User Authentication Settings Superbadge Unit
Bring user authentication settings up to standard to secure your org.
User Authentication Settings Superbadge Unit
Ce que vous devez accomplir pour gagner ce superbadge
- Set appropriate password policies.
- Configure login requirements and limits.
- Control API access for connected apps.
- Set trusted IP addresses for users.
Concepts testés avec ce Superbadge
- User Authentication
Prework and Notes
Sign Up for a Developer Edition Org with Special Configuration
To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.
-
Sign up for a free Developer Edition org with special configuration.
Fill out the form. For Email address, enter an active email address.
After you fill out the form, click Sign me up.
When you receive the activation email (this might take a few minutes), open it and click Verify Account.
Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.
You are logged in to your superbadge Developer Edition org.
Now, connect your new Developer Edition org to Trailhead.
Make sure you’re logged in to your Trailhead account.
In the Challenge section at the bottom of this page, select Connect Org from the picklist.
On the login screen, enter the username and password for the Developer Edition org you just set up.
On the Allow Access? page, click Allow.
On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge.
Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.
Use Case
Cirrus Cash Flow is a startup that provides financial services for its customers. While its information technology (IT) team is fantastic, the company was less than ready to be acquired by the financial services behemoth, Cumulus Global Bank. Cumulus Global Bank has put Cirrus Cash Flow’s systems through a thorough security audit and now needs to make changes.
As a premier Salesforce security consultant, you’ve met with the key stakeholders and compiled a comprehensive set of security change requirements.
Business Requirements
This section represents the culmination of many meetings and is the basis of your work to transform Cirrus Cash Flow’s Salesforce org into a cloud-based fortress.
Password Requirements
To comply with government financial regulations, Cumulus Global Bank has strict password policies that are in line with industry best practices. Cirrus Cash Flow hasn’t modified the default settings its org started with and will need to make the following adjustments.
Passwords have to be at least 12 characters long and include alpha, numeric, and special characters.
Users are only allowed three login attempts. After that, they will be locked out of their account for 30 minutes.
A user cannot reset their password more than once in a 24-hour period.
The answer to a user’s security question must be obscured during the password reset process.
In addition to the org-wide password policies, Cumulus Global Bank requires that privileged users have even more complex passwords. After reviewing Cirrus Cash Flow’s users, you’ve determined that those with the System Administrator profile are the only privileged users in the org with elevated levels of access. For these users, you’ve determined that the following changes need to be made.
Passwords for admin users need to be 15 characters minimum.
Passwords for admins also have to be more complex—they must include numbers, uppercase and lowercase letters, and special characters.
Login Requirements and Limits
In addition to password policies, Cumulus Global Bank has login restrictions for employees who have access to the most sensitive information. You’ve explored these restrictions in detail and have determined that they apply to Cirrus Cash Flow’s Inside Sales representatives and Call Center agents. Make the following changes in the existing custom profiles.
Login Location | Login Hours | |
---|---|---|
Inside Sales Representatives | Corporate office or the virtual private network (VPN) when working remotely | No time restrictions |
Call Center Agents | Corporate office | Only 8 AM to 5 PM Monday through Friday |
Use the following IP address or range in your configurations and be sure to set a description for the admin at Cirrus Cash Flow.
Corporate Office: 13.108.0.0
VPN: 10.0.0.0 - 10.255.255.255
These IP addresses will most likely exclude your current IP address.
Connected App Access Control
To survive in a competitive landscape, startups are required to adapt and move quickly. And as part of that “act fast and ask for forgiveness later” mentality, the admin for Cirrus Cash Flow’s Salesforce org hasn’t restricted any connected applications or the users who have access to them. As a seasoned consultant, you’re well aware of the access connected apps can have without restrictions and that it can pose a major security risk. But you don’t judge. Instead, you’ve already contacted Salesforce Support in order to enable the API Access Control feature so you can get a better handle on API users in the org.
First, Cumulus Global Bank has asked that the admin for Cirrus Cash Flow lock down all connected apps. Only grant API access to allowlisted connected apps; the administrator has to approve user access to these apps. Never allow users to self-authorize for any connected app. Note: The Trailhead Connected App has been preinstalled in your org for this superbadge unit. You do not need to make any adjustments to this app to pass the challenge.
The Cirrus Cash Flow org already has the Salesforce Mobile Apps Administration package installed. But to be compliant with Cumulus Global Bank’s mobile security policies, the only employees allowed to access the org via their mobile device are Inside Sales users. Since the company gives all Inside Sales employees the same phone model, they only need access to the Salesforce for iOS connected app.
Trusted IP Network
Wow! You’ve really brought Cirrus Cash Flow up to Cumulus Global Bank’s user authentication standards and industry best practices. Way to go! But now, employees are complaining about all the extra steps and restrictions.
You’re not willing to sacrifice security for convenience, of course. However, you do know of a way to allow employees to bypass device activation when they log in at the corporate office. You run the solution by Cumulus Global Bank’s security experts. You then configure Cirrus Cash Flow’s org to allow users to log in at the corporate IP address (13.108.0.0) without receiving a login challenge for identity verification.