I’m trying to restrict “Login As” access using a Transaction Security Apex policy, but it is not working as expected. My goal is to block Delegated Admin users from performing Login As for users outside a specific set of roles, including their subordinate (child) roles in the role hierarchy. However, even after defining allowed roles in the Apex condition, users are still able to Login As to users in sub-roles under the allowed roles.
I also want to understand if it is actually possible to block Delegated Admin users from logging in as their subordinate role users using Transaction Security or any other standard Salesforce configuration. Currently, it seems the logic is only evaluating the target user’s role and not fully enforcing restrictions based on Delegated Admin access and role hierarchy behavior.
Hi, sorry for the inconvenience. If you don't receive a response here, we recommend reaching out to our support team for further assistance. You can do so by visiting https://help.salesforce.com/s/articleView?id=000393090&language=en_US&type=1
