This chapter’s objectives are:
- 2.1- Identify the steps to set up and/or maintain a user (e.g., assign licenses, reset passwords, and resolve locked user accounts)
- 2.2- Given a scenario, troubleshoot common user access and visibility issues
2.1- Identify the steps to set up and/or maintain a user (e.g., assign licenses, reset passwords, and resolve locked user accounts)
- Every record in Salesforce must have an owner. Records can be owned by either users or queues.
- By default, the user that creates the record is the owner. Record owner is typically used to determine responsibilities (e.g. I manage the leads that I own), reporting (I am credited for the opportunities that I own), record security (discussed in Security Model – Free), and for a variety of other purposes.
- An active user record is required to log in to Salesforce. Records can only be assigned to an active user or a queue. 1 Person = 1 User = 1 User License.
- Maximum Salesforce users per edition: Developer(2), Contact Manager(5), Group(5), Professional, Enterprise, Unlimited (all 3 unlimited)
User creation and fields
Every user is identified by:
- Personal info: name, email, title, phone
- Security: username, password, license, profile, role
- Locale: timezone, locale, language and currency
- The Profile determines what tasks users can perform; the Role determines what Records they can see
User Locale (override company default locale):
- As per the above chapter, the Admin can set up 4 default Organization settings: Default Locale, Default Language, Default Timezone, and Locale Currency.
- When creating a new User, these fields are filled with the default values, but can be changed.
- After creation, a User can change their own Locale, Language and Timezone (and currency if multi-currency is enabled).
- If you change currency, only the symbol changes, no conversion will take place!
- Multi-Currency must be requested from the SF team to be enabled. It is not present by default.
- Once activated, Advanced Currency Management becomes available.
- Conversion rates are configured by the Admin, not auto-generated.
- 3 Language types: Fully Supported, End-User Supported, Platform Language.
User Records cannot be deleted, but only de-activated or Frozen:
- Freezing a user account will temporarily prevent a user from logging in (ex: in a maintenance window, or if configuration prevents user deactivation), while deactivation of a user completely revokes access.
- Freezing a user – select the user and click on the Freeze button on the top next to Edit.
- De-activate: Edit a user and uncheck the Active button.
New User Window:
License vs. Edition:
- A Salesforce edition is the “type” of your Salesforce instance. The edition determines:
- What functionality is available
- The limits: for example, the maximum number of custom objects, the maximum number of tabs, the maximum number of custom fields. Note that some limits are based on a combination of edition and user license. For example, data storage is 20 MB per licensed user on Enterprise Edition, but 120 MB per licensed user on Unlimited Edition
- When a company decides to purchase Salesforce to enhance its business, it looks at the functionality of each edition and at the respective edition prices, and then decides which edition is best suited based on functionality vs. price.
- Sales Cloud Editions are:
- SalesforceIQ CRM Starter: max 5 users, for very small and limited use
- Professional: does NOT include – Person Account, Sales Team, Knowledge, Advanced Forecasting and Reporting, Visual Workflow, Workflow Rule, Approval…
- Enterprise: this is the most popular Edition, it includes almost all features
- Unlimited: this is the top and most expensive Edition. On top of the Enterprise Edition, the following are added: more data storage, 24/7 support, unlimited online training, and some other features.
- Developer: FREE edition for training and light testing
- Licenses are associated with individual users and make functionality available.
- For example, a Salesforce license has access to the sales cloud functionality (Leads, Opportunities) plus any custom Object
- A Platform license doesn’t have access to Salesforce functionality, but can access any Custom Object
- A Chatter license will give access to Chatter only, without any Salesforce functionality or custom Object access.
- There are also feature licenses that can be applied to a user to add functionality. For example, Mobile User is a feature license that allows a user with an existing license to use Salesforce Mobile. There are many other licenses available and it can get rather confusing at times, especially as the license names change on occasion.
- Note that every user must have a license appropriate for the edition, and these get more expensive as the capability of the edition increases.
- You cannot mix user Licenses of different editions, for example: Enterprise and Unlimited licenses in an Unlimited Edition Org.
- Each user should be assigned 1 User License
- A user can be assigned one or more Feature Licenses (checkboxes on the user page interface). You can also set up accounts for users outside your organization who need to access a limited set of fields and objects. These user licenses can grant access to the Customer Portal and Partner Portal.
- User License + Feature License = Total Licensing
- Licensing + Permission (profile) = what user can perform!
- For example, to create a campaign, a user should have User License + Marketing Feature License + Permission (profile) to create campaign
- Create new user settings: General Info / Licensing (user and feature license) / Security (role and profile) / Localization (locale, language, timezone, currency)
- The User License type determines which Profiles and Feature Licenses are selectable
- Sales Cloud CRM Prices (August 2016):
- The total price to pay is determined by the unit price of a license x the number of licenses/users. For example, for an Enterprise Edition, the unit price of a Salesforce license is 150 USD per user per month, so if you have 20 users using such a license, you will pay 150 x 20 = 3,000 USD per month. Note that Salesforce is billed annually, i.e., you will have to pay 1 year in advance (3,000 x 12 = 36,000 USD) for all your users.
Standard User Licenses – check this Link from Salesforce:
- Salesforce:
- Full access, can access any standard and custom app.
- Available in: All editions
- Knowledge only User:
- Designed for users who only need access to the Salesforce Knowledge app.
- Access to the following tabs: Articles, Article Management, Chatter, Chatter Files, Home, Profiles, Reports, custom objects, and custom tabs
- The Knowledge Only User license includes a Knowledge Only profile that grants access to the Articles tab.
- Note: To view articles, a user must have the “AllowViewKnowledge” permission on their profile. However, this permission is off for default profiles
- Available in: Enterprise, Unlimited, and Performance Editions
- Salesforce Platform:
- Users can access custom apps (incl. AppExchange) but not standard CRM functionality (forecasts, opportunities).
- Can use core platform functionality (Accounts, contacts, reports, dashboards, documents and custom tabs)
- Users with this license can only view dashboards if the running user also has the same license.
- Users with a Salesforce Platform user license can access all the custom apps in your organization.
- Available in: Enterprise, Unlimited, Performance and Developer Editions
- Force.com – 1 App:
- Designed for users who need access to one custom app but not to standard CRM functionality.
- Force.com – One App users are entitled to the same rights as Salesforce Platform users, plus they have access to an unlimited number of custom tabs.
- However, they are limited to the use of one custom app, which is defined as up to 10 custom objects
- Limited to read-only access to the Accounts and Contacts objects.
- Available in: Enterprise and Unlimited Editions
- Force.com – App Subscription:
- Grants users access to a Force.com Light App or Force.com Enterprise App, neither of which include CRM functionality.
- A Force.com Light App has up to 10 custom objects and 10 custom tabs, has read-only access to accounts and contacts, and supports object-level and field-level security.
- A Force.com Enterprise App supports in addition: record-level sharing, can use the Bulk API and Streaming API, and has read/write access to accounts and contacts.
- Company Community User:
- Internal user license for employee communities
- It allows read-only access to Salesforce Knowledge articles
- Access up to 10 custom objects and 10 custom tabs,
- Use Content, Ideas, Assets, and Identity features; use activities, tasks, calendar, and events; and have access to accounts, contacts, cases, and documents.
- Available in: Enterprise, Unlimited, Performance and Developer Editions
- Communities: There are 2 community licenses available for external users: Customer Community and Partner Community
- Chatter Free: Users can access standard Chatter people, profiles, groups, and files. They can’t access any Salesforce objects or data. You can upgrade a Chatter Free license to a standard Salesforce license at any time, however, you can’t convert a standard Salesforce or Chatter Only license to a Chatter Free license.
- Chatter External: Designed to allow customers in Chatter groups. Customers are users outside of a company’s email domain.
- Customer portal: Allows contacts to log into your Customer Portal to manage customer support
- Customer Portal – Enterprise Administration: Allows contacts with unlimited logins into your Customer Portal to manage customer support.
- Authenticated Website license: designed to be used with Force.com Sites. It gives named sites users unlimited logins to your Platform Portal to access customer support information.
- Gold Partner user license: can only access Salesforce using the Partner Portal. Specific permissions to different objects can be given.
- High Volume Customer Portal license: gives contacts unlimited logins to your Service Cloud Portal to access customer support information. They can have access to accounts, assets, cases, contacts, custom objects, documents, ideas and questions depending on permission settings.
- Data.com: Add, export Dun & Bradstreet Company data delivered through data.com per month. Default is 300.
- Database.com User Licenses: Divided into 3 license types (Admin, User and Light User). Grants access to database.com schemas or metadata.
Standard User Licenses – Salesforce, Force.com and Knowledge

| | Salesforce | Salesforce Platform | Force.com – One App | Force.com App Subscription (Light) | Force.com App Subscription (Enterprise) | Knowledge Only User |
|---|---|---|---|---|---|---|
| Description | CRM and AppExchange users. Standard and custom apps. | Access to custom apps but not CRM. | Access to one custom app. All other access mirrors Platform. | Access to a Force.com Light App. No CRM. | Access to a Force.com Enterprise App. No CRM. | For users who only need access to the Salesforce Knowledge app + Custom Objects and Tabs |
| Editions | All | Enterprise, Unlimited, Performance, Developer | Enterprise, Unlimited | Enterprise, Unlimited, Performance | Enterprise, Unlimited, Performance | Enterprise, Unlimited, Performance |
| Available Standard Objects | All CRM depending on which cloud purchased | Accounts, Contacts [RW] | Accounts, Contacts [R] | Accounts, Contacts [R] | Accounts, Contacts | Articles, Article Management, Chatter, Chatter Files, Home, Profiles, Reports, custom objects, and custom tabs |
| | | | | Object-level and Field-Level Security | Object-level and Field-Level Security; Bulk and streaming API; Record sharing | |

Standard User Licenses – Chatter

| | Chatter Free | Chatter External | Chatter only AKA Chatter Plus |
|---|---|---|---|
| Description | For users that don’t have Salesforce licenses but need access to Chatter | Designed to allow customers in Chatter groups. Customers are users outside of a company’s email domain. Customers can access information and interact with users only in the groups they’re invited to | For users that don’t have Salesforce licenses but need access to some Salesforce objects in addition to Chatter |
| Editions | Group, Professional, Enterprise, Performance, Unlimited, Contact Manager, and Developer | Group, Professional, Enterprise, Performance, Unlimited, Contact Manager, and Developer | Professional, Enterprise, Unlimited, and Performance |
| Available Standard Objects | None [N] | None [N] | Account, Contacts [R] |
| | Standard Chatter features: Chatter people, profiles, groups, and files; Can be Chatter moderator | | CRM Content, Ideas, and Answers; Access dashboards and reports; Use and approve workflows; Use the calendar to create and track activities; Activities: Tasks and Events; Add records to groups |
| Notes: | | | An administrator must expose the tabs for accounts, contacts, dashboards, and reports as they are hidden by default; Content, Ideas, and Answers are disabled for Chatter Only users by default |
| Custom Objects | None [N] | None [N] | 10 [RW] |
| Custom Tabs | None [N] | None [N] | |
What is a Queue?
- A queue can include multiple users, and is assigned to one or more objects, and can contain Records of that object.
- Members of the queue can then take ownership of a queue’s records.
- For instance, leads generated from the company’s website are routed to a lead queue “Inside Sales”. Members of the inside sales team then take ownership of leads owned by the queue
- Queues are used for cases, leads, orders, custom objects, service contracts, knowledge article versions
- Create queues: Setup | Manage Users | Queue | New – select name (LeadQueue) – select objects that this queue will hold (Lead) | select members in this queue (You can add individuals, roles, public groups, territories, connections, or partner users).
- After you create a queue for cases or leads, you can set up assignment rules to route cases or leads to it
- Go to Setup | Build | Customize | Leads | Leads Assignment Rules | create new rules there and assign to User or Queue.
- Test it by creating a new lead with the criteria you chose in the Assignment Rule. The new lead should have new owner as per the Assignment Rule.
- Note: Before you can delete a queue, reassign its records to another owner and remove it from any assignment rules.
Two factor authentication
- Two factor authentication refers to requiring two independent mechanisms to successfully authenticate.
- The most common example of this is a username/password combined with a randomly generated number (similar to computer activation – however, the randomly generated number may be generated by another system or device, and is required for every authentication)
- To set it up, go to Setup | Administer | Manage Users | Permission Sets – New
- Search for “Two-Factor Authentication for User Interface Login” – Select it – Click on Manage Assignment – Add Assignment – Select the users to assign it to.
- A user who has two factor authentication assigned should then download the Salesforce Authenticator phone app and connect it to their SF login and password. From then on, every time the user tries to log in via the Web, the app will prompt them to accept or deny.
Note: Resolving locked accounts is covered in the section below.
2.2- Given a scenario, troubleshoot common user access and visibility issues
Login to Salesforce:
Ways to log in to SF:
- Website: The standard Salesforce user interface.
- API: Used for programmatic access, such as the Data Loader. The security token must be appended to the password to log in through the API.
- The security token is a mechanism designed to prevent unauthorized access via the API.
- A user must append their security token to their password when authenticating via the API (for example, Data Loader), unless they are connecting within a Trusted IP range.
- Access the token through the My Settings | Personal page
- Single Sign On (SSO): Log in to the company network and be logged in to SF automatically
- OAuth: allows external apps to ask the user for permission to access Salesforce data (no security token needed, but user interaction is required), e.g. Chatter Desktop.
- You can check the login history of each user in the Related List at the bottom of the User page
- To see all logins, use Login History under Manage Users, which can filter and display up to 20,000 of the most recent login records
- You can reset a user's password by going to the Users page; the user will receive an email to reset it
- Bulk reset passwords: go to Users, select the users to reset, and click on the Reset button
- If the login history shows no incorrect attempt, then the user was using an invalid email/username to log in
Other potential issues:
- Does the user's profile have any login restrictions? (Login Hours, Login IP)
- Is the user's IP address in the organization’s trusted IP range?
- Has the user been activated from this IP before? (if in a non-Trusted IP Range)
- Does the user’s web browser have valid cookies from Salesforce?
Login Hours: login is denied outside of the specified hours
- Set it up in Profile: Administer | Manage users | Profiles | Login Hours
Login IP: login is denied from outside of the specified IP ranges
- Set it up in Profile: Administer | Manage users | Profiles | Login IP Ranges
Computer activation is designed to prevent unauthorized access to Salesforce.com, particularly in the event of a hijacked username and password. Computer activation is required when all of the following conditions are True:
1. The user is logging in from OUTSIDE a Trusted IP range.
2. No browser cookie indicating a prior login is present.
- In conclusion, you will get a challenge to authenticate when you login from a new IP address (outside the trusted range) AND a new device / browser.
- Challenge can be through email or sms
To set up Trusted IP Ranges:
- Setup | Security Controls | Network Access | Trusted IP Ranges
To monitor and revoke computer activations:
- Setup | Security Controls | Activations
- There you can see all activated sessions (IP-based and browser-based). You can remove these activations so that users will need to activate again. A user who logs in from a deactivated browser is prompted to verify identity, unless the login IP address is within a trusted IP range.
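The login checks described in these notes can be read as one decision sequence for troubleshooting. The Python sketch below is an added example, not Salesforce code or part of the original notes; the order of the checks, the `User` and `diagnose` names and the sample IP ranges are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample range (documentation address space), not real org settings.
TRUSTED_RANGES = ["203.0.113.0/24"]          # org-wide Trusted IP Ranges

@dataclass
class User:
    active: bool = True                       # unchecked "Active" = deactivated
    frozen: bool = False                      # Freeze button on the user page
    locked: bool = False                      # lockout set by Password Policies
    login_hours: Optional[Tuple[time, time]] = None        # profile Login Hours
    login_ip_ranges: list = field(default_factory=list)    # profile Login IP Ranges

def in_ranges(ip: str, ranges: list) -> bool:
    return any(ip_address(ip) in ip_network(r) for r in ranges)

def diagnose(user, ip, now, has_cookie=False, via_api=False,
             token_appended=False, trusted=TRUSTED_RANGES) -> str:
    """Return the first rule from the notes that explains the login outcome."""
    if not user.active:
        return "denied: user deactivated"
    if user.frozen:
        return "denied: user frozen"
    if user.locked:
        return "denied: user locked, unlock from the User detail page"
    if user.login_hours and not (user.login_hours[0] <= now <= user.login_hours[1]):
        return "denied: outside profile Login Hours"
    if user.login_ip_ranges and not in_ranges(ip, user.login_ip_ranges):
        return "denied: outside profile Login IP Ranges"
    is_trusted = in_ranges(ip, trusted)
    if via_api:
        # The token is required for API logins unless the source IP is trusted.
        if is_trusted or token_appended:
            return "allowed"
        return "denied: security token must be appended to the password"
    # Computer activation is required only when BOTH conditions hold.
    if not is_trusted and not has_cookie:
        return "challenge: computer activation (email or SMS)"
    return "allowed"

if __name__ == "__main__":
    office_hours = User(login_hours=(time(8), time(17)))
    print(diagnose(office_hours, "203.0.113.10", time(18, 30)))
    print(diagnose(User(), "198.51.100.7", time(10)))
    print(diagnose(User(), "198.51.100.7", time(10), has_cookie=True))
    print(diagnose(User(), "198.51.100.7", time(10), via_api=True))
```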
To set up the session timeout value and other session options (force re-login after Login-As-User, enable the SMS method of identity confirmation (can't be disabled), “enforce login IP range on every request”, etc.):
- Setup | Security Controls | Session Settings
Password policies: password type, age, expiry, lockout when…etc.
- Setup | Security Controls | Password Policies
To view the audit trail:
- Setup | Security Controls | View Setup Audit Trail (to check the security changes made to the organization by the administrator)
- What happens when a user is logged in and the login hours pass: nothing happens until the session expires, after which the user will not be able to log in again. If the admin hasn’t set a session setting, the user will be able to stay in the system until the browser is closed.
- The login restriction applies to a user who tries to log in after 5:00 pm, for example; it is applied only when users are trying to log in and will not end the current session.
- To solve this, in the session settings: “enforce login IP ranges on every request”.
If a user is locked (because of too many failed login attempts, as set up in the password policies), then the admin can unlock the user from the User detail page:
Login as another User:
Grant Login Access: so that the Admin can log in as your user and check the problem
- My Settings | Personal | Grant Account Login Access
Choose the Admin or Salesforce and set the access expiration date by choosing a value from the picklist.
- A Salesforce Org Admin can allow himself to log in as any account; when this is set up, you as a user don’t see the option in the screenshot above. To let the SF Admin log in as any user, go to Administer | Security Controls | Login Access Policies