the list items must match, such as
Modify All Data equals True.
a. Type a setting name, or click to search for and select the setting you want.
b. Choose a filter operator.
c. Enter the value that you want to match.
Tip: To show only permission sets with no user license, enter User License for
the Setting, set the Operator to equals, and enter "" in the Value field.
d. To specify another filter condition, click Add Row. You can specify up to 25 filter condition
rows.
4. Under Select Columns to Display, specify the settings that you want to appear as columns in
the list view. You can add up to 15 columns.
a. From the Search drop-down list, select a setting type.
b. Enter the first few letters of the setting you want to add and click Find.
Note: If the search finds more than 500 values, no results appear. Refine your search criteria to show fewer results.
5. Click Save, or if you're cloning an existing view, rename it and click Save As.
79
User PermissionsSalesforce Security Guide
Edit Permission Sets from a List View
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To edit multiple permission
sets from the list view:
Manage Profiles and
Permission Sets
You can change permissions in up to 200 permission sets directly from the list view, without
accessing individual permission sets.
Note: Use care when editing permission sets with this method. Making mass changes can
have a widespread effect on users in your organization.
1. Select or create a list view that includes the permission sets and permissions you want to edit.
2. To edit multiple permission sets, select the checkbox next to each one you want to edit. If you
select permission sets on multiple pages, the selections on each page are remembered.
3. Double-click the permission you want to edit. For multiple permission sets, double-click the
permission in any of the selected permission sets.
4. In the dialog box that appears, enable or disable the permission. In some cases, changing a
permission can also change other permissions. For example, if Manage Cases and Transfer
Cases are enabled in a permission set and you disable Transfer Cases, then Manage Cases
is also disabled. In this case, the dialog box lists the affected permissions.
5. To change multiple permission sets, select All n selected records (where n is the number
of permission sets you selected).
6. Click Save.
If you edit multiple permission sets, only the permission sets that support the permission you are
editing change. For example, lets say you use inline editing to enable Modify All Data in ten
permission sets, but one permission set doesnt have Modify All Data. In this case, Modify All Data is enabled in all the permission
sets, except the one without Modify All Data.
Any changes you make are recorded in the setup audit trail.
App and System Settings in Permission Sets
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
In permission sets, permissions and settings are organized into app and system categories. These
categories reflect the rights users need to administer and use system and app resources.
App Settings
Apps are sets of tabs that users can change by selecting the drop-down menu in the header. All
underlying objects, components, data, and configurations remain the same, regardless of the
selected app. In selecting an app, users navigate in a set of tabs that allows them to efficiently use
the underlying functionality for app-specific tasks. For example, let's say you do most of your work
in the sales app, which includes tabs like Accounts and Opportunities. To track a new marketing
campaign, rather than adding the Campaigns tab to the sales app, you select Marketing from the
app drop-down to view your campaigns and campaign members.
The Apps section of the permission sets overview page contains settings that are directly associated
with the business processes the apps enable. For example, customer service agents might need to
manage cases, so the Manage Cases permission is in the Call Center section of the App Permissions page. Some app settings aren't
related to app permissions. For example, to enable the Time-Off Manager app from the AppExchange, users need access to the appropriate
Apex classes and Visualforce pages, as well as the object and field permissions that allow them to create new time-off requests.
80
User PermissionsSalesforce Security Guide
System Settings
Some system functions apply to an organization and not to any single app. For example, View Setup and Configuration allows users
to view setup and administrative settings pages. Other system functions apply to all apps. For example, the Run Reports and Manage
Dashboards permissions allow managers to create and manage reports in all apps. In some cases, such as with Modify All Data, a
permission applies to all apps, but also includes non-app functions, like the ability to download the Data Loader.
Permission Set Assigned Users Page
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To view users that are
assigned to a permission
set:
View Setup and
Configuration
From the Assigned Users page, you can view all users who are assigned to a permission set, assign
more users, and remove user assignments.
To view all users who are assigned to a permission set, from any permission set page, click Manage
Assignments. From the Assigned Users page, you can:
Assign users to the permission set
Remove user assignments from the permission set
Edit a user
View a user's detail page by clicking the name, alias, or username
View a profile by clicking the profile name
81
User PermissionsSalesforce Security Guide
Search Permission Sets
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To search permission sets:
View Setup and
Configuration
To quickly navigate to other pages in a permission set, you can enter search terms in any permission
set detail page.
On any of the permission sets detail pages, type at least three consecutive letters of an object,
setting, or permission name in the Find Settings... box. The search terms aren't case-sensitive.
As you type, suggestions for results that match your search terms appear in a list. Click an item in
the list to go to its settings page.
For some categories, you can search for the specific permission or setting name. For other categories,
search for the category name.
ExampleSearch forItem
Type sales in the Find Settings box, then
select Sales from the list.
App nameAssigned apps
Lets say you have an Albums custom object.
Type albu, then select Albums.
Object nameObjects
Lets say your Albums object contains a
Description field. To find the Description
field for albums, type albu, select Albums,
and scroll down to Description under
Field Permissions.
Parent object name
Fields
Record types
Type rep, then select Reports.Tab or parent object
name
Tabs
Type api, then select API Enabled.Permission nameApp and system
permissions
To find Apex class access settings, type apex,
then select Apex Class Access. To find
Category nameAll other categories
custom permissions, type cust, then select
Custom Permissions. And so on.
If you dont get any results, dont worry. Heres some tips that can help:
Check if the search term has at least three consecutive characters that match the object, setting, or permission name.
The permission, object, or setting you're searching for might not be available in the current Salesforce org.
The item youre searching for might not be available for the user license thats associated with the current permission set. For example,
a permission set with the Standard Platform User license doesnt include the Modify All Data permission.
The permission set license associated with the permission set doesnt include the object, setting, or permission name youre searching
for.
82
User PermissionsSalesforce Security Guide
View and Edit Assigned Apps in Permission Sets
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To edit assigned app
settings:
Manage Profiles and
Permission Sets
Assigned app settings specify the apps that users can select in the Lightning Platform app menu.
Unlike profiles, you cant assign a default app in permission sets. You can only specify whether apps
are visible.
To assign apps:
1. From Setup, enter Permission Sets in the Quick Find box, then select Permission
Sets.
2. Select a permission set, or create one.
3. On the permission set overview page, click Assigned Apps.
4. Click Edit.
5. To assign apps, select them from the Available Apps list and click Add. To remove apps from
the permission set, select them from the Enabled Apps list and click Remove.
6. Click Save.
Assign Custom Record Types in Permission Sets
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Record types available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To assign record types in
permission sets:
Manage Profiles and
Permission Sets
1. From Setup, enter Permission Sets in the Quick Find box, then select Permission
Sets.
2. Select a permission set, or create one.
3. On the permission set overview page, click Object Settings, then click the object you want.
4. Click Edit.
5. Select the record types you want to assign to this permission set.
6. Click Save.
IN THIS SECTION:
How is record type access specified?
You can assign record types to users in their profile or permission sets, or a combination of
both. Record type assignment behaves differently in profiles and permission sets.
83
User PermissionsSalesforce Security Guide
How is record type access specified?
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
You can assign record types to users in their profile or permission sets, or a combination of both.
Record type assignment behaves differently in profiles and permission sets.
A users default record type is specified in the users personal settings. You cant specify a default
record type in permission sets.
You can assign the --Master-- record type in profiles. In permission sets, you can assign
only custom record types. The behavior for record creation depends on which record types are
assigned in profiles and permission sets.
When they create a
record...
And this total number of
custom record types in
their permission sets...
If users have this record
type on their profile...
The new record is associated
with the Master record type
None--Master--
The new record is associated
with the custom record type.
One--Master--
Users cant select the Master
record type.
Users are prompted to select
a record type.
Multiple--Master--
Users are prompted to select
a record type. In their personal
One or moreCustom
settings, users can set an
option to use their default
record type and not be
prompted to choose a record
type.
Page layout assignments are specified in profiles onlytheyre not available in permission sets. When a permission set specifies a
custom record type, users with that permission set get the page layout assignment thats specified for that record type in their profile.
(In profiles, page layout assignments are specified for every record type, even when record types arent assigned.)
For lead conversion, the default record type specified in a users profile is used for the converted records.
Users can view records assigned to any record type. As a result, a page layout is assigned to every record type on a user's profile. A
record type assignment on a users profile or permission set doesnt determine whether a user can view a record with that record
type. The record type assignment simply specifies that the user can use that record type when creating or editing a record.
