Control Access to the Org

Learning Objectives

After completing this unit, you'll be able to:
  • Create, view, and manage users.
  • Set password policies.
  • Limit the IP addresses from which users can log in.
  • Limit the times at which users can log in.

Control Access to the Organization

When you ensure that only employees who meet certain criteria can log in to Salesforce, you're protecting your data at the broadest level. You do this by managing authorized users, setting password policies, and limiting when and where users can log in.

Manage Users

Every Salesforce user is identified by a username, a password, and a single profile. Together with other settings, the profile determines what tasks users can perform, what data they see, and what they can do with the data.

To view and manage the users in your org, use the Quick Find box in Setup to find Users. The user list shows all the users in your org.

Create a User

You can create users—even multiple users—in just a few clicks. It’s as simple as entering a username, alias, and email, and selecting a role, license, and profile. Many more options are available, of course, but that’s all you need to get started.
Salesforce auto-generates a password and notifies new users immediately. Users can change or add to their own personal information after they log in.
  1. Use the Quick Find box to find Users | Users in Setup.
  2. Click New User.
    Or you can click Add Multiple Users to add up to ten users at a time.
    Diagram of the relationship between the Position and Job Application custom objects in a record detail page
  3. Enter the user’s name, email address, and a unique username in the form of an email address. By default, the username is the same as the email address.
  4. Select the user license this user will have.
    The license determines which profiles are available for each user.
  5. Select a profile, which specifies the user’s minimum permissions and access settings.
  6. Select the option to generate a new password and notify the user, then save.

Deactivate a User

You can't delete a user, but you can deactivate an account so a user can’t log in. Deactivated users lose access to all records. (That includes records that are shared with them individually and records shared with them as team members.) However, you can still transfer this data to other users and view the names on the Users page.
  1. In Setup, use the Quick Find box to go to Users.
  2. Click Edit next to the name of the user you want to deactivate.
  3. Clear the Active checkbox and click Save.
    If you can’t immediately deactivate an account (for example, when the user is selected in a custom hierarchy field), you can freeze their account. That prevents the user from logging in to your organization while you’re working on deactivating them.
    1. On the Users page in Setup, click the username of the user whose account you want to freeze.
    2. Click Freeze.

Set Password Policy

You can configure several settings to ensure that your users’ passwords are strong and secure.
Password policies
Set password and login policies, such as specifying an amount of time before all users’ passwords expire and the level of complexity required for passwords.
User password expiration
Expire the passwords for all the users in your org, except for users with “Password Never Expires” permission.
User password resets
Reset the password for specified users.
Login attempts and lockout periods
If a user is locked out due to too many failed login attempts, you can unlock the person’s access.
  1. Use the Quick Find box to find Password Policies in Setup.
    Diagram of the relationship between the Position and Job Application custom objects in a record detail page
  2. Customize the password settings.
    1. How long should passwords be?
      Longer is usually better, within reason.
    2. How complex do you want your passwords?
      You can require alphabetical, numeric, uppercase, lowercase, or special characters.
    3. How many days is a password valid?
    4. How many times can someone try to log in with invalid credentials before being locked out?
  3. Choose what to do about forgotten passwords and locked accounts.
  4. Click Save.

Restrict Login Access by IP Address

You can control where your users can log in from. For example, maybe some users shouldn’t be able to log in if they’re using an IP address that’s outside your corporate firewall. The IP range you choose is called your “trusted” IP range.
  • If you set your trusted IP range for your whole org, users with addresses outside that range aren't completely excluded. They can log in if they complete a challenge question, typically by entering an activation code sent to their phone or email.
  • If you set your trusted IP range only for a given user profile, all users with that profile who are outside the trusted range are locked out.

By default, Salesforce doesn't restrict locations for login access. If you do nothing, users can log in from any IP address.

  1. Go to your Setup panel.
    • If you're doing this for your whole org, use the Quick Find box to find Network Access.
    • If you're doing this for a profile, find Profiles instead, then click the name of the profile you want to edit.
  2. Click New in the Login IP Range related list.
    Trusted IP range selection
  3. Enter the start and end point of the range of trusted IP addresses, and save.

Restrict Login Access by Time

For each profile, you can specify the hours when users can log in. For example, if you decide your call center employees really only need to look at customer data while they're taking phone calls nine to five, you can make it so they can't log in during evenings and weekends.
  1. In Setup, use the Quick Find box to find Profiles.
  2. Click the profile you want to change.
  3. Under Login Hours, click Edit.
  4. Set the days and hours when users with this profile can log in to the organization.
    • To allow users to log in at any time, click Clear all times.
    • To prohibit users from using the system on a specific day, set the start and end times to the same value.


If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.