
Manage Access to Your Connected App

How Can I Manage Access to a Connected App?

Now that you’ve delivered the Customer Order Status connected app, you need to manage access to it. Because you already built the connected app in the org, you don’t need to worry about installing it. But as a Salesforce admin, do you know what settings to define for managing access to the app? Not sure? Ask yourself these questions.
  • What’s the app being used for? In this scenario, the app allows an external web service to access customer order status data from the Salesforce instance.
  • Who needs to use the app? The only employees who need access to this app are Help Desk users in the Customer Service department.
  • Where do they access the app from? Mostly, the Help Desk users access the connected app from their Help Desk station. However, they might need to access this connected app from outside the company network, for instance, if they are at a customer’s site.

Using this information, let’s get to work managing the connected app.

Define Which Users Can Access the Connected App

As your first step in managing connected app access, define who can use the Customer Order Status connected app. There are three steps you need to complete to define these users.

  1. Configure the Permitted Users policy. The Permitted Users policy defines whether users are pre-authorized to run the connected app. With the Admin approved users are pre-authorized option, only users with the associated profile can access the app, and they don’t have to authorize it first. The All Users may self-authorize option lets anyone in the org authorize the app after successfully signing in. You want only pre-authorized users to run the app.
    1. From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
    2. Next to the Customer Order Status connected app, click Edit.
    3. Under OAuth policies, click the Permitted Users dropdown and select Admin approved users are pre-authorized.
       (Screenshot: Admin approved users are pre-authorized selected for the connected app’s Permitted Users option on the Manage Connected Apps page.)
    4. Click Save.
  2. Assign the Support Profile to the Customer Order Status connected app. You just defined that admin approved users are pre-authorized to use the Customer Order Status connected app. Now you need to define the users who are pre-authorized. You can use profiles or permission sets to define pre-authorized users. In this step, we’re going to use the Custom: Support Profile, which is already set up in your Trailhead Playground. You need to give this profile pre-authorization to use the Customer Order Status connected app.
    1. From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
    2. Click the Customer Order Status connected app.
    3. Scroll to Profiles, and click Manage Profiles.
    4. In the display list, find Custom: Support Profile and select its check box.
    5. Click Save. Now all users with the Custom: Support Profile are pre-authorized to use the Customer Order Status connected app.
       (Screenshot: the Custom: Support Profile assigned to the Customer Order Status connected app.)

Define Where Users Can Access the Connected App From

Now that you’ve defined who can use the app, configure where they can use the app from. You can define location access with the IP Relaxation policy.

  1. From Setup, enter Connected Apps in the Quick Find box, then select Manage Connected Apps.
  2. Next to the Customer Order Status connected app, click Edit.
  3. Under OAuth policies, click the IP Relaxation dropdown. These are the options you can choose from:
    • Enforce IP restrictions—This option enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile. The Help Desk User profile has an IP range restricting access to the company’s network, so Help Desk users can log in to the org only when they are at their workstation or connected to the network through the corporate VPN. This option isn’t ideal for Help Desk users who are trying to access the app from a customer’s site.
    • Enforce IP restrictions, but relax for refresh tokens—Like the Enforce IP restrictions option, this option enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile. However, this option bypasses these restrictions when the connected app uses refresh tokens to get access tokens. The Customer Order Status connected app doesn’t use refresh tokens, though. So this option doesn’t help you out any more than the first option.
    • Relax IP restrictions for activated devices—This option allows a user running the app to bypass the org’s IP restrictions when either of these conditions is true.
      • The app has a list of allowed IP ranges and is using the web server OAuth authorization flow. Only requests coming from these IPs are allowed.
      • The app doesn’t have a list of allowed IP ranges. But it uses the web server authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.
      This option just might work for the Customer Order Status connected app. It’s not really feasible to create a list of allowed IP ranges for all customer sites, but the connected app does use the web server flow. Help Desk users could run the app from a customer’s site by logging in to their Salesforce org from their mobile device.
    • Relax IP restrictions—This option allows a user to run this app without org IP restrictions. Although this option would allow Help Desk users to run the Customer Order Status App from a customer’s site, the user wouldn’t have to verify their identity to Salesforce. You want to maintain the security that authentication provides, so you don’t want to use this option for the connected app.
  4. Select Relax IP restrictions for activated devices. Help Desk users can run the Customer Order Status app from any location as long as they verify their identity to their Salesforce org.
  5. Click Save and then confirm that the correct access policies have been assigned to the connected app.
     (Screenshot: OAuth policies assigned to the Customer Order Status connected app.)
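To make the two policies concrete, here is an added example (not Salesforce code and not part of the original module): a small Python model of the decision rules described in the "who" and "where" sections above, applied to a few sample access attempts. The class and field names, the sample IP ranges (10.0.0.0/8 for the corporate network, 203.0.113.7 for a customer site) and the "Standard User" profile are constructed for illustration; only the policy option names and the Custom: Support Profile come from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed labels mirroring the Setup UI options described on the page.
ADMIN_APPROVED = "Admin approved users are pre-authorized"
SELF_AUTHORIZE = "All users may self-authorize"

ENFORCE = "Enforce IP restrictions"
ENFORCE_RELAX_REFRESH = "Enforce IP restrictions, but relax for refresh tokens"
RELAX_ACTIVATED = "Relax IP restrictions for activated devices"
RELAX = "Relax IP restrictions"


@dataclass
class ConnectedAppPolicy:
    """Hypothetical model of a connected app's OAuth policies (not Salesforce's data model)."""
    permitted_users: str
    ip_relaxation: str
    preauthorized_profiles: frozenset = frozenset()  # profiles assigned under Manage Profiles
    app_allowed_ip_ranges: tuple = ()                 # the app's own allowed IP ranges, if any


@dataclass
class AccessRequest:
    """One attempt to run the app; all fields are constructed for the example."""
    profile: str
    source_ip: str
    profile_login_ranges: tuple = ()   # login IP ranges on the user's profile (the org restriction)
    web_server_flow: bool = True
    uses_refresh_token: bool = False
    identity_verified: bool = False    # user completed verification on a new browser/device
    self_authorized: bool = False      # user has already authorized the app themselves


def in_ranges(ip, ranges):
    addr = ip_address(ip)
    return any(addr in ip_network(r) for r in ranges)


def evaluate(policy, req):
    """Return (allowed, reason) for one request under the given policy."""
    # Who: the Permitted Users policy is checked first.
    if policy.permitted_users == ADMIN_APPROVED:
        if req.profile not in policy.preauthorized_profiles:
            return False, "profile is not pre-authorized for this app"
    elif policy.permitted_users == SELF_AUTHORIZE:
        if not req.self_authorized:
            return False, "user has not authorized the app yet"
    else:
        raise ValueError(f"unknown Permitted Users policy: {policy.permitted_users}")

    # Where: an empty profile range list means the org places no IP restriction on the user.
    within_org = not req.profile_login_ranges or in_ranges(req.source_ip, req.profile_login_ranges)
    ipr = policy.ip_relaxation

    if ipr == RELAX:
        return True, "org IP restrictions are not applied to this app"
    if ipr == ENFORCE:
        return within_org, "org IP restrictions enforced"
    if ipr == ENFORCE_RELAX_REFRESH:
        if req.uses_refresh_token:
            return True, "refresh-token exchange bypasses org IP restrictions"
        return within_org, "org IP restrictions enforced (no refresh token in use)"
    if ipr == RELAX_ACTIVATED:
        if within_org:
            return True, "request is within the org's IP ranges"
        if policy.app_allowed_ip_ranges:
            ok = req.web_server_flow and in_ranges(req.source_ip, policy.app_allowed_ip_ranges)
            return ok, "app allowed IP ranges " + ("matched" if ok else "not matched")
        ok = req.web_server_flow and req.identity_verified
        return ok, "identity verification " + ("completed" if ok else "required")
    raise ValueError(f"unknown IP Relaxation policy: {ipr}")


# Constructed policy matching the outcome the page configures for the Customer Order Status app.
ORDER_STATUS_POLICY = ConnectedAppPolicy(
    permitted_users=ADMIN_APPROVED,
    ip_relaxation=RELAX_ACTIVATED,
    preauthorized_profiles=frozenset({"Custom: Support Profile"}),
)

# Constructed requests: corporate network 10.0.0.0/8, a customer site at 203.0.113.7.
CORP = ("10.0.0.0/8",)
AT_HELP_DESK = AccessRequest("Custom: Support Profile", "10.1.2.3", CORP)
AT_CUSTOMER_VERIFIED = AccessRequest("Custom: Support Profile", "203.0.113.7", CORP, identity_verified=True)
AT_CUSTOMER_UNVERIFIED = AccessRequest("Custom: Support Profile", "203.0.113.7", CORP)
WRONG_PROFILE = AccessRequest("Standard User", "10.1.2.3", CORP, identity_verified=True)


def compare_options(req):
    """Decide the same request under each IP Relaxation option, holding the who-check constant."""
    return {
        opt: evaluate(ConnectedAppPolicy(ADMIN_APPROVED, opt, ORDER_STATUS_POLICY.preauthorized_profiles), req)[0]
        for opt in (ENFORCE, ENFORCE_RELAX_REFRESH, RELAX_ACTIVATED, RELAX)
    }


if __name__ == "__main__":
    for name, req in [("help desk", AT_HELP_DESK), ("customer site, verified", AT_CUSTOMER_VERIFIED),
                      ("customer site, unverified", AT_CUSTOMER_UNVERIFIED), ("wrong profile", WRONG_PROFILE)]:
        print(f"{name:26s} -> {evaluate(ORDER_STATUS_POLICY, req)}")
    print(compare_options(AT_CUSTOMER_UNVERIFIED))
```

Running the script shows the trade-off the page walks through: the unverified request from the customer site is refused under the first three options and accepted only under Relax IP restrictions, while the verified one is accepted under Relax IP restrictions for activated devices, which is why that option keeps both the location flexibility and the identity check.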

Success

You’ve successfully configured the connected app so that it can only be used when:
  • Users are assigned the Custom: Support Profile.
  • Users verify their identity to the org when they first access the app.

Thanks to you, Help Desk users can access the Customer Order Status website. And you’re one step closer to being a connected app ace!

Resources