Record types in permission sets arent supported in packages and change sets. As a result, any record type assignments in permission
sets in a sandbox organization must be manually reproduced in a production organization.
84
User PermissionsSalesforce Security Guide
Enable Custom Permissions in Permission Sets
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
In Group and Professional
Edition organizations, you
cant create or edit custom
permissions, but you can
install them as part of a
managed package.
USER PERMISSIONS
To enable custom
permissions in permission
sets:
Manage Profiles and
Permission Sets
Custom permissions give you a way to provide access to custom processes or apps. After youve
created a custom permission and associated it with a process or app, you can enable the permission
in permission sets.
1. From Setup, enter Permission Sets in the Quick Find box, then select Permission
Sets.
2. Select a permission set, or create one.
3. On the permission set overview page, click Custom Permissions.
4. Click Edit.
5. To enable custom permissions, select them from the Available Custom Permissions list and
then click Add. To remove custom permissions from the permission set, select them from the
Enabled Custom Permissions list and then click Remove.
6. Click Save.
Manage Permission Set Assignments
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
You can assign permission sets to a single user from the user detail page or assign multiple users
to a permission set from any permission set page.
Assign Permission Sets to a Single User
Assign a Permission Set to Multiple Users
Remove User Assignments from a Permission Set
IN THIS SECTION:
Assign Permission Sets to a Single User
Assign permission sets or remove permission set assignments for a single user from the user
detail page.
Assign a Permission Set to Multiple Users
Assign a permission set to one or more users from any permission set page.
Remove User Assignments from a Permission Set
From any permission set page, you can remove the permission set assignment from one or more users.
85
User PermissionsSalesforce Security Guide
Assign Permission Sets to a Single User
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To assign permission sets:
Assign Permission Sets
Assign permission sets or remove permission set assignments for a single user from the user detail
page.
The Permission Set Assignments page shows:
Permission sets with no associated license. For example, you can assign a permission set if None
was selected for the license type in the permission set. Make sure that the users license allows
all the permission sets enabled settings and permissions. If the users license doesnt allow
selected permissions, the assignment fails.
Permission sets that match the users license. For example, if a users license is Chatter Only,
you can assign permission sets with the Chatter Only license.
Permission sets specific to permission set licenses. Lets say you create a permission set named
Identity and associate that permission set to the Identity Connect permission set license. When
you assign users to Identity, they receive all functionality available with the Identity Connect
permission set license.
Note: Some permissions require users to have a permission set license before you can grant
the permissions. For example, if you add the Use Identity Connect user permission to the
Identity permission set, you can assign only users with the Identity Connect permission set
license to the permission set.
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Select a user.
3. In the Permission Set Assignments related list, click Edit Assignments.
4. To assign a permission set, select it under Available Permission Sets and click Add. To remove a permission set assignment, select
it under Enabled Permission Sets and click Remove.
5. Click Save.
Tip: You can perform this and other administration tasks from the SalesforceA mobile app.
86
User PermissionsSalesforce Security Guide
Assign a Permission Set to Multiple Users
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To assign a permission set
to users:
Assign Permission Sets
Assign a permission set to one or more users from any permission set page.
1. Select the permission set that you want to assign to users.
2. Click Manage Assignments and then Add Assignments.
3. Select the checkboxes next to the names of the users you want assigned to the permission set,
and click Assign.
Messages confirm success or indicate if a user doesnt have the appropriate licenses for assignment.
Remove User Assignments from a Permission Set
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in:Essentials,
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To remove permission set
assignments:
Assign Permission Sets
From any permission set page, you can remove the permission set assignment from one or more
users.
1. From Setup, enter Permission Sets in the Quick Find box, then select Permission
Sets.
2. Select a permission set.
3. In the permission set toolbar, click Manage Assignments.
4. Select the users to remove from this permission set.
You can remove up to 1000 users at a time.
5. Click Remove Assignments.
This button is only available when one or more users are selected.
6. To return to a list of all users assigned to the permission set, click Done.
87
User PermissionsSalesforce Security Guide
Object Permissions
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Object permissions specify the base-level access users have to create, read, edit, and delete records
for each object. You can manage object permissions in permission sets and profiles.
Object permissions either respect or override sharing rules and settings. The following permissions
specify the access that users have to objects.
Respects or
Overrides Sharing?
DescriptionPermission
Respects sharingUsers can only view records of this type.Read
Respects sharingUsers can read and create records.Create
Respects sharingUsers can read and update records.Edit
Respects sharingUsers can read, edit, and delete records.Delete
Overrides sharingUsers can view all records associated with this
object, regardless of sharing settings.
View All
Overrides sharingUsers can read, edit, delete, transfer, and
approve all records associated with this object,
regardless of sharing settings.
Modify All
Note: Modify All on documents allows
access to all shared and public folders,
but not the ability to edit folder
properties or create new folders. To edit
folder properties and create new folders,
users must have the Manage Public
Documents permission.
IN THIS SECTION:
View All and Modify All Permissions Overview
The View All and Modify All permissions ignore sharing rules and settings, allowing administrators to grant access to records
associated with a given object across the organization. View All and Modify All can be better alternatives to the View All Data
and Modify All Data permissions.
Comparing Security Models
View All and Modify All Permissions Overview
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: All Editions
The View All and Modify All permissions ignore sharing rules and settings, allowing administrators
to grant access to records associated with a given object across the organization. View All and
Modify All can be better alternatives to the View All Data and Modify All Data permissions.
Be aware of the following distinctions between the permission types.
88
Object PermissionsSalesforce Security Guide
Users who need themUsed forPermissions
Delegated administrators who manage records for
specific objects
Delegation of object permissions.View All
Modify All
Administrators of an entire organizationManaging all data in an organization; for example,
data cleansing, deduplication, mass deletion, mass
transferring, and managing record approvals.
Users with View All Data (or Modify All Data)
permission can view (or modify) all apps and data,
even if the apps and data are not shared with them.
View All Data
Modify All Data Note: If a user requires access to metadata
but not to data, you can enable the Modify
Metadata permission (beta) to give the access
the user needs without providing access to
org data. See Modify Metadata Permission
(Beta) in Salesforce Help.
Users who need to see all users in the organization.
Useful if the organization-wide default for the user
Viewing all users in the organization. Grants Read
access to all users, so that you can see their user
View All Users
object is Private. Administrators with the Managerecord details, see them in searches, list views, and
so on. Users permission are automatically granted the View
All Users permission.
View All and Modify All are not available for ideas, price books, article types, and products.
View All and Modify All allow for delegation of object permissions only. To delegate user administration and custom object
administration duties, define delegated administrators.
View All Users is available if your organization has User Sharing, which controls user visibility in the organization. To learn about User
Sharing, see User Sharing.
Comparing Security Models
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
Salesforce user security is an intersection of sharing, and user and object permissions. In some cases,
such as in end-user record level access, it is advantageous to use sharing to provide access to records.
In other cases, such as when delegating record administration tasks like transferring records, cleansing
data, deduplicating records, mass deleting records, and delegating workflow approval processes,
it is advantageous to override sharing and use permissions to provide access to records.
The Read, Create, Edit, and Delete permissions respect sharing settings, which control access
to data at the record level. The View All and Modify All permissions override sharing settings for
specific objects. Additionally, the View All Data and Modify All Data permissions override sharing
settings for all objects.
The following table describes the differences between the security models.
Permissions that Override SharingPermissions that Respect Sharing
Delegated data administratorsEnd-usersTarget audience
View All and Modify AllRead, Create, Edit, and Delete object
permissions;
Sharing settings
Where managed
89
Object PermissionsSalesforce Security Guide
Permissions that Override SharingPermissions that Respect Sharing
View All and Modify AllPrivate, Read-Only, Read/Write,
Read/Write/Transfer/Full Access
Record access levels
Available on all objects with Modify AllRespects sharing settings, which vary by
object
Ability to transfer
Available on all objects with Modify AllNoneAbility to approve records, or edit and
unlock records in an approval process
Available on all objects with View AllAvailable with a sharing rule that states: the
records owned by the public group Entire
Ability to report on all records
Organization are shared with a specified
group, with Read-Only access
Available on most objects via object
permissions
Available on all objects except products,
documents, solutions, ideas, notes, and
attachments
Object support
Note: View All and Modify All
are not available for ideas, price
books, article types, and products.
