User Setup & Login Process – Free

101 thoughts on “User Setup & Login Process – Free”

  1. Hi John,
    I am in my developer org as sysAdmin, and went to create a queue (Setup | Queues) to try queues out. But there is no button to create a queue.
    Any idea why this would be? I checked the System Administrator profile and the three items Salesforce has documented are all checked.

    Thanks,
    Hank

    1. Hi Nikhil,

      That historically was the case, although the documentation isn’t crystal clear (if login ip ranges inherently are counted as trusted… seems yes):

      Salesforce then checks whether the user’s profile has IP address restrictions. If IP address restrictions are defined for the user’s profile, logins from an undesignated IP address are denied, and logins from a specified IP address are allowed. If the Enforce login IP ranges on every request session setting is enabled, the IP address restrictions are enforced for each page request, including requests from client applications.
      If profile-based IP address restrictions are not set, Salesforce checks whether the user is logging in from a device used to access Salesforce before.
      If the user’s login is from a device and browser that Salesforce recognizes, the login is allowed.
      If the user’s login is from an IP address in your organization’s trusted IP address list, the login is allowed.
      If the user’s login is not from a trusted IP address or a device and browser Salesforce recognizes, the login is blocked.

      https://help.salesforce.com/articleView?id=admin_loginrestrict.htm&language=en_US&type=0

      1. What I am still struggling to understand is the scenario below.

        1. If I set up a login range against an X profile, let’s say 10.1.1.1 – 10.1.1.5
        2. I set up a trusted IP range of 10.1.1.11-10.11.15
        3. Now a user with profile X logs in from IP 10.1.1.11; will he be allowed to log in?

        My understanding is that trusted IP is used to bypass additional authentication (like SMS-based token number) and hence in the above scenario the user will not be allowed to log in.

        Regards
        Nikhil

  2. Hi John,

    I have an exam on Tuesday, so please advise.
    When a user is logged in and time expires, what happens? I am getting 2 contrasting views.

    thanks

  3. Hi John,
    I have a question regarding users and role hierarchy for data access as manager.

    –> On any user’s edit page we can assign a Manager to the user, as the person to whom the user has to report.
    –> And the other way, the role hierarchy also has one more manager to whom the same user has to report.
    So do both of these have the same access to subordinates’ data?
    Tejal.

  4. Took the test 2 weeks ago, one question came out like this (please don’t take it literally):

    “Jane’s profile has login hours from 8am to 5pm. She is currently working on an Opportunity and the clock has just turned to 5pm, what will happen?

    a) The session will be terminated, losing the work
    b) The session will continue until Jane logs out, and she will not be able to log back in again until next business day at 8am
    c) A pop up window will let Jane know her session is about to end
    d) The session will be terminated, but Jane will be able to keep working on the same record

    Please comment on this, especially after listening to “Who sees what: Organization Access” between 0:51 and 1:06 (link provided)
    https://www.youtube.com/watch?v=IYS9fwsZZ-s&index=2&list=PL6747B4DAE356E17C

    Thanks,

    JR

      1. I will never know. But when testing on my DEV, it actually let me keep working and session did not terminate, then I assumed the session could go on and on. (Reason why I chose B)

        When I tested again, I realized that after 6 minutes !!! (6 minutes is a lot) the session terminated. So I would blame the SF times not being too precise.

        Any clues?

        1. Any chance you had the default org time zone set differently (e.g. the default is probably PST)? 6 minutes does sound long- I did this test some time ago, but I remember it terminating my session almost down to the second.

      2. I also had this question and am stumped because I get conflicting answers – but according to Salesforce why wouldn’t it be (d) – I think to not warn people when their session is ending and just boot them out leaving unsaved work lost is a very inefficient use of time – but nowhere can I find mention that the “Save” function would be nulled out – so even though she may not be able to add more content, she should be able to save the record and then session is terminated. Is my thinking wrong here?

        https://help.salesforce.com/apex/HTViewHelpDoc?id=login_hours.htm&language=en_US
        Set the days and hours when users with this profile can use the system.
        To allow users to log in at any time, click Clear All Times. To prohibit users from using the system on a specific day, set the start and end times to the same value.
        ****If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.*****

        1. If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.
          –> this is misleading. If they leave the page open, the browser will continue to display CACHED information. If they REFRESHED the page after login hours expired, they would get logged out.

          Any action (save, refresh, etc.) after login hours are expired would terminate the session and would be ignored (not saved).

          1. Thanks John for getting back on this … perhaps I should add a post on the Ideas site to have some type of warning that the session is getting close to time out or allow “save” function to work on open records when login hours are enforced.

            Cheers!

          2. Had this question on my exam, but the choices included:
            Logged out – lose unsaved work
            Logged out – unsaved work kept until next login

            Now, is the correct answer still, logged out, lose unsaved work, since I can’t find any note that states the work unsaved will be kept? This was one (of many I should add) of those tricky questions on the exam that is gnawing at me as to which was correct.

          3. Logged out, lose work is correct!

            I will make a note of this for the next batch of updates.

            The reason for this is that every action in Salesforce (record view, save, etc.) is predicated on a valid session. The information isn’t saved anywhere (only shown locally to the user in the browser) until the save button (clicked by the user) invokes the save action at the database level. The save action will be rejected if the session is invalidated (by login hours in this case, or by the user being deactivated, whatever).

  5. Hi John

    If I set up login hours on user profile X that are matched with my org. time zone, say 8:00-18:00 CET. My colleague who has the user profile X is now logging in to our org. environment from her business trip in NYC; she logs in at 13:00PM NYC time but it is way past the time indicated on her profile (on CET time zone) – will she be able to login?

    Regards,
    Gil

      1. Hi John,

        So in this case, I would need to change her login hours on her user record? Is that the Locale field?
        Would that allow her to login outside of defined org default hours?

          1. I got a bit confused..
            1. We are able to set up Organisation login hours and even create teams that might have different login hours
            ONLY for the purpose of Escalation process?
            2. Profile: we can assign login hours on profile
            Determine the time a user can log in?
            3. User record: locale setting
            Not sure what this affects?!

          2. 1. Login hours PREVENT login at certain times of the day. Login hours are based on the organization time zone- make sure to do the time zone math accordingly. This means if you needed to enforce login hours based on region, you would need a new profile for each region in a different time zone.
            2. Yes
            3. Locale does things like change the date format (e.g. from MM/DD/YYYY to DD/MM/YYYY)- more to it than that but that’s an example.

  6. Under section: Session Security Levels
    Two-Factor Authentication — High Assurance

    John, could you please explain what two-factor auth. means?

    Regards,
    Gil

    1. Sure- for more detail: https://en.wikipedia.org/wiki/Two-factor_authentication

      2 factor is just that- 2 different ways to validate upon authentication.

      The most common form of authentication is 1 factor- password.

      If you were to add a second component (in ADDITION to the password), such as a bio-metric fingerprint scan (or token generation, or any number of other options), you would have two methods of authentication- hence 2 factors.

  7. Lock sessions to the domain in which they were first used Associates a current UI session for a user, such as a community user, with a specific domain to help prevent unauthorized use of the session ID in another domain. This preference is enabled by default for organizations created with the Spring ’15 release or later.

    I have noticed that this is not enabled at my org. – is it something I should consider? I must say I am not sure I fully understand it. Could you please explain or direct me to a reference on this?

    Many thanks,
    Gil

    1. I believe what this setting is doing is restricting a session to a single domain upon login. For example if you logged in via the community site (e.g. community.yourorg.com) but then tried to access the full salesforce site (e.g. myorg.my.salesforce.com – with my domain enabled), you would then have to re-authenticate to facilitate access (even if you were using the same credentials).

  8. http://help.salesforce.com/apex/HTViewHelpDoc?id=users_freeze.htm&language=en_US
    “Let’s say a user just left your company. You want to deactivate the account, but the user is selected in a custom hierarchy field. Because you can’t immediately deactivate the account, you can freeze it in the meantime.”

    I am not sure I understand what “selected in a custom hierarchy field” means, could you please explain it?

    Thank you,
    Gil

  9. Hi John noticed 2 things
    1) SMS Identity Confirmation [Could / Long / Salesforce.com] this link is broken now
    2) Minor thing, the link User Authentication [Must / 6m / CertifiedOnDemand.com] refers to IP addresses and appears before the link What is an IP address?
    [Could / Long / howstuffworks.com]. Might be useful to get the IP information earlier.

    Thanks

  10. Hi John, I guess as of Summer 15 update users no longer need to grant Admins access, Admins can log in as Any user and it is now a standard feature, correct?

  11. Please confirm. When the business hours are set at the company profile level, blank = closed/no access and 12:00 AM-12:00 AM=24-hour access. When login hours are set at the user profile level, 12:00AM-12:00AM=closed/no access.
    If this is right, what does “None” mean at the user profile level? Does it mean 24-hour access?

    1. Set 24 hours checkbox for biz hours for around the clock; they are declared org wide but multiple hours can be set and referenced in case management. No login hours declared on the profile will allow 24 hour access. When login hours are set, then they are enforced.

  12. Hi John, can I check for this question: If user was logged in at 4.55pm but 5pm is the restricted time frame. What will happen after 5pm? Will he be automatically logged out with his items saved?

    1. The next action they take after 5pm will log them out – that means if they don’t click ‘save’ before 5pm, then their work will not be saved. Doesn’t matter what the action is (save, view a new record, report, etc.), they will get logged out.

  13. When logged in the top navigation bar continues to display ‘Login’ instead of ‘Logout’. However when I’m leaving this message it does correctly state that I’m logged in as ……

  14. Hi, quick question on queues: when assigning a case to a queue on creation, is it best practice to use assignment rules or a workflow which changes the owner when the record is saved? Or, doesn’t it matter?!

    Many thanks,

    Katie

  15. Thanks John for putting everything together. I have passed today and this site really helps a lot. Looking forward to seeing Advanced stuff soon.

    Regards

  16. There is one question about a user’s unsuccessful attempts to login. The Administrator checked and found out the user is trying with an incorrect password. What should the Administrator do? There are two options to choose out of four options.

    a. Click reset password on user’s detail page.
    b. Send email with user’s password.
    c. Click unlock on user’s record detail page.
    d. Login as user and reset password.

    Option “a” is a valid one but the rest don’t make any sense to me.

    i. I am not able to find any unlock option (Salesforce help: Resetting locked-out users’ passwords automatically unlocks their accounts as well.).
    ii. No option to send email with user’s password, as this is done with reset as well.
    iii. Why would you need to login as user (if possible) and reset password where the reset password option is there?

    I have searched the possible answers and found the options a, c everywhere but I am not convinced. So your help is required, hope you don’t mind.

    Regards

    1. A user’s account can get locked if they attempt to login too many times with an invalid password. Check the security settings in the org- it will indicate the max # of attempts and the lockout policy. You may not see the option to unlock the account if it is not currently locked. I suspect A & C are valid- where is the question coming from?

      1. Thanks for your quick reply.

        You are right, when a user is locked out an “Unlock” button appears on the user detail page which unlocks the user, and the user can still use the old password, whereas resetting the password resets/changes the user’s password and it unlocks the user as well.

        Thanks again for your help.

  17. What actually happens when a user is working on something but the login hours end time is reached?

    Will the user be forcibly logged out?
    Will the user be able to continue work until he/she logs out?

    According to Salesforce help the user will be able to continue work, but it’s not clear if the user can do any CRUD actions/save changes or what?

    1. I have simulated this scenario and found that the system will log you out with the message:

      “Your login attempt has failed. The username or password may be incorrect, or your location or login time may be restricted. Please contact the administrator at your company for help.”

  18. A user is trying to login but after several attempts he/she failed. You as administrator checked and there is no login attempt by this user at all. What is the reason?

    * I think he is using wrong user id but there is no option to select as wrong user id.

    1. Wrong user ID is the only possible answer unless they went to the wrong login URL. (test.salesforce.com for example)

      This question was also on my exam and wrong user ID was an option. (and the one I selected)

  19. User trying to login from an IP.

    IP is in Company trusted IP range but not in Login IP range.

    Will user be able to login or access will be denied ?

    1. Login access will be denied if they are outside the login IP range set on the profile. Think of the scenario where someone in a department that should not have access is attempting to login. They are still a part of the company, and inside the trusted range, but they are not part of the department that has been allowed access.

      *****This exact question was on my exam***** and I drew a little picture on the paper to help myself create the scenario.

      [—Trusted Range———(Login IP Range)—-{user_in_question}——]

      Hope this helps.
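
The evaluation order discussed in this thread (the help text quoted in the first comment, Nikhil's scenario, and the trusted-versus-login-range question in comment 19), modelled as an added Python example that is not code from this page or from Salesforce. The function names and decision labels are assumptions, and the trusted range's end address is constructed as 10.1.1.15.

```python
from ipaddress import ip_address

def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (start, end) range."""
    addr = ip_address(ip)
    return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in ranges)

def evaluate_login(ip, profile_login_ranges, org_trusted_ranges, known_device=False):
    """Return (decision, reason), following the order in the quoted help text.

    Hypothetical helper: the labels 'allow', 'deny' and 'blocked' are ours.
    """
    # Step 1: profile Login IP Ranges, when defined, are a hard gate.
    # Trusted ranges and recognized devices are never consulted here.
    if profile_login_ranges:
        if in_ranges(ip, profile_login_ranges):
            return ("allow", "inside profile login IP range")
        return ("deny", "outside profile login IP range")
    # Step 2: no profile restriction, so fall back to device / trusted-IP checks.
    if known_device:
        return ("allow", "recognized device and browser")
    if in_ranges(ip, org_trusted_ranges):
        return ("allow", "inside org trusted IP range")
    return ("blocked", "unrecognized device outside trusted ranges")

# Constructed sample data based on the scenario in the thread.
PROFILE_X = [("10.1.1.1", "10.1.1.5")]    # Login IP Range on profile X
TRUSTED = [("10.1.1.11", "10.1.1.15")]    # org trusted range (end address assumed)

def thread_scenarios():
    """Run the cases raised in the comments and return their decisions."""
    return {
        # Profile X user coming from a trusted IP outside the login range.
        "trusted_but_outside_login_range":
            evaluate_login("10.1.1.11", PROFILE_X, TRUSTED),
        # Same user from inside the profile's login range.
        "inside_login_range":
            evaluate_login("10.1.1.3", PROFILE_X, TRUSTED),
        # A profile with no login ranges: the trusted range now matters.
        "no_profile_ranges_trusted_ip":
            evaluate_login("10.1.1.11", [], TRUSTED),
        # No login ranges, untrusted IP, unrecognized device.
        "no_profile_ranges_unknown":
            evaluate_login("192.0.2.9", [], TRUSTED),
    }

if __name__ == "__main__":
    for name, (decision, reason) in thread_scenarios().items():
        print(f"{name}: {decision} ({reason})")
```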

  20. Looks like they have removed the video entitled Securing your sales force organization as of 12/4/2014. Is there something else we should look at as a substitute?

  21. seen from the exam asking, Which Feature Restricts a user’s ability to log into Salesforce? Choose 2.
    A. Trusted IP Ranges
    B. Login Hours
    C. Login IP Ranges
    D. Password Policies.

    D is obviously out.
    Amongst options A, B and C, many people advocate that A and B are the right answers. However, your definitions for each of these methods suggest that Login Hours and Login IP Ranges limit users’ access, whereas Trusted IP Ranges remove the restriction. Hence I would choose B and C as right answers against the majority of the people.

    Can you please assist?

    Thanks,

    1. I’ve added a disclaimer to the start of the guide – the Improved Setup User Interface needs to be disabled. The instructions will then work. If the enhanced setup menu is enabled, the steps will vary some.

  22. Hi!

    In the text to the right of “Understanding User License Types”.

    “Every user must be assigned one (and only one) feature license. This is their primarily license.

    Users can also optionally be assigned one or more feature licenses.”

    Should it read, “Every user must be assigned one (and only one) USER license. This is their primarily license.

    Users can also optionally be assigned one or more feature licenses.”
