Salesforce CRM - The Definitive Admin Handbook

You're reading from   Salesforce CRM - The Definitive Admin Handbook A Deep-dive into the working of Salesforce CRM

Product type Paperback
Published in Dec 2016
Publisher Packt
ISBN-13 9781786468963
Length 644 pages
Edition 4th Edition
Author (1): Paul Goodey

User login and authorization

Organizations have several methods of accessing the Salesforce CRM application. Access can be gained from the user interface (using a web browser), the API (for example, using an integrated client application or the Apex Data Loader), a desktop client (for example, Salesforce for Outlook), or from a mobile client application.

Whenever a login attempt is made to Salesforce using any of these methods, the user's login request is authorized by the system using the following sequence of checks:

  • Does the user's profile have any login restrictions?
  • Does the user's IP address appear within the organization's trusted IP address list?
  • Has the user been activated from this IP address before?
  • Does the user's web browser have a valid browser cookie from Salesforce stored?

If the user's login is from neither a trusted IP address nor a browser with a valid Salesforce cookie, the login is denied. To gain access to Salesforce, the user's identity must be confirmed by successfully completing the computer activation process.

Now let's look at each of these login checks in more detail.

Does the user's profile have any login restrictions?

Login hours and IP address restrictions can be set for the user's profile. If these are set and there are login attempts from a user outside the specified hours or from an unknown IP address, access is denied.

Login hour restrictions

If login hour restrictions are set for the user's profile, any login attempt outside the specified hours is denied.

  1. To go to the Profile menu, navigate to Setup | Manage Users | Profiles. Now choose a profile, select the Login Hours link, and then click Edit.

    Set the days and hours when users with this profile can log in to Salesforce.com.

    Note

    The login hours that are set are based on the default time zone of the organization, as described later in this chapter.

  2. Navigate to Setup | Company Profile | Company Information, click the Edit button, and select the required time zone from the Default Time Zone picklist.

    The login hours that are set apply strictly to that exact time, even if a user has a different personal time zone or if the organization's default time zone is changed.

  3. To allow users to log in at any time, click on Clear times as shown in the following screenshot:

    [Screenshot: Login hour restrictions]

    Note

    To prevent users from accessing the system on a specific day (say, to carry out internal system maintenance), set the Start Time and End Time to the same value. For example, you could set the Start Time to 8:00 AM and End Time to 8:00 AM (as in the Saturday and Sunday example setting in the previous screenshot).

IP address restrictions

If IP address restrictions are defined for the user's profile, any login attempt from an unknown IP address is denied.

To restrict the range of valid IP addresses through the Profile menu, navigate to Setup | Manage Users | Profiles. Now choose a profile, select the Login IP Ranges link, and then click Add IP Ranges.

Enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.

The start and end addresses specify the range of IP addresses from which users can log in. To allow a login from a single IP address, enter the same address in both fields.

For example, to allow a login from only 88.110.54.113, enter 88.110.54.113 as both the start and end IP addresses as shown in the following screenshot:

[Screenshot: IP address restrictions]

Does the user's IP address appear within your organization's trusted IP address list?

This check is performed if profile-based IP address restrictions are not set.

If the user's login is from an IP address listed in your organization's trusted IP address list, the login is allowed.

Trusted IP range

To go to the Trusted IP range settings, navigate to Setup | Security Controls | Network Access.

Click on New and enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.

The start and end addresses specify the range of IP addresses from which users can log in. To allow a login from a single IP address, enter the same address in both fields.

For example, to allow a login from only 88.110.54.100, enter 88.110.54.105 as both the start and end addresses as shown in the following screenshot:

[Screenshot: Trusted IP range]

Has the user been activated from this IP address before?

Each user has a list of IP addresses from which they've been activated. If the user has previously been activated from this IP address, then this IP address is added to the user's personal list.

To view and remove the login IP addresses that have been recorded by your users, go to Setup | Security Controls | Activations.

To remove an Activated Login IP, click the checkbox and then click the Remove button, as shown in the following screenshot:

[Screenshot: Activated login IP addresses]


Does the user's web browser have a valid cookie stored from Salesforce?

A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. Whenever you visit the website again, the cookie allows that site to recognize your web browser.

The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce and has not cleared the browser cookies.

So, if the user's login is from a browser that includes a Salesforce.com cookie, the login is allowed.
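The sequence of checks described above can be modelled as a small decision function. This is an added example, not code from the book or from Salesforce; the Profile class, the authorize function, the exclusive end time, and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address


def in_ranges(ip, ranges):
    """True if ip is inside any inclusive (start, end) pair; start == end is one address."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)


@dataclass
class Profile:  # hypothetical model of the two profile-level login restrictions
    login_hours: dict = field(default_factory=dict)       # weekday (0=Mon) -> (start, end)
    login_ip_ranges: list = field(default_factory=list)   # [(start_ip, end_ip), ...]


def authorize(profile, org_tz, trusted_ranges, activated_ips, has_cookie, ip, when_utc):
    """Return 'allow', 'deny', or 'verify' (blocked until computer activation)."""
    local = when_utc.astimezone(org_tz)      # hours are judged in the org default time zone
    hours = profile.login_hours.get(local.weekday())
    if hours is not None:
        start, end = hours
        # Equal start and end blocks the whole day; end treated as exclusive (assumption).
        if start == end or not (start <= local.time() < end):
            return "deny"
    if profile.login_ip_ranges:              # when set, the trusted-list check is skipped
        return "allow" if in_ranges(ip, profile.login_ip_ranges) else "deny"
    if in_ranges(ip, trusted_ranges) or ip in activated_ips or has_cookie:
        return "allow"
    return "verify"


# Constructed sample data: fixed UTC-8 offset stands in for the org default time zone.
ORG_TZ = timezone(timedelta(hours=-8))
WEEK = {d: (time(8), time(18)) for d in range(5)}
WEEK.update({5: (time(8), time(8)), 6: (time(8), time(8))})   # weekend blocked
RESTRICTED = Profile(WEEK, [("88.110.54.113", "88.110.54.113")])
OPEN = Profile()
TRUSTED = [("88.110.54.100", "88.110.54.105")]

if __name__ == "__main__":
    fri_local = datetime(2016, 12, 3, 1, 0, tzinfo=timezone.utc)   # Friday 17:00 in ORG_TZ
    print(authorize(RESTRICTED, ORG_TZ, [], set(), False, "88.110.54.113", fri_local))
    print(authorize(OPEN, ORG_TZ, TRUSTED, set(), False, "203.0.113.7", fri_local))
```

The sample timestamp is already Saturday in UTC but still Friday afternoon in the organization's time zone, so the weekend block does not apply to it.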

Computer activation process

If the user's login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is denied and becomes blocked, and Salesforce must verify the user's identity.

A trusted, genuine user can access the Salesforce CRM application using the following means:

  • User interface (using a web browser)
  • API (for example, using an integrated client application or the Apex Data Loader)
  • Desktop client (for example, Salesforce for Outlook)

User interface

For access through the user interface for the first time, the user is prompted to select how they would like to receive the verification code. Here, the verification code can be received by either an SMS text message or an e-mail message depending on whether the company-wide SMS-based identity confirmation is enabled.

Note

For new organizations, an SMS text message is the default method for the computer activation process and can only be disabled by a request to Salesforce support. For existing organizations, SMS text message activation can be enabled by you as the system administrator, but once enabled, a request to Salesforce support is required to deactivate it.

SMS text message verification code

Receiving the SMS text message verification code requires the SMS-Based Identity Confirmation setting to be enabled (since Spring '14, it has been enabled by default). This feature enables users to receive a one-time PIN delivered via SMS. This is set by navigating to Setup | Security Controls | Session Settings and then enabling Enable SMS-Based Identity Confirmation.

Once enabled, users must verify their mobile phone number before taking advantage of this feature, which presents the following screen:

[Screenshot: SMS text message verification code]

Email message verification code

To receive an email verification code, users must have the setting Email-Based Identity Confirmation Option enabled on their profile or included as a permission set.

Note

The Email-Based Identity Confirmation option is only available to set if the Enable SMS-Based Identity Confirmation option is enabled.

Once enabled, and if verification is required, users will automatically receive an activation e-mail at the address specified in the user's Salesforce user record. Users are notified within Salesforce and can enter the verification code as shown in the following screenshot:

[Screenshot: Email message verification code prompt]

Salesforce sends the verification code e-mail to the e-mail address associated with the user's record in Salesforce. Here, the following screenshot shows an e-mail example:

[Screenshot: Email message verification code e-mail]

The e-mail instructs the user to enter the verification code into the browser window, which activates the device for verified login into the Salesforce CRM platform.

The activation code within the e-mail is valid for up to 24 hours from the time the E-mail me a verification code button was clicked. After 24 hours, the activation link will expire and the user must repeat the activation process.

Confusion can occur if your company has remote users that connect to Salesforce away from the company network, such as from home or from public Internet connections. Remote users are likely to have dynamically assigned IP addresses set as their computer identity. Because of this, whenever they attempt to log in, Salesforce will identify it as an unknown IP address, prompt for verification, and the remote user will have to re-verify the device.

The remote user will then have to access the e-mail associated with their Salesforce user record to retrieve the activation e-mail, and it is here where confusion can occur. If the remote user has to access corporate web e-mail using a Virtual Private Network (VPN) connection, clicking the activation link may not work because the IP address that is being validated may no longer be the same IP address used by the browser. This is because the VPN connection is likely to be using a web proxy.

Note

It is recommended that you establish a policy to ensure that the user verifies the login while connected to the VPN, or can access non-VPN-based web mail (if this is permitted in your company) to ensure that the validated IP addresses are the same.

(This is covered in more detail in the Session settings section in Chapter 2, Managing Users and Controlling System Access.)

API or a desktop client

For access using the API or a desktop client (for example, using the Apex Data Loader), the user must add their security token at the end of the password in order to log in. A security token is an automatically generated key from Salesforce. For example, if a user's password is pa$$word, and their security token is XXXXXX, then the user must enter pa$$wordXXXXXX.

Users can obtain their security token by changing their password, or by resetting their security token via the Salesforce.com user interface by navigating to Your Name | My Settings | Personal | Reset My Security Token and then clicking on the Reset Security Token button.

When a user changes their password or resets their security token, Salesforce sends a new security token to the e-mail address associated with their Salesforce user record. The security token is valid until a user resets their security token, changes their password, or has their password reset by a system administrator.

Tip

Do not enter a security token within your password when accessing Salesforce from a web browser. It is recommended that you obtain your security token via the Salesforce user interface from a trusted network prior to attempting access from a new IP address. When a user's password is changed, the user's security token is automatically reset. The user will experience a blocked login until they add the security token to the end of their password or enter the new password after you have added their IP address to the organization's trusted IP range.