Profile or permission setsRoles, Roles and Subordinates, Roles and
Internal Subordinates, Roles, Internal and
Group access levels determined by
Portal Subordinates, Queues, Teams, and
Public Groups
Available on private contacts, opportunities,
and notes and attachments with View All
and Modify All
Not availablePrivate record access
Available on all objects with Modify AllAvailable to the record owner and any user
above the record owner in the role hierarchy
Ability to manually share records
Available with Modify All on casesNot availableAbility to manage all case comments
90
Object PermissionsSalesforce Security Guide
Custom Permissions
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
In Group and Professional
Edition organizations, you
cant create or edit custom
permissions, but you can
install them as part of a
managed package.
Use custom permissions to give users access to custom processes or apps.
In Salesforce, many features require access checks that specify which users can access certain
functions. Permission set and profiles settings include built-in access settings for many entities, like
objects, fields, tabs, and Visualforce pages. However, permission sets and profiles dont include
access for some custom processes and apps. For example, for a time-off manager app, all users
might need to be able to submit time-off requests but only a smaller set of users need to approve
time-off requests. You can use custom permissions for these types of controls.
Custom permissions let you define access checks that can be assigned to users via permission sets
or profiles, similar to how you assign user permissions and other access settings. For example, you
can define access checks in Apex that make a button on a Visualforce page available only if a user
has the appropriate custom permission.
You can query custom permissions in these ways.
To determine which users have access to a specific custom permission, use Salesforce Object
Query Language (SOQL) with the SetupEntityAccess and CustomPermission sObjects.
To determine what custom permissions users have when they authenticate in a connected
app, reference the user's Identity URL, which Salesforce provides along with the access token
for the connected app.
IN THIS SECTION:
Create Custom Permissions
Create custom permissions to give users access to custom processes or apps.
Edit Custom Permissions
Edit custom permissions that give users access to custom processes or apps.
91
Custom PermissionsSalesforce Security Guide
Create Custom Permissions
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
In Group and Professional
Edition organizations, you
cant create or edit custom
permissions, but you can
install them as part of a
managed package.
USER PERMISSIONS
To create custom
permissions:
Manage Custom
Permissions
Create custom permissions to give users access to custom processes or apps.
1. From Setup, enter Custom Permissions in the Quick Find box, then select Custom
Permissions.
2. Click New.
3. Enter the permission information:
Labelthe permission label that appears in permission sets
Namethe unique name thats used by the API and managed packages
Descriptionoptionally, a description that explains what functions the permission
grants access to, such as Approve time-off requests.
Connected Appoptionally, the connected app thats associated with this permission
4. Click Save.
92
Custom PermissionsSalesforce Security Guide
Edit Custom Permissions
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
In Group and Professional
Edition organizations, you
cant create or edit custom
permissions, but you can
install them as part of a
managed package.
USER PERMISSIONS
To edit custom permissions:
Manage Custom
Permissions
Edit custom permissions that give users access to custom processes or apps.
1. From Setup, enter Custom Permissions in the Quick Find box, then select Custom
Permissions.
2. Click Edit next to the permission that you need to change.
3. Edit the permission information as needed.
Labelthe permission label that appears in permission sets
Namethe unique name thats used by the API and managed packages
Descriptionoptionally, a description that explains what functions the permission
grants access to, such as Approve time-off requests.
Connected Appoptionally, the connected app thats associated with this permission
4. Click Save.
Profiles
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Profiles define how users access objects and data, and what they can do within the application.
When you create users, you assign a profile to each one.
Watch how you can grant users access to objects using profiles.
Who Sees What: Object Access (English only)
Your org includes several standard profiles where you can edit a limited number of settings. With
editions that contain custom profiles, you can edit all permissions and settings except the user
license. In Contact Manager, Essentials Edition, and Group Edition orgs, you can assign standard
profiles to your users, but you cant view or edit the standard profiles, and you cant create custom
profiles.
Every profile belongs to exactly one user license type.
IN THIS SECTION:
Work in the Enhanced Profile User Interface Page
In the enhanced profile user interface, the profile overview page provides an entry point for all settings and permissions for a profile.
93
ProfilesSalesforce Security Guide
Work in the Original Profile Interface
To view a profile on the original profile page, from Setup, enter Profiles in the Quick Find box, then select Profiles, then
select the profile you want.
Manage Profile Lists
Profiles define how users access objects and data, and what they can do within the application. When you create users, you assign
a profile to each one. To view the profiles in your organization, from Setup, enter Profiles in the Quick Find box, then
select Profiles.
Edit Multiple Profiles with Profile List Views
If enhanced profile list views are enabled for your organization, you can change permissions in up to 200 profiles directly from the
list view, without accessing individual profile pages.
Clone Profiles
Instead of creating profiles, save time by cloning existing profiles and customizing them.
Viewing a Profile's Assigned Users
To view all users that are assigned to a profile from the profile overview page, click Assigned Users (in the enhanced profile user
interface) or View Users (in the original profile user interface). From the assigned users page, you can:
View and Edit Tab Settings in Permission Sets and Profiles
Tab settings specify whether a tab appears in the All Tabs page or is visible in a tab set.
Enable Custom Permissions in Profiles
Custom permissions give you a way to provide access to custom processes or apps. After youve created a custom permission and
associated it with a process or app, you can enable the permission in profiles.
94
ProfilesSalesforce Security Guide
Work in the Enhanced Profile User Interface Page
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To view profiles:
View Setup and
Configuration
To delete profiles and edit
profile properties:
Manage Profiles and
Permission Sets
In the enhanced profile user interface, the profile overview page provides an entry point for all
settings and permissions for a profile.
To open the profile overview page, from Setup, enter Profiles in the Quick Find box,
then select Profiles and click the profile you want to view.
IN THIS SECTION:
Assign Record Types and Page Layouts in the Enhanced Profile User Interface
App and System Settings in the Enhanced Profile User Interface
Search in the Enhanced Profile User Interface
To locate an object, tab, permission, or setting name on a profile page, type at least three
consecutive letters in the Find Settings box. As you type, suggestions for results that
match your search terms appear in a list. Click an item in the list to go to its settings page.
95
ProfilesSalesforce Security Guide
Assign Record Types and Page Layouts in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
Record types available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To edit record type and
page layout access settings:
Manage Profiles and
Permission Sets
In the enhanced profile user interface, Record Types and Page Layout Assignments settings determine
the record type and page layout assignment mappings that are used when users view records.
They also determine which record types are available when users create or edit records.
To specify record types and page layout assignments:
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile.
3. In the Find Settings... box, enter the name of the object you want and select it from the list.
4. Click Edit.
5. In the Record Types and Page Layout Assignments section, make changes to the settings as
needed.
DescriptionSetting
Lists all existing record types for the object.
--Master-- is a system-generated record type that's used
when a record has no custom record type associated with it.
When --Master-- is assigned, users can't set a record
type to a record, such as during record creation. All other
record types are custom record types.
Record Types
The page layout to use for each record type. The page layout
determines the buttons, fields, related lists, and other elements
Page Layout Assignment
that users with this profile see when creating records with the
associated record type. Since all users can access all record
types, every record type must have a page layout assignment,
even if the record type isn't specified as an assigned record
type in the profile.
Record types that are checked in this column are available
when users with this profile create records for the object. If
Assigned Record Types
--Master-- is selected, you can't select any custom record
types; and if any custom record types are selected, you can't
select --Master--.
The default record type to use when users with this profile
create records for the object.
Default Record Type
The Record Types and Page Layout Assignments settings have some variations for the following objects or tabs.
VariationObject or Tab
If your organization uses person accounts, the accounts object additionally includes
Business Account Default Record Type and Person Account Default Record Type
Accounts
settings, which specify the default record type to use when the profile's users create
business or person account records from converted leads.
96
ProfilesSalesforce Security Guide
VariationObject or Tab
The cases object additionally includes Case Close settings, which show the page layout
assignments to use for each record type on closed cases. That is, the same record type
Cases
may have different page layouts for open and closed cases. With this additional setting,
when users close a case, the case may have a different page layout that exposes how
it was closed.
You can't specify custom record types for the home tab. You can only select a page
layout assignment for the --Master-- record type.
Home
6. Click Save.
IN THIS SECTION:
Assign Record Types to Profiles in the Original Profile User Interface
After you create record types and include picklist values in them, add record types to user profiles. If you assign a default record type
to a profile, users with that profile can assign the record type to records that they create or edit.
Assign Page Layouts in the Original Profile User Interface
If youre already working in an original profile user interface, you can access, view, and edit all page layout assignments easily in one
location.
