Managing users in Salesforce CRM

All users in your organization with access to Salesforce CRM require a username, an e-mail address, a password, and a profile along with an active user license.

Depending on the features your organization has purchased, you may have user options such as Marketing, Service Cloud, and Mobile, which give particular users the ability to access other features that are only available with a specific user license. A user can be assigned to one or more of these options.

You can also create and manage other types of users outside your organization by applying the appropriate licenses that provide limited access to your Salesforce organization.

In association with the user license, you can govern all users' access to data using the options available in either the profile settings or the sharing features.

Profile settings control access to applications and objects while sharing features control access to specific records.

To navigate to the user detail page, go to Your Name | Setup | Administration Setup | Manage Users | Users.

The user detail page shows a list of all the users in your organization as well as any portal users:

To show a filtered list of users, select a predefined list from the View drop-down list or click on Create New View to define your own custom view.

For example, you can create a view with search criteria of Last Login, less than, LAST 28 DAYS to show all users that have not logged in for 28 days as shown in the following screenshot:

As the system administrator for Salesforce CRM, you can perform various user management actions such as creating new users, resetting passwords, and even delegating user administration tasks to other users within your organization. The following list of user actions will be covered:

  • Creating new users
  • Viewing and editing user information
  • Password management
  • Logging in as another user
  • Creating custom user fields

Creating new users

The steps for creating a new user are as follows:

  1. Click on New User.
  2. Enter fields in the General Information and Locale Settings sections.
  3. Check the box Generate new password and notify user immediately.
  4. Save the new user details.

To create a new user for your organization, navigate to the user detail page. This page displays the list of all the users in your organization. To navigate to the New User page, go to Your Name | Setup | Administration Setup | Manage Users | Users. Now click on the New User button.

Looking at the top section of the page, you will see the General Information section:

Enter the user's first name, last name, and e-mail address.

Note

The length of users' passwords cannot exceed 16,000 bytes.

The e-mail address automatically becomes the username, but you can change it if you require prior to saving.

Tip

Restricting the domain names of users' e-mail addresses

You can restrict the domain names of users' e-mail addresses to a list of values such as xxx@WidgetsXYZ.com, yyy@CompanyXYZ.com, and so on. After this, attempts to set a user's e-mail address to an unlisted domain (such as xxx@MyNonCompanyWebMail.com) will result in an error.

This feature can only be enabled by request to Salesforce customer support.

Then select a user license, noting that some further options become unavailable depending on the license type you choose. For example, the Marketing User and Allow Forecasting options are not available for Force.com user licenses because the Forecasts and Campaigns tabs are not available to users with that license. Now select a profile from the available list, which depends on the user license you have chosen.

Note

Consider the username carefully before you save it. After the username is saved, it becomes a unique setting throughout the Salesforce.com universe, so you will not be able to use that same username in any other Salesforce CRM application.

You can enable additional features by selecting one or more of the following checkboxes:

  • Marketing User
  • Offline User
  • Knowledge User
  • Force.com Flow User
  • Service Cloud User
  • Site.com Publisher User
  • Mobile User (this checkbox displays if you have purchased Salesforce Mobile feature licenses)
  • Salesforce CRM Content User

You will not be able to select these features if they are not supported by your user license type. Also, you will be unable to save the new user record if you do not have any remaining licenses available for these features.

At the bottom of the page, there are further sections, which include the Locale Settings section:

Complete the required information and then check the Generate new password and notify user immediately checkbox and save the details by clicking on the Save button. Upon saving, the user's login name and a temporary password are e-mailed via Salesforce.com to the new user.

Tip

Junk e-mail folder

If you have generated the new password to be sent, but the new user cannot see the e-mail notification from Salesforce.com in his/her inbox, you may need to have the user check his/her junk e-mail folder.

The following table lists the key standard user fields with the required fields shown in bold:

The Send Apex Warning Emails field is used to send an e-mail to the user when an application that invokes an Apex script experiences issues. This feature can be used during Apex script development to test the amount of resources being used at runtime.

Grant Checkout Access provides a user with access to Checkout. Using Checkout, the user can purchase Salesforce.com licenses, AppExchange application licenses, and other related products. Additionally, within Checkout, the user can view the organization's quotes, installed products, orders, invoices, payments, and contracts.

After saving the User Edit page, you are presented with the details page for the user where you can view the information that was entered:

In the View User Detail page, the following read-only fields and related lists can be seen:

  • Used Data Space
  • Last Login
  • Last Password Change or Reset
  • Checkout Enabled

Tip

Do not overwrite active or inactive user records with new user data

Salesforce recommends not overwriting inactive user records with new user data. Doing so prevents you from tracking the history of past users and the records associated with them.

There are also situations where you may feel it appropriate to recycle an active user record, but it is better to deactivate users when they are no longer using Salesforce and create a new record for each new user.

A typical real-world example of recycling a user record, and one to avoid, is sometimes encountered when a sales team is organized into sales territories.

The sales team user records in Salesforce are stamped with a territory indicator and any account records that are located in their particular territory are assigned to the user record (set as the record owner). In this way, the user record simply acts as a container for the territory.

Managing user records in this way results in both audit and maintenance issues. For example, if Tina Fox changes sales territory, her personal information (username, password, e-mail, address, phone number, and so on) all has to be transferred to a new user record, requiring Tina to reactivate a new password and re-enter both her personal details and all her personal preferences in the Salesforce application.

The issue worsens if the user record (or territory) that Tina is being reassigned to is held by, say, Timothy Little, as he would also need to reset his personal details.

This approach leads to a technically complex method of territory reassignment and a very disappointing user experience for your sales team. Fortunately, Salesforce provides features such as criteria-based sharing rules, sales teams, and territory management to better manage the organization of sales territories.

Adding multiple users

If you have several users to add, you can add more than one at a time. To add multiple users, navigate to Your Name | Setup | Administration Setup | Manage Users | Users. Now click on the Add Multiple Users button.

As you can see, this can be a quick method for creating users since not all required fields have to be entered in this page:

If, however, after the initial saving of multiple user records, you attempt to edit a user record via the user edit screen, you will be prompted to fill in all mandatory fields.

Delegation of user management

If you have an organization with a large number of users or a complex role hierarchy, you can delegate aspects of user administration to users who are not assigned with the system administrator profile.

This allows you to focus on tasks other than managing users for every department or structure that your company has within Salesforce. This provides further benefits for global organizations that encounter time zone and cultural differences as it allows a user based in that region with local knowledge to create the users, which saves time and results in a better user experience.

For example, you may want to allow the manager of the Asia Pacific Operations team to create and edit users in the Asia Pacific Operations Team Leader role and all subordinate roles.

There are currently two options for providing this delegated user management access:

  • Create a profile with the Manage Users permission
  • Use delegated administration

Creating a profile with the Manage Users permission

This option is not recommended and should be very carefully considered as it allows a much greater range of system administration functions to be carried out by the user.

In addition to creating and managing users, the Manage Users permission also allows the user to perform the following:

  • Expire all passwords
  • Clone, edit, or delete profiles
  • Edit or delete sharing settings
  • Edit user login hours

As you can see, providing users with the Manage Users permission switches on many other permissions, which introduces security risks.

Using delegated administration

Delegated administration is a more secure method for providing delegated user management access as it allows you to assign limited administrative privileges to the selected non-administrator users in your organization.

Delegated administrators can perform the following tasks:

  • Creating and editing users, and resetting passwords for users in specified roles and all subordinate roles
  • Assigning users to specified profiles
  • Logging in as a user who has granted login access to his/her administrator

To create delegated groups, navigate to Your Name | Setup | Administration Setup | Security Controls | Delegated Administration. Now click on the New button or select the name of an existing delegated administration group:

Here we look at the existing group that has been named User Management:

The Delegated Administrators section allows you to select and add the users that are to be given the delegated administration permission.

The User Administration section allows you to select and add roles which the delegated administrators can assign to the users they create and edit. They can assign users to the stated roles and all subordinate roles.

The Assignable Profiles section allows you to select and add profiles which the delegated administrators can assign to the users they create and edit.

To enforce security, profiles with the Modify All Data permission (such as the System Administrator profile) cannot be assigned by a delegated administrator. See the following example message shown when attempting to allow the delegated administrator to assign the System Administrator profile:

Note

If a user is a member of more than one delegated administration group, be aware that he/she can assign any of the assignable profiles to any of the users in roles he/she can manage.
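The note above means that group memberships combine: a delegated administrator's manageable roles (including all subordinate roles) and assignable profiles are each pooled across groups, so role and profile pairings become possible that no single group was designed to allow. The following is an added example, not part of the original chapter and not Salesforce code; it models the stated rules in Python, and the role names, profile names, group names, and user names are all constructed for illustration.

```python
from itertools import product

# Constructed role hierarchy: role -> direct subordinate roles.
ROLE_TREE = {
    "APAC Operations Team Leader": ["APAC Operations Agent"],
    "EMEA Sales Manager": ["EMEA Sales Rep"],
}

# Constructed profiles: name -> carries the Modify All Data permission?
PROFILES = {
    "System Administrator": True,
    "Operations User": False,
    "Sales User": False,
}

# Constructed delegated administration groups.
GROUPS = {
    "APAC User Management": {
        "admins": {"delegate.a"},
        "roles": {"APAC Operations Team Leader"},
        "profiles": {"Operations User"},
    },
    "EMEA User Management": {
        "admins": {"delegate.a", "delegate.b"},
        "roles": {"EMEA Sales Manager"},
        "profiles": {"Sales User"},
    },
}


def with_subordinates(role, tree=ROLE_TREE):
    """Return the role plus every role beneath it in the hierarchy."""
    found, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in found:
            found.add(current)
            stack.extend(tree.get(current, []))
    return found


def blocked_profiles(group, profiles=PROFILES):
    """Assignable profiles that must be refused (Modify All Data)."""
    return sorted(p for p in group["profiles"] if profiles[p])


def group_pairs(group):
    """(role, profile) pairs that one group on its own is meant to allow."""
    roles = set()
    for role in group["roles"]:
        roles |= with_subordinates(role)
    return set(product(roles, group["profiles"]))


def effective_pairs(user, groups=GROUPS):
    """Pairs the user can really create: all roles x all profiles."""
    roles, profiles = set(), set()
    for group in groups.values():
        if user in group["admins"]:
            for role in group["roles"]:
                roles |= with_subordinates(role)
            profiles |= group["profiles"]
    return set(product(roles, profiles))


def unintended_pairs(user, groups=GROUPS):
    """Pairs that exist only because memberships are combined."""
    intended = set()
    for group in groups.values():
        if user in group["admins"]:
            intended |= group_pairs(group)
    return sorted(effective_pairs(user, groups) - intended)


if __name__ == "__main__":
    for role, profile in unintended_pairs("delegate.a"):
        print(f"delegate.a can give profile {profile!r} to users in {role!r}")
```

Running a check like this against an export of your own delegated administration groups shows which administrators should be split across fewer groups before a new group is saved.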

Select the Enable Group for Login Access option, if you want to allow delegated administrators in this group to log in as users who have granted login access to their administrators and are in the roles selected for the delegated administrator group:

To look at how users can grant login access to their administrators, refer to the section Logging in as another user towards the end of this chapter.

Tip

Agreement in using active user licenses by delegated user administrators

If you have established delegated user management in your organization, you will need to have some agreement between yourself and the delegated user administrators about how many of the available licenses can be used for each area of the organization. You cannot automatically limit the number of active users that can be created by users with these permissions.

Viewing and editing user information

To view or edit user information, navigate to Your Name | Setup | Administration Setup | Manage Users | Users. Now, click on Edit next to a user's name. Change the necessary information and click on Save.

Users can also change or add to their own personal information after they log in.

If you change a user's e-mail address and do not select the Generate new password and notify user immediately option, a confirmation message will be sent to the new e-mail address that you entered to verify the change of e-mail. The user must click on the link provided in that message for the new e-mail address to take effect.

If you change a user's e-mail and reset the password for a user at the same time, the new password is automatically sent to the user's new e-mail address, and e-mail verification is not required.

Click on Unlock to unlock a user that is locked out of Salesforce.

Note

The Unlock button is only available when a user is locked out.

Searching for users

You can use the search features (described in the previous chapter) to search for any user in your organization, regardless of the user's status. However, when using a lookup dialog from fields within records, the search results return active users only.

Deactivating users

You cannot remove users from the system, but you can deactivate their records so that they can no longer access the application. To deactivate users, navigate to Your Name | Setup | Administration Setup | Manage Users | Users. Now, click on Edit next to a user's name, disable the Active checkbox, and then click on Save.

If the user is a member of account, sales, or case teams, you are prompted to remove the user from those teams:

When deactivating users, there are some considerations that ought to be made, such as:

  • Deactivating users with Run as specified user dependencies set on dashboards causes those dashboards to stop displaying. Each dashboard has a running user, whose security settings determine which data to display in a dashboard. You need to reassign Run as specified user to an active user with the appropriate permissions.
  • As mentioned in Chapter 1, Getting Started with the Salesforce CRM Application: Organization Administration, in the License information section, Salesforce bills an organization based on the total number of licenses and not on active users.
  • If Chatter is enabled and a user who has been included in either the Following or Followers list is deactivated, the user is removed from the list. However, he/she is restored to the lists if he/she is reactivated.

Password management

You have the following options for resetting passwords for users in Salesforce CRM:

  • Resetting passwords
  • Expiring passwords

Resetting passwords

If users have forgotten their password, they can click on the Forgot your password? link on the Salesforce CRM login page to have a new password link e-mailed to them:

The user will need to answer a previously set security question such as Where were you born? before their password is reset and they can log in to Salesforce.

To reset a user's password, navigate to Your Name | Setup | Administration Setup | Manage Users | Users. Now select the checkbox next to the user's name.

Optionally, to change the passwords for all currently displayed users, check the box in the column header to select all rows.

Click on Reset Password to have a new password e-mailed to the user(s).

Note

After you reset users' passwords, some users may need to re-activate their computers to successfully log in to Salesforce (see the previous chapter).

Expiring passwords

You can expire passwords for all users at any time to enforce extra security for your organization. After you expire passwords, users may need to activate their computers to successfully log in to Salesforce (see the previous chapter).

Note

This includes system administrators if they don't have Password Never Expires on their profile (or permission set). However, the standard System Administrator profile has the Password Never Expires setting activated by default.

To expire passwords for all users, except those with the Password Never Expires permission, navigate to Your Name | Setup | Administration Setup | Security Controls | Expire All Passwords. Now, select the Expire all user passwords checkbox and then click on Save.

The next time each user logs in, he/she will be prompted to reset their password.

Note

After you expire passwords, some users may need to reactivate their computers to successfully log in to Salesforce (see the previous chapter).

Password policies

There are several password and login policy features that help you to improve your organization's security. To set these password policies, navigate to Your Name | Setup | Administration Setup | Security Controls | Password Policies. Select the required settings and then click on Save:

Let's look at each of the policies.

User passwords expire in

This sets the length of time until all user passwords expire and must be changed. Users with the Password Never Expires permission are not affected by this setting.

Note

The options are 30 days, 60 days, 90 days, 180 days, One Year, and Never Expires.

Enforce password history

This setting is used to remember users' previous passwords so that they must always enter a previously unused password. Password history is not saved until you set this value. You cannot select the No passwords remembered option unless you select the Never expires option for the User passwords expire in field.

Note

The options are either No passwords remembered or a number between one and fifteen passwords remembered.

Minimum password length

This sets the minimum number of characters required for a password. When you set this value, existing users are not affected until the next time they change their passwords.

Note

The options are five characters, eight characters, or ten characters.

Password complexity requirement

This sets a restriction on which types of characters must be used in a user's password. The options are No Restriction and Must mix alpha and numeric, which requires at least one alphabetic character and one number.

Note

The Must mix alpha and numeric option is the default option.

Password question requirement

This setting requires that a user's answer to the password hint question does not contain the password itself. The option is either set or not set.

Note

The policy that a user's answer to the password hint question does not contain the password itself is the default setting.

Maximum invalid login attempts

This sets the number of incorrect login attempts allowed by a user before they become locked out. The options are No limit, 3, 5, and 10.

Note

The default number of invalid login attempts is 10.

Lockout effective period

This sets the duration of the login lockout. The options are 15 minutes, 30 minutes, 60 minutes, and Forever (must be reset by admin).

Note

The default lockout effective period is 15 minutes.

If a user becomes locked out, he/she can either wait until the lockout effective period expires or you can view the user's information and click on Unlock. The Unlock button is only displayed when a user is locked out.
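The policies above interact: the password history option depends on the expiry option, and the invalid-attempt limit together with the lockout period caps how many wrong passwords can be tried against one account in a day. The following is an added example, not part of the original chapter and not a Salesforce API; it checks a proposed policy against the options listed above and computes that cap. The dictionary keys and sample values are constructed, One Year is modelled as 365 days, and the cap assumes lockout is the only throttle on failed logins.

```python
import math

# Options as listed in the text. None = "Never expires",
# 0 = "No passwords remembered", math.inf = "No limit" / "Forever".
ALLOWED = {
    "expire_days": {30, 60, 90, 180, 365, None},  # 365 = One Year (assumption)
    "history": set(range(0, 16)),
    "min_length": {5, 8, 10},
    "complexity": {"none", "alpha_numeric"},
    "max_attempts": {3, 5, 10, math.inf},
    "lockout_minutes": {15, 30, 60, math.inf},
}

# Constructed sample policy. Complexity, question requirement, attempts and
# lockout use the defaults stated in the text; the other values are made up.
PAGE_DEFAULTS = {
    "expire_days": 90,
    "history": 3,
    "min_length": 8,
    "complexity": "alpha_numeric",
    "question_excludes_password": True,
    "max_attempts": 10,
    "lockout_minutes": 15,
}


def validate(policy):
    """Return problems: values that are not offered, or a broken rule."""
    problems = [
        f"{key}: {policy[key]!r} is not an offered option"
        for key in ALLOWED
        if policy[key] not in ALLOWED[key]
    ]
    # 'No passwords remembered' is only selectable with 'Never expires'.
    if policy["history"] == 0 and policy["expire_days"] is not None:
        problems.append("history: No passwords remembered requires Never expires")
    return problems


def max_guesses_per_day(policy):
    """Upper bound on failed logins against one account in 24 hours."""
    attempts = policy["max_attempts"]
    lockout = policy["lockout_minutes"]
    if attempts == math.inf:
        return math.inf      # the policy never locks the account
    if lockout == math.inf:
        return attempts      # locked until an administrator clicks Unlock
    return attempts * (24 * 60 // lockout)


def review(policy):
    """Validation problems plus settings weaker than the listed alternative."""
    notes = validate(policy)
    if policy["complexity"] == "none":
        notes.append("complexity: No Restriction drops the alpha/numeric mix")
    if policy["max_attempts"] == math.inf:
        notes.append("max_attempts: No limit means lockout never triggers")
    if not policy["question_excludes_password"]:
        notes.append("question: hint answer may contain the password itself")
    return notes


if __name__ == "__main__":
    stricter = dict(PAGE_DEFAULTS, max_attempts=3, lockout_minutes=60)
    for name, policy in (("defaults", PAGE_DEFAULTS), ("stricter", stricter)):
        print(name, max_guesses_per_day(policy), review(policy))
```

With the default limit of 10 attempts and a 15 minute lockout the cap is 960 wrong passwords per account per day; 3 attempts with a 60 minute lockout reduces it to 72.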

Forgot Password or Locked Account Assistance

The following sections discuss the available options.

Message

When you set this message, the text appears in the lockout e-mail that users receive whenever they need you to reset their password. Your users will also see the message text in the confirm identity screen and e-mail that they receive whenever their password is reset. This is useful for adding your contact details and a personal message.

Help link

Setting this link makes the text above this option appear as a web URL that, when clicked, takes your users to a separate page, such as a custom help page that you have made available.

API Only User settings

API Only Users will be redirected to this URL after they have confirmed a user management change (such as resetting a password).

Logging in as another user

To assist other users, you can log in to Salesforce as another user. If a user has granted login access to their administrator, you will see a Login button on their user record.

System administrators can also log in as any user in their organization without asking users to grant login access.

Note

This feature is only available by request: Salesforce.com support must enable it for your organization.

If you have had this feature activated by Salesforce, you can enable login access by navigating to Your Name | Setup | Administration Setup | Security Controls | Login Access Policies. On the Login Access Policies page, enable Administrators Can Log in as Any User. Finally, click on Save.

To log in as another user, navigate to Your Name | Setup | Administration Setup | Manage Users | Users. Now click on the Login link next to the user who has granted you access:

You can also log in as another user from the User Detail page using the Login button as shown in the following screenshot:

The Login link or button only appears for users who have granted login access to an administrator. After you have logged in as another user, you will notice a message at the top-right corner of all Salesforce pages that reads You are currently logged in as.

To return to your administrator account, click on the logged in user's name (the user who has granted you access, Trevor Howard in this example). Then click on the Logout option:

Note

Regardless of the login access policy, whenever an administrator logs in as another user, the login and logout events are recorded in the setup audit trail.

How-to guide to help users grant login access to you

There are many occasions when it is useful for you to log in as one of the users in your organization. This could be, say, to check data access from their role or profile or to check reports or dashboards and so on.

Rather than instructing individuals one-by-one, you can save time for both yourself and the users in your organization by preparing a how-to guide to help users grant login access to you. Produce a how-to guide that lists the steps that they need to take to make the required setting; the following is an example:

When the Administrators Can Log in as Any User feature is enabled, users will no longer have the option to grant login access to administrators, but they can still grant login access to Salesforce.com support.

Where additional apps have been installed, the list of entities that users can select to grant access may increase. For example, if your organization has installed the Non Profit Starter Pack app published by the Salesforce.com Foundation (see http://www.salesforcefoundation.org/nonprofitstarterpack), you will see the option to grant access to this organization's support team as shown in the following screenshot:

Creating custom user fields

You can create custom fields for users and set custom links that appear on the user detail page. To navigate to the user fields page, go to Your Name | Setup | App Setup | Customize | Users | Fields and then scroll down to the User Custom Fields section:

The User object can be considered as a special object in Salesforce as there are restrictions on what can be configured. For example, there can be only one record type and page layout for the User object.