salesforce_security_impl_guide

More documents

Recommendations

Info

Configuring Salesforce Security Features Setting Session Security • Two-Factor Authentication — High Assurance • Authentication Provider — Standard • SAML — Standard Note: The security level for a SAML session can also be specified using the SessionLevel attribute of the SAML assertion sent by the identity provider. The attribute can take one of two values, STANDARD or HIGH_ASSURANCE . To change the security level associated with a login method: 1. From Setup, click Security Controls > Session Settings. 2. Under Session Security Levels, select the login method. 3. Click the Add or Remove arrow to move it to the proper category. Currently, the only features that use session-level security are connected apps, reports, and dashboards. You can set policies requiring High Assurance on these types of resources and specify an action to take if the session used to access the resource is not High Assurance. The two supported actions are: • Block — This blocks access to the resource by showing an insufficient privileges error. • Raise session level — This redirects you to a Two-Factor Authentication flow for raising the session’s security level to High Assurance. Once you complete the flow successfully, you can access the resource. To set a High Assurance required policy for accessing a connected app: 1. From Setup, go to Administer > Manage Apps > Connected Apps. 2. Click Edit next to the connected app. 3. Select High Assurance session required. 4. Select one of the two actions presented. 5. Click Save. To set a High Assurance required policy for accessing reports and dashboards: 1. From Setup, go to Build > Customize > Reports & Dashboards > Access Policies. 2. Select the High Assurance session required. 3. Select one of the two actions presented. 4. Click Save. The session levels have no impact on any resources in the app other than connected apps, reports, and dashboards for which explicit security policies have been defined. 86
Configuring Salesforce Security Features Setting Two-Factor Authentication Login Requirements Setting Two-Factor Authentication Login Requirements Administrators can require users to enter a time-based token generated from an authenticator app when they log into Salesforce. To require this verification every time users log into Salesforce, select the “Two-Factor Authentication for User Interface Logins” permission in the user profile or permission set. Note: Enhancing Security with Two-Factor Authentication (6:56 minutes) See a demonstration of Two-Factor Authentication for Salesforce, and when to use it. Users are prompted to add a time-based token the next time they log into Salesforce. They must enter the changing token from their mobile app every time they log in. Note: Users aren’t asked for a verification code the first time they log in to Salesforce. Once users add a time-based token to their account they can also use the token to confirm their identity when they activate their computer. Partner Portal and Customer Portal users aren’t required to activate computers to log in. EDITIONS Available in: • Enterprise • Performance • Unlimited • Developer • Database.com USER PERMISSIONS To edit profiles and permission sets: • “Manage Profiles and Permission Sets” IN THIS SECTION: Adding a Time-Based Token You can add a time-based token to your account to use a mobile authenticator app to activate your computer. Removing or Resetting Time-Based Token Keys Only one time-based token can be stored on a user’s account. The user must use the authenticator app on the same mobile device to retrieve the token. If a user can’t access the mobile authenticator app used to add the time-based token, administrators can remove the key used to generate the token to deactivate it. Adding a Time-Based Token You can add a time-based token to your account to use a mobile authenticator app to activate your computer. Once you add a time-based token to your account, you’ll be prompted to enter the changing token stored in the mobile app whenever Salesforce needs to confirm your identity, such as when you log in from an unknown IP address. EDITIONS Available in all editions Note: If you have the “Two-Factor Authentication for User Interface Logins” permission, you must enter this token every time you log into Salesforce through the user interface. If you have the “Two-Factor Authentication for API Logins” permission, you must enter this token to access the service instead of the standard security token. 1. Download the supported authenticator app for the type of mobile device you’re using. 2. From your user detail page in Salesforce, click Add next to Time-Based Token. 3. For security purposes, you’re prompted to log into your account. 4. Scan the QR code with the authenticator app on your mobile device. Alternatively, you can manually enter your username and the key displayed when you click Can’t scan the QR code into the app. 5. Enter the token generated from the mobile app into the Token field in Salesforce. 87
Page 1 and 2:
Security Implementation Guide Versi
Page 3 and 4:
CONTENTS Chapter 1: Security Overvi
Page 5 and 6:
Contents Editing Lead Sharing Rules
Page 7 and 8:
CHAPTER 1 Security Overview Salesfo
Page 9 and 10:
Security Overview User Security Ove
Page 11 and 12:
Security Overview Custom Permission
Page 13 and 14:
Security Overview CAPTCHA Security
Page 15 and 16:
Security Overview Auditing • Role
Page 17 and 18:
Securing and Sharing Data Revoking
Page 19 and 20:
Securing and Sharing Data Viewing P
Page 21 and 22:
Securing and Sharing Data Cloning P
Page 23 and 24:
Securing and Sharing Data App and S
Page 25 and 26:
Securing and Sharing Data Working w
Page 27 and 28:
Securing and Sharing Data Enable Cu
Page 29 and 30:
Securing and Sharing Data Assigning
Page 31 and 32:
Securing and Sharing Data Creating
Page 33 and 34:
Securing and Sharing Data Editing P
Page 35 and 36:
Securing and Sharing Data Searching
Page 37 and 38:
Securing and Sharing Data Enable Cu
Page 39 and 40:
Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47 and 48: Securing and Sharing Data Setting L
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 57 and 58: Securing and Sharing Data Creating
Page 67 and 68: Securing and Sharing Data Editing L
Page 69 and 70: Securing and Sharing Data Editing C
Page 71 and 72: Securing and Sharing Data Editing C
Page 73 and 74: Securing and Sharing Data Sharing R
Page 75 and 76: Securing and Sharing Data User Shar
Page 77 and 78: Securing and Sharing Data Sharing U
Page 81 and 82: Securing and Sharing Data Viewing A
Page 83 and 84: Securing and Sharing Data Granting
Page 85 and 86: Configuring Salesforce Security Fea
Page 91: Configuring Salesforce Security Fea
Page 95 and 96: CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98: Enabling Single Sign-On • Before
Page 99 and 100: Monitoring Your Organization's Secu
Page 107 and 108: Security Tips for Apex and Visualfo
Page 113 and 114: INDEX A Access about 10 revoking 11
Page 115 and 116: Index Profiles (continued) object p
show all

salesforce_security_impl_guide

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?