Assign Record Types to Profiles in the Original Profile User Interface
EDITIONS
Available in: both Salesforce
Classic and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To assign record types to
profiles:
Customize Application
After you create record types and include picklist values in them, add record types to user profiles.
If you assign a default record type to a profile, users with that profile can assign the record type to
records that they create or edit.
Note: Users can view records of any record type, even if the record type is not associated
with their profile.
You can associate several record types with a profile. For example, a user needs to create hardware
and software sales opportunities. In this case, you can create and add both Hardware and Software
record types to the users profile.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile. The record types available for that profile are listed in the Record Type Settings
section.
3. Click Edit next to the appropriate type of record.
4. Select a record type from the Available Record Types list and add it to the Selected Record Types
list.
Master is a system-generated record type that's used when a record has no custom record
type associated with it. When you assign Master, users can't set a record type to a record, such as during record creation. All other
record types are custom record types.
5. From Default, choose a default record type.
If your organization uses person accounts, this setting also controls which account fields display in the Quick Create area of
the accounts home page.
97
ProfilesSalesforce Security Guide
6. If your organization uses person accounts, set default record type options for both person accounts and business accounts. From
the Business Account Default Record Type and then the Person Account Default Record Type
drop-down list, choose a default record type.
These settings are used when defaults are needed for both kinds of accounts, such as when converting leads.
7. Click Save.
Options in the Record Type Settings section are blank wherever no record types exist. For example, if you have two record types for
opportunities but no record types for accounts, the Edit link only displays for opportunities. In this example, the picklist values and
default value for the master are available in all accounts.
Note: If your organization uses person accounts, you can view the record type defaults for business accounts and person accounts.
Go to Account Record Type Settings in the profile detail page. Clicking Edit in the Account Record Type Settings is another way
to begin setting record type defaults for accounts.
Assign Page Layouts in the Original Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
Record types available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To assign page layouts in
profiles:
Manage Profiles and
Permission Sets
If youre already working in an original profile user interface, you can access, view, and edit all page
layout assignments easily in one location.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile.
3. Click View Assignment next to any tab name in the Page Layouts section.
4. Click Edit Assignment.
5. Use the table to specify the page layout for each profile. If your organization uses record types,
a matrix displays a page layout selector for each profile and record type.
Selected page layout assignments are highlighted.
Page layout assignments you change are italicized until you save your changes.
6. If necessary, select another page layout from the Page Layout To Use drop-down list
and repeat the previous step for the new page layout.
7. Click Save.
98
ProfilesSalesforce Security Guide
App and System Settings in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
In the enhanced profile user interface, administrators can easily navigate, search, and modify settings
for a single profile. Permissions and settings are organized into pages under app and system
categories, which reflect the rights users need to administer and use app and system resources.
App Settings
Apps are sets of tabs that users can change by selecting the drop-down menu in the header. All
underlying objects, components, data, and configurations remain the same, regardless of the
selected app. In selecting an app, users navigate in a set of tabs that allows them to efficiently use
the underlying functionality for app-specific tasks. For example, let's say you do most of your work
in the sales app, which includes tabs like Accounts and Opportunities. To track a new marketing
campaign, rather than adding the Campaigns tab to the sales app, you select Marketing from the
app drop-down to view your campaigns and campaign members.
In the enhanced profile user interface, the Apps section of the overview page contains settings that are directly associated with the
business processes that the apps enable. For example, customer service agents may need to manage cases, so the Manage Cases
permission is in the Call Center section of the App Permissions page. Some app settings aren't related to app permissions. For example,
to enable the Time-Off Manager app from the AppExchange, users need access to the appropriate Apex classes and Visualforce pages,
as well as the object and field permissions that allow them to create new time-off requests.
Note: Regardless of the currently selected app, all of a user's permissions are respected. For example, although the Import Leads
permission is under the Sales category, a user can import leads even while in the Service app.
System Settings
Some system functions apply to an organization and not to any single app. For example, login hours and login IP ranges control a user's
ability to log in, regardless of which app the user accesses. Other system functions apply to all apps. For example, the Run Reports and
Manage Dashboards permissions allow managers to create and manage reports in all apps. In some cases, such as with Modify All
Data, a permission applies to all apps, but also includes non-app functions, like the ability to download the Data Loader.
Search in the Enhanced Profile User Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
The available profile
permissions and settings
vary according to which
Salesforce edition you have.
USER PERMISSIONS
To find permissions and
settings in a profile:
View Setup and
Configuration
To locate an object, tab, permission, or setting name on a profile page, type at least three consecutive
letters in the Find Settings box. As you type, suggestions for results that match your search
terms appear in a list. Click an item in the list to go to its settings page.
Search terms arent case-sensitive. For some categories, you can search for the specific permission
or setting name. For other categories, search for the category name.
ExampleSearch forItem
Type sales in the Find Settings box, then
select Sales from the list.
App nameAssigned apps
Lets say you have an Albums custom object.
Type albu, then select Albums.
Object nameObjects
99
ProfilesSalesforce Security Guide
ExampleSearch forItem
Lets say your Albums object contains a Description field. To find
the Description field for albums, type albu, select Albums,
and scroll down to Description under Field Permissions.
Parent object name
Fields
Record types
Page layout assignments
Type rep, then select Reports.Tab or parent object nameTabs
Type api, then select API Enabled.Permission nameApp and system permissions
To find Apex class access settings, type apex, then select Apex
Class Access. To find custom permissions, type cust, then
select Custom Permissions. And so on.
Category nameAll other categories
If no results appear in a search:
Check if the permission, object, tab, or setting youre searching for is available in the current organization.
Verify that the item youre searching for is available for the user license thats associated with the current profile. For example, a
profile with the High Volume Customer Portal license doesnt include the Modify All Data permission.
Ensure that your search term contains at least three consecutive characters that match the name of the item you want to find.
Make sure that you spelled the search term correctly.
Work in the Original Profile Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
To view a profile on the original profile page, from Setup, enter Profiles in the Quick Find
box, then select Profiles, then select the profile you want.
On the profile detail page, you can:
Edit the profile
Create a profile based on this profile
For custom profiles only, click Delete to delete the profile
Note: You cant delete a profile thats assigned to a user, even if the user is inactive.
View the users who are assigned to this profile
IN THIS SECTION:
Edit Profiles in the Original Profile Interface
Profiles define how users access objects and data and what they can do within the application.
In standard profiles, you can edit a limited number of settings. In custom profiles, you can edit
all available permissions and settings, except the user license.
100
ProfilesSalesforce Security Guide
Edit Profiles in the Original Profile Interface
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To edit app and system
permissions in profiles:
Manage Profiles and
Permission Sets
To edit app and system as
well as object and field
permissions in profiles:
Manage Profiles and
Permission Sets
AND
Customize Application
Profiles define how users access objects and data and what they can do within the application. In
standard profiles, you can edit a limited number of settings. In custom profiles, you can edit all
available permissions and settings, except the user license.
Note: Editing some permissions can result in enabling or disabling other ones. For example,
enabling View All Data enables Read for all objects. Likewise, enabling Transfer Leads
enables Read and Create on leads.
Tip: If enhanced profile list views are enabled for your organization, you can change
permissions for multiple profiles from the list view.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select the profile you want to change.
3. On the profile detail page, click Edit.
101
ProfilesSalesforce Security Guide
Manage Profile Lists
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To view profiles, and print
profile lists:
View Setup and
Configuration
To delete profile list views:
Manage Profiles and
Permission Sets
To delete custom profiles:
Manage Profiles and
Permission Sets
Profiles define how users access objects and data, and what they can do within the application.
When you create users, you assign a profile to each one. To view the profiles in your organization,
from Setup, enter Profiles in the Quick Find box, then select Profiles.
Viewing Enhanced Profile Lists
If enhanced profile list views are enabled for your organization, you can use additional tools to
customize, navigate, manage, and print profile lists.
Show a filtered list of profiles by selecting a view from the drop-down list.
Delete a view by selecting it from the drop-down list and clicking Delete.
Create a list view or edit an existing view.
Create a profile.
Print the list view by clicking .
Refresh the list view after creating or editing a view by clicking .
Edit permissions directly in the list view.
View or edit a profile by clicking its name.
Delete a custom profile by clicking Del next to its name.
Note: You cant delete a profile thats assigned to a user, even if the user is inactive.
Viewing the Basic Profile List
Create a profile.
View or edit a profile by clicking its name.
Delete a custom profile by clicking Del next to its name.
