News & Resources — Tips & Tricks

Buan’s Tip of the Month: Enabling User Access Without Prior Access Permission

Todd DrexlerThis month we would like to give you a little insight into salesforce.com’s newest feature, allowing easy user access without first having access granted. Learn how to utilize this new feature with one of our Senior Consultants, Todd Drexler.

A year ago salesforce.com released an enhancement to the Grant Login-as screens that changed how long a user could grant access to an administrator or salesforce.com customer support representative. Instead of being able to set an expiration date sometime in the far away future, we began to limit it to no longer than one year of login access.

Nov2012_1

This had a significant impact on administrators and implementation consultants alike who use the login access feature to:

  • troubleshoot user issues
  • train users
  • phase-in new configurations

In the past, administrators and consultants would work around the fact that users had the right to grant and revoke access. In some cases, they would change a user’s email to their own, reset the password, login as the user, and grant login access indefinitely. In other cases, administrators would just instruct their users during on-boarding to set grant login access as far into the future as possible. Finally, some would create videos and tutorials explaining to end-users how to grant login access. In any case, the process of granting access could be an obstruction for administrators who just wanted to help their users as quickly as possible.

Login access is such a critical tool for administrators and consultants that providing the ability and security settings for a user to grant or revoke access was secondary to helping their users out when critical issues would arise. In some situations, it is appropriate for these administrators and consultants to have login access regardless of whether their users granted it or not. In fact, because explaining the steps to grant login access could be such a time-consuming exercise, administrators were resetting email addresses and passwords to do this for their users before any issue came up, which in itself is a security issue.

As a result, salesforce.com developed a feature in the Summer ’12 release that allows an organization to opt-in to the ability for organization administrators to login as any standard user without first having the user grant access. By having this feature enable in your organization, an administrator with Manage Users permission can then enable or disable it as it applies to them through the Login Access Policies page using an organization preference that they control. When enabled, their end-users lose the ability to grant access and administrators can automatically login as them. When disabled, their end-users can once again choose whether to grant or revoke login access to their administrators.

From a segregation of duties perspective, users with Modify All Data or Delegated Administrators can login as other users, but because Manage Users permission is required to enable the organization preference on the Login Access Policies page, these login-as proxy users cannot control whether this policy applies to all users in the organization.

For more information on the user access feature or to be added to our email distribution list, please contact: info@buanconsulting.com


Posted in Tips & Tricks