salesforce_security_impl_guide

More documents

Recommendations

Info

Securing and Sharing Data Restricting Login IP Ranges in the Enhanced Profile User Interface • Partner Portal and Customer Portal users aren’t required to activate computers to log in. • For more information on API login faults, see the Core Data Types Used in API Calls topic in the SOAP API Developer's Guide. • If single sign-on is enabled for your organization, API and desktop client users can’t log into Salesforce unless their IP address is included on your organization’s list of trusted IP addresses or on their profile, if their profile has IP address restrictions set. Futhermore, the single sign-on authority usually handles login lockout policies for users with the “Is Single Sign-On Enabled” permission. However, if the security token is enabled for your organization, then your organization’s login lockout settings determine the number of times a user can attempt to log in with an invalid security token before being locked out of Salesforce. • These events count toward the number of times a user can attempt to log in with an invalid password before being locked out of Salesforce, as defined in your organization’s login lockout settings: – Each time a user is prompted to confirm his or her identity (when a user clicks Email me a verification code for example) – Each time a user incorrectly adds the security token or time-based token to the end of their password to log into the API or a client Restricting Login IP Ranges in the Enhanced Profile User Interface You can control login access on a user’s profile by specifying a range of IP addresses. When you define IP address restrictions for a profile, any login from a restricted IP address is denied. 1. From Setup, click Manage Users > Profiles. 2. Select a profile and click its name. 3. In the profile overview page, click Login IP Ranges. 4. Use any of these methods to change login IP address ranges for the profile. • If you want to add ranges, click Add IP Ranges. Enter a valid IP address in the IP Start Address and a higher IP address in the IP End Address field. The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only 125.12.3.0, enter 125.12.3.0 as both the start and end addresses. • If you want to edit or remove ranges, click Edit or Delete for that range. • Optionally, enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range. EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer • Database.com USER PERMISSIONS To view login IP ranges: • “View Setup and Configuration” To edit and delete login IP ranges: • “Manage Profiles and Permission Sets” Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff , where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations from the Spring ’12 release and later. Important: • Partner User profiles are limited to 5 IP addresses. If you want to increase this limit, contact salesforce.com. • The Salesforce Classic app can bypass IP range definitions set up for profiles. Salesforce Classic initiates a secure connection to Salesforce over the mobile carrier’s network, but the mobile carrier’s IP addresses might be outside of the IP ranges allowed on the user’s profile. To prevent bypassing IP definitions set on a user’s profile, “disable Salesforce Classic” in the Salesforce Help for that user. 42
Securing and Sharing Data Restricting Login IP Addresses in the Original Profile User Interface Restricting Login IP Addresses in the Original Profile User Interface You can control login access on a user’s profile by specifying a range of IP addresses. When you define IP address restrictions for a profile, any login from a restricted IP address is denied. 1. The procedure you use to restrict the range of valid IP addresses on profiles depends on your Edition: • If you’re using Enterprise, Unlimited, Performance, or Developer editions, from Setup, click Manage Users > Profiles, and select a profile. • If you’re using Professional, Group, or Personal editions, from Setup, click Security Controls > Session Settings. 2. Click New in the Login IP Ranges related list. 3. Enter a valid IP address in the IP Start Address and a higher IP address in the IP End Address field. The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only 125.12.3.0, enter 125.12.3.0 as both the start and end addresses. EDITIONS • Partner User profiles are limited to 5 IP addresses. If you want to increase this limit, contact salesforce.com. Available in all editions USER PERMISSIONS To view login IP ranges: • “View Setup and Configuration” To edit and delete login IP ranges: • “Manage Profiles and Permission Sets” • The Salesforce Classic app can bypass IP range definitions set up for profiles. Salesforce Classic initiates a secure connection to Salesforce over the mobile carrier’s network, but the mobile carrier’s IP addresses might be outside of the IP ranges allowed on the user’s profile. To prevent bypassing IP definitions set on a user’s profile, “disable Salesforce Classic” in the Salesforce Help for that user. 4. Optionally, enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range. 5. Click Save. Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff , where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations from the Spring ’12 release and later. Note: Cache settings on static resources are set to private when accessed via a Force.com site whose guest user's profile has restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser. Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce cache and any intermediate caches. 43
Page 1 and 2: Security Implementation Guide Versi
Page 3 and 4: CONTENTS Chapter 1: Security Overvi
Page 5 and 6: Contents Editing Lead Sharing Rules
Page 7 and 8: CHAPTER 1 Security Overview Salesfo
Page 9 and 10: Security Overview User Security Ove
Page 11 and 12: Security Overview Custom Permission
Page 13 and 14: Security Overview CAPTCHA Security
Page 15 and 16: Security Overview Auditing • Role
Page 17 and 18: Securing and Sharing Data Revoking
Page 19 and 20: Securing and Sharing Data Viewing P
Page 21 and 22: Securing and Sharing Data Cloning P
Page 23 and 24: Securing and Sharing Data App and S
Page 25 and 26: Securing and Sharing Data Working w
Page 27 and 28: Securing and Sharing Data Enable Cu
Page 29 and 30: Securing and Sharing Data Assigning
Page 31 and 32: Securing and Sharing Data Creating
Page 33 and 34: Securing and Sharing Data Editing P
Page 35 and 36: Securing and Sharing Data Searching
Page 37 and 38: Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47: Securing and Sharing Data Setting L
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 67 and 68: Securing and Sharing Data Editing L
Page 69 and 70: Securing and Sharing Data Editing C
Page 71 and 72: Securing and Sharing Data Editing C
Page 73 and 74: Securing and Sharing Data Sharing R
Page 75 and 76: Securing and Sharing Data User Shar
Page 77 and 78: Securing and Sharing Data Sharing U
Page 81 and 82: Securing and Sharing Data Viewing A
Page 83 and 84: Securing and Sharing Data Granting
Page 85 and 86: Configuring Salesforce Security Fea
Page 95 and 96: CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98: Enabling Single Sign-On • Before
Page 99 and 100:
Monitoring Your Organization's Secu
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Security Tips for Apex and Visualfo
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
INDEX A Access about 10 revoking 11
Page 115 and 116:
Index Profiles (continued) object p
show all

salesforce_security_impl_guide

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?