102
ProfilesSalesforce Security Guide
Edit Multiple Profiles with Profile List Views
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
USER PERMISSIONS
To edit multiple profiles from
the list view:
Manage Profiles and
Permission Sets
AND
Customize Application
If enhanced profile list views are enabled for your organization, you can change permissions in up
to 200 profiles directly from the list view, without accessing individual profile pages.
Editable cells display a pencil icon ( ) when you hover over the cell, while non-editable cells display
a lock icon ( ). In some cases, such as in standard profiles, the pencil icon appears but the setting
is not actually editable.
Warning: Use care when editing profiles with this method. Because profiles affect a user's
fundamental access, making mass changes may have a widespread effect on users in your
organization.
1. Select or create a list view that includes the profiles and permissions you want to edit.
2. To edit multiple profiles, select the checkbox next to each profile you want to edit.
If you select profiles on multiple pages, Salesforce remembers which profiles are selected.
3. Double-click the permission you want to edit.
For multiple profiles, double-click the permission in any of the selected profiles.
4. In the dialog box that appears, enable or disable the permission.
In some cases, changing a permission may also change other permissions. For example, if
Customize Application and View Setup and Configuration are disabled and you enable
Customize Application, then View Setup and Configuration is also enabled. In this case, the
dialog box lists the affected permissions.
5. To change multiple profiles, select All n selected records (where n is the number of profiles you selected).
6. Click Save.
Note:
For standard profiles, inline editing is available only for the Single Sign-On and Affected By Divisions permissions.
If you edit multiple profiles, only those profiles that support the permission you are changing will change. For example, if you
use inline editing to add Modify All Data to multiple profiles, but because of its user license the profile doesn't have Modify
All Data, the profile won't change.
If any errors occur, an error message appears, listing each profile in error and a description of the error. Click the profile name to open
the profile detail page. The profiles you've clicked appear in the error window in gray, strike-through text. To view the error console, you
must have pop-up blockers disabled for the Salesforce domain.
Any changes you make are recorded in the setup audit trail.
103
ProfilesSalesforce Security Guide
Clone Profiles
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create profiles:
Manage Profiles and
Permission Sets
Instead of creating profiles, save time by cloning existing profiles and customizing them.
Tip: If you clone profiles to enable certain permissions or access settings, consider using
permission sets. For more information, see Permission Sets. Also, if your profile name contains
more than one word, avoid extraneous spacing. For example, Acme User and Acme User
are identical other than spacing between Acme and User. Using both profiles in this case
can result in confusion for admins and users.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. In the Profiles list page, do one of the following:
Click New Profile, then select an existing profile thats similar to the one you want to create.
If enhanced profile list views are enabled, click Clone next to a profile thats similar to the
one you want to create.
Click the name of a profile thats similar to the one you want to create, then in the profile
page, click Clone.
A new profile uses the same user license as the profile it was cloned from.
3. Enter a profile name.
4. Click Save.
Viewing a Profile's Assigned Users
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Custom Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
To view all users that are assigned to a profile from the profile overview page, click Assigned Users
(in the enhanced profile user interface) or View Users (in the original profile user interface). From
the assigned users page, you can:
Create one or multiple users
Reset passwords for selected users
Edit a user
View a user's detail page by clicking the name, alias, or username
View or edit a profile by clicking the profile name
If Google Apps is enabled in your organization, export users to Google and create Google
Apps accounts by clicking Export to Google Apps
104
ProfilesSalesforce Security Guide
View and Edit Tab Settings in Permission Sets and Profiles
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Tab settings available in: All
Editions except
Database.com
Permission sets available in:
Contact Manager,
Professional, Group,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Profiles available in:
Professional, Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
USER PERMISSIONS
To view tab settings:
View Setup and
Configuration
To edit tab settings:
Manage Profiles and
Permission Sets
Tab settings specify whether a tab appears in the All Tabs page or is visible in a tab set.
1. From Setup, either:
Enter Permission Sets in the Quick Find box, then select Permission Sets, or
Enter Profiles in the Quick Find box, then select Profiles
2. Select a permission set or profile.
3. Do one of the following:
Permission sets or enhanced profile user interfaceIn the Find Settings... box, enter the
name of the tab you want and select it from the list, then click Edit.
Original profile user interfaceClick Edit, then scroll to the Tab Settings section.
4. Specify the tab settings.
5. (Original profile user interface only) To reset users tab customizations to the tab visibility settings
that you specify, select Overwrite users' personal tab customizations.
6. Click Save.
Note: If Salesforce CRM Content is enabled for your organization but the Salesforce CRM
Content User checkbox isnt enabled on the user detail page, the Salesforce CRM Content
app has no tabs.
105
ProfilesSalesforce Security Guide
Enable Custom Permissions in Profiles
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Essentials,
Group, Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
In Group and Professional
Edition organizations, you
cant create or edit custom
permissions, but you can
install them as part of a
managed package.
USER PERMISSIONS
To enable custom
permissions in profiles:
Manage Profiles and
Permission Sets
Custom permissions give you a way to provide access to custom processes or apps. After youve
created a custom permission and associated it with a process or app, you can enable the permission
in profiles.
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile.
3. Depending on which user interface youre using, do one of the following.
Enhanced profile user interface: Click Custom Permissions, and then click Edit.
Original profile user interface: In the Enabled Custom Permissions related list, click Edit.
4. To enable custom permissions, select them from the Available Custom Permissions list and
click Add. To remove custom permissions from the profile, select them from the Enabled Custom
Permissions list and click Remove.
5. Click Save.
106
ProfilesSalesforce Security Guide
User Role Hierarchy
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To view roles and role
hierarchy:
View Roles and Role
Hierarchy
To create, edit, and delete
roles:
Manage Roles
To assign users to roles:
Manage Internal Users
Salesforce offers a user role hierarchy that you can use with sharing settings to determine the levels
of access that users have to your Salesforce orgs data. Roles within the hierarchy affect access on
key components such as records and reports.
If your organization-wide defaults are more restrictive than Public Read/Write, use role
hierarchy to make records more accessible to users.
Watch a Demo: Who Sees What: Record Access via the Role Hierarchy (English only)
Users at any role level can view, edit, and report on all data thats owned by or shared with users
below them in their role hierarchy, unless your orgs sharing model for an object specifies otherwise.
Specifically, in the Organization-Wide defaults related list, you can disable the Grant Access Using
Hierarchies option for a custom object. When disabled, only the record owner and users who are
granted access by the organization-wide defaults receive access to the objects records.
Roles determine user access to cases, contacts, and opportunities, regardless of who owns those
records. The access level is specified on the Role Edit page. For example, you can set the contact
access so that users in a role can edit all contacts associated with accounts that they own, regardless
of who owns the contacts. And you can set the opportunity access so that users in a role can edit
all opportunities associated with accounts that they own, regardless of who owns the opportunities.
After you share a folder with a role, its visible only to users in that role, not to superior roles in the
hierarchy.
Share Objects and Fields
Give specific object or field access to selected groups or profiles.
IN THIS SECTION:
Field-Level Security
Field-level security settings let you restrict users access to view and edit specific fields.
Sharing Rules
Make automatic exceptions to your organization-wide sharing settings for defined sets of users.
User Sharing
User Sharing enables you to show or hide an internal or external user from another user in your organization.
What Is a Group?
A group consists of a set of users. A group can contain individual users, other groups, or the users in a particular role or territory. It
can also contain the users in a particular role or territory plus all the users below that role or territory in the hierarchy.
Organization-Wide Sharing Defaults
Define the default access level for an objects records with organization-wide sharing settings. Organization-wide sharing settings
can be set separately for custom objects and many standard objects, including assets, campaigns, cases, and accounts and their
contracts.
107
User Role HierarchySalesforce Security Guide
Field-Level Security
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Field-level security settings let you restrict users access to view and edit specific fields.
Note: Who Sees What: Field-Level Security (English only)
Watch how you can restrict access to specific fields on a profile-by-profile basis.
Your Salesforce org contains a lot of data, but you probably dont want every field accessible to
everyone. For example, your payroll manager probably wants to keep salary fields accessible only
to select employees. You can restrict user access in:
Detail and edit pages
Related lists
List views
Reports
Connect Offline
Email and mail merge templates
Custom links
The partner portal
The Salesforce Customer Portal
Synchronized data
Imported data
The fields that users see on detail and edit pages are a combination of page layouts and field-level security settings. The most restrictive
field access settings of the two always applies. For example, you can have a field thats required in a page layout but is read-only in the
field-level security settings. The field-level security overrides the page layout, so the field remains read-only.
