Salesforce Data Security and Access – Part 1 (Introduction and Password Policies)

Hello Salesforce Thinkers! In our previous blog we learned about List View Charts in Lightning Experience. In this blog we are going to learn about “Salesforce Data Security and Access”. We will continue our learning journey with a series of blogs that go deeper into the Salesforce Data Security Model, visibility and access.

Let’s get started. Data security is a big challenge for any cloud platform, and Salesforce provides a strong security model to address it. With the Salesforce platform’s flexible, layered sharing model, it’s easy to assign different data sets to different sets of users. We can balance security and convenience, reduce the risk of stolen or misused data, and still make sure all users can easily get the data they need.

Levels of Data Access in Salesforce:

Salesforce uses organization-level, object-level, field-level, and record-level security to control access to objects, fields, and individual records.

  • Organization level
  • Object level
  • Record level
  • Field level

In Salesforce, data is stored in three key constructs: objects, fields, and records. Objects are similar to database tables, fields are similar to the columns of a table, and records are similar to the rows of data inside the table. By combining security controls at these different levels, we can provide just the right level of data access to all users.

Organization level:

At the organization level we decide when and from where our users can access the system. The first step is to give users access to our Salesforce organization. Access to an org can be controlled by user names and passwords as well as by profiles and security settings.

We can set login IP ranges or login hours at the profile level, and trusted IP addresses can be set at the company level. It is also possible to use identity confirmation with a second form of authentication that can be sent through email, SMS or the Salesforce Authenticator app.

If IP address restrictions are defined for a user’s profile and a login originates from an IP address outside the allowed ranges, Salesforce does not allow the user to log in. These restrictions help protect your data from unauthorized access and phishing attacks.

For the entire organization, we can maintain a list of approved users, set password policies, and limit logins to specific hours or locations. By default, Salesforce does not restrict the hours during which a user can log in or the locations from which they can log in.

Let’s look at them one by one:

  • Password Policies
  • IP Restrictions
  • Login Access

Passwords:

Each user in Salesforce is provided with a unique username and password, which must be entered during login. We can configure several settings to ensure that our users’ passwords are strong and secure.

User Permissions Needed:

  • “Manage Password Policies” to set password policies.
  • “Reset User Passwords and Unlock Users” to reset user passwords and unlock users.

How to make the passwords strong and secure?

Password Policies:

Password policies can be set at the organization or profile level. We can set password history, length, and complexity requirements. We can also specify what to do when a user forgets their password.

Note:

  • Profile password policy settings override the organization-wide password policies for that profile’s users.
  • If password policies are not set for a profile, the organization-wide password policies apply.
  • Changes to the organization-wide password policies do not affect profile-specific password policies, which may be different.

Password Requirements:

  • A password can’t contain a user’s username and can’t match a user’s first or last name.
  • A password must contain at least eight characters, including one alphabetic character and one number.
  • The security question’s answer can’t contain the user’s password.
  • When users change their password, they can’t reuse their last three passwords.

Set Password Policies:

Navigate To

Setup >> Administer >> Security controls >> Password Policies.

The Salesforce Password Policies settings page consists of the following fields:

User passwords expire in:

  • Here we can define the number of days a password remains valid. After it expires, the user must set a new password.
  • The default password expiration is 90 days, but it can be set to 30, 60, 90 or 180 days, One year, or Never expires.
  • This setting isn’t available for Self-Service portals.
  • This setting doesn’t apply to users with the Password Never Expires permission.

Enforce password history:

  • This option saves users’ previous passwords so that they must choose a new, unique password every time they reset their login password.
  • Password history is not saved until this value is set.
  • The default is 3 passwords remembered.
  • We cannot select No passwords remembered unless we select Never expires for the User passwords expire in field.
  • This setting isn’t available for Self-Service portals.

Minimum password length:

  • This option defines the minimum number of characters required for a password.
  • The minimum password length is 8 characters.
  • Existing users aren’t affected until the next time they change their passwords.

Password complexity requirement:

This option lets us choose the types of characters that must be used in a user’s password:

  • No restriction.
  • Must include alpha and numeric characters.
  • Must include alpha, numeric and special characters.
  • Must include numbers and uppercase and lowercase letters.
  • Must include numbers, uppercase and lowercase letters, and special characters.
  • Must include 3 of the following: numbers, uppercase letters, lowercase letters, special characters.
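To make the rules concrete, here is an added example (my own code, not Salesforce’s) that checks a candidate password against the Password Requirements listed earlier and against a chosen complexity option; the option keys, rule names and function signature are assumptions for illustration only.

```python
import re

CLASSES = {
    "alpha": re.compile(r"[A-Za-z]"),
    "digit": re.compile(r"\d"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# The six "Password complexity requirement" options, in the order the page
# lists them; "three_of_four" (any 3 of 4 classes) is handled separately.
COMPLEXITY = {
    "none": [],
    "alpha_numeric": ["alpha", "digit"],
    "alpha_numeric_special": ["alpha", "digit", "special"],
    "numbers_upper_lower": ["digit", "upper", "lower"],
    "numbers_upper_lower_special": ["digit", "upper", "lower", "special"],
}


def check_password(password, username, first_name, last_name,
                   previous_passwords, security_answer="",
                   complexity="alpha_numeric", min_length=8, history=3):
    """Return the list of violated rules; an empty list means the password passes."""
    errors = []
    lowered = password.lower()
    # Baseline "Password Requirements" apply whatever complexity option is chosen.
    if len(password) < min_length:
        errors.append("too_short")
    if not (CLASSES["alpha"].search(password) and CLASSES["digit"].search(password)):
        errors.append("needs_alpha_and_digit")
    if username and username.lower() in lowered:
        errors.append("contains_username")
    if lowered in (first_name.lower(), last_name.lower()):
        errors.append("matches_name")
    if security_answer and lowered in security_answer.lower():
        errors.append("answer_contains_password")
    # "Enforce password history": only the most recent `history` entries count.
    if history and password in previous_passwords[-history:]:
        errors.append("reused_recent_password")
    # Selected "Password complexity requirement" option.
    if complexity == "three_of_four":
        present = sum(1 for c in ("digit", "upper", "lower", "special")
                      if CLASSES[c].search(password))
        if present < 3:
            errors.append("complexity")
    elif any(not CLASSES[c].search(password) for c in COMPLEXITY[complexity]):
        errors.append("complexity")
    return errors
```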

Password question requirement:

  • This option controls the password hint question that is used to remind a user of their password in case it is forgotten.
  • The password hint question cannot be set to “PASSWORD”.
  • None means there is no restriction on the answer.
  • The user must provide an answer to the password hint question.
  • This setting is not available for Self-Service portals, Customer Portal, or partner portals.

Maximum invalid login attempts:

  • The number of login failures allowed for a user before the user is locked out.
  • We can set the number of invalid login attempts to 3, 5, 10 or ‘No Limit’.
  • This setting isn’t available for Self-Service portals.

Lockout effective period:

  • This option defines the duration of the login lockout.
  • If a user’s account is locked out due to invalid attempts, the user must wait until the lockout effective period has elapsed.
  • Alternatively, a user with the Reset User Passwords and Unlock Users permission can unlock the user.
  • The default is 15 minutes.
  • It can be set to 15 minutes, 30 minutes, 60 minutes or ‘Forever (Must be reset by admin)’.
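The two settings above interact: the attempt counter, the lockout expiry and the admin unlock all act on the same per-user state. The following added example (my own illustration, not Salesforce’s implementation) models that interaction with the setting values the page lists; the class and method names are assumptions, and time is passed in as whole minutes so it runs without a clock.

```python
# Allowed values follow the settings page; None stands for 'No Limit' and
# 'Forever (Must be reset by admin)' respectively.
MAX_ATTEMPT_CHOICES = (3, 5, 10, None)
LOCKOUT_MINUTE_CHOICES = (15, 30, 60, None)


class LockoutTracker:
    """Tracks consecutive invalid logins per user; `now` is an integer minute count."""

    def __init__(self, max_attempts=3, lockout_minutes=15):
        if max_attempts not in MAX_ATTEMPT_CHOICES or lockout_minutes not in LOCKOUT_MINUTE_CHOICES:
            raise ValueError("setting value not offered by the Password Policies page")
        self.max_attempts = max_attempts
        self.lockout_minutes = lockout_minutes
        self.failures = {}       # user -> consecutive invalid attempts
        self.locked_until = {}   # user -> minute the lock expires, or None = forever

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now < until:
            return True
        # Lockout effective period has elapsed: clear the lock and the counter.
        self.admin_unlock(user)
        return False

    def record_failure(self, user, now):
        """Register an invalid login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        if self.max_attempts is None:      # 'No Limit': never lock
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = (None if self.lockout_minutes is None
                                       else now + self.lockout_minutes)
            return True
        return False

    def record_success(self, user, now):
        """A correct password only counts while unlocked; it resets the counter."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True

    def admin_unlock(self, user):
        """'Reset User Passwords and Unlock Users': clears the lock and the counter."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```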

Obscure secret answer for password resets:

  • This option hides the text when a user types the answer to the security question.
  • The default is to show the answer in plain text.

Require a minimum 1 day password lifetime:

  • With this option, a password can’t be changed more than once a day.

Allow use of setPassword() API for self-resets:

  • When selected, apps can use the setPassword() API to change the current user’s password to a specific value.
  • Deselect this option for increased security. When it is deselected, apps must use the changeOwnPassword() API to prompt users to set their password.
  • The changeOwnPassword() API verifies the user’s current password before allowing the change.
  • When you deselect this option, you can’t select it again.

Alternative home page:

  • Specify an alternative home page for users with the API Only User permission.
  • After completing user management tasks such as resetting a password, API-only users are redirected to the specified URL rather than to the login page.

Resetting Passwords:

  • An administrator can reset a user’s password for better protection or to unlock a user if the user is locked out.
  • Permissions needed: “Reset User Passwords” and “Unlock Users”.
  • It is possible to reset the password of specific users or of all users by clicking the ‘Reset Password’ button on the ‘Users’ page in Setup.
  • Setup >> Users >> Reset Password.
  • When a user’s password is reset, the user receives an email that contains a link and instructions to reset the password.
  • Resetting a locked out user’s password automatically unlocks the user’s account.

Expire all user passwords:

  • An administrator can expire the passwords of all users at any time to enforce extra security for the organization, except for users with the “Password Never Expires” permission:
  • Setup >> Expire All Passwords >> Expire all user passwords.
  • Permissions needed: “Reset User Passwords” and “Unlock Users”.
  • After expiring passwords, all users are prompted to reset their password the next time they log in.

Hope this blog is helpful for you.

6 thoughts on “Salesforce Data Security and Access – Part 1 (Introduction and Password Policies)”

  1. I am very much thankful to you for sharing such a helpful and knowledgeable article on “Salesforce Data Security and Access – Part 1 (Introduction and Password Policies)”. It will help me a lot to make a password policy for my organization in Salesforce software. Keep sharing your knowledge!!! Looking forward to the 2nd part.
