salesforce_security_impl_guide

More documents

Recommendations

Info

Securing and Sharing Data Viewing and Editing Desktop Client Access in the Original Profile User Interface Viewing and Editing Desktop Client Access in the Original Profile User Interface Connect for Outlook, Connect Offline, Connect for Office, and Connect for Lotus Notes are desktop clients that integrate Salesforce with your PC. As an administrator, you can control which desktop clients your users can access as well as whether users are automatically notified when updates are available. Note: To access desktop clients, users must also have the “API Enabled” permission. 1. From Setup, click Manage Users > Profiles. 2. Click Edit next to a profile name, and scroll to the Desktop Integration Clients section at the bottom of the page. EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer USER PERMISSIONS To view desktop client access settings: • “View Setup and Configuration” To edit desktop client access settings: • “Manage Profiles and Permission Sets” Setting Login Restrictions To help protect your organization’s data against unauthorized access, you have several options for setting login restrictions. Login Hours For each profile, you can set the hours when users can log in. See: • Viewing and Editing Login Hours in the Enhanced Profile User Interface • Viewing and Editing Login Hours in the Original Profile User Interface EDITIONS Available in all editions Two-Factor Authentication for User Interface Logins For each profile, you can require users to enter a time-based token as a second form of authentication when they log in via the user interface. See Setting Two-Factor Authentication Login Requirements on page 87. Two-Factor Authentication for API Logins For each profile, you can allow the use of a time-based token to access the service instead of the standard security token. If users add a time-based token to their account and this permission is enabled, they must use this token instead of the standard security token whenever it’s requested, such as when resetting the account’s password. See “Using Time-Based Tokens to Access the API” in the Salesforce Help. Login IP Address Ranges For each profile, you can set the IP addresses from which users can log in. See: • Restricting Login IP Ranges in the Enhanced Profile User Interface • Restricting Login IP Addresses in the Original Profile User Interface 40
Securing and Sharing Data Setting Login Restrictions Organization-Wide Trusted IP Address List For all users, you can set a list of IP address ranges from which they can always log in without receiving a login challenge. See Restricting Login To Trusted IP Ranges for Your Organization. When users log in to Salesforce, either via the user interface, the API, or a desktop client such as Connect for Outlook, Salesforce for Outlook, Connect Offline, Connect for Office, Connect for Lotus Notes, or the Data Loader, Salesforce confirms that the login is authorized as follows: 1. Salesforce checks whether the user’s profile has login hour restrictions. If login hour restrictions are specified for the user’s profile, any login outside the specified hours is denied. 2. If the user has the “Two-Factor Authentication for User Interface Logins” permission, Salesforce prompts the user for a time-based token (which the user may also be prompted to create if it hasn’t already been added to the account) upon logging in. 3. If the user has the “Two-Factor Authentication for API Logins” permission and a time-based token has been added to the account, Salesforce returns an error if a time-based token is not used to access the service in place of the standard security token. 4. Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, any login from an undesignated IP address is denied, and any login from a specified IP address is allowed. 5. If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from an IP address they have not used to access Salesforce before: • If the user’s login is from a browser that includes a Salesforce cookie, the login is allowed. The browser will have the Salesforce cookie if the user has previously used that browser to log in to Salesforce, and has not cleared the browser cookies. • If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed. • If the user’s login is from neither a trusted IP address nor a browser with a Salesforce cookie, the login is blocked. Whenever a login is blocked or returns an API login fault, Salesforce must verify the user’s identity: • For access via the user interface, the user is prompted toenter a token (also called a verification code) to confirm the user’s identity. Note: Users aren’t asked for a verification code the first time they log in to Salesforce. • For access via the API or a client, users must add their security token (or time-based token if Two-Factor Authentication on API Logins is set on the user’s profile and the user has added a time-based token to his or her account) to the end of their password in order to log in. A security token is an automatically-generated key from Salesforce. For example, if a user’s password is mypassword , and the security token is XXXXXXXXXX , then the user must enter mypasswordXXXXXXXXXX to log in. Users can obtain their security token by changing their password or resetting their security token via the Salesforce user interface. When a user changes their password or resets their security token, Salesforce sends a new security token to the email address on the user’s Salesforce record. The security token is valid until a user resets their security token, changes their password, or has their password reset. Tip: We recommend that you obtain your security token using the Salesforce user interface from a trusted network prior to attempting to access Salesforce from a new IP address. Tips on Setting Login Restrictions Consider the following when setting login restrictions: • When a user’s password is changed, the security token is automatically reset. The user may experience a blocked login until he or she adds the automatically-generated security token to the end of his or her password when logging in to Salesforce via the API or a client. 41
Page 1 and 2: Security Implementation Guide Versi
Page 3 and 4: CONTENTS Chapter 1: Security Overvi
Page 5 and 6: Contents Editing Lead Sharing Rules
Page 7 and 8: CHAPTER 1 Security Overview Salesfo
Page 9 and 10: Security Overview User Security Ove
Page 11 and 12: Security Overview Custom Permission
Page 13 and 14: Security Overview CAPTCHA Security
Page 15 and 16: Security Overview Auditing • Role
Page 17 and 18: Securing and Sharing Data Revoking
Page 19 and 20: Securing and Sharing Data Viewing P
Page 21 and 22: Securing and Sharing Data Cloning P
Page 23 and 24: Securing and Sharing Data App and S
Page 25 and 26: Securing and Sharing Data Working w
Page 27 and 28: Securing and Sharing Data Enable Cu
Page 29 and 30: Securing and Sharing Data Assigning
Page 31 and 32: Securing and Sharing Data Creating
Page 33 and 34: Securing and Sharing Data Editing P
Page 35 and 36: Securing and Sharing Data Searching
Page 37 and 38: Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45: Securing and Sharing Data Working w
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 67 and 68: Securing and Sharing Data Editing L
Page 69 and 70: Securing and Sharing Data Editing C
Page 71 and 72: Securing and Sharing Data Editing C
Page 73 and 74: Securing and Sharing Data Sharing R
Page 75 and 76: Securing and Sharing Data User Shar
Page 77 and 78: Securing and Sharing Data Sharing U
Page 81 and 82: Securing and Sharing Data Viewing A
Page 83 and 84: Securing and Sharing Data Granting
Page 85 and 86: Configuring Salesforce Security Fea
Page 95 and 96: CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98:
Enabling Single Sign-On • Before
Page 99 and 100:
Monitoring Your Organization's Secu
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Security Tips for Apex and Visualfo
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
INDEX A Access about 10 revoking 11
Page 115 and 116:
Index Profiles (continued) object p
show all

salesforce_security_impl_guide

Create successful ePaper yourself

Delete template?

Save as template?