Important: Field-level security doesnt prevent searching on the values in a field. When search terms match on field values
protected by field-level security, the associated records are returned in the search results without the protected fields and their
values.
You can define field-level security in either of these ways.
For multiple fields on a single permission set or profile
For a single field on all profiles
After setting field-level security, you can:
Create page layouts to organize the fields on detail and edit pages.
Tip: Use field-level security to restrict users access to fields, and then use page layouts to organize detail and edit pages within
tabs. This approach reduces the number of page layouts for you to maintain.
Verify users access to fields by checking field accessibility.
Customize search layouts to set the fields that appear in search results, in lookup dialog search results, and in the key lists on tab
home pages. To hide a field that's not protected by field-level security, omit it from the layout.
Note: Roll-up summary and formula fields are read-only on detail pages and not available on edit pages. They can also be visible
to users even though they reference fields that your users cant see. Universally required fields appear on edit pages regardless of
field-level security.
The relationship group wizard allows you to create and edit relationship groups regardless of field-level security.
108
Field-Level SecuritySalesforce Security Guide
IN THIS SECTION:
Set Field Permissions in Permission Sets and Profiles
Field permissions specify the access level for each field in an object.
Set Field-Level Security for a Single Field on All Profiles
Field Permissions
Field permissions specify the access level for each field in an object. In permission sets and the enhanced profile user interface, the
setting labels differ from those in the original profile user interface and in field-level security pages for customizing fields.
Classic Encryption for Custom Fields
Restrict other Salesforce users from seeing custom text fields you want to keep private. Only users with the permission View Encrypted
Data can see data in encrypted custom text fields.
Set Field Permissions in Permission Sets and Profiles
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To set field-level security:
Manage Profiles and
Permission Sets
AND
Customize Application
Field permissions specify the access level for each field in an object.
1. From Setup, either:
Enter Permission Sets in the Quick Find box, then select Permission Sets,
or
Enter Profiles in the Quick Find box, then select Profiles
2. Select a permission set or profile.
3. Depending on which interface you're using, do one of the following:
Permission sets or enhanced profile user interfaceIn the Find Settings... box, enter the
name of the object you want and select it from the list. Click Edit, then scroll to the Field
Permissions section.
Original profile user interfaceIn the Field-Level Security section, click View next to the
object you want to modify, and then click Edit.
4. Specify the field's access level.
5. Click Save.
109
Field-Level SecuritySalesforce Security Guide
Set Field-Level Security for a Single Field on All Profiles
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To set field-level security:
Manage Profiles and
Permission Sets
AND
Customize Application
1. From the management settings for the fields object, go to the fields area.
2. Select the field you want to modify.
3. Click View Field Accessibility.
4. Specify the field's access level.
Field Permissions
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Field permissions specify the access level for each field in an object. In permission sets and the
enhanced profile user interface, the setting labels differ from those in the original profile user
interface and in field-level security pages for customizing fields.
Enabled Settings in
Original Profile and
Field-Level Security
Interfaces
Enabled Settings in
Permission Sets and
Enhanced Profile User
Interface
Access Level
VisibleRead and EditUsers can read and edit the
field.
Visible and Read-OnlyReadUsers can read but not edit the
field.
NoneNoneUsers can't read or edit the
field.
110
Field-Level SecuritySalesforce Security Guide
Classic Encryption for Custom Fields
EDITIONS
Available in: both Salesforce
Classic and Lightning
Experience
Available in: Developer,
Enterprise, Performance,
Unlimited, and
Database.com Editions
Restrict other Salesforce users from seeing custom text fields you want to keep private. Only users
with the permission View Encrypted Data can see data in encrypted custom text fields.
Note: This information is about Classic Encryption and not Shield Platform Encryption.
Before you begin working with encrypted custom fields, review these implementation notes,
restrictions, and best practices.
Implementation Notes
Encrypted fields are encrypted with 128-bit master keys and use the Advanced Encryption
Standard (AES) algorithm. You can archive, delete, and import your master encryption key. To
enable master encryption key management, contact Salesforce.
You can use encrypted fields in email templates but the value is always masked regardless of whether you have the View Encrypted
Data permission.
If you have created encrypted custom fields, make sure that your organization has Require secure connections (HTTPS) enabled.
If you have the View Encrypted Data permission and you grant login access to another user, the user can see encrypted fields in
plain text.
Only users with the View Encrypted Data permission can clone the value of an encrypted field when cloning that record.
Only the <apex:outputField> component supports presenting encrypted fields in Visualforce pages.
Restrictions
Encrypted text fields:
Cannot be unique, have an external ID, or have default values.
For leads are not available for mapping to other objects.
Are limited to 175 characters because of the encryption algorithm.
Are not available for use in filters such as list views, reports, roll-up summary fields, and rule filters.
Cannot be used to define report criteria, but they can be included in report results.
Are not searchable, but they can be included in search results.
Are not available for: Connect Offline, Salesforce for Outlook, lead conversion, workflow rule criteria or formulas, formula fields,
outbound messages, default values, and Web-to-Lead and Web-to-Case forms.
Best Practices
Encrypted fields are editable regardless of whether the user has the View Encrypted Data permission. Use validation rules, field-level
security settings, or page layout settings to prevent users from editing encrypted fields.
You can still validate the values of encrypted fields using validation rules or Apex. Both work regardless of whether the user has the
View Encrypted Data permission.
Encrypted field data is not always masked in the debug log. Encrypted field data is masked if the Apex request originates from an
Apex Web service, a trigger, a workflow, an inline Visualforce page (a page embedded in a page layout), or a Visualforce email
template. In other cases, encrypted field data isnt masked in the debug log, like for example when running Apex from the Developer
Console.
111
Field-Level SecuritySalesforce Security Guide
Existing custom fields cannot be converted into encrypted fields nor can encrypted fields be converted into another data type. To
encrypt the values of an existing (unencrypted) field, export the data, create an encrypted custom field to store that data, and import
that data into the new encrypted field.
Mask Type is not an input mask that ensures the data matches the Mask Type. Use validation rules to ensure that the data
entered matches the mask type selected.
Use encrypted custom fields only when government regulations require it because they involve more processing and have
search-related limitations.
Note: This page is about Classic Encryption, not Shield Platform Encryption. What's the difference? on page 214
IN THIS SECTION:
Create Custom Fields
Capture your unique business data by storing it in custom fields. When you create a custom field, you configure where you want it
to appear and optionally control security at the field level.
112
Field-Level SecuritySalesforce Security Guide
Create Custom Fields
EDITIONS
Available in: both Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Contact
Manager,Essentials, Group,
Professional, Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
Salesforce Connect external
objects are available in:
Developer Edition and for
an extra cost in: Enterprise,
Performance, and
Unlimited Editions
Custom fields arent
available on Activities in
Group Edition
Custom settings arent
available in Professional
Edition
Layouts arent available in
Database.com
USER PERMISSIONS
To create or change custom
fields:
Customize Application
Capture your unique business data by storing it in custom fields. When you create a custom field,
you configure where you want it to appear and optionally control security at the field level.
Watch a Demo: How to Create a Custom Field in Salesforce
Want to customize Salesforce so it captures all your business data? This short video walks you
through how to create a custom picklist field, from choosing the correct field type to applying field
level security.
Watch a Demo: How to Add a Custom Field in Salesforce (Lightning Experience)
Want to add and arrange a new field while viewing an individual record for an object? This short
video walks you through creating a picklist field while viewing a contact, and then changing the
page layout for the field.
Before you begin, determine the type of field you want to create.
Note: When your org is close to the limit of 800 custom fields and you delete or create fields,
field creation can fail. The physical delete process reclaims and cleans fields, making them
count temporarily toward the limit. The delete process runs only when the queue is full, so
it can take days or weeks to start. In the meantime, the deleted fields are still counted as part
of the limit. To request immediate deletion of fields, contact Salesforce Support.
1. From the management settings for the object you want to add a field to, go to Fields.
Custom task and event fields are accessible from the object management settings for Activities.
2. Click New.
Tip: On custom objects, you can also set field dependencies and field history tracking in
this section.
3. Choose the type of field and click Next. Consider the following.
Some data types are available for certain configurations only. For example, the
Master-Detail Relationship option is available for custom objects only when
the custom object doesnt already have a master-detail relationship.
Custom settings and external objects allow only a subset of the available data types.
You cant add a multi-select picklist, rich text area, or dependent picklist custom field to
opportunity splits.
Relationship fields count towards custom field limits.
Additional field types may appear if an AppExchange package using those field types is installed.
