Restrict Login Access by IP Address in Salesforce

If you run a Salesforce org, you must be concerned about the security of your platform. Salesforce provides features that allow you to easily control login access at the user level. You can specify a range of allowed IP addresses on a user’s profile.

This setting prevents unauthorized users from accessing your Salesforce org. A login from any other IP address is denied when you define IP address restrictions for a profile. Take a look at how you can activate this feature.

Restrict Login Access By IP Address

By default, Salesforce doesn’t restrict the location for login access. However, administrators can restrict login access by IP address for added security. Administrators can specify an IP address range for the entire organization or for specific user profiles, but the behavior is very different for each option.

If the login IP range is set to:

1. Organization Level: Users who log in from outside the trusted IP range are shown an identity verification challenge. Login access is granted once they complete the challenge by entering an activation code sent to their mobile device or email address. With this method, users outside the IP range get full access only after verification. The IP range set here is called the “trusted” IP range.

2. Profile Level: Users outside the permitted IP range are consistently denied access.

How to Restrict IP Address in Salesforce?

To restrict login access to specific IP addresses for a profile in your Salesforce org, follow these steps:

1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.
2. Depending on which user interface you’re using, do one of the following:
   1. In the enhanced profile user interface, click Login IP Ranges and Add IP ranges.
   2. In the original profile user interface, scroll down to the Login IP Ranges related list and click New.
3. Specify allowed IP addresses for the profile. Enter a valid IP address in the IP Start Address field and a higher-numbered IP address in the IP End Address field. Enter the same address in both fields to allow logins from a single IP address.

   Note: The IP addresses in a range must be IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space. Ranges like 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 aren’t allowed.

4. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as which part of your network corresponds to this range.
5. Click Save.

To restrict access to only those IPs in Login IP Ranges in Salesforce, in Setup, in the Quick Find box, enter Session Settings, and then select Session Settings. Select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.
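The range rules in the note above can be checked before ranges are entered in Setup. The following is an added example, not Salesforce code: it models only the rules stated on this page, and the function names and sample ranges are assumptions made for illustration.

```python
import ipaddress

# IPv4-mapped IPv6 space from the note: ::ffff:0:0 to ::ffff:ffff:ffff
MAPPED_LO = int(ipaddress.IPv6Address("::ffff:0:0"))
MAPPED_HI = int(ipaddress.IPv6Address("::ffff:ffff:ffff"))

# Constructed sample ranges (documentation address blocks, not real networks)
SAMPLE_RANGES = [("203.0.113.0", "203.0.113.255"), ("2001:db8::", "2001:db8::ffff")]


def to_int(addr):
    """128-bit integer for the address; IPv4 is placed in the mapped space."""
    ip = ipaddress.ip_address(addr.strip())
    return MAPPED_LO + int(ip) if ip.version == 4 else int(ip)


def check_range(start, end):
    """Return the problems found in a start/end pair; an empty list means valid."""
    try:
        lo, hi = to_int(start), to_int(end)
    except ValueError as exc:
        return [f"not a valid IPv4 or IPv6 address: {exc}"]
    problems = []
    if lo > hi:
        problems.append("start address is higher than end address")
        lo, hi = hi, lo  # keep checking the span that was probably meant
    inside = MAPPED_LO <= lo and hi <= MAPPED_HI
    disjoint = hi < MAPPED_LO or lo > MAPPED_HI
    if not (inside or disjoint):
        problems.append("range mixes addresses inside and outside the IPv4-mapped space")
    return problems


def login_allowed(source_ip, ranges):
    """Profile-level rule from the page: with ranges defined, any other IP is denied."""
    if not ranges:
        return True  # no Login IP Ranges on the profile means no IP restriction
    ip = to_int(source_ip)
    return any(to_int(s) <= ip <= to_int(e) for s, e in ranges)


if __name__ == "__main__":
    for pair in SAMPLE_RANGES + [("255.255.255.255", "::1:0:0:0"), ("::", "::1:0:0:0")]:
        print(pair, check_range(*pair) or "ok")
    for ip in ("203.0.113.10", "::ffff:203.0.113.10", "198.51.100.4"):
        print(ip, "allowed" if login_allowed(ip, SAMPLE_RANGES) else "denied")
```

The second disallowed example, :: to ::1:0:0:0, has both endpoints outside the mapped space but spans all of it, which is why the check compares the whole range against the mapped space rather than only its endpoints.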

This covers the IP address restriction features in a Salesforce org and how to implement them.

Frequently Asked Questions

What is the login IP range in Salesforce?

The login IP range in Salesforce is a set of IP addresses from which a user can log in to the Salesforce org. Admins define these ranges at the profile level to restrict logins to specific networks or locations, and any login from an IP address outside the range is denied.

What is the difference between login IP ranges and trusted IP ranges?

Login IP ranges are set at the profile level and deny any login from outside the specified range. Trusted IP ranges are set at the organization level in Setup → Network Access. If someone logs in from outside the trusted range, they are not denied, but they have to verify their identity through their email or mobile device for full access.

What happens if the user's IP is not allowed?

The user will be denied access to the profile, and an error message will be displayed. If the restriction is at the organizational level, they might need to verify themselves to log in.

How to enforce IP restrictions in Salesforce?

To set up the IP restrictions in Salesforce, navigate to Setup → Profiles → Select relevant profile → Login IP ranges → Add IP ranges and specify the allowed IP range. In Session Settings in Setup, enable “Enforce login IP ranges on every request” to apply the restriction throughout the session.