The Roll-Up Summary option is available on certain objects only.
Field types correspond to API data types.
If your organization uses Shield Platform Encryption, ensure you understand how to encrypt custom fields using the Shield
Platform Encryption offering.
4. For relationship fields, associate an object with the field and click Next.
5. For indirect lookup relationship fields, select a unique, external ID field on the parent object, and then click Next. The parent field
values are matched against the values of the child indirect lookup relationship field to determine which records are related to each
other.
6. To base a picklist field on a global picklist value set, select the value set to use.
113
Field-Level SecuritySalesforce Security Guide
7. Enter a field label.
Salesforce populates Field Name using the field label. This name can contain only underscores and alphanumeric characters,
and must be unique in your org. It must begin with a letter, not include spaces, not end with an underscore, and not contain two
consecutive underscores. Use the field name for merge fields in custom links, custom s-controls, and when referencing the field
from the API.
Tip: Ensure that the custom field name and label are unique for that object.
If a standard and custom field have identical names or labels, the merge field displays the custom field value.
If two custom fields have identical names or labels, the merge field may display an unexpected value.
If you create a field label called Email and a standard field labeled Email already exists, the merge field may be unable
to distinguish between the fields. Adding a character to the custom field name makes it unique. For example, Email2.
8. Enter field attributes and select the appropriate checkboxes to specify whether the field must be populated and what happens if
the record is deleted.
9. For master-detail relationships on custom objects, optionally select Allow reparenting to allow a child record in the master-detail
relationship to be reparented to a different parent record.
10. For relationship fields, optionally create a lookup filter to limit search results for the field. Not available for external objects.
11. Click Next.
12. In Enterprise, Unlimited, Performance, and Developer Editions, specify the fields access settings for each profile, and click Next.
Enabled SettingsAccess Level
VisibleUsers can read and edit the field.
Visible and Read-OnlyUsers can read but not edit the field.
NoneUsers cant read or edit the field.
Note:
When you create a custom field, by default the field isnt visible or editable for portal profiles, unless the field is universally
required.
13. Choose the page layouts that will display the editable field and click Next.
Location on Page LayoutField
Last field in the first two-column section.Normal
End of the first one-column section.Long text area
Bottom of the user detail page.User
Cant remove it from page layouts or make read only.Universally required
14. For relationship fields, optionally create an associated records related list and add it to page layouts for that object.
To edit the related list name on page layouts, click Related List Label and enter the new name.
114
Field-Level SecuritySalesforce Security Guide
To add the related list to customized page layouts, select Append related list to users’ existing personal
customizations.
15. Click Save to finish or Save & New to create more custom fields.
Note: Creating fields may require changing a large number of records at once. To process these changes efficiently, your request
may be queued and you may receive an email notification when the process has completed.
SEE ALSO:
Salesforce Help: Find Object Management Settings
Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Account, asset, and contact
sharing rules are available
in: Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Account territory, case, lead,
opportunity, order, and
custom object sharing rules
are available in: Enterprise,
Performance, Unlimited,
and Developer Editions
Campaign sharing rules are
available in Enterprise,
Performance, Unlimited,
and Developer Editions and
in Professional Edition for an
additional cost
Record types are available
in Professional, Enterprise,
Performance, Unlimited,
and Developer Editions
Make automatic exceptions to your organization-wide sharing settings for defined sets of users.
Note: Who Sees What: Record Access via Sharing Rules (English only)
Watch how you can grant access to records using sharing rules.
For example, use sharing rules to extend sharing access to users in public groups, roles, or territories.
Sharing rules can never be stricter than your organization-wide default settings. They simply allow
greater access for particular users.
You can create these types of sharing rules.
Set Default Sharing
Access for
Based onType
Accounts and their associated
contracts, opportunities, cases,
and optionally, contacts and
orders
Account owner or other criteria,
including account record types
or field values
Account sharing rules
Accounts and their associated
cases, contacts, contracts, and
opportunities
Territory assignmentAccount territory sharing rules
Individual assetsAsset owner or other criteria,
including asset record types or
field values
Asset sharing rules
Individual campaignsCampaign owner or other
criteria, including campaign
record types or field values
Campaign sharing rules
Individual cases and associated
accounts
Case owner or other criteria,
including case record types or
field values
Case sharing rules
Individual contacts and
associated accounts
Contact owner or other criteria,
including contact record types
or field values
Contact sharing rules
115
Sharing RulesSalesforce Security Guide
Set Default Sharing Access forBased onType
Individual custom object recordsCustom object owner or other criteria,
including custom object record types or
field values
Custom object sharing rules
Individual data privacy recordsData privacy record owner or other criteria,
including field values. Data privacy records
are based on the Individual object.
Data privacy sharing rules
Individual flow interviewsFlow interview owner or other criteria, such
as the pause reason
Flow interview sharing rules
Individual leadsLead owner or other criteria, including lead
record types or field values
Lead sharing rules
Individual locationsLocation owner or other criteriaLocation sharing rules
Individual opportunities and their associated
accounts
Opportunity owner or other criteria,
including opportunity record types or field
values
Opportunity sharing rules
Individual ordersOrder owner or other criteria, including
order record types or field values
Order sharing rules
Individual product itemsProduct item owner or other criteriaProduct item sharing rules
Individual product requestsProduct request owner only; criteria-based
sharing rules arent available
Product request sharing rules
Individual product transfersProduct transfer owner only; criteria-based
sharing rules arent available
Product transfer sharing rules
Individual return ordersReturn order owner or other criteriaReturn order sharing rules
Individual service appointmentsService appointment owner or other criteriaService appointment sharing rules
Individual service contractsService contract owner only; criteria-based
sharing rules arent available
Service contract sharing rules
Individual service crewsService crew owner only; criteria-based
sharing rules arent available
Service crew sharing rules
Individual service resourcesService resource owner or other criteriaService resource sharing rules
Individual service territoriesService territory owner or other criteriaService territory sharing rules
Individual shipmentsShipment owner only; criteria-based sharing
rules arent available
Shipment sharing rules
Individual time sheetsTime sheet owner only; criteria-based
sharing rules arent available
Time sheet sharing rules
Individual usersGroup membership or other criteria,
including username and whether the user
is active
User sharing rules
116
Sharing RulesSalesforce Security Guide
Set Default Sharing Access forBased onType
Individual user provisioning requestsUser provisioning request owner, only;
criteria-based sharing rules arent available
User provisioning request sharing rules
Individual work ordersWork order owner or other criteria, including
work order record types or field values
Work order sharing rules
Individual work typesWork type owner or other criteriaWork type sharing rules
Note:
You cant include high-volume portal users in sharing rules because they dont have roles and cant be in public groups.
Developers can use Apex to programmatically share custom objects (based on record owners, but not other criteria). This does
not apply to User Sharing.
IN THIS SECTION:
Criteria-Based Sharing Rules
Creating Lead Sharing Rules
Creating Account Sharing Rules
Create Account Territory Sharing Rules
Account territory sharing rules are based on territory assignment. You can define up to 300 account territory sharing rules.
Create Contact Sharing Rules
Make automatic exceptions to your contact organization-wide sharing settings for defined sets of users.
Creating Opportunity Sharing Rules
Creating Case Sharing Rules
Creating Campaign Sharing Rules
Creating Custom Object Sharing Rules
Creating User Sharing Rules
Share members of a group to members of another group, or share users based on criteria.
Sharing Rule Categories
Editing Lead Sharing Rules
Editing Account Sharing Rules
Editing Account Territory Sharing Rules
Editing Contact Sharing Rules
Editing Opportunity Sharing Rules
Editing Case Sharing Rules
Editing Campaign Sharing Rules
Editing Custom Object Sharing Rules
Editing User Sharing Rules
Sharing Rule Considerations
117
Sharing RulesSalesforce Security Guide
Recalculate Sharing Rules
When you make changes to groups, roles, and territories, sharing rules are reevaluated to add or remove access as necessary.
Asynchronous Parallel Recalculation of Sharing Rules
Speed up sharing rule recalculation by running it asynchronously and in parallel.
Criteria-Based Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, Developer, and
Database.com Editions
Accounts, Opportunities,
Cases, Contacts, and record
types are not available in
Database.com
Criteria-based sharing rules determine whom to share records with based on field values in records.
For example, lets say you use a custom object for job applications, with a custom picklist field
named Department. A criteria-based sharing rule could share all job applications in which the
Department field is set to IT with all IT managers in your organization.
Note:
Although criteria-based sharing rules are based on values in the records and not the
record owners, a role or territory hierarchy still allows users higher in the hierarchy to
access the records.
You cant use Apex to create criteria-based sharing rules. Also, criteria-based sharing
cannot be tested using Apex.
You can use the SharingRules type in the Metadata API to create criteria-based sharing
rules starting in API version 24.0.
You cant include high-volume portal users in sharing rules because they dont have roles
and cant be in public groups.
You can create criteria-based sharing rules for accounts, assets, opportunities, cases, contacts, leads,
campaigns, work orders, and custom objects. You can create up to 50 criteria-based sharing rules per object.
Record types
These field types:
Auto Number
Checkbox
Date
Date/Time
Email
Number
Percent
Phone
Picklist
Text
Text Area
URL
Lookup Relationship (to user ID or queue ID)
Note: Text and Text Area are case-sensitive. For example, a criteria-based sharing rule that specifies Manager in a text field
doesnt share records that have manager in the field. To create a rule with several common cases of a word, enter each value
separated by a comma.
118
Sharing RulesSalesforce Security Guide
Creating Lead Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Lead sharing rules are based on the record owner or on other criteria, including record type and
certain field values. You can define up to 300 lead sharing rules, including up to 50 criteria-based
sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Lead Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the users whose records will be shared:
select a category from the first drop-down list and a set of users from the second drop-down list (or lookup field, if your organization
has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
10. Click Save.
119
Sharing RulesSalesforce Security Guide
Creating Account Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Account sharing rules can be based on the record owner or on other criteria, including record type
and certain field values. You can define up to 300 account sharing rules, including up to 50
criteria-based sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Account Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the
users whose records will be shared: select a category from the first drop-down list and a set of users from the second drop-down
list (or lookup field, if your organization has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select a setting for Default Account, Contract and Asset Access.
10. In the remaining fields, select the access settings for the records associated with the shared accounts.
DescriptionAccess Setting
Users cant view or update records, unless access is granted
outside of this sharing rule.
Private
(available for associated contacts, opportunities, and cases only)
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
Note: Contact Access is not available when the organization-wide default for contacts is set to Controlled by Parent.
11. Click Save.
120
Sharing RulesSalesforce Security Guide
Create Account Territory Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Account territory sharing rules are based on territory assignment. You can define up to 300 account
territory sharing rules.
Note: The original territory management feature is scheduled for retirement for all customers
as of Summer 20. After the feature is retired, users cant access the original territory
management feature and its underlying data. We encourage you to migrate to Enterprise
Territory Management. For more information, see The Original Territory Management Module
Will Be Retired in the Summer 20 Release. The information in this topic applies to the original
Territory Management feature only, and not to Enterprise Territory Management.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Account Territory Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to 1000 characters.
6. In the Accounts in Territory line, select Territories or Territories and Subordinates from the first dropdown list and a territory from
the second dropdown list.
7. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
8. Select a setting for Default Account, Contract and Asset Access.
9. In the remaining fields, select the access setting for the records associated with the shared account territories.
DescriptionAccess Setting
Users cant view or update records, unless access is granted
outside of this sharing rule.
Private
(available for associated contacts, opportunities, and cases only)
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
Note: Contact Access is not available when the organization-wide default for contacts is set to Controlled by Parent.
10. Click Save.
121
Sharing RulesSalesforce Security Guide
Create Contact Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Make automatic exceptions to your contact organization-wide sharing settings for defined sets of
users.
Contact sharing rules can be based on the record owner or on other criteria, including record type
and certain field values. You can define up to 300 contact sharing rules, including up to 50
criteria-based sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Contact Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the users whose records will be shared:
select a category from the first drop-down list and a set of users from the second drop-down list (or lookup field, if your organization
has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
10. Click Save.
122
Sharing RulesSalesforce Security Guide
Creating Opportunity Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Opportunity sharing rules can be based on the record owner or on other criteria, including record
type and certain field values. You can define up to 300 opportunity sharing rules, including up to
50 criteria-based sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Opportunity Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the users whose records will be shared:
select a category from the first drop-down list and a set of users from the second drop-down list (or lookup field, if your organization
has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users. For owner-based rules or criteria-based rules with ownership as criteria, the Opportunity
Access level applies to opportunities owned by the group, role, or territory members, regardless of the associated account.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
10. Click Save.
123
Sharing RulesSalesforce Security Guide
Creating Case Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Case sharing rules can be based on the record owner or on other criteria, including record type and
certain field values. You can define up to 300 case sharing rules, including up to 50 criteria-based
sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Case Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the users whose records will be shared:
select a category from the first drop-down list and a set of users from the second drop-down list (or lookup field, if your organization
has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
10. Click Save.
124
Sharing RulesSalesforce Security Guide
Creating Campaign Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs)
Available in: Professional
Edition for an additional cost,
and Enterprise,
Performance, Unlimited,
and Developer Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Campaign sharing rules can be based on the record owner or on other criteria, including record
type and certain field values. You can define up to 300 campaign sharing rules, including up to 50
criteria-based sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Campaign Sharing Rules related list, click New.
4. Enter the Label Name and Rule Name. The Label is the sharing rule label as it appears on the
user interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the
users whose records will be shared: select a category from the first drop-down list and a set of users from the second drop-down
list (or lookup field, if your organization has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
Any user in the selected group, role, or territory can view, edit, transfer, delete, and
share the record, just like the records owner.
With a Full Access sharing rule, users can also view, edit, delete, and close activities
associated with the record if the organization-wide sharing setting for activities is
Controlled by Parent.
Full Access
10. Click Save.
125
Sharing RulesSalesforce Security Guide
Creating Custom Object Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Enterprise,
Performance, Unlimited,
Developer, and
Database.com Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Custom object sharing rules can be based on the record owner or on other criteria, including record
type and certain field values. You can define up to 300 custom object sharing rules, including up
to 50 criteria-based sharing rules.
1. If you plan to include public groups in your sharing rule, confirm that the appropriate groups
have been created.
2. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
3. In the Sharing Rules related list for the custom object, click New.
4. Enter the Label and Rule Name. The Label is the sharing rule label as it appears on the user
interface. The Rule Name is a unique name used by the API and managed packages.
5. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
6. Select a rule type.
7. Depending on the rule type you selected, do the following:
Based on record ownerIn the owned by members of line, specify the
users whose records will be shared: select a category from the first drop-down list and a set of users from the second drop-down
list (or lookup field, if your organization has over 200 queues, groups, roles, or territories).
Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a literal number or string. Click Add Filter Logic...
to change the default AND relationship between each filter.
Note: To use a field thats not supported by criteria-based sharing rules, you can create a workflow rule or Apex trigger
to copy the value of the field into a text or numeric field, and use that field as the criterion.
8. In the Share with line, specify the users who get access to the data: select a category from the first drop-down list and a set of
users from the second drop-down list or lookup field.
9. Select the sharing access setting for users.
DescriptionAccess Setting
Users can view, but not update, records.Read Only
Users can view and update records.Read/Write
10. Click Save.
126
Sharing RulesSalesforce Security Guide
Creating User Sharing Rules
EDITIONS
Available in: Salesforce
Classic (not available in all
orgs) and Lightning
Experience
Available in: Professional,
Enterprise, Performance,
Unlimited, and Developer
Editions
USER PERMISSIONS
To create sharing rules:
Manage Sharing
Share members of a group to members of another group, or share users based on criteria.
User sharing rules can be based on membership to public groups, roles, or territories, or on other
criteria such as Department and Title. By default, you can define up to 300 user sharing rules,
including up to 50 criteria-based sharing rules. Contact Salesforce for information about increasing
these limits.
User sharing rules based on membership enable user records belonging to members of one group
to be shared with members of another group. Before you can create a membership-based user
sharing rule, confirm that the appropriate groups have been created.
Users inherit the same access as users below them in the role hierarchy.
1. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing
Settings.
2. In the User Sharing Rules related list, click New.
3. Enter the Label Name and click the Rule Name field to auto-populate it.
4. Enter the Description. This field describes the sharing rule. It is optional and can contain up to
1000 characters.
5. Select a rule type.
6. Depending on the rule type you selected, do the following:
a. Based on group membershipUsers who are members of a group can be shared with members of another group.
In the Users who are members of line, select a category from the first drop-down list and a set of users from the
second drop-down list (or lookup field, if your organization has over 200 groups, roles, or territories).
b. Based on criteriaSpecify the Field, Operator, and Value criteria that records must match to be included in the sharing
rule. The fields available depend on the object selected, and the value is always a l