Salesforce Organization
Salesforce, Summer ’23
@salesforcedocs
Last updated: August 17, 2023
© Copyright 2000–2023 Salesforce, Inc. All rights reserved. Salesforce is a registered trademark of Salesforce, Inc., as are other
names and marks. Other marks appearing herein may be trademarks of their respective owners.
SET UP AND MAINTAIN YOUR SALESFORCE ORGANIZATION
Set Up and Maintain Your Salesforce Organization Try Out Salesforce
My Domain
Showcase your company’s brand with a customer-specific subdomain name in your Salesforce org URLs. With My Domain, you can
include your company name in your URLs, for example, https://mycompany.my.salesforce.com. With these org-specific
URLs, you can set up a custom login page, set a custom login policy, offer single sign-on, and allow users to log in with a social
account. My Domain also allows you to work in multiple Salesforce orgs in the same browser at the same time.
Protect Your Salesforce Organization
Salesforce is built from the ground up to protect your data and applications. You can also implement your own security scheme to
reflect the structure and needs of your organization. Protecting your data is a joint responsibility between you and Salesforce. The
Salesforce security features enable you to empower your users to do their jobs safely and efficiently.
Technical Requirements and Performance Best Practices
Review the recommended technical requirements and performance best practices to optimize your Salesforce implementation.
Monitor Your Organization
Salesforce provides a variety of ways to keep tabs on activity in your Salesforce organization so you can make sure you're moving in
the right direction.
Learn More About Setting Up Salesforce
In addition to online help, Salesforce creates guides and tip sheets to help you learn about our features and successfully administer
Salesforce.
Note: Features in your trial org depend on the edition that you purchase.
Available in: Professional and Enterprise Editions
design and build your Salesforce organization to meet those needs, and test the organization before you roll it out to your teams.
Consulting partners have one goal in mind: Your success with Salesforce.
Rolling out an effective Salesforce organization takes time and thoughtful planning. Working with a partner can help your company
harness the power of Salesforce in a way that can be difficult and time-consuming without expert guidance.
Not sure if your company needs expert guidance? Consider how you would respond to the following questions about your company’s
sales goals.
• Does your company have the internal resources with the time, expertise, and experience to develop the appropriate Salesforce
features to solve your business needs?
• Is your company expanding into new business, countries, or industries?
• Do you need a decisive, objective perspective when making business decisions?
• Do you want to see results in weeks, not years?
Still on the fence? Check out this comparison between rolling out Salesforce yourself and rolling out Salesforce with a partner.
| Compare | Rolling out Salesforce Yourself | Rolling out Salesforce with a Partner |
| --- | --- | --- |
| Qualifications | Sometimes companies have Salesforce-certified employees who can assist with setup. | Consultants are Salesforce-certified. |
| Experience | Usually employees have little or no Salesforce experience. | Consultants have set up many Salesforce organizations and are knowledgeable about best practices. |
| Availability of resources for setup | Usually setup competes with your employees’ other projects and priorities. | Consultants commit to and deliver on a scope of work for your Salesforce rollout. |
| External support | Salesforce offers basic support for all Salesforce organizations. Support includes access to self-help (online help articles) and Customer Support agents (guaranteed to respond within 2 days). | Consultants are experienced and well-connected, and can offer personalized support to companies during setup and rollout. |
| Time commitment | Usually rolling out Salesforce yourself is a significant time commitment unless experienced resources are available. | Usually rolling out Salesforce with a partner is faster, because experienced resources are fully engaged in your project. |
| Salesforce adoption by your sales teams | When Salesforce isn’t rolled out properly, companies run the risk that their sales teams don’t recognize the products’ value, and don’t adopt the product wholeheartedly. | When consultants roll out Salesforce, there is a greater chance that sales teams adopt the product from the start because its value is obvious. |
| Training resources | Companies are required to customize and roll out their own training plans for employees without mentorship from expert resources. | Salesforce partners can offer experienced mentorship and pre-designed training materials. |
To learn more about consulting partners and how to connect with one, check out our website, Successfully Implement with Salesforce
Partners.
SEE ALSO:
Successfully Implement with Salesforce Partners
| Field | Description |
| --- | --- |
| Admin Newsletter | Allow administrators in your organization to choose whether they want to receive administrator-targeted promotional emails from Salesforce. |
| API Requests, Last 24 Hours | The total number of API requests issued by the organization in the last 24 hours. The maximum number of requests depends on your Edition. |
| Created By | User who signed up the organization, including creation date and time. (Read only) |
| Default Language | The default language that is selected for new users in the organization. This setting determines the language used for the user interface text and help. In all editions except Personal Edition and Database.com, individual users can separately set the language for their own login, which overrides the organization setting. In Group Edition, this field is called Display Language. This setting also determines the language in which all customizations—such as custom fields, tabs, and user interface options—are stored. For customizations, individual users' language settings don’t override this setting. If you edit or clone existing filter criteria, check that this setting matches the default language that was configured when the filter criteria was originally set. Otherwise, the filter criteria can be evaluated differently than expected. |
| Default Locale | The default country or geographic region that is selected for new users in the organization. This setting determines the format of dates, times, and names in Salesforce. In Contact Manager, Group, Professional, Enterprise, Unlimited, Performance, and Developer Edition organizations, individual users can set their personal locale, which overrides the organization setting. In Group Edition, this field is called Locale. |
| Default Time Zone | Primary time zone in which the organization is located. A user's individual Time Zone setting overrides the organization's Default Time Zone setting. Note: Organizations in Arizona typically select “Mountain Standard Time,” and organizations in parts of Indiana that don’t follow Daylight Savings Time usually select “Eastern Standard Time.” |
| Division | Group or division that uses the service, for example, PC Sales Group. Up to 40 characters are allowed in this field. |
| Fiscal Year Starts In | If using a standard fiscal year, the starting month and year for the organization’s fiscal year. If using a custom fiscal year, the value is “Custom Fiscal Year.” |
| Hide Notices About System Downtime | Select this checkbox to prevent advance notices about planned system downtime from displaying to users when they log in to Salesforce. |
| Hide Notices About System Maintenance | Select this checkbox to prevent advance notices about planned system maintenance from displaying to users when they log in to Salesforce. |
| Restricted Logins, Current Month | Number of restricted login users who have logged in during the current month. This value resets to zero at the beginning of each month. The maximum number of restricted login users for the organization is in parentheses. |
| Salesforce Licenses | Number of Salesforce user accounts that can be defined for access to the service. This number represents the Salesforce user licenses for which the organization is billed, if charges apply. |
| Salesforce Organization ID | Code that uniquely identifies your organization to Salesforce. |
| Streaming API Events, Last 24 Hours | The total number of Streaming API events used by the organization in the last 24 hours. The maximum number of events depends on your edition. |
| Used Data Space | Amount of data storage in use. The value is expressed as a measurement (for example, 500 MB) and as a percentage of the total amount of data storage available (for example, 10%). |
| Used File Space | Amount of file storage in use. The value is expressed as a measurement (for example, 500 MB) and as a percentage of the total amount of file storage available (for example, 10%). |
SEE ALSO:
Set Up Your Company in Salesforce
Allow the Required Domains
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All Editions.
Important: If you disabled third-party cookies (typically enabled by default in all major browsers), you must accept them for Salesforce to function properly.
If your users have general access to the Internet, no action is required.
If you control your users’ or servers’ access to the Internet through allowlists, add these domains to ensure that you receive all Salesforce content.
| Domain | Use |
| --- | --- |
| *.bluetail.salesforce.com | News, account logos, and automated account fields. |
| *.force.com | Visualforce pages, Lightning pages, and content (files) stored in Salesforce. If enhanced domains aren’t enabled, this domain is also used for Experience Cloud sites and Salesforce Sites. |
| *.force-user-content.com | User content stored in Salesforce. |
| *.salesforce.com | Salesforce login authentication, plus setup for Sales, Service, and Experience Cloud. Also used for multiple Salesforce content sites, including Salesforce Help, Salesforce Developers, Salesforce Admins, Trailblazer Communities, and Trailhead. |
| *.salesforce-communities.com | Experience Builder for Experience Cloud sites in orgs without enhanced domains. |
| trailblazer.me | Sign-up, login, and profile and settings management with multiple Salesforce-related sites, including AppExchange, IdeaExchange, Salesforce Help, Trailhead, and Trailblazer Communities. |
• test.salesforce.com
• <yourInstance>.salesforce.com
• A My Domain URL without a customized login page (for example, norns.my.salesforce.com)
Allow Network Access for News, Account Logos, and Automated Account Fields
If your company has policies to restrict certain IP addresses or Salesforce domains, you need to allowlist the following domain and IP addresses before you can use the News, Account Logos, and Automated Account Fields features.
The News, Automated Account Fields, and Account Logos features are scheduled for retirement in Winter ’24 on October 13, 2023.
EDITIONS
News, Account Logos, and Automated Account Fields are available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited Editions
1. Allowlist the domain *.bluetail.salesforce.com.
2. Allowlist the following IP addresses.
Customize the User Interface
| Setting | Description |
| --- | --- |
| Enable Hover Details | Hover detail displays an interactive overlay containing record details. Details appear when users hover over a link to that record in the Recent Items list on the sidebar, or in a lookup field on a record detail page. Users can quickly view information about a record before clicking to view or edit the record. The record's mini page layout determines which fields are included in the hover details. Users can’t customize which fields appear. This option is enabled by default. To view hover details for a record, users need the appropriate sharing access, and field-level security access for the fields in the mini page layout. |
| Enable Related List Hover Links | Related list hover links display at the top of record detail pages and custom object detail pages in Setup. Users can hover over a related list link to display the list and its number of records in an interactive overlay. Users quickly view and manage the related list items from the overlay. Users can also click a related list hover link to jump to the related list without having to scroll down the page. This option is enabled by default. |
| Enable Separate Loading of Related Lists | When enabled, users see primary record details immediately. As the related list data loads, users see a progress indicator. Separate loading can improve performance on record detail pages for orgs with large numbers of related lists. This option applies only to Salesforce Classic and is disabled by default. The options for separately loading related lists don’t apply to Visualforce pages, the Self-Service portal, or other pages for which you can’t control the layout. |
| Enable Separate Loading of Related Lists of External Objects | When enabled, related lists of external objects are loaded separately from primary record details and related lists of standard and custom objects. External objects behave similarly to custom objects, except that they map to data that’s stored outside your Salesforce org. It can take a while to retrieve data from an external system, depending on the network latency and availability of the external system. This option applies only to Salesforce Classic and is enabled by default. The options for separately loading related lists don’t apply to Visualforce pages, the Self-Service portal, or other pages for which you can’t control the layout. |
| Enable Inline Editing | Inline editing lets users quickly edit field values, right on a record’s detail page. This option is enabled by default and applies to all users in your org. To enable enhanced lists for profiles in particular, select Enhanced Profile List Views in User Management Settings. |
| Enable Enhanced Lists | Enhanced lists give you the ability to quickly view, customize, and edit list data to speed up your daily productivity. When enabled with the Enable Inline Editing setting, users can also edit records directly from the list, without navigating away from the page. This option is enabled by default. To enable enhanced lists for profiles in particular, enable Enhanced Profile List Views, available in User Management Settings. |
| Enable the Salesforce Classic 2010 User Interface Theme | This option isn’t related to Lightning Experience. In this case, “Salesforce Classic” refers to the newer version of Salesforce Classic, which is the interface that immediately precedes Lightning Experience. Enabling this option turns on the updated Salesforce Classic look and feel. Disabling it turns on the Salesforce Classic 2005 user interface theme—the classic, classic Salesforce interface. Warning: Some features, like Chatter, require the Salesforce Classic 2010 user interface theme. Disabling this theme automatically disables Chatter in both Salesforce Classic and Lightning Experience. Only users with supported browsers see the Salesforce Classic. Salesforce Classic isn’t supported in portals or on the Console tab. |
| Disable Navigation Bar Personalization in Lightning Experience | When selected, users can’t add or reorder the items included in the navigation bar for any app. However, Salesforce recommends disabling navigation personalization per app instead. From Setup in Lightning Experience, go to the App Manager. For the desired app, select App Options. Select Disable end user personalization of nav items in this app. This option applies only to Lightning Experience. |
| Clear Workspace Tabs for Each New Console Session | When selected, previously open workspace tabs aren't loaded in new console sessions. From Setup in Lightning Experience, go to the App Manager, select the console app that you want, and then select App Options. Select Clear workspace tabs for each new console session. This option applies only to Lightning Experience and is disabled by default. Workspace tabs are restored when the browser page is refreshed, even when this option is enabled. But in Safari pages, workspace tabs aren't restored upon refresh. When this option is enabled, opening a new console session clears pinned and unpinned tabs. |
| Enable Tab Bar Organizer | The Tab Bar Organizer arranges tabs in the main tab bar to prevent horizontal scrolling of the page. The Organizer dynamically determines how many tabs can display based on the width of the browser window. It puts tabs that extend beyond the browser's viewable area into a dropdown list. • The Tab Bar Organizer isn’t available with the partner portal or Customer Portal. • The Tab Bar Organizer is only available with the Salesforce Classic. Orgs using the Salesforce Classic can enable the feature, but it isn’t available to users until the newer theme is also enabled. • The Tab Bar Organizer isn’t available on Internet Explorer 6. |
| Enable Printable List Views | Printable list views let users easily print list views. If it’s enabled, users click the Printable View link from any list view to open a new browser window, displaying the list view in a print-ready format. The link is located next to the Help for this Page link in the colored title bar of the page. |
| Enable Spell Checker on Tasks and Events | Available in all editions. Enables the Check Spelling button when users create or edit tasks or events. The spell checker analyzes the Description field on events and the Comments field on tasks. |
| Enable Customization of Chatter User Profile Pages | Enables administrators to customize the tabs on the Chatter user profile page. This includes adding custom tabs or removing default tabs. If disabled, users see the Feed and Overview tabs only. |
| Change Default Display Density Setting in Lightning Experience | This option isn’t related to Salesforce Classic, Experience Builder sites, or the Salesforce mobile apps. The display density controls field label alignment and the amount of space between page elements. Decide what the default is for your org on the Density Settings setup page. Users can choose their own display density at any time. You can’t override a user’s display density setting. Depending on which edition of Salesforce you have, your org’s default display setting varies. Two settings are available. The Comfy setting places the labels on the top of fields and has more space between page elements. Compact is a denser view with labels to the left of fields and less space between page elements. |
| Disable Lightning Experience Transition Admin Reminders | Salesforce displays a reminder every 45 days to admins (users with Modify All Data and Customize Application user permissions) working in Salesforce Classic with the countdown to the auto-activation of the Turn on Lightning Experience critical update. The reminder continues repeating until the admin turns on Lightning Experience or the update auto-activates. Salesforce also displays a series of suggested actions to admins in orgs where Lightning Experience isn’t turned on to help prepare orgs for when the Turn on Lightning Experience Critical Update is activated. When this setting is selected, the countdown reminder and the series of recommended actions don’t appear for any of the org’s admins. |
| Enable ICU formats for en_CA locale | After enabling ICU language and locale formats through a critical update, this setting also enables them for the English (Canada) locale. |
Sidebar Settings
| Setting | Description |
| --- | --- |
| Enable Collapsible Sidebar | The collapsible sidebar enables users to show or hide the sidebar on every page that normally includes it. When enabled, the collapsible sidebar is available to all users in your org, but each user can choose how to display the sidebar. Users can leave the sidebar visible, or they can collapse it and show it only when needed by clicking the edge of the collapsed sidebar. Call center users don't see incoming calls if they collapse the sidebar. If your org uses divisions, we recommend that you keep the sidebar pinned and visible so you always have access to the Divisions dropdown list. |
| Show Custom Sidebar Components on All Pages | If you have custom home page layouts that include components in the sidebar, this option makes the sidebar components available on all pages for all org users. If you only want certain users to view sidebar components on all pages, grant those users the “Show Custom Sidebar On All Pages” permission. If the Show Custom Sidebar Components on All Pages user interface setting is selected, the Show Custom Sidebar On All Pages permission is not available. |
Calendar Settings
| Setting | Description |
| --- | --- |
| Enable Home Page Hover Links for Events | This option affects only Salesforce Classic. Enables hover links in the calendar section of the Home tab. On the Home tab, users can hover the mouse over the subject of an event to see the details of the event in an interactive overlay. This option is enabled by default. This checkbox only controls the Home tab; hover links are always available on other calendar views. The fields available in the event detail and edit overlays are defined in a mini page layout. If you create all day events, we recommend adding the All Day Event field to the events mini page layout. |
| Enable Drag-and-Drop Editing on Calendar Views | This option affects only Salesforce Classic. You can’t disable drag-and-drop in Lightning Experience. Enables dragging of events on single-user, daily and weekly calendar views. Dragging allows users to reschedule events without leaving the page. This option is enabled by default. Calendar views can load less quickly when this checkbox is enabled. |
| Enable Click-and-Create Events on Calendar Views | This option affects only Salesforce Classic. Lets users create events on day and weekly calendar views by double-clicking a specific time slot and entering event details in an interactive overlay. The fields available in the event detail and edit overlays are defined in a mini page layout. Recurring events and multi-person events aren’t supported for click-and-create events on calendar views. |
| Enable Drag-and-Drop Scheduling on List Views | This option affects only Salesforce Classic. Lets users create events associated with records by dragging records from list views to weekly calendar views and entering event details in an interactive overlay. This option is disabled by default. The fields available in the event detail and edit overlays are defined in a mini page layout. |
| Enable Hover Links for My Tasks List | This option affects only Salesforce Classic. Enables hover links for tasks in the My Tasks section of the Home tab and on the calendar day view. This option is enabled by default. Users can hover the mouse over the subject of a task to see the details of that task in an interactive overlay. Your administrator can configure the information presented on these overlays. |
| Enable Japanese Imperial Calendar for the Japanese Locale | This option affects Lightning Experience and the Salesforce mobile app. Enables the Japanese imperial calendar for users who use the Japanese locale. |
Setup Settings
| Setting | Description |
| --- | --- |
| Enable Enhanced Page Layout Editor | When enabled, the enhanced page layout editor replaces the current interface for editing page layouts with a feature-rich WYSIWYG editor that includes several improvements. |
| Enable Streaming API | Enables Streaming API, which lets you receive notifications for changes to data that match a SOQL query that you define in a secure and scalable way. This field is selected by default. If your Salesforce edition has API access and you don’t see this checkbox, contact Salesforce. |
| Enable Dynamic Streaming Channel Creation | Enables dynamic channel creation when using the generic streaming feature of Streaming API. When enabled, generic streaming channels get dynamically created when clients subscribe, if the channel hasn’t already been created. This field is selected by default. If your Salesforce edition has API access and you don’t see the checkbox, contact Salesforce. |
| Enable “Delete from Field History” and “Delete from Field History Archive” User Permissions | Enables the user permissions that allow you to delete field history and field history archive records. This field isn’t selected by default. |
| Enable Custom Object Truncate | Enables truncating custom objects, which permanently removes all the records from a custom object while keeping the object and its metadata intact for future use. |
| Enable Improved Setup User Interface | When disabled, users with Salesforce Classic access their personal settings from the Setup menu. When enabled, users with Salesforce Classic access their personal settings from the My Settings menu, accessible from the username menu. The Setup link is also moved from the username menu to the App Menu. If you change this setting, be sure to notify all users in your org. |
| Enable Advanced Setup Search (Beta) | When enabled, users can search for Setup pages, custom profiles, permission sets, public groups, roles, and users from the sidebar in Setup. When disabled, users can search for Setup pages only. • Advanced Setup Search is in beta; it’s production quality but has known limitations. • Some searchable items (such as permission sets) aren’t available in some editions. Users can’t search for items that aren’t included in their edition. |
| Use custom address fields | When enabled, the Address custom field type is available in Object Manager. For more information, see Custom Address Fields in Salesforce Help. Before you enable custom address fields, review these important considerations. • This feature can’t be disabled. • This feature has limitations. For details, see Custom Address Fields Requirements and Limitations in Salesforce Help. |
Advanced Settings
| Setting | Description |
| --- | --- |
| Activate Extended Mail Merge | Enables Extended Mail Merge for your org. When selected, the Mass Mail Merge link is available in the Tools area on the home pages for accounts, contacts, and leads. Also, single mail merges requested from the Activity History related list on a record are performed using Extended Mail Merge functionality. Before users create mail merge documents using Extended Mail Merge, admins must set up the feature. First, from Setup, in the Quick Find box, enter User Interface, and then select User Interface. Under the Advanced section, select Enable Extended Mail Merge. Admins can indicate whether they want all users’ mail merge documents to be saved to Salesforce Documents, or only documents over 3 MB. After the feature is enabled, admins must create mail merge templates in Microsoft® Word, and upload mail merge templates to Salesforce. |
| Always save Extended Mail Merge documents to the Documents tab | Mail merge documents generated using Extended Mail Merge are added to the user's documents folder on the Documents tab, rather than delivered as email attachments. Users are sent confirmation emails when their mail merge requests have completed. Those emails include links for retrieving generated documents from the Documents tab. These documents count against your org's storage limits. |
• The My Settings home page includes quick links for easily accessing the most commonly used personal settings tools and tasks.
Important: When enabled, the improved Setup user interface is activated for every user in an organization. Be sure to notify your
organization before enabling or disabling this setting.
To enable the improved Setup user interface, from Setup, enter User Interface in the Quick Find box, then select User
Interface, then select Enable Improved Setup User Interface.
Example: For example, let’s say you want to see all the installed packages in your organization. Enter inst. As you enter letters,
the Setup menu shrinks to include only the menus and pages that match your search terms. You quickly see the link for the page
you want (Installed Packages).
Next, perhaps you want to change the password for one of your users, Jane Smith. Enter smit and click . From the Setup
Search Results page, click the Jane Smith result to go directly to her user detail page.
Tip: When viewing setup search results, bookmark the results page in your Web browser to easily perform the same search in the
future. For example, if you often search for “smit”, you can bookmark the results page to perform the same search again. The URL
for this bookmark would be something like
https://MyCompany.salesforce.com/ui/setup/SetupSearchResultsPage?setupSearch=smit.
SEE ALSO:
Find Items in Setup with Advanced Setup Search (Beta)
Note: This applies only to Lightning apps. Classic apps can be viewed in Lightning Experience, but you can’t display different Home pages assigned for specific apps and profiles. Upgrade Classic apps to Lightning apps in the App Manager to take advantage of Lightning Experience features.
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
• From Setup, enter Lightning App Builder in the Quick Find box, then select Lightning App Builder.
After you save a page, click Activate from the Page Saved dialog, or click Activation.
• While editing a Lightning app, select the Pages tab, click Open Page, then click Activation.
• In Setup—Enter Home in the Quick Find box, then select Home.
USER PERMISSIONS
To create and save Lightning Pages in the Lightning App Builder
• Customize Application
To view Lightning Pages in the Lightning App Builder
• View Setup and Configuration
For information about configuring action buttons in the Assistant, see “View Important Updates with the Assistant” in the Salesforce
Help.
Activities View
Choose a default for how activities display on record pages in Lightning Experience. The views focus on different information and
behave differently. Users can change their view preference in their personal settings.
Set the Default Activities View
You can set the default view for how users work with activities. Users can change their view preference in their personal settings.
Note: You can’t collapse sections on the record detail page on the Salesforce mobile app.
Grouped View
Groups record information across tabs and columns. This view helps users focus on what’s needed in the moment, and minimizes
scrolling.
3. Click Save.
If objects have a custom default record page assignment, a window appears listing them.
4. Click Enable.
The new view applies to the objects you select and all objects that don’t have specific custom assignments. The custom pages for
the selected objects are unassigned as part of this process but you can reassign them in the Lightning App Builder.
Note: If your record page doesn't show the view you select, refresh the page.
You can assign Full view or Grouped view to specific apps, record types, or profiles by creating a new Lightning page and
cloning it from the desired view.
Activities View
Choose a default for how activities display on record pages in Lightning Experience. The views focus on different information and behave differently. Users can change their view preference in their personal settings.
EDITIONS
Available in: Lightning Experience and the Salesforce mobile app for iOS and Android
The activity timeline view shows details for each task, event, and email in an expandable timeline view.
The related lists view shows details for each task, event, and email in the Open Activities and Activity History related lists.
3. Click Save.
If your record page doesn't immediately show the view you select, refresh the page. For custom Lightning pages, make sure that
the relevant component for the activity view is present.
Set Up and Maintain Your Salesforce Organization Language, Locale, and Currency Settings
Note: Single language organizations cannot change their language, although they can
change their locale.
Language User
Locale User
Administrator Settings
Administrators can edit these language settings:
• Language Preferences—Select the displayed languages for this org.
• Default Language—This Company Information setting applies to all new users until they select their personal language. This setting
also determines the language in which all customizations—such as custom fields, tabs, and user interface options—are stored. For
customizations, users' personal language settings don't override this default setting. Some setup items that are manually entered
by an administrator can be translated in the Translation Workbench.
Administrators can change this setting by editing the company information.
The Salesforce web user interface, Salesforce for Outlook, Connect Offline, and Connect for Office are available in multiple languages.
User Settings
Users can choose a personal language from the languages that the administrator selected for the org. All on-screen text, images, buttons,
and Salesforce Help display in this language.
Text entered by users remains in the language in which it was entered.
4. To make a language available to your end users, select the language in the Available Languages list. Click the right arrow under Add.
The language is added to the Displayed Language list.
5. To make a language unavailable to your end users, select the language in the Displayed Language list. Click the left arrow above
Remove.
Note: Displayed languages that appear in gray are currently used by your company, users, or both. They cannot be removed.
6. Click Save.
Locales Overview
Locales determine the display formats for date and time, users’ names, addresses, and commas and periods in numbers. The start day of the week for calendars varies per locale. For single-currency organizations, locales also set the default currency for the organization when you select them in the Currency Locale picklist on the Company Information page.
Note: For unauthenticated guest users, date and time formats on Salesforce Sites are based on the user’s browser settings instead of the user's personal locale.
EDITIONS
Available in: Lightning Experience and Salesforce Classic (not available in all orgs)
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
SEE ALSO:
Autocomplete Addresses
The new locale formats are available with version 45.0 and later of the Salesforce platform API.
SEE ALSO:
Locales Overview
5. Update your Apex Classes, Apex Triggers, and Visualforce Pages to API version 45.0 or later
To avoid data integrity issues and end-user confusion, update your Apex classes, Apex triggers, and Visualforce pages to API version
45.0 or later. If these components use API version 44.0 or earlier, they return Oracle’s Java Development Kit (JDK) locale formats.
SEE ALSO:
Locales Overview
If you don’t find the release update on the Needs Action tab, click the Archived tab, and look for the Enable ICU Locale Formats
release update. If the Enable ICU Locale Formats release update is marked complete, the release update was completed and your
org is using ICU. The release update card has a green check mark and the word Completed in the upper right corner.
3. To use ICU locales, the English (Canada) locale [en_CA] requires separate activation. From Setup, in the Quick Find Box, enter User
Interface, and then select User Interface.
If your org is using JDK locale formats, we recommend that you test and adopt the ICU locale formats before they’re enforced. If the
Enable ICU formats for en_CA locale User Interface option is disabled, we recommend that you enable the option before the release
update is enforced in Spring ’24.
If your org is using ICU locale formats and the Enable ICU formats for en_CA locale User Interface option is enabled, your org is
using the latest standard. No further action is required.
SEE ALSO:
Adopt the ICU Locale Formats
Test in a Sandbox
Before you enable the ICU locale formats in your production org, try them out in a sandbox org with API version 45.0 or higher. Testing
in a sandbox can uncover any issues with custom code and third-party integrations.
To avoid these errors when ICU is enabled, ensure that your custom Visualforce pages use API version 45.0 or later.
Installed Packages
Before you start testing, check with your package providers to make sure that all your installed packages are compatible with the ICU
locale formats. If your package provider indicates that a fix for one of your installed packages is pending, factor that into your testing
and activation timeline.
If you’re a package provider, update the Apex classes, Apex triggers, and Visualforce pages in your packages to API version 45.0 or later.
Update any custom code that requires or passes data in specific locale formats. Then test your packages in an org with ICU enabled.
Verify that all changed formats appear as expected, and update your code as needed.
Custom Code
Many orgs contain custom code. Lightning Components allow you to customize Lightning Experience, the Salesforce mobile app, or to
build your own standalone apps. With Apex, the options are even broader.
Apex is often used to:
• Create Web services.
• Create email services.
• Perform complex validation over multiple objects.
• Create complex business processes that aren’t supported by workflow.
• Create custom transactional logic, which occurs over the entire transaction, not just with a single record or object.
• Attach custom logic to another operation. For example, attach custom logic to saving a record, so that it occurs whenever the
operation is executed, regardless of where it originates in the user interface.
Also consider formula fields and areas where you can customize filters, such as object lookups.
Tip: To search your Salesforce code, download the metadata. Then use a command-line interface such as Salesforce CLI.
For more information on the steps to take to review and update your custom code, see Custom Code and Locale Format Changes in
Salesforce Help. This section also provides examples of errors that can occur when custom code relies on specific date, time, and currency
formats. Use this information to understand how to test custom functionality.
If an external developer or consultant created your custom code and you don’t have a developer who can perform the assessment, start
by testing the custom functionality. If you find issues, consider contracting with an external developer or consultant to assist with the
evaluation of the custom code in your org.
SEE ALSO:
Adopt the ICU Locale Formats
API Versions for Apex Classes, Apex Triggers, and Visualforce Pages
Custom Code and Locale Format Changes
SEE ALSO:
Identify Changes to Your Locales with ICU
In this example, there are 4 locales in use across 10 users: 2 users with bn_BD, 5 users with en_US, 1 user with it_IT, and 2 users with
es_HN.
To view the users who chose one of the affected locales, filter the report by locale code.
3. Search for the next locale code, en_US, for the English (United States) locale.
We find this section of the table.
Here we see that the datetime formats and the negative currency format changed. We can see that each datetime format has a
comma after the year for the ICU format, but the JDK formats don’t have that comma. Also, the negative currency format changed
from using parentheses to a negative sign.
4. Next, search for the next locale code, es_HN, for the Spanish (Honduras) locale.
We find this section of the table.
For this locale, date, datetime, time, and currency formats change with ICU. Notably, the month and the day switch positions in
dates. Also, the time zone code changes in the long datetime format.
5. Search for it_IT, the locale code for the Italian (Italy) locale.
We find this section of the table.
Similar to the es_HN locale, date, time, and currency formats change with ICU for this locale. Sometimes the changes are subtle, so
review the table carefully. In this case, the ICU locale format includes a comma after the year in datetime formats. However, a colon
(:) also replaces the period (.) in the time and datetime formats.
In this example, we don’t include the bn_BD, or Bangla (Bangladesh), locale in our testing. Based on the results, we plan to test with
the en_US, es_HN, and it_IT locales. And now we know which formats to test for each locale.
SEE ALSO:
Adopt the ICU Locale Formats
Note: We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
Locale | Format | JDK | ICU
English (Canada), en_CA | Date Time: Short | 28/01/2008 4:30 PM | 2008-01-28, 4:30 p.m.
English (Canada), en_CA | Date Time: Medium | 28-Jan-2008 4:30:05 PM | Jan 28, 2008, 4:30:05 p.m.
English (Canada), en_CA | Date Time: Long | 28/01/2008 4:30:05 PST PM | 2008-01-28, 4:30:05 p.m. PST
Español (El Salvador), es_SV | Default Currency | Colón salvadoreño: SVC | Dólar de EE.UU.: USD
Español (El Salvador), es_SV | Date Time: Short | 01-28-2008 04:30 PM | 28/1/2008, 16:30
Español (El Salvador), es_SV | Date Time: Medium | 01-28-2008 04:30:05 PM | 28 ene 2008 16:30:05
Español (Estados Unidos), es_US | Date Time: Short | 1/28/2008 4:30 p.m. | 28/1/2008, 4:30 p. m.
Español (Estados Unidos), es_US | Date Time: Medium | ene 28, 2008 4:30:05 p.m. | 28 ene 2008, 4:30:05 p. m.
Español (Estados Unidos), es_US | Date Time: Long | 1/28/2008 4:30:05 p.m. PST | 28/1/2008, 4:30:05 p. m. PST
Eesti (Eesti), et_EE | Date Time: Medium | 28.01.2008 16:30:05 | 28. jaan 2008 16:30:05
Eesti (Eesti), et_EE | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 16:30:05 GMT −8
 | Time | 16:30 | 16 h 30
Français (Suisse), fr_CH | Date Time: Medium | 28 janv. 2008 16:30:05 | 28 janv. 2008, 16:30:05
Français (Suisse), fr_CH | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 16:30:05 UTC−8
Français (France), fr_FR | Date Time: Medium | 28 janv. 2008 16:30:05 | 28 janv. 2008, 16:30:05
Français (France), fr_FR | Date Time: Long | 28/01/2008 16:30:05 PST | 28/01/2008 16:30:05 UTC−8
Hrvatski (Hrvatska), hr_HR | Date Time: Short | 28.01.2008. 16:30 | 28. 01. 2008. 16:30
Hrvatski (Hrvatska), hr_HR | Date Time: Medium | 28.01.2008. 16:30:05 | 28. sij 2008. 16:30:05
Hrvatski (Hrvatska), hr_HR | Date Time: Long | 28.01.2008. 16:30:05 PST | 28. 01. 2008. 16:30:05 GMT -8
Hrvatski (Hrvatska, HRK), hr_HR_HRK | Date Time: Short | 28.01.2008. 16:30 | 28. 01. 2008. 16:30
Hrvatski (Hrvatska, HRK), hr_HR_HRK | Date Time: Medium | 28.01.2008. 16:30:05 | 28. sij 2008. 16:30:05
Hrvatski (Hrvatska, HRK), hr_HR_HRK | Date Time: Long | 28.01.2008. 16:30:05 PST | 28. 01. 2008. 16:30:05 GMT -8
Magyar (Magyarország), hu_HU | Date Time: Short | 2008.01.28. 16:30 | 2008. 01. 28. 16:30
Magyar (Magyarország), hu_HU | Date Time: Medium | 2008.01.28. 16:30:05 | 2008. jan. 28. 16:30:05
Magyar (Magyarország), hu_HU | Date Time: Long | 2008.01.28. 16:30:05 PST | 2008. 01. 28. 16:30:05 GMT-8
Latviešu (Latvija), lv_LV | Date Time: Medium | 28.01.2008 16:30:05 | 2008. gada 28. janv. 16:30:05
Latviešu (Latvija), lv_LV | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 16:30:05 GMT-8
Melayu (Malaysia), ms_MY | Date Time: Short | 28/01/2008 4:30 PM | 28/01/2008, 4:30 PTG
Melayu (Malaysia), ms_MY | Date Time: Medium | 28 Januari 2008 4:30:05 PM | 28 Jan 2008, 4:30:05 PTG
Melayu (Malaysia), ms_MY | Date Time: Long | 28/01/2008 4:30:05 PM PST | 28/01/2008, 4:30:05 PTG GMT-8
Malti (Malta), mt_MT | Date Time: Long | 28/01/2008 16:30:05 PST | 28/01/2008 16:30:05 GMT-8
Português (Brasil), pt_BR | Date Time: Medium | 28/01/2008 16:30:05 | 28 de jan. de 2008 16:30:05
Português (Brasil), pt_BR | Date Time: Long | 28/01/2008 16h30min5s PST | 28/01/2008 16:30:05 GMT-8
Serbian (Latin) (Bosnia and Herzegovina), sh_BA | Date Time: Short | 1/28/2008 4:30 po podne | 28.1.2008. 16:30
Serbian (Latin) (Bosnia and Herzegovina), sh_BA | Date Time: Medium | jan 28, 2008 4:30:05 po podne | 28. 1. 2008. 16:30:05
Serbian (Latin) (Bosnia and Herzegovina), sh_BA | Date Time: Long | 1/28/2008 4:30:05 po podne GMT-8 | 28.1.2008. 16:30:05 GMT-8
Serbian (Latin) (Serbia)¹, sh_CS | Locale Name | Serbian (Latin) (Serbia)¹ | Serbian (Latin) (Serbia)
Serbian (Latin) (Serbia)¹, sh_CS | Date Time: Short | 1/28/2008 4:30 PM | 28.1.2008. 16:30
Serbian (Latin) (Serbia)¹, sh_CS | Date Time: Medium | jan 28, 2008 4:30:05 PM | 28. 1. 2008. 16:30:05
Slovenščina (Slovenija), sl_SI | Date Time: Short | 28.1.2008 16:30 | 28. 01. 2008, 16:30
Slovenščina (Slovenija), sl_SI | Date Time: Medium | 28.1.2008 16:30:05 | 28. jan. 2008, 16:30:05
Slovenščina (Slovenija), sl_SI | Date Time: Long | 28.1.2008 16:30:05 PST | 28. 01. 2008, 16:30:05 GMT-8
Shqip (Shqipëri), sq_AL | Date Time: Short | 2008-01-28 4.30.MD | 28.1.2008, 4:30 e pasdites
Shqip (Shqipëri), sq_AL | Date Time: Medium | 2008-01-28 4:30:05.MD | 28 jan 2008, 4:30:05 e pasdites
Shqip (Shqipëri), sq_AL | Date Time: Long | 2008-01-28 4.30.05.MD PST | 28.1.2008, 4:30:05 e pasdites, GMT-8
Serbian (Cyrillic) (Serbia)¹, sr_CS | Locale Name | Serbian (Cyrillic) (Serbia)¹ | Serbian (Cyrillic) (Serbia)
Serbian (Cyrillic) (Serbia)¹, sr_CS | Date Time: Short | 28.1.2008. 16.30 | 28.1.2008. 16:30
Serbian (Cyrillic) (Serbia)¹, sr_CS | Date Time: Medium | 28.01.2008. 16.30.05 | 28. 1. 2008. 16:30:05
Svenska (Sverige), sv_SE | Date Time: Medium | 2008-jan-28 16:30:05 | 28 jan. 2008 16:30:05
Svenska (Sverige), sv_SE | Date Time: Long | 2008-01-28 16:30:05 PST | 2008-01-28 16:30:05 GMT−8
Türkçe (Türkiye), tr_TR | Date Time: Medium | 28.Oca.2008 16:30:05 | 28 Oca 2008 16:30:05
Türkçe (Türkiye), tr_TR | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 16:30:05 GMT-8
¹ The CSD currency is only available in single currency orgs and orgs that activated multiple currencies when CSD was the corporate
currency. It represents the old Serbian Dinar used in Serbia and Montenegro from 2003 to 2006. Because it’s no longer a valid ISO currency
code, it can be incompatible with other systems. If your org uses this currency, we recommend moving to the current Serbian Dinar
currency, RSD. The corresponding locale is Serbian (Serbia) with the sr_RS locale code.
Locale | Format | JDK | ICU
 | Time | 04:30 | :
 | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 г., 16:30:05 ч. Гринуич-8
 | Date Time: Long | 28/1/2008 4:30:05 μμ PST | 28/1/2008, 4:30:05 μ.μ. GMT-8
Eesti, et | Date Time: Medium | 28.01.2008 16:30:05 | 28. jaan 2008 16:30:05
Eesti, et | Date Time: Long | 28.01.2008 16:30:05 PST | 28.01.2008 16:30:05 GMT −8
Français, fr | Date Time: Medium | 28 janv. 2008 16:30:05 | 28 janv. 2008, 16:30:05
Français, fr | Date Time: Long | 28/01/2008 16:30:05 PST | 28/01/2008 16:30:05 UTC−8
Hrvatski, hr | Date Time: Short | 2008.01.28 16:30 | 28. 01. 2008. 16:30
Hrvatski, hr | Date Time: Medium | 2008.01.28 16:30:05 | 28. sij 2008. 16:30:05
Hrvatski, hr | Date Time: Long | 2008.01.28 16:30:05 PST | 28. 01. 2008. 16:30:05 GMT -8
Magyar, hu | Date Time: Short | 2008.01.28. 16:30 | 2008. 01. 28. 16:30
Magyar, hu | Date Time: Medium | 2008.01.28. 16:30:05 | 2008. jan. 28. 16:30:05
Magyar, hu | Date Time: Long | 2008.01.28. 16:30:05 PST | 2008. 01. 28. 16:30:05 GMT-8
 | Date Time: Long | 2008/01/28 16:30:05 PST | 28/01/2008, 4:30:05 PTG GMT-8
Malti, mt | Date Time: Long | 28/01/2008 16:30:05 PST | 28/01/2008 16:30:05 GMT-8
Malti, mt | Currency: Positive | ¤ 1,234,567.57 | ¤1,234,567.57
 | Date Time: Long | 28.1.2008 16:30:05 PST | 28. 1. 2008 16:30:05 GMT-8
Slovenščina, sl | Date Time: Short | 28.1.2008 16:30 | 28. 01. 2008, 16:30
Slovenščina, sl | Date Time: Medium | 28.1.2008 16:30:05 | 28. jan. 2008, 16:30:05
Slovenščina, sl | Date Time: Long | 28.1.2008 16:30:05 PST | 28. 01. 2008, 16:30:05 GMT-8
 | Date Time: Long | 2008-01-28 4.30.05.MD PST | 28.1.2008, 4:30:05 e pasdites, GMT-8
SEE ALSO:
Adopt the ICU Locale Formats
After you click Enable Test Run, the same section includes the text, “This update is now enabled for testing.” Your org is using ICU
formats.
2. Activate the ICU formats for the English (Canada) [en_CA] locale.
a. In the Quick Find box, enter User Interface, and then select User Interface.
b. Select Enable ICU formats for en_CA locale, and save your changes.
SEE ALSO:
Adopt the ICU Locale Formats
Test the ICU Locale Formats
API Versions for Apex Classes, Apex Triggers, and Visualforce Pages
The International Components for Unicode (ICU) locale formats are available with API version 45.0 and later. To use the ICU locale formats in your customizations, update your Apex classes, Apex triggers, and Visualforce pages to the latest API version. If these components use API version 44.0 or earlier, they return Oracle’s Java Development Kit (JDK) locale formats, which can cause data integrity issues and end-user confusion.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All editions
USER PERMISSIONS
To define, edit, delete, set security, and set version settings for Apex classes:
• Author Apex
To run Apex tests:
• View Setup and Configuration
To view Apex triggers:
• View Setup and Configuration
To edit Apex triggers:
• Author Apex
Apex, Visualforce Pages, and API Versions
Apex is a programming language that enables developers to add business logic to most system events, including button clicks, related record updates, and Visualforce pages. Apex code can be initiated by Web service requests and from triggers on objects.
• An Apex class is a template or blueprint from which Apex objects are created. Classes consist of other classes, user-defined methods, variables, exception types, and static initialization code.
• An Apex trigger is code that executes before or after specific data manipulation language (DML) events occur. For example, before object records are inserted into the database or after records have been deleted. Triggers are stored as metadata in Salesforce.
A Visualforce page is similar to a standard Web page, but it includes powerful features to access, display, and update your organization’s data. You can use Visualforce pages to customize your org’s front-end UI and functionality.
Note: Lightning Web Components (LWC) is the preferred way to build UI with Salesforce. If you have Visualforce pages, confirm that each page is in use before you analyze and update it. To learn more about LWC and complying with current web standards, go to the Migrate from Visualforce to Lightning Web Components trail.
Independent software vendors (ISV) also use Apex classes, Apex triggers, and Visualforce pages to deliver functionality within their
packages. ISVs are responsible for updating the API versions of their package components.
Each Visualforce page, Apex class, and Apex trigger has an API version. The initial API version is always the API version of your Salesforce
org when the component is created.
A new API version is available with each Salesforce release. However, Salesforce doesn’t update the API version of your Apex classes,
Apex triggers, and Visualforce pages because we can’t test them for any potential issues. Ideally, you update the API version for your
components and validate the code with each release, but sometimes that doesn’t happen. Therefore, for example, it’s possible for an
Apex class to use API version 21.0 in an org on API version 53.0.
Potential Errors
If you don’t upgrade your Apex classes, Apex triggers, and custom Visualforce pages to API version 45.0 or higher, your users can receive
a ParseException error. For example, "Invalid Date and Time." These errors don't cause data integrity issues, but the errors can frustrate
users.
Custom date/time fields edited in Salesforce Classic and inline edits on Visualforce pages always use the latest API version. Because of
that behavior, when ICU is enabled, these custom fields and inline edits always use the ICU locale formats, regardless of the page's API
version. Your users can experience a ParseException error in two situations:
• The user makes an inline edit on a Visualforce page on API version 44.0 or earlier and saves their changes.
• The user enters a date/time in a custom field in Salesforce Classic.
To avoid these issues when ICU is enabled, ensure that your Apex classes, Apex triggers, and custom Visualforce pages use API version
45.0 or later.
The Visualforce page uses the ICU locale short date format: dd/MM/yyyy, or 2/11/2021.
And here’s the same screen with API version 44 or earlier.
Because the ICU locale formats aren’t available in API version 44, the system shows the JDK short date format: MM/dd/yyyy, or 11/2/2021.
In this example, the user expects the day of the month to be listed first. If the Visualforce page uses API version 44.0 or earlier, the user
can misinterpret the date as February 11, 2021 instead of November 2, 2021.
Note: Inline edits on Visualforce pages always use the latest API version. Because of that behavior, when ICU is enabled, inline
edits on Visualforce pages always use the ICU locale formats, regardless of the page's API version. When a user makes an inline
edit on a Visualforce page on API version 44.0 or earlier and saves their changes, the user can receive a ParseException error. For
example, "Invalid Date and Time." These errors don't cause data integrity issues, but the errors can frustrate users. To avoid this
issue when ICU is enabled, ensure that your custom Visualforce pages use API version 45.0 or later.
Sources
There are two sources for Apex classes, Apex triggers, and Visualforce pages in your org. Either someone built them directly in your org,
or they were included in a managed package that was installed.
Only package owners can edit the components included in a managed package. You can see items installed by a managed package in
your lists, but you can’t edit them. To get updates to those items, you must install a new version of the package that contains the updates.
If you’re a package owner, update your package to use the latest API version in Apex classes, Apex triggers, and Visualforce pages that
reference dates, times, integers, and currencies.
SEE ALSO:
Adopt the ICU Locale Formats
Visualforce Developer Guide
In this example, a user created the first Apex trigger in the list, SetDealPrediction, and the other triggers were included in a managed
package. How can we tell? The other triggers have a Namespace Prefix, which indicates that they’re part of an installed package.
To quickly identify the items on API version 44.0 or earlier that you can modify, create a view. This example shows creating a filter for the
Apex Triggers list. You can use the same process for the Apex Classes list and the Visualforce Pages list.
1. Click Create New View.
2. In View Name, enter a view name. For example, Non-packaged, API v44 or earlier.
3. In View Unique Name, enter a unique name to identify this view for the API. For example,
apex_triggers_nopackage_api44_or_earlier.
4. On the first line, for Field, select Api Version. For Operator, select less or equal. And for Value, enter 44.0. On the second line, for
Field, select Installed Package. For Operator, select equals, and leave Value blank.
If you’re a partner or developer who owns a managed package, for Value, enter your Installed Package name. Or you can filter on
your Namespace Prefix.
5. Optionally, select the fields to display in the list.
6. In Step 4. Restrict Visibility, specify whether you want this view to be visible to only you, to all users, or to certain groups of users.
7. Save your changes.
The list now shows items with an API version of 44.0 or earlier that aren’t part of an installed package. Or, if you specified an Installed
Package in your filter, the list shows only items included in that package.
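The same filter can be applied offline to metadata downloaded from the org, as the earlier tip about searching your code suggests. The Python script below is an added example, not Salesforce code; it assumes source-format file names (*.cls-meta.xml, *.trigger-meta.xml, *.page-meta.xml), treats a double underscore in a component name as a namespace prefix, and runs on constructed sample files.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# XML namespace used by Salesforce metadata files.
NS = "{http://soap.sforce.com/2006/04/metadata}"
# Metadata sidecar files for Apex classes, Apex triggers and Visualforce pages.
KINDS = {
    ".cls-meta.xml": "ApexClass",
    ".trigger-meta.xml": "ApexTrigger",
    ".page-meta.xml": "ApexPage",
}
ICU_MIN_API = 45.0  # ICU locale formats need API version 45.0 or later


def classify(filename):
    """Return (kind, component name) for a metadata file, or None for other files."""
    for suffix, kind in KINDS.items():
        if filename.endswith(suffix):
            return kind, filename[: -len(suffix)]
    return None


def scan(root):
    """List (kind, name, api_version, packaged) for components below ICU_MIN_API.

    api_version is None when <apiVersion> is missing or unreadable; those
    files are reported as well so that someone reviews them by hand.
    """
    findings = []
    for path in Path(root).rglob("*-meta.xml"):
        hit = classify(path.name)
        if hit is None:
            continue
        kind, name = hit
        try:
            node = ET.parse(str(path)).getroot().find(NS + "apiVersion")
            version = float(node.text)
        except (ET.ParseError, AttributeError, TypeError, ValueError):
            version = None
        if version is None or version < ICU_MIN_API:
            # Assumption: "prefix__Name" marks a component from a managed
            # package, which only the package provider can update.
            findings.append((kind, name, version, "__" in name))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def write_sample(root):
    """Write constructed sample metadata (not taken from a real org)."""
    template = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<{tag} xmlns="http://soap.sforce.com/2006/04/metadata">\n'
        "    <apiVersion>{ver}</apiVersion>\n"
        "</{tag}>\n"
    )
    samples = [
        ("classes/InvoiceExport.cls-meta.xml", "ApexClass", "21.0"),
        ("classes/QuoteService.cls-meta.xml", "ApexClass", "58.0"),
        ("triggers/SetDealPrediction.trigger-meta.xml", "ApexTrigger", "44.0"),
        ("triggers/acme__SyncLead.trigger-meta.xml", "ApexTrigger", "39.0"),
        ("pages/DealSummary.page-meta.xml", "ApexPage", "45.0"),
    ]
    for rel, tag, ver in samples:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(template.format(tag=tag, ver=ver), encoding="utf-8")


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for kind, name, version, packaged in demo():
        owner = "package provider" if packaged else "your org"
        print(f"{kind:12} {name:20} API {version}  update by: {owner}")
```

To run it against a real download, call scan() with the directory that holds the retrieved metadata.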
SEE ALSO:
Adopt the ICU Locale Formats
API Versions for Apex Classes, Apex Triggers, and Visualforce Pages
• Make the transformation of data to the user’s preferred locale format the last step in handling that data. For example, when calculating
a future date in Apex, use the format() method of the Date class after the calculation.
• Apex format() methods, such as DateTime.format(), return values in the context user’s locale. If subsequent code expects
data in a particular locale format, specify the format explicitly. For example, to pass a time in a format such as 10:15 a in Apex,
use DateTime.format('h:mm a'). Because this example passes the string argument 'h:mm a' to the format function, the
datetime is formatted according to the supplied format regardless of the context user’s locale.
• When constructing delimited lists, put any locale data that can contain a comma in quotes.
Here are some examples of code that return formats in the user’s preferred locale format.
• Apex: the format() method in the Date, DateTime, and Integer classes
• Aura Lightning Components: the $Locale global variable
• Lightning Web Component Internationalization properties
SEE ALSO:
Example Code with Locale-Formatted Data
Update Your Integrations for New Locale Formats
Apex Reference Guide
Lightning Aura Components Developer Guide: $Locale
Salesforce Lightning Component Library: Access Internationalization Properties
Date myDate = Date.newInstance(2021, 10, 20);
//format() returns the date in the context user's locale format
String formattedDate = myDate.format();
//Simple regex not having all validations for days in months nor accounting for leap year
Pattern datePattern =
    Pattern.compile('(0?[1-9]|1[0-2])\\/(0?[1-9]|[2][0-9]|3[01])\\/([0-9]{4})');
Matcher matcher = datePattern.matcher(formattedDate);
if(matcher.matches()) {
    Integer month = Integer.valueOf((matcher.group(1))); //10
    Integer day = Integer.valueOf((matcher.group(2))); //20
    Integer year = Integer.valueOf((matcher.group(3))); //2021
    // Further validation logic for max days in month/ leap year and post processing
}
Apex code formats the date according to the context user’s locale. In this example, the context user has chosen the Spanish (United
States) [es_US] locale.
When the ICU locale formats are enabled, this validation fails. The ICU format for the user’s locale differs from the corresponding
Oracle Java Development Kit (JDK) format.
• JDK short date format for es_US: 10/20/2021
• ICU short date format for es_US: 20/10/2021
The format() method of the Apex Date class returns the date as a string using the locale of the context user. In this case, because
the ICU locale formats are enabled and the user’s locale is es_US, it returns 20/10/2021.
The code then uses the placement in the date output to assign the month, day, and year values, assuming a format of MM/dd/yyyy. So
the code assigns 20 as the month, and because 20 is greater than 12, the pattern matching incorrectly determines that this date is invalid.
To avoid these kinds of issues, use the built-in Apex methods to extract the required values. In this case, month(), day(), and
year().
Here’s an example of using those methods to set the month, day, and year values.
Date myDate = Date.newInstance(2021, 10, 20);
To fix this issue, update the passed value to the ICU locale format. If an external system is passing the value, contact the sender to update
the format of the source data. Whenever possible, ask the sender to send the date in a locale-neutral format. It’s best to handle format
updates this way because locale-neutral formats don’t require updates to your code when the format changes.
However, it’s not always possible to have the sender update the format of the data passed to your org. If that happens, because you
know the format of the data being sent, you can reformat it. In these cases, convert the data into a locale-neutral format.
Here are two common methods used to format a datetime in Apex. With both of these methods, the resulting datetime is locale-neutral:
it’s displayed in the user’s chosen locale. For more information about the methods available for all formats, see the Apex Reference Guide.
• Extract the date components to separate parameters: year, month, day, hour, minutes, and seconds. Then, to create a locale-neutral
date, use the DateTime.newInstanceGMT() method of the Datetime Apex class.
//Before using the code below, set the year, month, day, hour, minutes, and seconds components
//by extracting values from the passed date and complete any necessary validation
• Reformat the passed data in the standard date format yyyy-MM-dd HH:mm:ss in the local time zone. Then, to create a locale-neutral
date, use the valueOf(String dateTimeString) method of the Datetime class.
//Before using the code below, convert the passed datetime data to a string in the format yyyy-MM-dd HH:mm:ss
//and assign that value to the stringDate parameter
This approach to converting formats works as long as the format of the data passed to your org doesn’t change. If your external source
updates their format, you must update the methods you use to extract or convert the data.
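//create Datetime to pass externally
DateTime event1_dt = DateTime.newInstance(2021, 11, 18, 15, 30, 0);
//split into event date and event time for external system
Date event1_date = event1_dt.date();
Time event1_time = event1_dt.time();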
This code works if the external system expects the date and time in neutral formats. But what if the external system needs the date and
time of an event in a specific format? Let’s assume that the external system expects the date and time in these formats: 18/11/2021 and
3:30 PM.
In this case, to apply the expected formats to the event date and time, use the Datetime format() method.
//create Datetime to pass externally
DateTime event1_dt = DateTime.newInstance(2021, 11, 18, 15, 30, 0);
//split into event date and event time for external system, applying expected format
SEE ALSO:
Use Locale-Neutral Methods in Code
Update Your Integrations for New Locale Formats
Apex Reference Guide
Tip: To search your Salesforce code, download the metadata. Then use a command-line interface such as Salesforce CLI.
//Initialize object
Conference__c confObject = new Conference__c (
    name = String.valueof(conferenceDetails.get('name')),
    start_date_time__c = datetime.parse(String.valueof(conferenceDetails.get('start_date_time'))),
    end_date_time__c = datetime.parse(String.valueof(conferenceDetails.get('end_date_time')))
);
//insert object
insert confObject;
}
The datetime.parse() method uses the datetime format of the personal locale of the user that executes the code.
Let’s assume that the user’s personal locale is English (United States) [en_US]. The JDK and ICU datetime formats for that locale differ.
• JDK short datetime format for en_US: 10/20/2021 10:00 AM
• ICU short datetime format for en_US: 10/20/2021, 10:00 AM
When the org uses JDK locale formats, this code runs successfully. When ICU locale formats are enabled, this code throws a parse error
because the start_date_time and end_date_time values are missing the expected comma after the year.
This issue can also occur when data stored in Salesforce is passed to an external system using a locale-specific format, for example, when
using a POST call. As with the example above, the personal locale of the user that executes the code determines the format of the data.
Remediate Issues
To avoid these issues, use locale-neutral formats when receiving, passing, and processing data.
If you find an issue with data received from an external system, contact the sender to update the format of the source data. If you can’t
contact the sender, update your code to convert the received data into a locale-neutral format before processing it.
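The remediation above, worked through as an added example (not Salesforce's code): it converts the inbound start_date_time and end_date_time strings with the two locale-neutral methods described earlier, DateTime.newInstanceGMT() and Datetime.valueOf(), instead of datetime.parse(). The class, method, and exception names, the Map<String, Object> type of conferenceDetails, the fixed sender format (MM/dd/yyyy h:mm AM/PM, comma optional), and the accepted year window are assumptions.

```apex
// Added example; class, method, and exception names are hypothetical.
// Assumption: the sender always uses MM/dd/yyyy h:mm AM|PM,
// with or without the comma after the year.
public class ConferenceDateParser {
    public class DateFormatException extends Exception {}

    private static final Pattern INBOUND = Pattern.compile(
        '(\\d{1,2})/(\\d{1,2})/(\\d{4}),? (\\d{1,2}):(\\d{2}) (AM|PM)');

    // Method 1: extract the components, validate them, and build the Datetime
    // with newInstanceGmt(). The running user's locale is never consulted.
    // Treats the sender's values as GMT.
    public static Datetime toDatetimeGmt(String raw) {
        if (raw == null) {
            throw new DateFormatException('Missing datetime value');
        }
        Matcher m = INBOUND.matcher(raw.trim());
        if (!m.matches()) {
            // The untrusted input is deliberately not echoed into the message
            throw new DateFormatException('Datetime is not in the agreed format');
        }
        Integer month = Integer.valueOf(m.group(1));
        Integer day = Integer.valueOf(m.group(2));
        Integer year = Integer.valueOf(m.group(3));
        Integer hour12 = Integer.valueOf(m.group(4));
        Integer minute = Integer.valueOf(m.group(5));
        // Range checks that the regex does not enforce.
        // The year window is an assumed sanity limit for conference dates.
        if (year < 2000 || year > 2100 || month < 1 || month > 12
                || day < 1 || day > Date.daysInMonth(year, month)
                || hour12 < 1 || hour12 > 12 || minute > 59) {
            throw new DateFormatException('Datetime component out of range');
        }
        // 12-hour to 24-hour clock: 12 AM becomes 0, 12 PM stays 12
        Integer hour = Math.mod(hour12, 12) + (m.group(6) == 'PM' ? 12 : 0);
        return Datetime.newInstanceGmt(year, month, day, hour, minute, 0);
    }

    // Method 2: rebuild the value in the standard yyyy-MM-dd HH:mm:ss form and
    // pass it to Datetime.valueOf(), which reads it in the running user's time zone.
    // Use this when the sender's times are local wall-clock times rather than GMT.
    public static Datetime toDatetimeLocal(String raw) {
        String standard = toDatetimeGmt(raw).formatGmt('yyyy-MM-dd HH:mm:ss');
        return Datetime.valueOf(standard);
    }

    // Builds the record without datetime.parse(), so the result is the same
    // whether the org uses JDK or ICU locale formats.
    public static Conference__c buildConference(Map<String, Object> conferenceDetails) {
        return new Conference__c(
            Name = String.valueOf(conferenceDetails.get('name')),
            Start_Date_Time__c =
                toDatetimeGmt(String.valueOf(conferenceDetails.get('start_date_time'))),
            End_Date_Time__c =
                toDatetimeGmt(String.valueOf(conferenceDetails.get('end_date_time')))
        );
    }
}
```

Because the pattern accepts the value with or without the comma after the year, the same payload parses before and after the sender or the org switches formats, and anything else is rejected instead of being guessed at.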
SEE ALSO:
Use Locale-Neutral Methods in Code
Example Code with Locale-Formatted Data
Salesforce Developer Center: Apex
Adopt the ICU Locale Formats
• Installed Packages—If your org has installed packages from AppExchange, verify that your data is parsed correctly with the new
formats.
For example, if an installed package provides or scrubs lead data, verify that the date, time, and currency data display as expected
with the new formats. Or, if the package provides project management tools, test any date-based calculations. If you encounter an
issue with a managed package, report the issue to the package provider.
• Custom Functionality—Validate web services, email services, formula-based fields, and any complex business workflows in Salesforce
that use custom code. Focus on the processing of date, time, number, and currency data, and include processes that are triggered
based on this data.
SEE ALSO:
Adopt the ICU Locale Formats
Custom Code and Locale Format Changes
Note: Review these important details about the data in this table.
• We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
• Arabic-Indic is the numeral system for certain locales and languages. If you want to use the Hindu-Arabic numeral system for those languages and locales, contact Salesforce Customer Support.
Available in: Lightning Experience and Salesforce Classic (not available in all orgs)
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
LOCALE NAME AND CODE NUMBER FORMAT NAME FORMAT ADDRESS FORMAT
State
ZipCode City Country
State Country
ZipCode City
State Country
ZipCode City
State Country
English (United Arab Emirates) 1,234,567.567 Ms. FName LName Address Line 1,
English (Antigua & Barbuda) 1,234,567.567 Ms. FName LName Address Line 1,
City, State ZipCode
Country
ZipCode City
State Country
Country
English (Hong Kong SAR China) 1,234,567.567 Ms. FName LName Address Line 1,
English (Papua New Guinea) 1,234,567.567 Ms. FName LName Address Line 1,
ZipCode State
Country
Country
English (Sierra Leone, SLL) 1,234,567.567 Ms. FName LName Address Line 1,
English (Trinidad & Tobago) 1,234,567.567 Ms. FName LName Address Line 1,
City, State ZipCode
Country
English (South Africa) 1 234 567,567 Ms. FName LName Address Line 1,
Country
Español (Costa Rica) 1 234 567,567 Ms. FName LName Address Line 1,
fa_IR − City
Address Line 1,
Address Line 2
ZipCode
Country
City, State ZipCode
Country
ZipCode City
State Country
ʻŌlelo Hawaiʻi (ʻAmelika Hui Pū 1,234,567.567 Ms. FName LName Address Line 1,
ʻIa) -1,234,567.567 Address Line 2
haw_US City, State ZipCode
Country
Country
Haitian Creole (United States) 1,234,567.567 Ms. FName LName Address Line 1,
State Country
Қазақ тілі (Қазақстан) 1 234 567,567 Ms. FName LName ZipCode
Country
State
Country
Português (Cabo Verde) 1 234 567,567 Ms. FName LName Address Line 1,
Português (São Tomé e Príncipe) 1 234 567,567 Ms. FName LName Address Line 1,
City, State ZipCode
Country
Serbian (Latin) (Bosnia and 1.234.567,567 Ms. FName LName Address Line 1,
Herzegovina) -1.234.567,567 Address Line 2
sh_BA ZipCode City
State Country
Serbian (Cyrillic) (Bosnia and 1.234.567,567 Ms. FName LName Address Line 1,
Herzegovina) -1.234.567,567 Address Line 2
sr_BA ZipCode City
State Country
Uzbek (Latin, Uzbekistan) 1 234 567,567 Ms. FName LName Address Line 1,
IsiXhosa (eMzantsi Afrika) 1 234 567.567 Ms. FName LName Address Line 1,
LName FName Address Line 1,
1,234,567.567
zh_CN_PINYIN Address Line 2
-1,234,567.567
City, State ZipCode
Country
City, State ZipCode
Country
Note: We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
LOCALE NAME AND CODE DATE AND TIME FORMATS TIME FORMAT WEEK
) ) // , : : Saturday – Sunday
ar_AE / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_BH / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_EG / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_IQ / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_JO / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_KW / / , : :
// , : : -
) ) // , : : Monday – Sunday
ar_LB / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_OM / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_QA / / , : :
// , : : -
) ) // , : : Sunday – Saturday
ar_SA / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_SD / / , : :
// , : : -
) ) // , : : Saturday – Sunday
ar_SY / / , : :
// , : : -
) ) // , : : Sunday – Saturday
ar_YE / / , : :
// , : : -
28.01.2008 г., 16:30:05 ч. Гринуич-8
( ) // : PM : PM Sunday – Saturday
bn_BD , : : PM
// : : PM GMT -
( ) // : PM : PM Sunday – Saturday
bn_IN , : : PM
// : : PM GMT -
dz_BT Jan : : PM
- - : PM -
28/01/2008, 4:30:05 pm GMT-8
English (Hong Kong SAR China) 28/1/2008, 4:30 pm 4:30 pm Sunday – Saturday
28/01/2008, 16:30:05 GMT-8
28/01/2008, 4:30:05 pm GMT-8
28/1/2008, 16:30:05 GMT-8
28/1/2008, 4:30:05 p. m. GMT-8
) ) : / / : Saturday – Friday
fa_IR : :
: : / / (− )
ʻŌlelo Hawaiʻi (ʻAmelika Hui Pū ʻIa) 28/i/2008 4:30 PM 4:30 PM Sunday – Saturday
28/i/2008 4:30:05 PM GMT-8
Hrvatski (Hrvatska, HRK) 28. 01. 2008. 16:30 16:30 Monday – Sunday
28/1/2008, 4:30:05 PM -8
( ) / / , : PM : PM Sunday – Saturday
mr_IN , , : : PM
/ / , : : PM [GMT]-
( ) - - : : Sunday – Saturday
my_MM - : :
- - GMT- : :
ne_NP Jan , : :
/ / , : : GMT-
28-01-2008 16:30:05 PST
ps_AF BC Nov : :
B : : / / (GMT- )
28.01.2008, 16:30:05 GMT-8
sr_BA 28.1.2008. 16:30:05 GMT-8
Note: We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
Available in: Lightning Experience and Salesforce Classic (not available in all orgs)
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
LOCALE NAME AND CODE DEFAULT CURRENCY CURRENCY CODE CURRENCY FORMAT
Afrikaans (Suid-Afrika) South African Rand ZAR R 1 234 567,57
af_ZA -R 1 234 567,57
) ) AED ..
ar_AE - ..
) ) BHD ..
ar_BH - ..
) ) DZD . . 1.234.567,57
ar_DZ - . . 1.234.567,57
) ) EGP ..
ar_EG - ..
) ) IQD ..
ar_IQ - ..
) ) JOD ..
ar_JO - ..
) ) KWD ..
ar_KW - ..
) ) LBP ..
ar_LB - ..
) ) LYD . . 1.234.567,57
ar_LY - . . 1.234.567,57
) ) MAD . . 1.234.567,57
ar_MA - . . 1.234.567,57
) ) OMR ..
ar_OM - ..
) ) QAR ..
ar_QA - ..
) ) SAR ..
ar_SA - ..
) ) SDG ..
ar_SD - ..
) ) SYP ..
ar_SY - ..
) ) TND . . 1.234.567,57
ar_TN - . . 1.234.567,57
) ) YER ..
ar_YE - ..
English (Hong Kong SAR China) Hong Kong Dollar HKD HK$1,234,567.57
en_HK -HK$1,234,567.57
English (Papua New Guinea) Papua New Guinea Kina PGK K 1,234,567.57
en_PG -K 1,234,567.57
fa_IR −
) ) ILS 1,234,567.57
iw_IL -1,234,567.57
( ) 日本円 JPY
¥1,234,567.57
ja_JP -¥1,234,567.57
( ) 조선민주주의인민공화국 원 KPW
KPW1,234,567.57
ko_KP -KPW1,234,567.57
( ) 대한민국 원 KRW
₩1,234,567.57
ko_KR -₩1,234,567.57
ps_AF -
Português (São Tomé e Príncipe) Dobra de São Tomé e Príncipe STN 1 234 567,57 Db
pt_ST -1 234 567,57 Db
Русский (Армения)
Армянский драм AMD 1 234 567,57 AMD
ru_AM -1 234 567,57 AMD
Русский (Беларусь)
Белорусский рубль BYN 1 234 567,57 Br
ru_BY -1 234 567,57 Br
Русский (Киргизия)
Киргизский сом KGS 1 234 567,57 сом
ru_KG -1 234 567,57 сом
Русский (Казахстан)
Казахстанский тенге KZT 1 234 567,57
ru_KZ -1 234 567,57
Русский (Литва)
Евро EUR 1 234 567,57 €
ru_LT -1 234 567,57 €
Русский (Молдова)
Молдавский лей MDL 1 234 567,57 L
ru_MD -1 234 567,57 L
Русский (Польша)
Польский злотый PLN 1 234 567,57 PLN
ru_PL -1 234 567,57 PLN
Русский (Россия)
Российский рубль RUB 1 234 567,57
ru_RU -1 234 567,57
Русский (Украина)
Украинская гривна UAH 1 234 567,57
ru_UA -1 234 567,57
中国人民币 CNY
¥1,234,567.57
zh_CN -¥1,234,567.57
中国人民币 CNY
¥1,234,567.57
zh_CN_PINYIN -¥1,234,567.57
HKD HK$1,234,567.57
zh_HK -HK$1,234,567.57
( ) HKD HK$1,234,567.57
zh_HK_STROKE -HK$1,234,567.57
MOP MOP$1,234,567.57
zh_MO -MOP$1,234,567.57
SGD $1,234,567.57
zh_SG -$1,234,567.57
台幣 TWD
$1,234,567.57
zh_TW -$1,234,567.57
中文 (台灣,筆劃順序) 台幣 TWD
$1,234,567.57
zh_TW_STROKE -$1,234,567.57
1
The CSD currency is only available in single currency orgs and orgs that activated multiple currencies when CSD was the corporate
currency. It represents the old Serbian Dinar used in Serbia and Montenegro from 2003 to 2006. Because it’s no longer a valid ISO currency
code, it can be incompatible with other systems. If your org uses this currency, we recommend moving to the current Serbian Dinar
currency, RSD. The corresponding locale is Serbian (Serbia) with the sr_RS locale code.
SEE ALSO:
Set Your Personal or Organization-Wide Currency
SEE ALSO:
Adopt the ICU Locale Formats
Note: Review these important details about the formats in the table.
• We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
• Arabic-Indic is the numeral system for certain locales and languages. If you want to use the Hindu-Arabic numeral system for those languages and locales, contact Salesforce Customer Support.
Available in: Lightning Experience and Salesforce Classic (not available in all orgs)
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
LOCALE NAME AND CODE NUMBER FORMAT NAME FORMAT ADDRESS FORMAT
State Country
Country
State
Country
English (United Arab Emirates) 1,234,567.567 Ms. FName LName Address Line 1,
English (Antigua & Barbuda) 1,234,567.567 Ms. FName LName Address Line 1,
English (Hong Kong SAR China) 1,234,567.567 Ms. FName LName Address Line 1,
ZipCode City
State Country
State Country
English (Papua New Guinea) 1,234,567.567 Ms. FName LName Address Line 1,
City
ZipCode
State Country
English (Sierra Leone, SLL) 1,234,567.567 Ms. FName LName Address Line 1,
English (Trinidad & Tobago) 1,234,567.567 Ms. FName LName Address Line 1,
ZipCode City
State
Country
State Country
State Country
fa_IR − City
Address Line 1,
Address Line 2
ZipCode
Country
ʻŌlelo Hawaiʻi (ʻAmelika Hui Pū 1,234,567.567 Ms. FName LName Address Line 1,
ʻIa) -1,234,567.567 Address Line 2
haw_US City, State ZipCode
Country
Haitian Creole (United States) 1,234,567.567 Ms. FName LName Address Line 1,
Қазақ тілі (Қазақстан) 1 234 567,567 Ms. FName LName ZipCode
State Country
ZipCode City
State Country
Português (Cabo Verde) 1 234 567,567 Ms. FName LName Address Line 1,
Português (São Tomé e Príncipe) 1 234 567,567 Ms. FName LName Address Line 1,
Country
| Serbian (Latin) (Bosnia and Herzegovina) sh_BA | 1.234.567,567; -1.234.567,567 | Ms. FName LName | Address Line 1, / Address Line 2 / ZipCode City / State Country |
Country
| Serbian (Cyrillic) (Bosnia and Herzegovina) sr_BA | 1.234.567,567; -1.234.567,567 | Ms. FName LName | Address Line 1, / Address Line 2 / ZipCode City / State Country |
Uzbek (Latin, Uzbekistan) 1 234 567,567 Ms. FName LName Address Line 1,
IsiXhosa (eMzantsi Afrika) 1 234 567.567 Ms. FName LName Address Line 1,
| zh_CN | 1,234,567.567; -1,234,567.567 | LName FName | Address Line 1, / Address Line 2 / City, State ZipCode / Country |
State
Country
Note: We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
Available in: Group, Professional, Enterprise, Performance, Unlimited, Database.com, and Developer Editions
| LOCALE NAME AND CODE | DATE AND TIME FORMATS | TIME FORMAT | WEEK |
28/01/2008 4:30:05 -8
) ) // , : : Saturday – Friday
ar_AE / / , : :
// , : : -
) ) // , : : Saturday – Friday
ar_BH / / , : :
// , : : -
) ) // , : : Saturday – Friday
ar_EG / / , : :
// , : : -
) ) // , : : Saturday – Friday
ar_IQ / / , : :
// , : : -
) ) / / : : Saturday – Friday
ar_JO / / : :
/ / - : :
) ) // , : : Saturday – Friday
ar_KW / / , : :
// , : : -
) ) / / : : Saturday – Friday
ar_LB / / : :
/ / - : :
) ) // , : : Saturday – Friday
ar_OM / / , : :
// , : : -
) ) // , : : Saturday – Friday
ar_QA / / , : :
// , : : -
) ) / / : : Saturday – Friday
ar_SA / / : :
/ / - : :
) ) // , : : Saturday – Friday
ar_SD / / , : :
// , : : -
) ) / / : : Saturday – Friday
ar_SY / / : :
/ / - : :
) ) // , : : Saturday – Friday
ar_YE / / , : :
// , : : -
28.1.2008 16.30.05 PST
( ) // : PM : PM Sunday – Saturday
bn_BD , : : PM
// : : PM GMT -
( ) // : PM : PM Sunday – Saturday
bn_IN , : : PM
// : : PM GMT -
dz_BT Jan : : PM
- - : PM -
28/01/2008 4:30:05 PM
English (Hong Kong SAR China) 28/1/2008, 4:30 pm 4:30 pm Sunday – Saturday
28/1/2008, 4:30:05 pm GMT-8
1/28/2008 4:30:05 PM PST
28/01/2008 16:30:05 PST
Español (Estados Unidos) 1/28/2008 4:30 p.m. 4:30 p.m. Sunday – Saturday
28/01/2008 04:30:05 PM PST
) ) : / / : Sunday – Saturday
fa_IR : :
: : / / (− )
28/1/2008 04:30:05 PM GMT-8
ʻŌlelo Hawaiʻi (ʻAmelika Hui Pū ʻIa) 28/i/2008 4:30 PM 4:30 PM Sunday – Saturday
2008-01-28 16.30.05 GMT-8
( ) / / , : PM : PM Sunday – Saturday
mr_IN , , : : PM
/ / , : : PM [GMT]-
( ) - - : : Sunday – Saturday
my_MM - : :
- - GMT- : :
ne_NP Jan , : :
/ / , : : GMT-
ps_AF BC Nov : :
B : : / / (GMT- )
28.01.2008 16:30:05 PST
| Serbian (Latin) (Bosnia and Herzegovina) sh_BA | 1/28/2008 4:30 po podne; jan 28, 2008 4:30:05 po podne; 1/28/2008 4:30:05 po podne GMT-8 | 4:30 po podne | Sunday – Saturday |
2008-01-28 4.30.05.MD PST
28/1/2008 16:30:05 WAT-8
Note: We recommend viewing this information in Salesforce Help. Not all characters appear correctly in PDFs.
) ) AED ..
ar_AE - ..
) ) BHD ..
ar_BH - ..
) ) DZD . . 1.234.567,57
ar_DZ - . . 1.234.567,57
) ) EGP ..
ar_EG - ..
) ) IQD ..
ar_IQ - ..
) ) JOD ..
ar_JO - ..
) ) KWD ..
ar_KW - ..
) ) LBP ..
ar_LB - ..
) ) LYD . . 1.234.567,57
ar_LY - . . 1.234.567,57
) ) MAD . . 1.234.567,57
ar_MA - . . 1.234.567,57
) ) OMR ..
ar_OM - ..
) ) QAR ..
ar_QA - ..
) ) SAR ..
ar_SA - ..
) ) SDG ..
ar_SD - ..
) ) SYP ..
ar_SY - ..
) ) TND . . 1.234.567,57
ar_TN - . . 1.234.567,57
) ) YER ..
ar_YE - ..
| English (Hong Kong SAR China) en_HK | Hong Kong Dollar | HKD | HK$1,234,567.57; -HK$1,234,567.57 |
| English (Papua New Guinea) en_PG | Papua New Guinea Kina | PGK | K 1,234,567.57; -K 1,234,567.57 |
fa_IR −
| ( ) ja_JP | 日本円 | JPY | ¥1,234,567.57; -¥1,234,567.57 |
| ( ) ko_KP | 조선민주주의인민공화국 원 | KPW | KPW1,234,567.57; -KPW1,234,567.57 |
| ( ) ko_KR | 대한민국 원 | KRW | ₩1,234,567.57; -₩1,234,567.57 |
ps_AF -
| Português (São Tomé e Príncipe) pt_ST | Dobra de São Tomé e Príncipe | STN | 1 234 567,57 Db; -1 234 567,57 Db |
| Русский (Армения) ru_AM | Армянский драм | AMD | AMD 1 234 567,57; -AMD 1 234 567,57 |
| Русский (Беларусь) ru_BY | Белорусский рубль | BYN | 1 234 567,57 Br; -1 234 567,57 Br |
| Русский (Киргизия) ru_KG | Киргизский сом | KGS | 1 234 567,57 сом; -1 234 567,57 сом |
| Русский (Казахстан) ru_KZ | Казахстанский тенге | KZT | 1 234 567,57; -1 234 567,57 |
| Русский (Литва) ru_LT | Евро | EUR | € 1 234 567,57; -€ 1 234 567,57 |
| Русский (Молдова) ru_MD | Молдавский лей | MDL | 1 234 567,57 L; -1 234 567,57 L |
| Русский (Польша) ru_PL | Польский злотый | PLN | PLN 1 234 567,57; -PLN 1 234 567,57 |
| Русский (Россия) ru_RU | Российский рубль | RUB | 1 234 567,57 руб.; -1 234 567,57 руб. |
| Русский (Украина) ru_UA | Украинская гривна | UAH | 1 234 567,57; -1 234 567,57 |
| Serbian (Cyrillic) (Bosnia and Herzegovina) sr_BA | Convertible Marks | BAM | КМ. 1.234.567,57; -КМ. 1.234.567,57 |
| zh_CN | 中国人民币 | CNY | ¥1,234,567.57; -¥1,234,567.57 |
| zh_CN_PINYIN | 中国人民币 | CNY | ¥1,234,567.57; -¥1,234,567.57 |
| zh_HK |  | HKD | HK$1,234,567.57; (HK$1,234,567.57) |
| ( ) zh_HK_STROKE |  | HKD | HK$1,234,567.57; (HK$1,234,567.57) |
| zh_MO |  | MOP | MOP$1,234,567.57; -MOP$1,234,567.57 |
| zh_SG |  | SGD | S$1,234,567.57; -S$1,234,567.57 |
| zh_TW | 台幣 | TWD | NT$1,234,567.57; -NT$1,234,567.57 |
| 中文 (台灣,筆劃順序) zh_TW_STROKE | 台幣 | TWD | NT$1,234,567.57; -NT$1,234,567.57 |
¹ The CSD currency is only available in single currency orgs and orgs that activated multiple currencies when CSD was the corporate
currency. It represents the old Serbian Dinar used in Serbia and Montenegro from 2003 to 2006. Because it’s no longer a valid ISO currency
code, it can be incompatible with other systems. If your org uses this currency, we recommend moving to the current Serbian Dinar
currency, RSD. The corresponding locale is Serbian (Serbia) with the sr_RS locale code.
USER PERMISSIONS
To view currencies:
• View Setup and Configuration
To change currencies:
• Customize Application
USER PERMISSIONS
To view company information:
• View Setup and Configuration
To change company information:
• Customize Application
The available personal setup options vary according to which Salesforce Edition you have.
• Changing conversion rates causes a mass recalculation of roll-up summary fields. This recalculation can take up to 30 minutes,
depending on the number of records affected.
• You can also change a conversion rate via the API. However, if another roll-up summary recalculation for the same currency
field is in progress, the age of that job affects the recalculation job that you triggered. Here’s what happens when you request
a currency rate change via the API, and a related job is in progress.
– If the other recalculation for the same currency field was kicked off less than 24 hours ago, your currency rate change isn’t
saved. You can try again later or instead change the currency rate from Manage Currencies in Setup. Initiating the change
from Setup stops the old job and triggers your recalculation to run.
– If the other recalculation job was kicked off more than 24 hours ago, you can save your currency rate change and your job
starts.
To check the status of your recalculation job, see the Background Jobs page in Setup.
SEE ALSO:
Set Your Personal or Organization-Wide Currency
SEE ALSO:
Language, Locale, and Currency Settings
For example, you can define local name fields for a contact in Japan named Yukiko Nakamura:
Field Value
First Name Yukiko
Note: When viewed from a report, empty local name fields display different values depending on whether the report is standard
or custom. If the local name field is empty:
• Standard reports display the value from the standard name field. So if First Name (Local) is empty, the value for
First Name is displayed.
• Custom reports display an empty value. So if First Name (Local) is empty, the field is displayed empty.
Set Up and Maintain Your Salesforce Organization Define Your Fiscal Year
USER PERMISSIONS
The imperial calendar information is hidden for users with other locales (2).
Make sure that users who want to view the imperial calendar set their locale to Japanese (Japan) and their language to Japanese.
If you use a common fiscal year structure, such as 4-4-5 or a 13-period structure, you can rapidly define a fiscal year. Just specify a start
date and choose an included template. If the fiscal year structure you need is not among the templates, you can easily modify a template
to suit your business. For example, if you use three fiscal quarters per year (a trimester) rather than four, delete or modify quarters and
periods to meet your needs.
Your custom fiscal periods can be named based on your standards. For example, a fiscal period could be called “P2” or “February.”
Fiscal years can be modified any time. For example, you can add an extra week to synchronize a custom fiscal year with a standard
calendar in a leap year. Changes to fiscal year structure take effect immediately upon being saved. If you use forecasting, Salesforce
recalculates your forecasts when you save changes to a fiscal year.
• You can’t use fiscal period columns in opportunity, opportunity with product, or opportunity with schedule reports.
• Opportunity list views don’t include a fiscal period column.
• When custom fiscal years are enabled, you can't use the FISCAL_MONTH(), FISCAL_QUARTER(), or FISCAL_YEAR() date functions in
SOQL.
4. Click Save.
Warning: Changing the length of a fiscal year has an impact on forecasting and reporting.
For detailed information on the impact, see Define Your Fiscal Year.
If you want to return to a fiscal year template, select a template from the Reset Fiscal Year
Structure drop-down list. However, resetting the fiscal year structure to a template removes
all the customizations you made to the fiscal year.
You can easily add or remove fiscal periods (such as quarters, periods, or weeks) from the fiscal year
structure.
Available in: both Salesforce Classic and Lightning Experience
Available in: All Editions except for Database.com.
USER PERMISSIONS
To define or edit fiscal years:
• Customize Application
1. From Setup, click Company Profile > Fiscal Year.
2. Click Edit for the fiscal year you want to edit.
• To remove a fiscal period, select the checkbox for the period you want to delete, then click Delete.
You must have at least one quarter, one period, and one week. If you delete a fiscal period or quarter, you delete forecast
adjustments and quotas for that period or quarter.
• To change the length of a fiscal period, choose the length from the Duration drop-down list for the fiscal week.
To change the duration of a fiscal period or quarter, insert or delete weeks, or change the length of weeks that compose the
period or quarter.
5. After you have customized your fiscal year, preview the fiscal year definition.
6. Save your work.
|  | Custom Quarter Names | This option allows you to set the quarter label to any name. The quarter label is set to the name you select from Quarter Name. By default the order of the quarter names is the same as the picklist order. To customize the order, select a different value from the quarter detail drop-down list. |
| Period Name Scheme | Numbered By Year | This option allows you to set the period label based on its position in the year. The period label is a combination of the period prefix and the period number. Period numbers do not reset in each quarter. For example, if the period prefix is “P,” the label for the sixth period is P6. By default the order of the period determines its number (the first period is labeled “1”). To customize the number, select a different value from the period detail drop-down list. |
|  | Numbered By Quarter | This option allows you to set the period label based on its position in the quarter. The period label is a combination of the period prefix and the period number. Period numbers reset in each quarter. For example, if the period prefix is “P,” and the sixth period is the second period in the second quarter, its label is P2. By default the number for each period is set by their order within the quarter (the first period in a quarter is labeled “1”); customize it by selecting a different value from the period detail drop-down list. |
|  | Standard Month Names | This option allows you to set the period label to the month name of the start of the period. For example, if a period started on October 12 and ends on November 10, the period label would be October. |
|  | Custom Period Names | This option allows you to set the period label to any string. The period label is set to the string you select from Period Name. By default the order of the period names
| Period Prefix | The period prefix picklist is a list of options for the text that prefixes the period number or name if your fiscal year uses the Numbered By Year period naming scheme. For example, if the fiscal quarter is called “P4,” the “P” is the period prefix. |
| Quarter Name | The quarter name picklist is a list of options for the quarter name if your fiscal year uses the Custom Quarter Names quarter naming scheme. For example, if you want to name your quarters for the seasons (Spring, Summer, Fall, and Winter), you could set the quarter name list to those values. |
| Period Name | The period name picklist is a list of options for the quarter name if your fiscal year uses the Custom Period Names quarter naming scheme. Similar to the quarter name picklist, you can choose meaningful names for the period name picklist. |
1. To customize a picklist, from Setup, click Company Profile > Fiscal Year.
2. Click Edit next to the appropriate picklist.
SEE ALSO:
Define Your Fiscal Year
4-4-5 Within each quarter, period 1 has 4 weeks, period 2 has 4 weeks, and period 3 has 5 weeks
4-5-4 Within each quarter, period 1 has 4 weeks, period 2 has 5 weeks, and period 3 has 4 weeks
5-4-4 Within each quarter, period 1 has 5 weeks, period 2 has 4 weeks, and period 3 has 4 weeks
3-3-3-4 Quarter 1 has 3 periods, quarter 2 has 3 periods, quarter 3 has 3 periods, and quarter 4 has 4 periods
3-3-4-3 Quarter 1 has 3 periods, quarter 2 has 3 periods, quarter 3 has 4 periods, and quarter 4 has 3 periods
3-4-3-3 Quarter 1 has 3 periods, quarter 2 has 4 periods, quarter 3 has 3 periods, and quarter 4 has 3 periods
4-3-3-3 Quarter 1 has 4 periods, quarter 2 has 3 periods, quarter 3 has 3 periods, and quarter 4 has 3 periods
• Gregorian Calendar
12 months/year, standard Gregorian calendar.
Unlike the other template styles, you can’t do advanced customization of a fiscal year that has been created from a Gregorian calendar
template. Only use this template if you want to create a fiscal year that follows the Gregorian calendar. This template mimics the
functionality of standard fiscal years.
SEE ALSO:
Define Your Fiscal Year
Before defining or editing any custom fiscal years, be aware of its impact on forecasting, reports,
and other objects by reviewing Define Your Fiscal Year on page 287.
If your company uses forecasting, creating the first custom fiscal year deletes any quotas and adjustments in the corresponding and
subsequent standard fiscal years.
Custom fiscal years cannot be deleted.
1. To define a new custom fiscal year, navigate to Setup, click Company Profile > Fiscal Year.
2. Click New. The Custom Fiscal Year template dialog opens.
3. Choose a template and click Continue to close the Custom Fiscal Year template dialog. For more information on the templates, see
Choose a Custom Fiscal Year Template on page 291.
4. Set the fiscal year start date, the fiscal year name, and choose the week start day. You can also add a description for the fiscal year.
Set Up and Maintain Your Salesforce Organization Einstein Terms and Data Usage
For the first custom fiscal year, the Fiscal Year Start Date and the Week Start Date are automatically set to
today's date and day of week. If you already defined a custom fiscal year, the start dates are set to the day after the last end date of
your custom fiscal years. To change anything other than the start date, year name, or week start day, see Customize the Fiscal Year Structure
on page 289.
Warning: If you change the start or end date of any quarter, period, or week, you lose all forecast data that are within that date
range, including quotas, forecast history, and forecast adjustments. It also includes all forecasts for date ranges automatically
adjusted as a result of that change and end or start date changes resulting from inserting or deleting periods.
Additionally, Sales Cloud Unlimited and Performance Edition orgs with a Sales Cloud license include these Einstein features:
Feature Instructions
Sales Cloud Einstein Set Up Sales Cloud Einstein
If you can’t turn on these features without your System Administrator’s permissions, see Submitting an Order Form Supplement for
Einstein Features for instructions.
At this time, Einstein features aren’t available on the Salesforce Government Cloud.
For more information on Einstein features, see the Salesforce Trust and Compliance Documentation.
Einstein and Data Usage in Sales Cloud, Service Cloud, and Lightning Platform
Einstein intelligence is built on data. As an Einstein customer, it is important for you to know what data is being used in your Einstein
products. This table lists the data that is used by each feature.
The table lists both the Customer Data that is used, which is data submitted by the Customer to our services as defined in our Main
Services Agreement (MSA), and the usage data that is used, which is data relating to users’ interactions with Salesforce. Data submitted
to an Einstein feature may be used to train AI models, to improve your services and features, or to develop new features that you will
have access to without additional cost.
The table also indicates which features use global models, which are models that look for aggregated, anonymous trends across multiple
Salesforce Customers. The Customer has control over whether their data contributes to global models. For more information on how
to control how your data is used, see Salesforce Einstein: Global Model Opt-Out Process.
| Cloud or Package | Feature | Customer Data and Salesforce Objects Used | Usage Data Used | Global Model Used |
| Einstein Conversation Insights | Einstein Conversation Insights | Account, Contact, Opportunity, OpportunityHistory, OpportunityStage, User, VoiceCall, VideoCall, VideoCallRecording, VoiceCallRecording, VideoCallParticipant, meeting data | NA | Yes |
|  | Einstein Article Recommendations | Default model doesn’t use customer data. If enabled, customer-specific model uses Case, Article (Knowledge__kav), and CaseArticle. | CandidateAnswer (stores all articles recommended), EinsteinAnswerFeedback (stores customer interaction with recommended articles such as clicks and hovers) | No |
SalesAIScoreCycle, SalesAIScoreAIFactor,
AIApplication, MLPredictionDefinition, VoiceCall,
VideoCall, VideoCallParticipant,
OpportunitySplitType, OpportunitySplit objects,
Product2, Product2History, Enterprise Territory
Management objects,
OpportunityLineItemSchedule, QuoteLineItem,
Quote, Order, OrderItem, Contract,
ContractLineItem, Invoice, InvoiceLine, Asset,
AssetTag, Product2, ProductMedia.
If Einstein Activity Capture is enabled: User
emails, email insights, meeting data (events).
If Einstein Conversation Insights is enabled:
Insights.
| Einstein GPT for Sales | Sales Emails | Account, Contact, Lead, Product, and User | Email, Engagement data based on send clicks | No |
| Einstein GPT for Service | Einstein Work Summaries | LiveChatTranscript, VoiceCall, Case, Knowledge, Email, MessagingSession, ConversationEntry | NA | No |
| Einstein Search for Knowledge | Einstein Search for Knowledge | NA | Knowledge search terms, knowledge search results (record IDs, query and document matching metadata, and user-MRU and document matching metadata), and knowledge article metadata. See Enable Einstein Search for Knowledge. | Yes |
Profile. From Account Engagement: visitor,
visitorActivity, lifecycleStage, lifecycleHistory,
campaign, form, prospect.
|  | Einstein Engagement Frequency | Analyzes the past 90 days’ email engagement history for all business unit level subscribers over different frequencies. The engagement history that Einstein Engagement Frequency analyzes includes these factors: Engagement behavior such as sends, clicks, opens, unsubscribes, spam complaints, and associated timestamps. Data and metadata about customer sending patterns, including how campaigns are executed. | Engagement data based on usage (such as opens, clicks, unsubscribes) and timestamps associated with them | No |
|  | Einstein Send Time Optimization | Engagement behavior (sends, clicks, opens, unsubscribes, spam complaints) and associated timestamps. Data and metadata about customer sending patterns and how campaigns are executed. | Engagement data based on usage (such as opens, clicks, unsubscribes) and timestamps associated with them | No |
| Sales Cloud Einstein | Einstein Account Insights | External News, RecordRecommendation, AccountInsightNewsArticle, OpportunityInsight, AccountInsight, PredictionDefinition, Task, EventRelation, Event, Contact, Lead, AccountTeamMember, EntitySubscription, Account, Opportunity, OpportunityHistory, OpportunityContactRole, OpportunityStage, OpportunityTeamMember Organization, PermissionSet, PermissionSetAssignment, PermissionSetLicense, PermissionSetLicenseAssign, User, UserRole, Profile, OrgWideEmailAddress, RecordType, CurrencyType | Account insights user interaction feedback such as account insights rendered, dismiss, undo dismiss, email, expand, collapse, open dropdown menu on Lightning Platform and Record Home | No |
|  | Einstein Forecasting | Same as Einstein Opportunity Scoring with the following additional entities: Individual, Period, ForecastingPrediction, ForecastingPredictionElement, ForecastingPredictionReason, ForecastingPredictionTrend, ForecastingType, OpportunitySplit, OpportunitySplitType, FiscalYearSettings, ForecastingSegmentationConfig, ForecastingTunerConfig, PeriodType, ForecastingQuota, ForecastingSourceDefinition, ForecastingTypeSource, ForecastingFilter, ForecastingFilterCondition | Forecasting prediction user interaction feedback such as forecasting prediction rendered, hover, and click prediction cell. | No |
PermissionSetLicenseAssign, User, UserRole, Profile, OrgWideEmailAddress, RecordType, CurrencyType. If Einstein Activity Capture is enabled: User email and meetings.

Feature: Lead Scoring
Customer Data and Salesforce Objects Used: Lead, LeadHistory, Task, Event, Account, Contact, RecordType, Organization, LeadIQConfiguration, AIApplication, AIModelDefinition, MLPredictionDefinition, MLDataDefinition
Usage Data Used: Lead score user interaction feedback such as opportunity score rendered, hover on list view, and record home page.
Global Model Used: Yes

Cloud or Package: Sales Engagement
Feature: Einstein Activity Capture (EAC)–Email Insights, EAC–Recommended Connections, EAC–Signature Parser
Customer Data and Salesforce Objects Used: See Einstein Features
Usage Data Used: See Einstein Features
Global Model Used: See Einstein Features
Set Up and Maintain Your Salesforce Organization Set Up Einstein Search
Feature: Einstein Conversation Insights
Customer Data and Salesforce Objects Used: See Einstein Conversation Insights
Usage Data Used: See Einstein Conversation Insights
Global Model Used: See Einstein Conversation Insights

Feature: Lead Scoring
Customer Data and Salesforce Objects Used: See Sales Cloud Einstein
Usage Data Used: See Sales Cloud Einstein
Global Model Used: See Sales Cloud Einstein

Cloud or Package: Salesforce Inbox
Feature: Einstein Activity Capture (EAC)–Email Insights, EAC–Recommended Connections, EAC–Signature Parser
Customer Data and Salesforce Objects Used: See Einstein Features
Usage Data Used: See Einstein Features
Global Model Used: See Einstein Features
Available in: Essentials, Professional, Enterprise, Performance, and Unlimited Editions
The map image on the address is static, but clicking the map image opens Google Maps in a new browser tab on the desktop, and opens a map app on a mobile device.
If your organization has Salesforce offline access enabled, a map doesn’t display when a user’s device is offline.
Available in: Professional, Enterprise, Performance, and Unlimited editions.
USER PERMISSIONS
To modify maps and location settings:
• Customize Application
1. From Setup, enter Maps in the Quick Find box, select Maps and Location Settings, then click Edit.
2. Check Enable Maps and Location Services.
Set Up and Maintain Your Salesforce Organization Provide Maps and Location Services
3. Click Save.
Autocomplete Addresses
When you enable autocomplete addresses, Salesforce app, Experience Cloud Aura, and Experience Cloud Lightning Web Runtime
(LWR) site users can enter text in address fields and see possible matching addresses in a picklist.
Let Users Select States, Countries, and Territories from Picklists
State and country/territory picklists let users select states, countries and territories from predefined, standardized lists, instead of
entering state and country/territory data into text fields. State and country/territory picklists offer faster and easier data entry. They
help to ensure cleaner data that can be harnessed for other uses—in reports and dashboards, for example. They protect data integrity
by preventing typos, alternate spellings, and junk data—even in records updated through the API.
Autocomplete Addresses
When you enable autocomplete addresses, Salesforce app, Experience Cloud Aura, and Experience Cloud Lightning Web Runtime (LWR) site users can enter text in address fields and see possible matching addresses in a picklist.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, and Unlimited editions.
USER PERMISSIONS
To modify maps and location settings:
• Customize Application
Autocomplete on address picklist results are optimized for these countries:
• Australia
• Brazil
• Canada
• France
• Germany
• Japan
• Netherlands
• Russia
• Spain
• Sweden
• United Kingdom
• USA
Autocomplete on address fields is available for all versions of the Salesforce mobile app, Lightning Experience, Experience Cloud Aura,
and Experience Cloud LWR sites.
1. From Setup, enter Maps in the Quick Find box, select Maps and Location Settings, then click Edit.
2. Check Enable autocomplete on address fields.
3. Click Save.
• Optionally, rescan and fix customizations or records that have been created or edited since your first scan.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Edit State, Country, and Territory Details
State and Country/Territory Picklist Field-Syncing Logic
State and Country/Territory Picklist Error Messages
• State and country/territory picklists aren’t supported in Salesforce change sets or packages. However, you can move integration
value changes for state and country/territory picklists between sandbox and production orgs by using the Metadata API. To
edit the existing states and countries in a picklist, configure your state and country/territory picklists in your sandbox org. Then,
use the Metadata API to retrieve the sandbox configurations, and deploy them to your production org. You can’t deploy new
ISO codes or update ISO code values using any API.
1. From Setup, enter State and Country/Territory Picklists in the Quick Find box, then select State and
Country/Territory Picklists.
2. On the State and Country/Territory Picklists page, click Configure States, Countries, and Territories.
3. On the Configure States, Countries, and Territories page, select from the following options:
Active
Makes the country or territory available in the Metadata API so that records that contain the country or territory can be imported.
However, unless you also set it as visible, the country or territory isn’t available to users in Salesforce.
Visible
Makes the country or territory available to users in Salesforce. A country or territory must be active before you can make it visible.
4. Click Edit to view and edit details for the country, including to configure its states or provinces.
5. (Optional) Under Picklist Settings, select a Default Country/Territory. The Default Country/Territory automatically
populates country/territory picklists for new records in your org, but users can select a different country or territory. Default countries
and territories must be both active and visible.
6. To save your configuration, click Save.
Note: Active states and countries not marked Visible are still valid filter lookup values. You can use invisible states and
countries when creating filters in reports, list views, workflows, and so on.
SEE ALSO:
Edit State, Country, and Territory Details
Let Users Select States, Countries, and Territories from Picklists
Integration Values for State and Country/Territory Picklists
AF Afghanistan
AI Anguilla
AM Armenia
AO Angola
AQ Antarctica
AR Argentina
AT Austria
AU Australia*
AW Aruba
AX Aland Islands
AZ Azerbaijan
BB Barbados
BD Bangladesh
BE Belgium
BF Burkina Faso
BG Bulgaria
BH Bahrain
BI Burundi
BJ Benin
BL Saint Barthélemy
BM Bermuda
BN Brunei Darussalam
BR Brazil*
BS Bahamas
BT Bhutan
BV Bouvet Island
BW Botswana
BY Belarus
CA Canada*
CG Congo
CH Switzerland
CI Cote d’Ivoire
CK Cook Islands
CL Chile
CM Cameroon
CN China*
CO Colombia
CR Costa Rica
CU Cuba
CV Cape Verde
CW Curaçao
CX Christmas Island
CY Cyprus
CZ Czechia
DE Germany
DJ Djibouti
DK Denmark
DM Dominica
DO Dominican Republic
DZ Algeria
EC Ecuador
EE Estonia
EG Egypt
EH Western Sahara
ES Spain
ET Ethiopia
FI Finland
FJ Fiji
FO Faroe Islands
FR France
GA Gabon
GB United Kingdom
GD Grenada
GE Georgia
GF French Guiana
GG Guernsey
GH Ghana
GI Gibraltar
GL Greenland
GM Gambia
GN Guinea
GP Guadeloupe
GQ Equatorial Guinea
GR Greece
GT Guatemala
GW Guinea-Bissau
GY Guyana
HN Honduras
HR Croatia
HT Haiti
ID Indonesia
IE Ireland*
IL Israel
IM Isle of Man
IN India*
IQ Iraq
IS Iceland
IT Italy*
JE Jersey
JM Jamaica
JO Jordan
JP Japan
KE Kenya
KG Kyrgyzstan
KH Cambodia
KI Kiribati
KM Comoros
KR Korea, Republic of
KW Kuwait
KY Cayman Islands
KZ Kazakhstan
LB Lebanon
LC Saint Lucia
LI Liechtenstein
LR Liberia
LS Lesotho
LT Lithuania
LU Luxembourg
LV Latvia
LY Libya
MA Morocco
MC Monaco
MD Moldova, Republic of
ME Montenegro
MG Madagascar
MK North Macedonia
ML Mali
MM Myanmar
MN Mongolia
MO Macao
MQ Martinique
MR Mauritania
MS Montserrat
MT Malta
MU Mauritius
MV Maldives
MW Malawi
MX Mexico*
MY Malaysia
MZ Mozambique
NA Namibia
NC New Caledonia
NF Norfolk Island
NG Nigeria
NI Nicaragua
NL Netherlands
NO Norway
NP Nepal
NR Nauru
NU Niue
NZ New Zealand
OM Oman
PA Panama
PE Peru
PF French Polynesia
PH Philippines
PK Pakistan
PL Poland
PN Pitcairn
PS Palestine
PT Portugal
PY Paraguay
QA Qatar
RE Reunion
RO Romania
RS Serbia
RU Russian Federation
RW Rwanda
SA Saudi Arabia
SC Seychelles
SD Sudan
SE Sweden
SG Singapore
SI Slovenia
SK Slovakia
SL Sierra Leone
SM San Marino
SN Senegal
SO Somalia
SR Suriname
SS South Sudan
SV El Salvador
SZ Eswatini
TD Chad
TG Togo
TH Thailand
TJ Tajikistan
TK Tokelau
TL Timor-Leste
TM Turkmenistan
TN Tunisia
TR Türkiye
TV Tuvalu
TW Taiwan
UA Ukraine
UG Uganda
US United States*
UY Uruguay
UZ Uzbekistan
VN Vietnam
VU Vanuatu
WS Samoa
XK Kosovo
YE Yemen
YT Mayotte
ZA South Africa
ZM Zambia
ZW Zimbabwe
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Configure State and Country/Territory Picklists
Integration Values for State and Country/Territory Picklists
State and Country/Territory Picklists and the Metadata API
State, Country, and Territory Picklist Fields
SEE ALSO:
Integration Values for State and Country/Territory Picklists
Edit State, Country, and Territory Details
SEE ALSO:
Scan State and Country/Territory Data and Customizations
Let Users Select States, Countries, and Territories from Picklists
Note: The emails are sent from noreply@salesforce.com. They have the subject line, “Salesforce Address Data Scan” or
“Salesforce Address Customization Scan.” If you don’t receive the emails, make sure that they weren’t caught in a spam filter.
5. Click the link in each email to go to a document that contains the report of affected data or customizations.
6. On the Document detail page, click View file.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
SEE ALSO:
Convert State and Country/Territory Data
Let Users Select States, Countries, and Territories from Picklists
Convert countries first, and then states and provinces.
You can convert up to 2,000 country/territory values and up to 2,000 state values. However, state and country/territory picklists that contain more than 1,000 states or countries can degrade performance.
Available in: All Editions except Database.com
USER PERMISSIONS
To convert text-based state and country/territory data:
• Modify All Data
1. From Setup, enter State and Country/Territory Picklists in the Quick Find box, then select State and Country/Territory Picklists.
2. On the State and Country/Territory Picklists page, click Convert identified data.
Salesforce opens the Convert States, Countries, and Territories page. This page displays all the country and territory text values that
appear in your org and the number of times each value is used.
3. Select Change for one or more values you want to convert. For example, select Change for all the iterations of United States.
4. In the Change To area, choose the country or territory that you want to convert the text values to and click Save to Changelist.
Note: If you map states or countries to Unknown value, users see states and countries in their records. However, your
users encounter errors when they save records, unless they change each state, country, and territory to a valid value before
saving.
5. Repeat Steps 3 and 4 for other country and territory values, such as for Canada.
Salesforce tracks planned changes in the Changelist area.
6. When all the countries are mapped, click Next to convert state values.
Use the Country of Origin column to identify the country or territory associated with that state or province.
7. To convert the values and turn on state and country/territory picklists in your org, click Finish and Enable Picklists on the Confirm
Changes page. Or, to return to the State and Country/Territory Picklists page, click Finish.
A few words about undo:
• On the Convert Countries or Convert States page, click Undo at any time to revert values in the changelist.
• On the Convert States page, click Previous to return to the Convert States, Countries, and Territories page and change country and
territory mappings.
• You can convert state, country, and territory values even after clicking Finish. After picklists are enabled, however, you can no longer
edit your conversion mappings.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
2. On the State and Country/Territory Picklists setup page, click Enable Picklists for Address Fields to turn on the picklists.
Note:
• You can also enable state and country/territory picklists when you finish converting existing, text-based data to picklist values. See Convert State and Country/Territory Data.
3. To turn off state and country/territory picklists, click Disable on the State and Country/Territory Picklists setup page.
Available in: All Editions except Database.com
USER PERMISSIONS
To turn state and country/territory picklists on and off:
• Modify All Data
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Section Title
Field Description
Country/Territory Name
The ISO-standard name that appears in the Salesforce user interface.
Country/Territory Code
The two-letter ISO-standard code. If you change an ISO code, the new value must be unique. Codes are case insensitive and must contain only ASCII characters and numbers. You can’t edit the ISO codes of standard states or countries. You can edit the country or territory codes of custom states, countries, and territories only before you enable those states, countries, and territories for your users.
Country/Territory Phone Code
The one- to three-digit international phone number format for this country or territory without the plus sign or other prefix.
Integration Value
A customizable text value that is linked to a state, country, or territory code. Integration values for standard states, countries, and territories default to the full ISO-standard names. Integration values function like the API names of custom fields and objects and enable existing integrations to continue to work even after you set up the picklist.
You can edit integration values to match values that you use elsewhere in your organization. For example, a workflow rule uses USA instead of the default United States as the country name. If you manually set the integration value for country/territory code US to USA, the workflow rule doesn’t break when you enable state and country/territory picklists.
When you update a code value on a record, that record’s State/Province (text only) or Country (text only) column is populated with the corresponding integration value. And, when you update a state or country (text only) column with a valid integration value, the corresponding state or country/territory code column stays in sync. You can change your organization’s integration values after you enable state and country/territory picklists. But when you update your picklists’ state and country/territory integration values, the integration values on your records aren’t updated. Name values aren’t stored on records. Instead, they’re retrieved based on a record’s State Code or Country Code value. If the states, countries, or territories in your picklists have different field values for Name and Integration Value, make sure your report or list view filters use the correct values. Use names in State and Country filters, and use integration values in State (text only) and Country (text only) filters. Otherwise, your reports can fail to capture all relevant records.
Active
Makes the state, country, or territory available in the Metadata API so that records can be imported that contain the country. But records aren’t available to users in Salesforce unless set to visible.
Visible
Makes the state, country, or territory record available to users in Salesforce. To make a record visible, first make it active.
You update a record’s state or country/territory integration value to a valid value.
Salesforce updates the record’s state or country/territory code to match the integration value.

You remove a record’s country/territory code, but don’t remove the corresponding state code.
Salesforce removes the record’s state code and the state and country/territory integration values.

You create or update a record with state and country/territory values. The new state isn’t in the new country.
No changes are saved. You get an error message.

You update the state or country/territory integration and code values on an existing record. The new integration and code values don’t match.
No changes are saved. You get an error message.

You create a record with mismatched state or country/territory integration and code values.
Salesforce updates your new record’s integration value to match the code value.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Integration Values for State and Country/Territory Picklists
State and Country/Territory Picklist Error Messages
Set Up and Maintain Your Salesforce Organization Customize Reports and Dashboards
Mismatched integration value and ISO code for field
Your code and integration values match different states or countries.

A country must be specified before specifying a state value for field
Your record has a state code or integration value but no country/territory code. You can’t save a state without a corresponding country.

The existing country doesn’t recognize the state value for field
Your state code and integration values belong to a state in a different country.

Invalid state specified for field
Your state code doesn’t match an existing state.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Integration Values for State and Country/Territory Picklists
State and Country/Territory Picklist Field-Syncing Logic
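The field-syncing rules and error messages listed above can be checked locally before address rows are sent through the API. The following Python sketch is an added example, not Salesforce code: it models only the rows visible on this page, and the picklist contents, the dictionary keys (country_code, country_text, state_code, state_text), the local "unknown country" message, and the function names are assumptions made for illustration.

```python
"""Pre-flight check for address rows before an API load (added illustration).

Models only the field-syncing rows and error messages shown on this page."""

FIELDS = ("country_code", "country_text", "state_code", "state_text")  # hypothetical keys

# Constructed picklist configuration: ISO code -> integration value.
# US -> "USA" mirrors the workflow-rule example in the Integration Value text.
COUNTRIES = {"US": "USA", "CA": "Canada"}
# (country code, state code) -> state integration value (constructed sample).
STATES = {("US", "CA"): "California", ("US", "NY"): "New York",
          ("CA", "ON"): "Ontario"}

ERR_MISMATCH = "Mismatched integration value and ISO code for field"
ERR_NO_COUNTRY = "A country must be specified before specifying a state value for field"
ERR_WRONG_COUNTRY = "The existing country doesn’t recognize the state value for field"
ERR_BAD_STATE = "Invalid state specified for field"
# Local message: the page lists no error text for an unknown country value.
ERR_LOCAL_COUNTRY = "Unknown country/territory value (local check)"
_UNKNOWN = object()  # internal marker: value not found in the picklist


def _pair(code, text, valid, is_new):
    """Reconcile one code/integration-value pair against `valid`
    (code -> integration value). Returns (code, text, error)."""
    code = (code or "").strip().upper() or None   # codes are case insensitive
    text = (text or "").strip() or None
    if code is None and text is None:
        return None, None, None
    if code is None:
        # A valid integration value pulls the code into sync.
        matches = [c for c, v in valid.items() if v == text]
        if not matches:
            return None, text, _UNKNOWN
        return matches[0], text, None
    if code not in valid:
        return code, text, _UNKNOWN
    if text is not None and text != valid[code] and not is_new:
        return code, text, ERR_MISMATCH           # update: nothing is saved
    # Create with a mismatch, or code only: integration value follows the code.
    return code, valid[code], None


def _reconcile(row, is_new):
    cc, ctext, err = _pair(row.get("country_code"), row.get("country_text"),
                           COUNTRIES, is_new)
    if err is not None:
        return None, ERR_LOCAL_COUNTRY if err is _UNKNOWN else err
    if (row.get("state_code") or row.get("state_text")) and cc is None:
        return None, ERR_NO_COUNTRY
    in_country = {s: v for (c, s), v in STATES.items() if c == cc}
    sc, stext, err = _pair(row.get("state_code"), row.get("state_text"),
                           in_country, is_new)
    if err is _UNKNOWN:
        # Known state, wrong country, versus a state that exists nowhere.
        elsewhere = any(c != cc and (s == sc or v == stext)
                        for (c, s), v in STATES.items())
        return None, ERR_WRONG_COUNTRY if elsewhere else ERR_BAD_STATE
    if err is not None:
        return None, err
    return dict(zip(FIELDS, (cc, ctext, sc, stext))), None


def create(row):
    """Check a new record. Returns (synced_record_or_None, error_or_None)."""
    return _reconcile(row, is_new=True)


def update(existing, change):
    """Check an update. On error the existing record is returned unchanged."""
    if ("country_code" in change and not change["country_code"]
            and "state_code" not in change):
        # Country code removed, state code left in place: everything is cleared.
        return dict.fromkeys(FIELDS), None
    merged = dict(existing)
    for code_key, text_key in (FIELDS[0:2], FIELDS[2:4]):
        if code_key in change or text_key in change:
            # The untouched half of a changed pair is re-derived, not kept.
            merged[code_key] = change.get(code_key)
            merged[text_key] = change.get(text_key)
    record, err = _reconcile(merged, is_new=False)
    return (existing if err else record), err


if __name__ == "__main__":
    print(create({"country_text": "USA", "state_text": "California"}))
    print(create({"country_code": "US", "state_code": "ZZ"}))
```

Rows that come back with an error can be held out of the load and corrected, which keeps rejected records out of a bulk import.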
Provide Convenience Features for Your Report and Dashboard Users
You can enable or disable several user interface features that may help your users get more out of reports and dashboards. These settings are for convenience and ease of use; they don’t affect the data returned in your reports and dashboards.
Available in: All editions except Database.com
USER PERMISSIONS
To modify report and dashboard settings:
• Customize Application
Let Users Attach Files to Report Subscriptions
Let users who subscribe to reports choose to receive report results as a formatted spreadsheet (.XLSX) or a comma-separated (.CSV) file attached to the subscription email. The email itself includes the report name in the subject line, but there is no email body. Row-level record details are included in the attached file instead.
SEE ALSO:
Upgrade the Report Wizard
Note: Even if your org participated in the Spring ’20 closed beta, to attach files to report subscription emails, an admin must
enable this feature from setup.
The Lightning report builder is a powerful, intuitive tool for analyzing Salesforce data. Users can group, filter, and summarize records to
answer business questions like “Which lead source generates the most closed opportunities?”
1. From Setup, enter Reports in the Quick Find box, then select Reports and Dashboards Settings.
2. Select Hide the embedded Salesforce Classic report builder in Lightning Experience.
3. Click Save.
The Salesforce Classic report builder is hidden in Lightning Experience. Users no longer see the New Report (Salesforce Classic) and
Edit (Salesforce Classic) buttons on the Reports tab in Lightning Experience.
USER PERMISSIONS
To create, update, and delete custom report types:
• Manage Custom Report Types
1. Create a Custom Report Type
Choose the primary object you’d like your new report type to support, then give it a name and a useful description. Mark it as “in development” until you’re ready to make it available for users to create reports.
2. Add Child Objects to Your Custom Report Type
To enable reports to pull data from more than just the primary object, consider adding one or
more related objects to your report type.
3. Design the Field Layout for Reports Created from Your Custom Report Type
After you define a custom report type and choose its object relationships, specify the standard and custom fields available on reports
for the custom report type.
4. Manage Custom Report Types
After you create a custom report type, you can customize, edit, and delete it.
5. Limits on Report Types
Custom report types are subject to some limits for high performance and usability.
5. Enter the Report Type Label and the Report Type Name.
The label can be up to 50 characters long. If you enter a name that is longer than 50 characters, the name gets truncated. The name
is used by SOAP API.
6. Enter a description for your custom report type, up to 255 characters long. If you enter a name that is longer than 255 characters,
the name gets truncated.
Provide a meaningful description so users have a good idea of which data is available for reports. For example: Accounts with
Contacts. Report on accounts and their contacts. Accounts without contacts are not
shown..
7. Select the category in which you want to store the custom report type.
8. Select a Deployment Status:
• Choose In Development during design and testing as well as editing. The report type and its reports are hidden from all
users except users with the “Manage Custom Report Types” permission. Only users with that permission can create and run reports
using report types in development.
• Choose Deployed when you're ready to let all users access the report type.
Note: A custom report type’s Deployment Status changes from Deployed to In Development if its primary
object is a custom or external object whose Deployment Status similarly changes.
9. Click Next.
• A developer can edit a custom report type in a managed package after it’s released, and can add new fields. Subscribers automatically
receive these changes when they install a new version of the managed package. However, developers can’t remove objects from
the report type after the package is released. If you delete a field in a custom report type that’s part of a managed package and the
deleted field is part of bucketing or used in grouping, you receive an error message.
• Custom fields that you add to a Salesforce object in Setup are added automatically to all of the custom report types that are based on
that object. New fields that are deployed as part of a package aren’t added to custom report types.
5. Click Save.
Example:
• If you select A may or may not have object B records, then all subsequent objects automatically include the “may-or-may-not”
association on the custom report type. For example, assume that Accounts is the primary object and Contacts is the secondary
object. If you select that Accounts may or may not have Contacts, then any tertiary and quaternary objects included on the
custom report type default to “may-or-may-not” associations.
• When object A doesn’t have object B, blank fields appear on report results for object B. For example, if a user runs a report on
Accounts with or without Contacts, Contact fields appear as blank for the accounts that don’t have contacts.
• On reports where object A may or may not have object B, you can't use the OR condition to filter across multiple objects. For
example, if you select Account Name starts with M OR Contact First Name starts with M, an
error message informs you that your filter criteria are incorrect.
• (Salesforce Classic only) For custom report types where object A may or may not have object B, the Row Limit option on tabular
reports shows only the fields for the primary object.
Examples:
– In an Accounts with or without Contacts report, the Row Limit option shows only fields from Accounts.
– In an Accounts with Contacts with or without Cases report, the Row Limit option shows only fields from Accounts and
Contacts.
Design the Field Layout for Reports Created from Your Custom Report Type
After you define a custom report type and choose its object relationships, specify the standard and custom fields available on reports for the custom report type.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Available in: Enhanced Folder Sharing and Legacy Folder Sharing
USER PERMISSIONS
To create and update custom report types:
• Manage Custom Report Types
Note: Custom fields appear in custom report types only if they've been added to that report type’s page layout.
1. From Setup, enter Report Types in the Quick Find box, then select Report Types.
2. If the Custom Report Type welcome page opens, click Continue.
3. Select the custom report type that you want to edit and click Edit Layout on the Fields Available for Reports section. To preview which fields display on the Select Columns page, click Preview Layout.
When previewing the layout, all fields and objects are displayed, including fields and objects that you don't have permission to access. However, you can access only the data that is stored in the fields or objects that you have permission to access.
4. Select fields from the right box and drag them to a section on the left. You can view an object’s fields by selecting it from the View dropdown list.
Warning: If you add custom fields with the same API name from different objects, only one of the fields displays in the reports. For example, adding both Account.Custom_Field__c and Opportunity.Custom_Field__c results in one Custom_Field__c visible on reports.
5. Optionally, click Add fields related via lookup to display the Add Fields Via Lookup overlay
and add fields via the lookup relationship of the object selected in the View dropdown list.
6. Remove a field by dragging it from the layout to the right box. When you remove a field, it’s removed from all reports based on the
report type. A report in which the removed field was used in filter logic displays an error message when viewed.
7. Arrange fields in sections as you want them to appear to users.
Fields not added to a section are unavailable to users when they generate reports from this report type.
8. Click Preview Layout and use the legend to determine which fields are included on the layout, added to the report by default, and
added to the layout via a lookup relationship.
Users can view roll-up summary fields on reports that include data from fields they don't have access to view. For example, a user
that doesn't have access to view the Price field on an opportunity product can view the Total Price field on opportunity
reports if he or she has access to the Total Price field.
9. To rename or set which fields are selected by default for users, select one or more fields and click Edit Properties.
10. To rename the sections, click Edit next to an existing section, or create a section by clicking Create New Section.
11. Click Save.
When you're working with lookup fields, consider these tips:
• A lookup field is a field on an object that displays information from another object. For example, the Contact Name field on an
account.
• A custom report type can contain fields available via lookup through four levels of lookup relationships. For example, for an account,
you can get the account owner, the account owner's manager, the manager's role, and that role's parent role.
• You can add fields via lookup that are associated with objects included in the custom report type. For example, if you add the
accounts object to the custom report type, then you can add fields from objects to which accounts have a lookup relationship.
• Selecting a lookup field on the Add Fields Via Lookup overlay lets you access additional lookup fields from other objects to which
there's a lookup relationship. For example, if you select the Contact Name field from cases, you can then select the Account
field. You can do so because accounts have a lookup relationship to contacts that have a lookup relationship to cases.
• The fields displayed in the Add Fields Via Lookup overlay don't include lookup fields to objects in the report type. For example, if
accounts are the primary object on your custom report type and contacts are the secondary object, then the Add Fields Via Lookup
overlay doesn't display lookup fields from contacts to accounts.
• Fields added to the layout via the Add fields related via lookup link are automatically included in the section of the object from
which they're a lookup field. For example, if you add the Contact field as a lookup from accounts, then the Contact field is
automatically included in the Accounts section. However, you can drag a field to any section.
• You can add up to 1000 fields to each custom report type. A counter at the top of the Page Layout step shows the current number
of fields. If you have more than 1000 fields, you can't save the layout.
• Fields added via lookup automatically display the lookup icon on the field layout of the custom report type.
• Reduce the amount of time it takes to find fields in a report by grouping similar fields together on custom report type field layouts.
You can create page sections in which to group fields that are related to one another, and you can group fields to match specific
detail pages and record types.
• If you include Activities as the primary object on a custom report type, you can only add lookup fields from Activities to Account on
the select column layout of the custom report type.
Note: Custom fields that you add to a Salesforce object are added automatically to all the custom report types based on that
object. When you create a report from the custom report type, all the custom fields are available for you to add to your report.
In Lightning Experience, the report type is displayed on the report run page in the upper left area near the report name. In Salesforce
Classic, the report type is displayed in the report builder near the report name.
Note: If the Translation Workbench is enabled for your organization, you can translate custom report types for international users.
– History fields
– The Age field on cases and opportunities
• Custom report types based on the Service Appointments object don't support these fields:
– Parent Record
– Owner
• Object references can be used as the main four objects, as sources of fields via lookup, or as objects used to traverse relationships.
Each referenced object counts toward the maximum limit even if no fields are chosen from it. For example, if you do a lookup from
account to account owner’s role, but select no fields from account owner, all the referenced objects still count toward the limit of
60.
• Reports run from custom report types that include cases don’t display the Units dropdown list, which lets users view the time values
of certain case fields by hours, minutes, or days.
• Report types associated with custom objects in the Deleted Custom Objects list count against the maximum number of custom
report types you can create.
• Reports on feed activities don’t include information about system-generated posts, such as feed tracked changes.
• Custom report type names support up to 50 characters. If you enter a name that is longer than 50 characters, the name gets truncated.
• Custom report type descriptions support up to 255 characters. If you enter a name that is longer than 255 characters, the name gets
truncated.
• When a lookup relationship is created for a standard or custom object as an Opportunity Product field, and then a custom report
type is created with that primary object, Opportunity Product isn’t available as a secondary object for that custom report type.
You would like to move ‘My Accounts Report’ to a new folder called ‘Accounts’ and ‘My Opty Report’ to a new folder called ‘Opportunities’.
To complete this process, you:
• Retrieve the package that contains the reports
• Make the changes
• Deploy the updated reports
1. In Workbench, click info and select Metadata Types & Components to find the developer names of the reports that you want to
move.
2. Navigate to each report or dashboard and expand the listing to see the developer names.
3. Create a package.xml manifest with the following content, including the developer folder and file name as members.
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <name>Report</name>
        <members>Some_Old_Deprecated_Folder/My_Accounts_Report_eQ</members>
        <members>Some_Old_Deprecated_Folder/My_Opty_Report_CO</members>
    </types>
    <version>43.0</version>
</Package>
4. Use the Metadata API to retrieve the package that contains the reports.
a. In Workbench, click migration and select Retrieve.
b. Click Choose file for Unpackaged Manifest, and select the file.
c. Click Next to retrieve the package.
6. In the unzipped package, change the folder and file structure to reflect the move that you want to make.
7. In the package.xml manifest file, change the folder structure to match the changes that you made in the unzipped package.
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>Accounts/My_Accounts_Report_eQ</members>
        <members>Opportunities/My_Opty_Report_CO</members>
        <name>Report</name>
    </types>
    <version>43.0</version>
</Package>
9. Create the package for deployment. The following command creates a zip file, move_reports.zip, from the contents of the
unzipped package directory (in this command, the directory name is unpackaged).
zip -r move_reports.zip unpackaged/
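The restructure, manifest update, and zip steps above can be scripted so that the files on disk and the package.xml members never drift apart. This is an added example, not Salesforce code: the function names are hypothetical, the sample package is constructed, and it assumes reports are retrieved as reports/<Folder>/<Report>.report under unpackaged/ and that the destination folders already exist in the org.

```python
import re
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://soap.sforce.com/2006/04/metadata"
# Assumption: folder and report developer names use only letters, digits and "_".
# Rejecting anything else also blocks "../" style paths in a member name.
MEMBER_RE = re.compile(r"[A-Za-z0-9_]+/[A-Za-z0-9_]+")

# Constructed sample: the retrieve manifest shown in step 3.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <name>Report</name>
        <members>Some_Old_Deprecated_Folder/My_Accounts_Report_eQ</members>
        <members>Some_Old_Deprecated_Folder/My_Opty_Report_CO</members>
    </types>
    <version>43.0</version>
</Package>
"""


def make_sample(root):
    """Build a constructed stand-in for the unzipped retrieve result."""
    pkg = Path(root) / "unpackaged"
    folder = pkg / "reports" / "Some_Old_Deprecated_Folder"
    folder.mkdir(parents=True)
    (pkg / "package.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
    for name in ("My_Accounts_Report_eQ", "My_Opty_Report_CO"):
        (folder / f"{name}.report").write_text("<Report/>", encoding="utf-8")
    return pkg


def move_reports(pkg_dir, moves):
    """Move .report files and rewrite the Report members in package.xml.

    moves maps "OldFolder/Report_Name" to "NewFolder/Report_Name".
    Every move is validated before any file is touched.
    """
    pkg_dir = Path(pkg_dir)
    manifest = pkg_dir / "package.xml"
    ET.register_namespace("", NS)  # keep the default xmlns when writing
    tree = ET.parse(str(manifest))
    members = {}
    for types in tree.getroot().findall(f"{{{NS}}}types"):
        if types.findtext(f"{{{NS}}}name") == "Report":
            for member in types.findall(f"{{{NS}}}members"):
                members[member.text] = member

    plan = []
    for old, new in moves.items():
        if not MEMBER_RE.fullmatch(old) or not MEMBER_RE.fullmatch(new):
            raise ValueError(f"unsafe or malformed member: {old!r} -> {new!r}")
        if old not in members:
            raise KeyError(f"{old} is not listed in package.xml")
        src = pkg_dir / "reports" / f"{old}.report"
        dst = pkg_dir / "reports" / f"{new}.report"
        if not src.is_file():
            raise FileNotFoundError(src)
        if dst.exists():
            raise FileExistsError(dst)
        plan.append((old, new, src, dst))

    for old, new, src, dst in plan:
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        members[old].text = new
        if not any(src.parent.iterdir()):
            src.parent.rmdir()  # drop the emptied source folder
    tree.write(str(manifest), encoding="UTF-8", xml_declaration=True)
    return sorted(member.text for member in members.values())


def build_zip(pkg_dir, zip_path):
    """Equivalent of `zip -r move_reports.zip unpackaged/`; returns entry names."""
    pkg_dir = Path(pkg_dir)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(pkg_dir.rglob("*")):
            if path.is_file():
                zf.write(path, path.relative_to(pkg_dir.parent).as_posix())
        return sorted(zf.namelist())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        pkg = make_sample(tmp)
        print(move_reports(pkg, {
            "Some_Old_Deprecated_Folder/My_Accounts_Report_eQ": "Accounts/My_Accounts_Report_eQ",
            "Some_Old_Deprecated_Folder/My_Opty_Report_CO": "Opportunities/My_Opty_Report_CO",
        }))
        print(build_zip(pkg, Path(tmp) / "move_reports.zip"))
```

Review the rewritten package.xml and the zip entry list before deploying, because the deployment applies exactly what the archive contains.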
Note: If any of your trended objects is in danger of exceeding the data limit, your organization administrator receives an email
alert.
Note: Historical trend reports are also called historical tracking reports.
1. From Setup, enter Historical Trending in the Quick Find box, then select Historical Trending.
2. Select the object that you want to do historical trend reporting on.
You can select Opportunities, Cases, Forecasting Items, and up to 3 custom objects.
• Turning off historical trending for a field hides the historical data for that field. If you re-enable historical trending, historical data for
the field can be viewed again, including data created after historical trending was turned off.
• Turning off historical trending for an object causes all historical data and configuration settings to be deleted for that object. The
object’s historical trending report type and any reports that have been created with it are also deleted.
• If you turn off historical trending for a field and delete it, the field’s historical data is no longer available even if you re-enable historical
trending.
Note:
• The historical fields available to each user depend on the fields that user can access. If your permissions change and you can
no longer see a given field, that field’s historical data also becomes invisible.
• Each historical field has the same field-level security as its parent field. If the field permissions for the parent field change, the
historical field’s permissions change accordingly.
Important: Upgrading does not affect any of your existing reports. However, once you upgrade, you can't return to the old
report wizard.
Release Updates
Salesforce periodically releases updates that improve the performance, security, logic, and usability
of your Salesforce org, but that can affect your existing customizations. When these updates become
available, Salesforce shows them in the Release Updates node in Setup.
Release updates offer a more detailed view of information previously found in the Critical Updates
console. The page also contains information previously found in the Security Alerts node.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Note: In Beta, the text Due Soon appeared at the top of the detail page for updates with upcoming enforcement dates. This
text no longer appears on the detail page.
• Check the Complete Steps By date. The test run button is a toggle that you can enable and disable before this date (sandbox org
test periods may end earlier). When you enable a test run, the update becomes immediately enabled in your org. The test run allows
you to evaluate the impact of the update before the update is enforced.
• Use the Enforcement Scheduled or Enforced In information to check the release in which Salesforce enforces the update. In the Beta
release, we indicated the enforcement information with Automatically enforced in. To find out where to get the major release
upgrade date for your instance, hover over the tooltip.
Note: Some release updates contain specific dates. In these cases, use the date information in the update as guidance for
when to expect enforcement.
• Get quick information about an update without leaving the home page by clicking View Details.
• Start or stop a test run, complete update steps, and view step update history by clicking Get Started.
When you act on an update, a series of detailed steps helps you to evaluate the impact on your org. You can adopt the update early or,
depending on your org, use the recommended test run option.
Warning: Salesforce recommends testing each update by activating it in either your
developer sandbox or your production environment during off-peak hours.
EDITIONS
Available in: all editions
USER PERMISSIONS
To view release updates:
• View Setup and Configuration
To enable or disable release updates:
• Manage Release Updates OR Customize Application
1. From Setup, in the Quick Find box, enter Release Updates, and then select Release Updates.
2. On the Release Updates page, select an update.
3. Get quick information about an update without leaving the home page by clicking View Details.
Use the expandable sections to see details about the changes, improvements you can expect,
and impact on your org.
4. Click Get Started to act on your update. From this page, you can enable a test run if it’s available for your update, and review the
specific steps to take.
a. If you enabled a test run and find in testing that you must disable the update, click Disable Test Run. You can enable or disable
test runs as often as needed until the Complete Steps By date on your update. On sandbox orgs, the test run periods can end
earlier than the Complete Steps By date.
SEE ALSO:
Release Updates
Set Up and Maintain Your Salesforce Organization Organize Data with Divisions
Security Alerts
Release updates have replaced security alerts. Information about previously released security alerts can be found in the Release Updates
node.
SEE ALSO:
Release Updates
Set Up Divisions
When setting up divisions, you must create divisions and assign records to divisions to make sure that your data is categorized
effectively.
Create and Edit Divisions
Creating logical divisions for your organization helps you segment your records to make searching and reporting easier.
Transferring Multiple Records Between Divisions
Select groups of records to move into or between divisions.
Change the Default Division for Users
If you can manage user settings, you can change a user’s default division.
Reporting With Divisions
If your organization uses divisions to segment data, you can customize your reports to show records within specific divisions.
• Default division—Users are assigned a default division that applies to their newly created accounts, leads, and custom objects that
are enabled for divisions.
• Working division—If you have the “Affected by Divisions” permission, you can set the division using a drop-down list in the sidebar.
Then, searches show only the data for the current working division. You can change your working division at any time. If you don’t
have the “Affected by Divisions” permission, you always see records in all divisions.
The following table shows how using divisions affects different areas.
Area Description
Search
If you have the “Affected by Divisions” permission:
• In sidebar search, you can select a single division, or all divisions.
• In advanced search, you can select a single division or all divisions.
• In global search, you can search a single division or all divisions.
• For searches in lookup dialogs, the results include records in the division you select from the
drop-down list in the lookup dialog window.
All searches within a specific division also include the global division. For example, if you search
within a division called Western Division, your results include records found in both the Western
Division and the global division.
If you do not have the “Affected by Divisions” permission, your search results always include records
in all divisions.
List views
If you have the “Affected by Divisions” permission, list views include only the records in the division
you specify when creating or editing the list view. List views that don’t include all records (such as
My Open Cases) include records in all divisions.
If you do not have the “Affected by Divisions” permission, your list views always include records in
all divisions.
Chatter
Chatter doesn’t support divisions. For example, you can’t use separate Chatter feeds for different
divisions.
Reports
If you have the “Affected by Divisions” permission, you can set your report options to include records
in just one division or all divisions. Reports that use standard filters (such as My Cases or My team’s
accounts) show records in all divisions, and can’t be further limited to a specific division.
If you do not have the “Affected by Divisions” permission, your reports always include records in all
divisions.
Viewing records and related lists
When viewing the detail page of a record, the related lists show all associated records that you have
access to, regardless of division.
Creating records
When you create accounts, leads, or custom objects that are enabled for divisions, the division is
automatically set to your default division, unless you override this setting.
When you create records related to an account or other record that already has a division, the new
record is assigned to the existing record’s division. For example, if you create a custom object record
that is on the detail side of a master-detail relationship with a custom object that has divisions
enabled, it is assigned the master record’s division.
When you create records that are not related to other records, such as private opportunities or
contacts not related to an account, the division is automatically set to the global division.
Editing records
When editing accounts, leads, or custom objects that are enabled for divisions, you can change the
division. All records that are associated through a master-detail relationship are automatically
transferred to the new division as well. For example, contacts and opportunities are transferred to
the new division of their associated account. Detail custom objects are transferred to their master
record’s new division.
When editing other types of records, you can’t change the division setting.
Custom objects
When you enable divisions for a custom object, Salesforce initially assigns each record for that
custom object to the global division.
When you create a custom object record:
• If the custom object is enabled for divisions, the record adopts your default division.
• If the custom object is on the detail side of a master-detail relationship with a divisions-enabled
custom object, the record adopts the division of the master record.
Set Up Divisions
When setting up divisions, you must create divisions and assign records to divisions to make sure
that your data is categorized effectively.
EDITIONS
Available in: Salesforce Classic (not available in all orgs)
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To create or edit divisions:
• Modify All Data
Before you can use the divisions feature for your organization, you must enable divisions. If you are
using a standard object, contact Salesforce to enable divisions for your organization. For custom
objects, select Enable Divisions on the custom object definition page to enable divisions.
1. Plan which divisions you need based on how you want to segment your data.
For example, use one division for all the records belonging to your North American sales team
and one division for your European sales team.
2. Create divisions for your organization. All existing records are assigned to the “Global” division
by default. You can change the default division name, create more divisions, and move user
and data records between divisions.
3. Transfer leads, accounts, and custom objects into relevant divisions. When records are assigned
to a division, associated records are assigned the same division.
For example, when you change the division assigned to an account, related records such as
contacts and opportunities are assigned to the same division.
4. Add division fields to page layouts.
5. Add divisions to field-level security.
6. Set the default division for all users. New accounts and leads are assigned to the user’s default division unless the user explicitly
assigns a different division. New records related to existing records are assigned to the existing record’s division.
7. Enable the “Affected by Divisions” permission for users.
Users with this permission can limit list views by division, search within a division, or report within a division. Users who don’t have
the “Affected by Divisions” permission still have a default user-level division. They can view division fields, change the division for a
record, and specify a division when creating records.
6. To change the order that divisions appear in the Divisions picklist, click Sort. Then use the arrow buttons to move divisions higher
or lower in the list.
6. Click Transfer. You’ll receive an email notification when the transfer is complete. If 5,000 or
more records are being transferred, the request will be placed in a queue for processing.
If you are changing your own default division, skip step 1 and go to your personal settings. Enter
Advanced User Details in the Quick Find box, then select Advanced User Details. No
results? Enter Personal Information in the Quick Find box, then select Personal
Information.
To change a user’s default division:
• Manage Users
Set Up and Maintain Your Salesforce Organization Salesforce Upgrades and Maintenance
Read-Only Mode
Access to your data at a moment’s notice—even during our planned maintenance windows. To minimize interruption to your
business, Salesforce gives users read-only access during splits, instance migrations, instance switches, pre-scripts, and certain other
maintenance events.
5 Minute Upgrades
Salesforce reserves just five minutes of scheduled maintenance time to roll out new major versions of our service. These upgrades
to the next release occur three times per year.
Check for Desktop Client Updates
Desktop clients such as Salesforce for Outlook and Connect Offline integrate Salesforce with your PC. Your administrator controls
which desktop clients you are allowed to install.
Read-Only Mode
Access to your data at a moment’s notice—even during our planned maintenance windows. To
minimize interruption to your business, Salesforce gives users read-only access during splits, instance
migrations, instance switches, pre-scripts, and certain other maintenance events.
EDITIONS
Available in: All Editions
5 Minute Upgrades
Salesforce reserves just five minutes of scheduled maintenance time to roll out new major versions
of our service. These upgrades to the next release occur three times per year.
Although your organization should expect to experience a disruption of up to five minutes, the
interruption is typically one minute or less. Users receive an error message letting them know that
the service is unavailable during the upgrade, and are prompted to log in again when the upgrade
is complete.
EDITIONS
Available in: Salesforce Classic (not available in all orgs)
Available in: All Editions
Set Up and Maintain Your Salesforce Organization Permissions for UI Elements, Records, and Fields
2. From the table, review the names and version numbers of available desktop clients.
3. If you are using Internet Explorer, click the correct desktop client and then click Install Now to
install a client. If you are using another browser such as Mozilla Firefox, click Download Now
to save the installer file to your computer. To run the installer program, double-click the saved
file.
After you install the update, the alert banner displays on your Home tab until you log in through
the newly updated client.
USER PERMISSIONS
To view client update alerts:
• On, updates w/alerts OR On, must update w/alerts on your profile
Set Up and Maintain Your Salesforce Organization Deactivate a Developer Edition Org
To edit a field: You must have the “Edit” permission on the type of record for the
field.
If you can’t edit a certain field, check field-level security and your
page layout. Field-level security can restrict access to a field. Page
layouts can set fields to not be editable.
To view a related list: You must have the “Read” permission on the type of records
displayed in the related list.
If you can’t view a certain field, check your page layout. Page layouts
can hide fields.
To view a button or link: Make sure that you have the necessary permission to perform the
action. Buttons and links only display for users who have the
appropriate user permissions to use them.
Days after DE Org Deactivation Can I Reactivate the Deactivated Org?
From 1 through 30 Yes. You can change your mind and reactivate the org via Setup.
From 31 through 60 Yes. The org is locked, but you can contact Salesforce Customer Support to reactivate the org.
To deactivate an org:
• Modify All Data
Set Up and Maintain Your Salesforce Organization Developer Org Expiration
Days after DE Org Flagged as Inactive Can I Reactivate the Inactive Org?
From 1 through 14 Yes. Org admins receive an email about the pending org expiration.
You can reactivate the org by logging in.
From 15 through 44 Yes. The org is locked, but you can contact Salesforce Customer
Support to reactivate the org.
From 45 and later No. The org is permanently deleted and can’t be reactivated.
Set Up and Maintain Your Salesforce Organization Manage Your Salesforce Account
Give Your Billing Users Free Access to the Your Account App
Use Identity licenses to give your users access to the Your Account app if they don’t need full access to Salesforce. The editions that
support the Your Account app include 100 free Identity licenses that can be assigned as needed by the admin. Save your Salesforce
licenses for the members of your team who need them.
Launch the Your Account App
Open the Your Account app from the Setup menu or through the App Launcher.
Add Products and Licenses with the Your Account App
Purchase new products and licenses for your Salesforce org using the Your Account app. Products are pieces of Salesforce functionality,
such as Sales Cloud, Sales Dialer, or extra file storage.
Manage Your Contracts with the Your Account App
See all your contracts in one place and request updates to your Salesforce org with the Your Account app. The keys to the ignition
that keep your org running are just a few clicks away.
Manage Renewals
When your contract reaches 90 days before its renewal date, a message appears on the Your Account app home page and on the
contract details page. You can view your contract and confirm the renewal, request changes, or choose not to renew. We can’t
accommodate cancellation requests until it’s time to renew.
SEE ALSO:
User Permissions and Access
Give Your Billing Users Free Access to the Your Account App
Use Identity licenses to give your users access to the Your Account app if they don’t need full access
to Salesforce. The editions that support the Your Account app include 100 free Identity licenses
that can be assigned as needed by the admin. Save your Salesforce licenses for the members of
your team who need them.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Starter, Professional, Enterprise, Performance, and Unlimited Editions
Note: Admins and other Salesforce users with Manage Billing permission have access to the
Your Account app and don’t need the Your Account App Admin User permission set.
1. To provide free access to the Your Account app, create users with Identity licenses.
a. From Setup, in the Quick Find box, enter Users, and then select Users.
b. Click New User, and then enter user information.
c. For User License, select Identity.
2. Assign the Your Account App Admin User permission set to the Identity license users who need access to the Your Account app.
a. From Setup, in the Quick Find box, enter Users, and then select Users.
b. Select the user, and then navigate to the Permission Set Assignments section and click Edit Assignments.
c. Select the Your Account App Admin User permission set and move it to Enabled Permission Sets. Then save the change.
SEE ALSO:
Salesforce Help: Add a Single User
Salesforce Help: Assign Permission Sets to a Single User
Salesforce Help: Salesforce Identity Licenses
Set Up and Maintain Your Salesforce Organization Launch the Your Account App
Set Up and Maintain Your Salesforce Organization Add Products and Licenses with the Your Account App
a. To buy new products, locate the All Products section, and find the product that you want
to buy.
b. To buy additional quantities of products you own, locate the My Products section, and find
the product that you want to add licenses for.
5. To specify the products that you want, select the quantity (1) and add to your cart (2).
For Marketing Cloud product subscriptions you own, you select the quantity in a popup. See the example that follows.
USER PERMISSIONS
To use the Your Account app:
• Manage Billing or the Your Account App Admin User permission set
Note: If you’re preparing a purchase that requires a different signer, you must use a payment method other than a credit
card. You can assign an approver to complete the process in DocuSign.
10. Your licenses are typically available within 45 minutes of purchase. To view your licenses:
a. From Setup, in the Quick Find box, enter Company Information, and then select Company Information.
b. See the User Licenses related list.
c. If you don’t see your licenses after 45 minutes, contact Support.
SEE ALSO:
Get Support with the Your Account App
6. Enter the new signer's email address, name, and reason for changing the signing responsibility.
7. Click ASSIGN TO SOMEONE ELSE.
Your signer receives an email with a link to complete the signing process in DocuSign. When the signer completes the process, you
both receive confirmation emails and your purchase is processed. For more information on what to expect and how to assign licenses
to users, see Add New Products and Licenses with the Your Account App.
Note: This process is available only if your payment process isn’t a credit card.
Set Up and Maintain Your Salesforce Organization Manage Your Contracts with the Your Account App
SEE ALSO:
Salesforce Help: Manage Your Quotes with the Your Account App
Salesforce Help: Access Your Completed Quotes with the Your Account App
Manage Renewals
When your contract reaches 90 days before its renewal date, a message appears on the Your Account
app home page and on the contract details page. You can view your contract and confirm the
renewal, request changes, or choose not to renew. We can’t accommodate cancellation requests
until it’s time to renew.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Note: Renewal management is unavailable in some cases. For help with your contract, check
in with your Renewal Manager.
1. Launch the Your Account app.
2. Click View Contracts.
3. If you have more than one contract, locate the contract that you want to review or update.
4. If the contract is within 90 days of renewal, click Manage Renewal.
• To confirm that you’re authorized to cancel, modify, and renew this contract, click the checkbox.
• To confirm your renewal, click Confirm Renewal.
• To request changes, click Request Changes. Then submit a request to your Renewal Manager.
Set Up and Maintain Your Salesforce Organization View and Download Invoices
2. In the invoice list, use the filters to display your invoices.
USER PERMISSIONS
To use the Your Account app:
• Manage Billing or the Your Account App Admin User permission set
Set Up and Maintain Your Salesforce Organization Get Support with the Your Account App
Note: Some past due invoices can be paid online. If the Make a Payment button isn’t available, contact Salesforce Billing for
help.
Which products work best for my business? Email your Account Contact using the email address on the app’s home page.
I want to renew my account contract or a product subscription. Contact Support through our Support form on the app’s home page.
I have a billing question. Contact Support through our Support form on the app’s home page.
Something’s not working right. Contact Support through our Support form on the app’s home page.
I have a feature request or other product observation to share. Fill out our feedback form.
EDITIONS
Available in: Starter, Professional, Enterprise, Performance, and Unlimited Editions
USER PERMISSIONS
To use the Your Account app:
• Manage Billing or the Your Account App Admin User permission set
Locate contact information on the home page of the Your Account app:
Set Up and Maintain Your Salesforce Organization Turn Off the Your Account App
2. To turn off the Your Account app, click Manage your subscription with Your Account. Then
refresh the page.
EDITIONS
Available in: Starter, Professional, Enterprise, Performance, and Unlimited Editions
Set Up and Maintain Your Salesforce Organization Manage Your Quotes with the Your Account App
Recent quotes that were signed or approved show Processing as the status in the Pending Quotes tab until the order is completed.
6. If you’re paying by credit card, use the Open Quote button or the hyperlink to open and approve the quote. Select the terms and
conditions checkbox and save.
Set Up and Maintain Your Salesforce Organization Access Your Completed Quotes with the Your Account App
Set Up and Maintain Your Salesforce Organization Update Billing Contact Access to the Your Account App
1. Launch the Your Account app, and then click View Contracts.
2. Select the contract for which you want to update the billing contact.
3. To change the billing contact and grant access to Your Account, click Edit.
Doing so assigns the Your Account App Admin permission set, which includes the Manage
Billing permission.
If the current billing contact doesn’t have access, you see the Give Access link. If the user doesn’t
exist, a user is created using an identity license. The user gets the Your Account App Admin
permission set, which includes the Manage Billing permission.
USER PERMISSIONS
To use the Your Account app:
• Manage Billing OR Your Account App Admin permission set
Manage Users
In Salesforce, each user is uniquely identified with a username, password, and profile. Together with other settings, the profile
determines which tasks a user can perform, what data the user can see, and what the user can do with the data.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
The available user management options vary according to which Salesforce Edition you have.
User Management Administration
As a Salesforce administrator, you manage users in your org. Besides creating and assigning users, user management includes
working with permissions and licenses, delegating users, and more.
User Management Settings
Manage org-wide user settings to improve user experience and increase org security.
View and Manage Users
In the user list, you can view and manage all users in your org, partner portal, and Salesforce Customer Portal.
Licenses Overview
To enable specific Salesforce functionality for your users, you must choose one user license for each user. To enable more functionality,
you can assign permission set licenses and feature licenses to your users or purchase usage-based entitlements for your organization.
Set Up and Maintain Your Salesforce Organization User Management Administration
Important: Salesforce recommends that you appoint a backup administrator for your org. A backup administrator can keep your
org running in case your primary administrator is unavailable.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
The available user management options vary according to which Salesforce Edition you have.
As an administrator, you perform user management tasks, such as:
• Create and edit users
• Reset passwords
• Create Google Apps accounts
• Grant permissions
• Create and manage other types of users
• Create custom fields
• Set custom links
• Run reports on users
• Delegate user administration tasks to other users
Depending on your Salesforce edition and the additional features that your company purchased, you have specific licenses, such as
Marketing or Connect Offline. The licenses let users access features that are not included in their user licenses. Assign one or more licenses
to users and set up accounts for users outside your org to access a limited set of fields and objects. You can grant access to the Customer
Portal, partner portal, or Self-Service through user licenses. Using Salesforce to Salesforce, create connections to share records with other
Salesforce users outside of your org.
Note: Starting with Spring ’12, the Self-Service portal isn’t available for new Salesforce orgs. Existing orgs continue to have access
to the Self-Service portal.
Set Up and Maintain Your Salesforce Organization User Management Settings
• Use the sidebar search to search for any user in your org, regardless of the user’s status. When using a lookup dialog from fields
within records, the search results return only active users. You can also run user reports in the Reports tab.
• To simplify user management in orgs with many users, delegate aspects of user administration to non-administrator users.
SEE ALSO:
View and Manage Users
Licenses Overview
Note: Deactivation is not the same as deletion. To learn more about deactivation, refer to Salesforce documentation about
deactivating users.
1. From Setup, enter User in the Quick Find box, then select User Management Settings.
2. Enable User Self Deactivate.
3. Use developer or declarative tools to provide a mechanism for users to deactivate their accounts.
In Experience Cloud sites built with Aura templates, the Customizable User Settings component gives users the option to
deactivate their account.
Note: In Experience Cloud sites using LWR or Visualforce templates, create a flow that external users can run to deactivate their
own accounts without the help of an admin.
Available in: All Editions
USER PERMISSIONS
To enable external user deactivation option:
• Customize Application
SEE ALSO:
Delete Users
Important: To protect your users’ names from being viewed by external users, don’t remove Name, First Name, or Last Name
from the PersonalInfo_EPIM field set. If your org secures PII using Compliance Categorization, don’t remove PII Compliance
Categorization from Name, First Name, or Last Name fields.
Note: Enhanced Personal Information Management using Compliance Categorization isn’t available in orgs created in Winter
’22 or later.
For more information on this setting, see Show Nicknames Instead of Full Names in an Experience Cloud Site.
Important: We strongly recommend that you adopt this feature and test its impact as soon as possible to ensure no unexpected
changes in functionality.
SEE ALSO:
Creating and Editing Field Sets
Guest User Security Policies and Timelines
Applies to: LWR, Aura, and Visualforce sites
USER PERMISSIONS
By default, these fields are considered PII in the PersonalInfo_EPIM field set.
PII Fields (Spring ’22 and After) Details
About Me
Department
Division
Email Signature
Employee Number
Extension
Fax
Manager
MobilePhone
Name
SAML Federation ID
Title
Username
When you use a field set to classify fields as personal information, you can specify which components of a user’s name or address
to hide. For example, if you want to make your users’ first names visible you can choose to hide Last Name only.
Before Spring ’22, admins managed personal information visibility by adding PII to fields on the user object as the Compliance
Categorization value. By default, these fields are considered PII in orgs that enabled Enhanced Personal Information Management
before or during Spring ’22.
Important: Keep name-related personal information secure by enabling the Show Nicknames preference at the site level
and using Compliance Categorization on Name fields. Unless you enable Show Nicknames and use PII as the Compliance
Categorization value for Name fields on the user object, the First Name and Last Name fields are visible to external users.
Alias
Company Name
Department
Division
Email Signature
Employee Number
Extension
Fax
Manager
Mobile
Phone
SAML Federation ID
Title
Username
When the setting is enabled, external users who search or view user records don’t see other users’ personal information fields on
Experience Cloud sites. Authenticated external users can still view and update their own personal information fields.
3. To customize the user fields that are concealed, add them to the PersonalInfo_EPIM field set.
Important: Don’t classify fields that don’t contain PII. System fields, formula fields, the Default Currency ISO Code field, and
the Information Currency field also aren’t supported.
Note: If you enabled the setting before Spring ’22, continue to use Compliance Categorization to choose which fields are
considered PII.
a. In Object Manager, select User.
b. Click Field Sets, and then select PersonalInfo_EPIM.
c. Drag the field into the PersonalInfo_EPIM field set.
d. Save your work.
4. Alternatively, to customize the user fields that are concealed, change their Compliance Categorization value.
a. In Object Manager, select User.
b. Click Fields & Relationships.
c. Click the name of the field whose value you want to hide or make visible.
d. Click Edit.
e. To hide the field from external users, select PII as the Compliance Categorization value for the field. Removing this Compliance
Categorization value exposes the field, which means that external users can see this field’s value.
Important: Don’t classify fields that don’t contain PII, such as system fields.
SEE ALSO:
Data Classification Metadata Fields
Classify Sensitive Data to Support Data Management Policies
Creating and Editing Field Sets
Personal User Information Policies and Timelines
Integrations
Integrations that rely on authentication of an external user can have errors if they sync user data classified as personal information to or
from Salesforce.
Permissions
Information classified as personal or sensitive isn’t visible to users with View All Users, Modify All Data, and View All Data permissions.
To view personally identifiable information (PII), a user must have the View Concealed Field Data permission.
Profile Pages
Profile pages in Experience Cloud sites can display blank fields for the protected information when viewed by other site users or guest
users. Authenticated external users can still see and modify their personal information when viewing their own profile pages, with some
exceptions:
• If any address field is considered PII, the whole address field is hidden. Address fields include City, State, Street, Postal Code, Country,
GeocodeAccuracy, Latitude, and Longitude.
• When the First Name or Last Name field is considered PII, a nickname is shown when nickname display is enabled. When nickname
display isn’t enabled, name fields are visible.
• When some but not all address fields are considered PII, guest users have a different experience than community or portal users. If
at least one address field is included in the PersonalInfo_EPIM field set, all address fields are blocked for guest users. But in this
scenario, community and portal users can see address fields that aren't in the field set, even if other address fields were added.
Example: An admin enables Enhanced Personal Information Management then removes these address fields from the
PersonalInfo_EPIM field set: Zip/Postal Code, Country. Next, the admin contacts a guest user and a community user to test the
setting that they enabled.
• The guest user navigates to another user's profile page in Salesforce. None of the address fields show address information.
The Zip/Postal Code and Country fields, which weren't included in the field set but are elements of the address compound
field, are hidden.
• The community user navigates to another user's profile page. Address fields that are included in the PersonalInfo_EPIM field
set, such as Street and City, are hidden. But address fields that weren't included, such as the Zip/Postal Code and Country fields,
are visible.
To ensure that User PII data is protected, the admin returns to the PersonalInfo_EPIM field set, adding the Zip/Postal Code and
Country fields to it.
• The guest user again navigates to another user's profile page. None of the address fields show address information. This
information is still hidden.
• The community user navigates to another user's profile page. Address fields such as Country are still not visible, and the
Zip/Postal Code and Country fields are no longer visible.
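The guest versus community behaviour walked through in the example above, as a small Python model with an audit check (an added example, not Salesforce code). The function names, audience labels, and sample field-set contents are assumptions; the rules and field labels are the ones stated on this page, with Zip/Postal Code written as Postal Code.

```python
# Added example: models the documented visibility rules; it does not call Salesforce.
ADDRESS_FIELDS = ("Street", "City", "State", "Postal Code", "Country",
                  "GeocodeAccuracy", "Latitude", "Longitude")
NAME_FIELDS = ("Name", "First Name", "Last Name")


def classified_address_fields(field_set):
    """Address components that the field set marks as PII."""
    members = set(field_set)
    if "Address" in members:  # the compound field classifies every component
        return set(ADDRESS_FIELDS)
    return members & set(ADDRESS_FIELDS)


def visible_address_fields(field_set, audience):
    """Address components of another user's profile shown to this audience."""
    classified = classified_address_fields(field_set)
    if audience == "guest":
        # One classified component blocks all address fields for guest users.
        return [] if classified else list(ADDRESS_FIELDS)
    if audience in ("community", "portal"):
        # Community and portal users still see components left out of the field set.
        return [f for f in ADDRESS_FIELDS if f not in classified]
    raise ValueError(f"unknown audience: {audience!r}")


def audit_field_set(field_set, show_nicknames):
    """Return findings for settings that leave PII visible to external users."""
    findings = []
    classified = classified_address_fields(field_set)
    exposed = [f for f in ADDRESS_FIELDS if f not in classified]
    if classified and exposed:
        findings.append("address partially classified; community and portal "
                        "users still see: " + ", ".join(exposed))
    names = set(field_set) & set(NAME_FIELDS)
    if not names:
        findings.append("no name field is in the field set; names are visible")
    elif not show_nicknames:
        findings.append("name fields are classified but Show Nicknames is off; "
                        "names stay visible")
    return findings


# Constructed field sets for the scenario above: Postal Code and Country removed,
# then added back.
BEFORE_FIX = ["Name", "Street", "City", "State",
              "GeocodeAccuracy", "Latitude", "Longitude"]
AFTER_FIX = BEFORE_FIX + ["Postal Code", "Country"]

if __name__ == "__main__":
    for label, fs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, "guest sees:", visible_address_fields(fs, "guest"))
        print(label, "community sees:", visible_address_fields(fs, "community"))
        print(label, "findings:", audit_field_set(fs, show_nicknames=True))
```

The model covers only the field-set rules on this page; sharing settings and field-level security are outside it.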
Supported Fields
• You can hide any standard or custom user field except for system fields, formula fields, the Default Currency ISO Code field, and the
Information Currency field.
• Don’t classify fields that don’t contain PII.
• If you classify the Name field as personally identifiable and enable the Show Nicknames preference for your Experience Cloud site,
external and guest users see Nickname in Name fields. When you use field sets, you can also choose whether to classify first and last
name as PII. If the First Name field isn’t PII, but the Last Name field is, the First Name field displays the first name. The Last Name field
displays the nickname.
• When using a field set to hide PII fields, you can classify compound fields, such as Name or Address, as personal information by
adding them to the field set. You can also configure personal information visibility for the individual component fields that are
displayed in the default PersonalInfo_EPIM field set, such as City.
• When using Compliance Categorization to hide PII fields, you can configure personal information visibility only for compound fields
that appear in Object Manager, such as Address. You can’t classify their individual component fields, such as City or Postal Code, as
personal information.
Other Considerations
• If you use a field set to hide PII fields, you can use a change set or an unlocked package to move the field set from one org to another.
If you’ve migrated from using Compliance Categorization to using a field set, add the Name field to the field set to ensure that names
are hidden.
• When you use Compliance Categorization to hide PII fields, the Setup Audit Trail includes each instance when you added or removed
the PersonalInfo value for a field. When you use field sets, the audit trail shows only that the field set was updated.
SEE ALSO:
Manage Personal User Information Visibility for External Users
SEE ALSO:
Work with List Views in Lightning Experience
USER PERMISSIONS
1. From Setup, in the Quick Find box, enter User, and then select User Management Settings.
2. Enable Profile Filtering.
With Profile Filtering enabled, some users can still see profile names in specific scenarios. Profile names are exposed when users
with permissions to perform these tasks take these actions:
• View the Setup Audit Trail if they have the View Setup and Configuration permission.
• Create a tab or record type with a wizard step that includes the assignment of tabs and record types to profiles.
• Set up delegated admins where looking up profiles is necessary to identify assignable profiles.
• Administer Salesforce as a delegated external user admin.
• Administer Salesforce as a delegated admin to view and assign profiles of the delegated group.
Note: When you enable Profile Filtering, users can’t create or edit login flows. To give users access to login flows, enable the
View All Profiles permission.
Available in: Essentials, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To enable profile filtering:
• Customize Application
SEE ALSO:
User Permissions
SEE ALSO:
Restrict User Email Domains
USER PERMISSIONS
To enable Allowed Email Domains:
• Customize Application
Note: The View Field Accessibility page doesn’t currently support permission sets.
SEE ALSO:
Create Custom Fields
Set Field-Level Security for a Field on All Permission Sets
Note: This feature is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service
is subject to the applicable Beta Services Terms provided at Agreements and Terms.
1. From Setup, in the Quick Find box, enter User Management Settings, and then select User Management Settings.
2. Enable User Access Policies (Beta).
If Salesforce enabled user access policies for you before the Summer ’23 release, you must enable this feature again on the
User Management Settings page.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise and Unlimited editions
USER PERMISSIONS
Set Up and Maintain Your Salesforce Organization View and Manage Users
SEE ALSO:
Add a Single User
Delegate Administrative Duties
deactivate a username, contact your Salesforce admin for help. If you’re unable to locate the org where the username is already in
use, try a different username to create your account.
• If your name includes non-English characters and you use Outlook, add the specified language to the mail format settings within
Outlook.
• The account verification link emailed to new users expires after 7 days, and users must change their password the first time they log
in. Users who click the account verification link but don’t set a password need an admin to reset their password before they can log
in.
• Not all options are available for all license types. For example, the Marketing User and Allow Forecasting options aren’t available for
Lightning Platform user licenses because the Forecasts and Campaigns tabs aren’t available to Lightning Platform license users.
Lightning Platform user licenses are not available for Professional, Group, or Contact Manager Editions.
• In Performance, Unlimited, Enterprise, and Developer Edition orgs, you can select Send Apex Warning Emails. This option sends
an email to the user when an application that invokes Apex uses more than half of the resources specified by the governor limits.
You can use this feature during Apex code development to test the amount of resources used at runtime.
• You can move users between profiles based on user licenses that have the same record sharing models. For example, you can move
a Lightning Platform-based profile user to a Salesforce-based profile, or vice versa. The user sometimes loses permission access
depending on what the user licenses permit. If you move a user with permission set assignments, the user is removed from the
permission set. If you try to add the user back to the permission set, you receive a licensing error unless the new license allows the
permissions.
SEE ALSO:
Add a Single User
Administrators and Separation of Duties
a username, contact your Salesforce admin for help. If you’re unable to locate the org where the username is already in use,
try a different username to create your account.
SEE ALSO:
Guidelines for Adding Users
Add Multiple Users
Edit Users
User Fields
Licenses Overview
SEE ALSO:
Add a Single User
Edit Users
User Fields
Licenses Overview
Edit Users
To change user details—such as a user’s profile, role, or contact information—edit the user account.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and
Database.com Editions
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Click Edit next to a user’s name.
3. Change the settings as needed.
4. Click Save.
Tip: You can perform this and other administration tasks from the SalesforceA mobile app.
SEE ALSO:
User Fields
Unlock Users
SalesforceA
USER PERMISSIONS
To edit users:
• Manage Internal Users
If a user changes their own email address, Salesforce sends a confirmation message to the user’s new email address and a verification
code to the old address. When the user receives the confirmation email, they must enter the verification code to finish updating their
email address.
If you change a user’s email address and the Generate new password and notify user immediately setting is enabled, Salesforce sends
a password reset link to the new email address. Before the new email address is active, the user must create a new password.
The Generate new password and notify user immediately setting is available by default to orgs created after Summer ’21. For orgs created
before Summer ’21, contact Salesforce customer support to enable it.
Personal information
Users can change their personal information after they log in.
User Sharing
If the organization-wide default for the user object is Private, users must have Read or Write access to the target user to access that user’s
information.
Domain Names
You can restrict the domain names of users’ email addresses to a list of specific domains. Any attempt to set an email address with
another domain results in an error message. To enable this functionality for your organization, contact Salesforce.
SEE ALSO:
Edit Users
Unlock Users
Users can be locked out of their org when they enter incorrect login credentials too many times. Unlock users to restore their access.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and
Database.com Editions
To set the maximum number of failed login attempts that are allowed for all user accounts in your org in Password Policies, see
Set Password Policies.
1. From Setup, enter Users in the Quick Find box, then select Users.
2. Select the locked user.
You can view the number of failed login attempts for the user’s account in the Failed Login Attempts field. When the maximum
number of failed login attempts is reached, the counter resets and the user’s account is locked. If there’s a successful login before
the maximum number of failed login attempts is reached, the counter resets and the user’s account remains unlocked.
3. Click Unlock.
This button appears only when a user is locked out.
Tip: You can perform this and other administration tasks from the Salesforce mobile app.
USER PERMISSIONS
Delete Users
While you can’t completely delete a user, you can deactivate a user’s account so they can’t log in to Salesforce.
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
Available in: Essentials, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and
Database.com Editions
USER PERMISSIONS
To deactivate users:
• Manage Internal Users
Salesforce lets you deactivate users, but not delete them outright. A user can own accounts, leads, and groups, and can be on
multiple teams. Removing a user from Salesforce affects many processes in the org. After departure from the org, you obviously
don’t want the user to retain access to their account. However, merely deleting a user can result in orphaned records and the loss
of critical business information.
For these reasons, deactivating rather than deleting the user is the appropriate action to take. Deactivation removes the user’s
login access, but it preserves all historical activity and records, making it easy to transfer ownership to other users. For situations
where changing ownership to other users must be done before deactivation, freezing the user prevents login to the org and access
to the user’s accounts.
Deactivate Users
To deactivate a user’s account so they can no longer log into Salesforce, complete these steps.
Considerations for Deactivating Users
Note these considerations when deactivating users.
Mass Transfer Records
Use the Mass Transfer tool to transfer multiple accounts, leads, service contracts, and custom objects from one user to another.
Deactivate Users
To deactivate a user’s account so they can no longer log into Salesforce, complete these steps.
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
Available in: Essentials, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and
Database.com Editions
You can deactivate users, but you can’t delete them outright. Deleting a user can result in orphaned records and the loss of critical
business information. Deactivating a user prevents access but preserves all historical activity and records.
1. From Setup, in the Quick Find box, enter Users, then select Users.
2. Click Edit next to a user’s name.
3. Deselect the Active checkbox, and then click Save.
Watch a Demo: Removing Users’ Access to Salesforce (Salesforce Classic—English only)
Tip: You can perform this and other administration tasks from the SalesforceA mobile app.
SEE ALSO:
Considerations for Deactivating Users
Freeze or Unfreeze User Accounts
Mass Transfer Records
Note: If your organization has asynchronous deletion of obsolete shares enabled, removal of manual and team shares is run
during off-peak hours between 6 PM and 4 AM based on your organization’s default time zone. For account records, manual
and team shares are deleted right after user deactivation.
Deactivated users lose access to shared records immediately. Users higher in the role hierarchy continue to have access until
that access is deleted asynchronously. If that visibility is a concern, remove the record access that’s granted to the deactivated
users before deactivation.
Chatter
If you deactivate users in an organization where Chatter is enabled, they’re removed from the Following and Followers lists. If you
reactivate the users, the subscription information in the Following and Followers lists is restored.
If you deactivate multiple users, subscription information isn’t restored for users that follow each other. For example, user A follows
user B and user B follows user A. If you deactivate users A and B, their subscriptions to each other are deleted from Following and
Followers lists. If user A and user B are then reactivated, their subscriptions to each other aren’t restored.
Salesforce Files
Files owned by a deactivated user aren’t deleted. The deactivated user is the file owner until an admin reassigns the files to an active
user. Files shared in a content library can be edited by other library members with author or delete permissions. Sharing rules remain
active until an admin modifies them.
Created By fields
Inactive users can be listed in Created By fields even when they’re no longer active in an organization. Some system operations
create records and toggle preferences, acting as an arbitrary administrator user to complete the task. This user can be active or
inactive.
Accounts and opportunities owned by deactivated users
You can create and edit accounts, opportunities, and custom object records that are owned by inactive users. For example, you can
edit the Account Name field on an opportunity record that’s owned by an inactive user. This feature requires administrator setup.
Enterprise Territory Management
Deactivated users are no longer assigned to territories and are removed from the territories they were assigned to.
Opportunity and account teams
Deactivated users are removed from the default opportunity and account teams of other users. The deactivated users’ default
opportunity and account teams aren’t removed.
Account teams
When a user on an account team who has Read/Write access (Account Access, Contact Access, Opportunity Access, and Case Access)
is deactivated and then reactivated, access defaults to Read Only.
Opportunity teams
If you deactivate users in an org where opportunity splitting is enabled, they aren’t removed from any opportunity teams where
they’re assigned a split percentage. To remove a user from an opportunity team, first reassign the split percentage.
Delegated external user administrators
When a delegated external user admin deactivates a portal user, the admin can’t remove the portal user from teams that user is a
member of.
CRM Analytics
When you deactivate a user who scheduled a dataflow, the dataflow schedule is deleted and the dataflow is unscheduled.
SEE ALSO:
Delete Users
Deactivate Users
Considerations for Deactivating Users
AND Transfer Leads
To mass transfer custom objects:
• Transfer Record
To mass transfer leads:
• Transfer Leads OR Transfer Record
• Select Keep Account Team to maintain the existing account team associated with the account. If you want to remove the
existing account team associated with the account, deselect this checkbox.
• Select Keep Opportunity Team on all opportunities to maintain the existing team on opportunities associated with this
account. Any opportunity splits are preserved, and split percentages assigned to the previous owner transfer to the new one.
If this box is unchecked, all opportunity team members and splits are deleted when the opportunity is transferred.
Note: If you transfer closed opportunities, the opportunity team is maintained, regardless of this setting.
7. Enter search criteria that the records you’re transferring must match. For example, search accounts in California by specifying
Billing State/Province equals CA.
8. Click Find.
Note: The 'Mass Transfer Records' tool allows up to 250 records at a time. To perform transfers over 250 records, use the Data
Loader or another tool.
9. Select the checkbox next to the records that you want to transfer. To select all currently displayed items, check the box in the column
header.
If duplicate records are found, you must select only one of the records to transfer. Transferring duplicate records results in an error.
Duplicate records can appear if you filter leads based on Campaign Member Status and a matching lead has the same campaign
member status on multiple campaigns. For example, if you specify Campaign Member Status equals Sent, and a
matching lead named John Smith has the status Sent on two campaigns, his record displays twice.
Leads Open activities. When transferring leads to a queue, open activities aren’t transferred.
When transferring accounts and their related data in Professional, Enterprise, Unlimited, Performance, and Developer Editions, all previous
access granted by manual sharing, Apex managed sharing, or sharing rules is removed. New sharing rules are then applied to the data
based on the new owner. To grant access to certain users, the new owner must manually share the transferred accounts and opportunities
as necessary.
SEE ALSO:
Transfer Records
Note: The contactless users feature is available only with the External Identity license, which enables access to the Salesforce
Customer Identity product.
When using contactless users, consider the following.
• You can’t use the Login As feature because it requires contacts.
• Delegated admins can’t manage contactless users.
• System for Cross-Domain Identity Management (SCIM) isn’t supported when creating contactless users.
• Contactless users have the same access to objects as users with contact information.
USER PERMISSIONS
To add a contact to a contactless user:
• Manage User OR Manage External User OR Edit Self-Service User
2. To upgrade to a community license, from Setup, enter Users in the Quick Find box, then select Users.
3. Next to the user you want to upgrade, click Edit.
4. Select a community license and profile for the user.
5. Optionally, specify a new profile and role.
6. Save your changes.
Downgrade Experience Cloud Site Users with Community Licenses to Contactless Users
You can convert Experience Cloud site users with community licenses to contactless users. By converting site users, you can expand
your site without adding to the cost. For example, you can downgrade inactive or unqualified users and then upgrade them to full-featured
site users later on. You can downgrade users from Setup and through the API.
Note: The contactless users feature is available only with the External Identity license, which enables access to the Salesforce
Customer Identity product.
Downgrading a site user to a contactless user is a two-step process. You disable the site user and then reactivate the user as a contactless
user. When you disable users, Salesforce deactivates them and invalidates their usernames by renaming them. You restore the usernames
when you reactivate the users. Reactivated users receive a Welcome New Member email from Salesforce. You can prevent Salesforce
from sending welcome emails from Experience Workspaces.
1. On the user’s contact detail page, save the contact’s username.
2. From the action dropdown menu, select Disable User.
3. (Optional) Disable welcome emails.
a. From Experience Workspaces, select Administration, and then select Emails.
b. Under Email Templates, deselect Send welcome email.
4. From Setup, in the Quick Find box, enter Users, then select Users.
5. Next to the user you’re downgrading, click Edit.
6. For user license, select External Identity, and then select a customer or partner profile.
7. Select Active.
8. Restore the username by replacing it with the one you saved.
9. Save your changes.
You can also downgrade users in bulk from the API. If you’re downgrading in bulk, assign the users to a profile. In this example, we’re
downgrading a single user.
// Disable the user. Save the username first, because Salesforce renames it when the user is disabled.
User u = [SELECT Id, Username FROM User WHERE Id = '005xx009871TQXL'];
String uName = u.Username;
u.IsPortalEnabled = false;
update u;
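A bulk form of the two-step downgrade described above, as an added example rather than Salesforce's own code. The class and method names are hypothetical, the check assumes the license's API name matches the External Identity label shown in Setup, and the caller keeps the map returned by the first method until it calls the second.

```apex
// Added example (not Salesforce's code): bulk form of the two-step downgrade.
public with sharing class ContactlessDowngrade {

    // Step 1: disable the site users and return their original usernames,
    // keyed by user Id. Salesforce renames the username of a disabled user,
    // so the caller must keep this map to restore the names in step 2.
    public static Map<Id, String> disableSiteUsers(Set<Id> userIds) {
        List<User> users = [
            SELECT Id, Username
            FROM User
            WHERE Id IN :userIds AND IsPortalEnabled = true
        ];
        Map<Id, String> savedUsernames = new Map<Id, String>();
        for (User u : users) {
            savedUsernames.put(u.Id, u.Username);
            u.IsPortalEnabled = false;
        }
        // allOrNone = false: a failure on one user doesn't roll back the others.
        List<Database.SaveResult> results = Database.update(users, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                // Not disabled, so it must not be reactivated in step 2.
                savedUsernames.remove(users[i].Id);
                System.debug(LoggingLevel.ERROR, 'Disable failed for ' + users[i].Id
                    + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
        return savedUsernames;
    }

    // Step 2: reactivate the disabled users as contactless users by assigning
    // a profile on the External Identity license, marking them active, and
    // restoring the saved usernames. Reactivated users receive a welcome email
    // unless welcome emails are turned off in Experience Workspaces first.
    public static Set<Id> reactivateAsContactless(Map<Id, String> savedUsernames,
                                                  String profileName) {
        List<Profile> profiles = [
            SELECT Id, UserLicense.Name
            FROM Profile
            WHERE Name = :profileName
            LIMIT 1
        ];
        // Assumption: the license name is 'External Identity', as labeled in Setup.
        if (profiles.isEmpty() || profiles[0].UserLicense.Name != 'External Identity') {
            throw new IllegalArgumentException(
                'Profile must exist and use the External Identity license: ' + profileName);
        }
        List<User> users = [
            SELECT Id
            FROM User
            WHERE Id IN :savedUsernames.keySet() AND IsActive = false
        ];
        for (User u : users) {
            u.ProfileId = profiles[0].Id;
            u.IsActive = true;
            u.Username = savedUsernames.get(u.Id);
        }
        Set<Id> downgraded = new Set<Id>();
        List<Database.SaveResult> results = Database.update(users, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (results[i].isSuccess()) {
                downgraded.add(users[i].Id);
            } else {
                System.debug(LoggingLevel.ERROR, 'Reactivation failed for ' + users[i].Id
                    + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
        return downgraded;
    }
}
```

Users missing from the returned set were not downgraded; compare it with the saved map's keys to find accounts that are still disabled under a renamed username.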
After you've added one or more email domains, the Email field for each new user must match an allowed domain.
The Email field for existing users doesn’t have to comply with the allowlist. However, if you edit an existing user, update the Email
field to match an allowed email domain.
Note: The email domain allowlist doesn't apply to users external to your org, such as portal, Experience Cloud site, or Chatter
External users.
SEE ALSO:
Enable the Email Domain Allowlist
Add a Single User
Add Multiple Users
Edit Users
User Fields
The fields that comprise the Personal Information and other personal settings pages describe a user.
The visibility of fields depends on page layouts, user permissions, your org’s permissions, and your Salesforce edition.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Field Description

App Registration: One-Time Password Authenticator
When connected, the user can verify their identity with a code from a third-party authenticator app, such as Google Authenticator, Microsoft Authenticator, or Authy. For example, the user enters a code from the app when logging in from an IP address outside the company’s trusted IP range. This type of verification code is sometimes called a time-based one-time password, or TOTP.
Users with Multi-Factor Authentication for User Interface Logins permission must provide two authentication factors when logging in to Salesforce through the user interface: their username and password, followed by a separate verification method. A current verification code generated by an authenticator app counts as a verification method.
If the user has Multi-Factor Authentication for API Logins permission and connects an authenticator app, the user enters the current code from the app to access the service. The user doesn’t enter the standard security token.

App Registration: Salesforce Authenticator
When connected, the user can verify their identity by responding to a push notification with the Salesforce Authenticator mobile app, version 2 or later. For example, the user approves a notification when logging in from an IP address outside the company’s trusted IP network. If the user sets a trusted location in the app and is allowed to use location-based automated verifications, Salesforce Authenticator can automatically verify the user’s identity from that trusted location. Users can connect both Salesforce Authenticator and another authenticator app to the same Salesforce account.
When connected, the user can also verify identity with a code from Salesforce Authenticator. For example, the user enters a code from the app when logging in from an IP address outside the company’s trusted IP network. This type of verification code is sometimes called a time-based one-time password, or TOTP.
Users with Multi-Factor Authentication for User Interface Logins permission must provide two authentication factors when logging in to Salesforce through the user interface: their username and password, followed by a separate verification method. A manual or automated response to a notification from Salesforce Authenticator counts as a verification method.
If the user has Multi-Factor Authentication for API Logins permission and connects Salesforce Authenticator, the user enters the current code from the app to access the service. The user doesn’t enter the standard security token.

Call Center
The name of the call center to which this user is assigned.

Checkout Enabled
Indicates whether the user is notified by email when the user’s Checkout account is activated and available for login.
Enabling this option requires the Manage Billing permission.
Color-Blind Palette on Charts
Indicates whether the option to set an alternate color palette for charts has been enabled. The alternate palette has been optimized for use by users who want high-contrast. For dashboard emails, the alternate palette isn’t used.

Created By
User who created the user including creation date and time. (Read only)

Currency
User’s default currency for quotas, forecasts, and reports. Shown only in orgs using multiple currencies. This currency must be one of the active currencies for the org.

Custom Links
Listing of custom links for users as set up by your administrator.

Data.com User Type
Enables a user to find contact and lead records from Data.com and add them to Salesforce. Also indicates the type of Data.com user. Data.com Users get a limited number of account, contact, and lead records to add or export per month, and their unused additions expire at the end of each month. Data.com List Users get a limited number of account, contact, and lead records to add or export per month, and their unused additions expire at the end of each month. After the monthly limit is used, List Users draw record additions from a pool that is shared by all List Users in the organization. Unused pool additions expire one year from purchase.

Default Currency ISO Code
User’s default currency setting for new records. Available only for orgs that use multiple currencies.

Default Division
Division that is applied, by default, to all new accounts and leads created by the user, unless the user explicitly sets a different division. When users create records related to an account or other record that already has a division, the new record is assigned to the existing record’s division. The default division isn’t used.
This setting doesn’t restrict the user from viewing or creating records in other divisions. Users can change their default division at any time by setting a working division.
Available only in orgs that use divisions to segment their data.

Delegated Approver
User lookup field used to select a delegate approver for approval requests. Depending on the approval process settings, this user can also approve approval requests for the user.
Department
Group that user works for, for example, Customer Support. Up to 80 characters are allowed in this field.

Development Mode
Enables development mode for creating and editing Visualforce pages.
This field is visible only to orgs that have Visualforce enabled.

Disable Auto Subscription For Feeds
Disables automatic feed subscriptions to records owned by a user. Only available in orgs with Chatter enabled.

Email
Email address of user. Must be a valid email address in the form: jsmith@acme.com. Up to 128 characters are allowed in this field.

Email Encoding
Character set and encoding for outbound email sent by user from within Salesforce. English-speaking users use ISO-8859-1, which represents all Latin characters. UTF-8 (Unicode) represents characters for all languages, however some older email software doesn’t support it. Shift_JIS, EUC-JP, and ISO-2022-JP are useful for Japanese users.

End of day
Time of day that user generally stops working. Used to define the times that display in the user’s calendar.

Federation ID
The value used to identify a user for federated authentication single sign-on.

First Name
First name of user, as displayed on the user edit page. Up to 40 characters are allowed in this field.

Flow User
Grants the ability to run flows. Available in Developer (with limitations), Enterprise, Unlimited, and Performance Editions.
Enabling this option requires the Manage Flow permission.
If the user has the Run Flows permission, don’t enable this field.

Lightning Platform Quick Access Menu
Enables the Lightning Platform quick access menu, which appears in object list view and record detail pages. The menu provides shortcuts to customization features for apps and objects.

Information Currency
The default currency for all currency amount fields in the user record. Available only for orgs that use multiple currencies.
Language
The primary language for the user. All text and online help is displayed in this language. In Professional, Enterprise, Unlimited, and Performance Edition orgs, a user’s individual Language setting overrides the org’s Default Language.
Not available in Personal Edition, Contact Manager, or Group Edition™. The org’s Display Language applies to all users.

Last Login
The date and time when the user last successfully logged in. This value is updated if 60 seconds have elapsed since the user’s last login. (Read only)

Last Name
Last name of user, as displayed on the user edit page. Up to 80 characters are allowed in this field.

Last Password Change or Reset
The date and time of this user’s last password change or reset. This read-only field appears only for users with the Manage Users permission.

Lightning Login
Allows the user to enroll in and use Lightning Login, for password-free logins. The Enroll option indicates that a Salesforce admin has given the user the option to enroll. The Cancel option indicates that the user has enrolled, and can cancel their enrollment if needed.
Make Setup My Default Landing Page
When this option is enabled, users land in the Setup page when they log in.

Manager
Lookup field used to select the user's manager. This field:
• Establishes a hierarchical relationship, preventing you from selecting a user that directly or indirectly reports to itself.
• Allows Chatter to recommend people and records to follow based on your org's reporting structure.
This field is especially useful for creating hierarchical workflow rules and approval processes without creating more hierarchy fields.

Marketing User
When enabled and the user has Read permission on contacts or the Import permission on Leads, and Edit permission on campaigns, the user can create, edit, and delete campaigns, configure advanced campaign setup, and add campaign members and update their statuses with the Data Import Wizard. Available in Professional, Enterprise, Unlimited, and Performance Editions.
If this option isn’t selected, or the user doesn’t have the necessary permissions, the user can only view campaigns and advanced campaign setup, edit the Campaign History for a single lead or contact, and run campaign reports.

Middle Name
Middle name of the user, as displayed on the user edit page. Up to 40 characters are allowed for this field.
uses it to authenticate the user when necessary. For example, verification occurs when a user logs in from an unknown IP address.
• Enter a mobile phone number and then have it verified with a text message containing a verification code.
• Skip entering a mobile number now, but be asked again at the next login.
• Opt out of mobile verification. Users who select this action can register a mobile number later in their personal information. Chatter Free and Chatter External license users who select this action need an administrator to set the mobile number.
Administrators can also enter users’ mobile numbers and pre-verify them. If Enable the SMS method of device activation is enabled when an administrator enters a mobile number for a user, or when a mobile number is set from an API using the User object, the mobile number is considered verified. If Enable the SMS method of device activation isn’t enabled, the new mobile phone number isn’t considered verified.

Modified By
User who last changed the user fields, including modification date and time. (Read only)

Monthly Contact and Lead Limit
If the user’s Data.com User Type is Data.com User, the number of Data.com contact and lead records the user can add each month. The default number of records per license is 300, but you can assign more or fewer, up to the org limit.

Name
Combined first name, middle name (beta), last name, and suffix (beta) of user, as displayed on the user detail page.

Offline User
Administrative checkbox that grants the user access to Connect Offline. Available in Professional, Enterprise, Unlimited, and Performance Editions.

Partner Super User
Denotes whether a partner portal user is a super user.
Profile
Administrative field that specifies the user’s base-level permissions to perform different functions within the application. You can grant more permissions to a user through permission sets.

Receive Approval Request Emails
Preference for receiving approval request emails.
This preference also affects whether the user receives approval request notifications in the Salesforce mobile app or Lightning Experience.

Receive Salesforce CRM Content Daily Digest
Specifies that non-portal users with a Salesforce CRM Content User license and Salesforce CRM Content subscription receive a daily email summary if activity occurs on their subscribed content, libraries, tags, or authors. To receive email, you must also select the Receive Salesforce CRM Content Email Alerts option. Portal users don’t need the Salesforce CRM Content User license. They need only the View Content in Portals user permission.

Receive Salesforce CRM Content Email Alerts
Specifies that non-portal users with a Salesforce CRM Content User license and Salesforce CRM Content subscription receive email notifications if activity occurs on their subscribed content, libraries, tags, or authors. To receive real-time email alerts, select this option and don’t select the Receive Salesforce CRM Content Daily Digest option. Portal users don’t need the Salesforce CRM Content User license. They need only the View Content in Portals user permission.

Salesforce CRM Content User
Indicates whether a user can use Salesforce CRM Content. Available in Professional, Enterprise, Unlimited, and Performance Editions.

Self-Registered via Customer Portal
When enabled, specifies that the user was created via self-registration to a Customer Portal. Available in Enterprise, Unlimited, and Performance Editions.

Security Key (U2F)
Allows the user to register and use a U2F-compatible security key as a second factor of authentication. The Register option indicates that a Salesforce admin has given users in the org the option to register a security key. The Remove option indicates that the user has registered a security key, and can remove their registration if needed.
Send Apex Warning Emails
Specifies that users receive an email notification whenever they execute Apex that surpasses more than 50 percent of allocated governor limits.
Available in Developer, Enterprise, Unlimited, and Performance Editions only.

Show View State in Development Mode
Enables the View State tab in the development mode footer for Visualforce pages.
This field is only visible to orgs that have Visualforce enabled and Development Mode selected.

Site.com Contributor User
Allocates one Site.com Contributor license to the user, granting the user limited access to Site.com Studio. Users with a Contributor license can use Site.com Studio to edit site content only.
The number of user records with this checkbox enabled can’t exceed the total number of Site.com Contributor licenses your org has.
Available in Developer, Enterprise, Unlimited, and Performance Editions, only if Site.com is enabled for your org.

Site.com Publisher User
Allocates one Site.com Publisher license to the user, granting the user full access to Site.com Studio. Users with a Publisher license can build and style websites, control the layout and functionality of pages and page elements, and add and edit content.
The number of user records with this checkbox enabled can’t exceed the total number of Site.com Publisher licenses your org has.
Available in Developer, Enterprise, Unlimited, and Performance Editions, only if Site.com is enabled for your org.

Start of day
Time of day that user generally starts working. Used to define the times that display in the user’s calendar.

Suffix
Name suffix of the user, as displayed on the user edit page. Up to 40 characters are allowed for this field.
To enable this field, from Setup, enter User Interface in the Quick Find box, then select User Interface. In Lightning Experience, the User Interface page is the last item under the User Interface node. Then select Enable Name Suffixes for Person Names.
Temporary Verification Code
Users can enter a temporary code when they forget or lose the verification method that they usually use for multi-factor authentication. Only Salesforce admins can generate or expire a temporary code for a user. Users can expire their own code.
SEE ALSO:
View and Manage Users
User Licenses
View Your Organization’s Feature Licenses
Restrict User Email Domains
Licenses Overview
To enable specific Salesforce functionality for your users, you must choose one user license for each user. To enable more functionality, you can assign permission set licenses and feature licenses to your users or purchase usage-based entitlements for your organization.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Edition requirements vary for each user, permission set, and feature license type.
For example, to view contracts, a user must have the Read permission on contracts. To assign a given permission to a user, that user’s license (or licenses) must support the permission. Multiple licenses can support a single permission.
Think of permissions as locks and of licenses as rings of keys. Before you can assign users a specific permission, they must have a license that includes the key to unlock that permission. Although every user must have exactly one user license, you can assign one or more permission set licenses or feature licenses to incrementally unlock more permissions.
Continuing our example, the Salesforce user license includes the key to unlock the Read permission
on contracts. The Chatter Free user license doesn’t. If you try to assign that permission to a Chatter Free user, you get an error message.
You can view your Salesforce org’s licenses on the Company Information page in Setup. To learn how to check your remaining licenses,
watch How Many Licenses Have I Used? (English Only). You can also track the number of active user licenses, permission set licenses,
and feature licenses with the Active Licenses tab in the Lightning Usage App.
User Licenses
A user license determines the baseline of features that the user can access. Every user must have exactly one user license. You assign
user permissions for data access through a profile and optionally one or more permission sets.
Permission Set Licenses
Permission set licenses entitle users to access additional features not included in their assigned user license. Users can be assigned
any number of permission set licenses.
Feature Licenses Overview
A feature license entitles a user to access an additional feature that isn’t included with his or her user license, such as Marketing or
WDC. Users can be assigned any number of feature licenses.
Usage-Based Entitlements
A usage-based entitlement is a limited resource that your organization can use on a periodic basis. For example, the allowed number
of monthly logins to a Partner Community or the record limit for Data.com list users are usage-based entitlements.
User Licenses
A user license determines the baseline of features that the user can access. Every user must have exactly one user license. You assign user permissions for data access through a profile and optionally one or more permission sets.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Edition requirements vary for each user license type.
Assign licenses for your users’ job functions, so that they’re entitled to the permissions required for their day-to-day tasks. For example:
• Employee A needs access to custom apps, but not the full CRM functionality. Assign Employee A a Lightning Platform user license, which supports standard object permissions for accounts and contacts, but not cases.
• Employee B needs full access to standard CRM apps and objects. Assign Employee B a Salesforce user license, which allows you to grant them standard object permissions for accounts, contacts, and cases.
You assign licenses to users when they’re added to your org. You can change a user’s license on their User Detail page. Changing a user's
license also removes any permission sets and permission set licenses that are assigned to the user.
User licenses offered by Salesforce include:
• Standard User Licenses
• Chatter User Licenses
• Experience Cloud User Licenses
• Service Cloud Portal User Licenses
• Sites and Site.com User Licenses
• Authenticated Website User Licenses
To purchase user licenses, contact your Salesforce account representative. Your Salesforce org can also have other licenses that are
supported but no longer available for purchase.
SEE ALSO:
View Your Organization’s User Licenses
You can see permission set license assignments on the Company Information page. For more information, see View and Manage Your Permission Set Licenses.
Create and Customize Reports
AND
Knowledge Only User
Available in: Enterprise, Unlimited, and Performance Editions
Designed for users who only need access to the Salesforce Knowledge app. This license provides access to custom objects, custom tabs, and the following standard tabs.
• Articles
• Article Management
• Chatter
• Files
• Home
• Profile
• Reports
• Custom objects
• Custom tabs
The Knowledge Only User license includes a Knowledge Only profile that grants access to the Articles tab. To view and use the Article Management tab, a user must have the Manage Articles permission.
To view articles, a user must have the AllowViewKnowledge permission on their profile. But this permission is off for default profiles. To give a user the AllowViewKnowledge permission on their profile, activate the permission on a cloned profile and assign the cloned profile to the user.

Identity Only
Available in: Enterprise, Unlimited, Performance, and Developer Editions
Ten free Identity user licenses are included with each new Developer Edition org.
Provides extra licenses for employees to access only identity services, such as single sign-on (SSO). For example, some of your employees don’t need access to all the solutions included with a Salesforce license. But you want these employees to be able to sign in to a custom Your Benefits web app directly from your Salesforce org using SSO. You can purchase the Identity Only license for them. This license provides access to the same identity services that are included with your other paid licenses in the Enterprise, Unlimited, Performance, and Developer Editions.
For more information about Salesforce identity services, see Identify Your Users and Manage Access.

External Identity
Available in: Enterprise, Unlimited, Performance, and Developer Editions
Five free External Identity user licenses are included with each new Developer Edition org.
Grants access to Salesforce Customer Identity, which enables customers and partners to self-register, log in, update their profile, and securely access web and mobile apps with a single identity. Plus, you can customize Customer Identity to your specific business process and brand using the power of the Salesforce Platform. For more information, see External Identity License Details and Salesforce Identity Licenses.
WDC Only User
Available in: Professional, Enterprise, Unlimited, Performance, and Developer Editions
Designed for users who don’t have a Salesforce license and need access to WDC.
Note: Chatter must be enabled for WDC features to fully function.

Lightning Platform - One App
Available in: Enterprise and Unlimited Editions
This license isn’t available for new customers.
Designed for users who need access to one custom app but not to standard CRM functionality. Lightning Platform - One App users are entitled to most of the same rights as Salesforce Platform users, plus they have access to an unlimited number of custom tabs. But they’re limited to one custom app, which is defined as up to 10 custom objects. They’re also limited to
Force.com - App Subscription
Available in: Enterprise, Unlimited, and Performance Editions
Grants users access to a Lightning Platform Light App or Lightning Platform Enterprise App. CRM functionality isn’t included.
A Lightning Platform Light App has up to 10 custom objects and 10 custom tabs, has read-only access to accounts and contacts, and supports object-level and field-level security. A Lightning Platform Light App can’t use the Bulk API or Streaming API.
A Lightning Platform Enterprise App has up to 10 custom objects and 10 custom tabs. It has the permissions of a Lightning Platform Light App, plus it supports record-level sharing, can use the Bulk API and Streaming API, and has read/write access to accounts and contacts.
Assign users with this license a profile or permission set that allows access only to 10 custom objects and 10 custom tabs.
Users with this license can only view dashboards if the running user also has the same license.
Each license provides 20 MB more data storage per user for Enterprise Edition and 120 MB more data storage per user for Unlimited and Performance Editions, as well as 2 GB of file storage regardless of the edition.
To view articles, a user must have the AllowViewKnowledge permission on their profile. But this permission is off for default profiles. To give a user the AllowViewKnowledge permission on their profile, activate the permission on a cloned profile and assign the cloned profile to the user.

Company Community User
Available in: Enterprise, Unlimited, Performance, and Developer Editions
This license is an internal user license for employee communities. It’s designed for users to access custom tabs, Salesforce Files, Chatter (people, groups, feeds), and an Experience Cloud site.
SEE ALSO:
User Licenses
View Your Organization’s User Licenses
external license, they’re not aware that they’re using Salesforce. Instead, the Acme portal is a secure space just for Acme brokers, not
for Acme employees.
When Do Salesforce Customers Use Internal Licenses?
Anyone who is an employee of a company or needs employee privileges requires an internal license. For example, Acme Insurance
uses Salesforce as its CRM. The Acme sales and service teams, who are full-time employees, need an internal license to log in to
Salesforce to do their day-to-day work.
Acme uses consultants to take care of the company’s Salesforce setup and administration. The consultants also need internal licenses,
even though they aren’t Acme employees. Other users who need an internal license to the Acme org are the company’s accountants
and lawyers, who also work for other companies, to access the company’s information. The key point is that you’re treating all these
users as employees. Acme is granting the same privileges to employees and consultants and is fine with the broader data and
permission access.
When Do Customers Use External Licenses?
Use external licenses for anyone outside your company who you want to:
• Limit access to your data
• Restrict privacy or security and sharing considerations
• Provide a more limited set of permissions (for example, can’t manage other users in the org or have access to modify all data)
• Limit access to a subset of information that is contained in your org
For example, a broker could need access only to a subset of information in your org. Acme has an internal sales team, but it also has
independent brokers who sell Acme products. The brokers need to access leads and opportunities, but they don’t need to see the
company’s internal Chatter feeds or cases.
Other examples of Acme users who could need external licenses are:
• End customers (that is, customers of Acme)
• System integrators
• Franchisees
• Resellers
• Distributors
• Wholesalers
• Retailers
• Agents
• Dealers
• Anyone in the Acme sphere who isn’t an employee
These Experience Cloud licenses are only to be used by external users. Don’t assign them to internal employees or contractors.
• External Apps
• External Apps Login
• Channel Account
• Customer Community
• Customer Community Login
• Customer Community Plus
• Customer Community Plus Login
• Partner Community
• Partner Community Login
SEE ALSO:
Standard User Licenses
Experience Cloud User Licenses
Note: The default External Identity User profile is limited to avoid unintended data leaks. This stricter default profile applies to
users assigned to this profile as of Spring ’19 and applies only to new Salesforce orgs. Users provisioned before Spring ’19 aren’t
affected.
Documents Read
Custom Objects Ten custom objects per profile, but custom objects in managed
packages don’t count toward this limit
Chatter Free users don’t see tabs like other Salesforce users. Chatter Free users access feeds, people, groups, and files using the App Launcher in Lightning Experience. In Salesforce Classic, users access these features from links in the page sidebar.
Lightning Platform Starter licenses are available in: Enterprise, Performance, Unlimited, and Developer editions
Salesforce administrators can upgrade a Chatter Free license to a standard Salesforce or Lightning Platform Starter license at any time. You can’t convert a standard Salesforce, Lightning Platform Starter, or Chatter Only license to a Chatter Free license.
Note: For a detailed look at the benefits associated with a Lightning Platform Starter license, see Experience Cloud User Licenses.
Feeds
File sharing
Files Connect
Groups
Profiles | Chatter External users can view profiles, but they can’t edit them.
Global search | Search results include only those items that customers have access to via groups. | Chatter only users have access to reports and dashboards but can’t use global search to find them.
Custom objects | Up to 10 custom objects
Content library
Important: Experience Cloud sites use community user licenses.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
This topic is intended for Salesforce administrators who want to learn more about the differences between the user licenses
intended for external users.
Salesforce packages licenses in specific stock keeping units (SKUs) to sell to customers. SKUs contain one or more licenses and
capabilities. Generally, the name of the SKU and the license match, but this isn’t always the case. For example, there are two SKUs
that sell the Partner Community license: the Partner Relationship Management SKU and the External Apps SKU. While both SKUs sell
the Partner Community license, the External Apps SKU offers more platform capacity in the form of custom objects, file and data
storage, and APIs.
Once purchased, license names (not SKU names) appear in Setup > Company Information.
Contact your Salesforce account executive to learn which SKU and license combination is the best fit for your business needs.
A community license works like a standard Salesforce internal license: external users with a member-based license (that is, a license that
is assigned to a specific user) are able to access a community as many times as they want. However, external users do not have access
to the internal org.
The External Identity license is a standalone license that you can buy to deliver identity services, like single sign-on and passwordless
login, to your customers and partners. To expand user access and capabilities, you can upgrade your External Identity license to a
community license at any time. For more information, see External Identity License Details.
Note: If a community license contract isn’t renewed and the license is removed from your org, existing members continue
to have access to sites they’ve been added to. Deactivate sites that you wish to discontinue to ensure security.
If you intend to use your Experience Cloud site as a public knowledge base for unauthenticated users, you don’t have to purchase
community licenses. For example, guest users can access publicly available Experience Cloud site pages to read knowledge articles.
Note: If your org has legacy portal licenses for authenticated users, you don’t have to purchase or convert to community
licenses for your authenticated users. You can use legacy portal licenses for sites created with Experience Cloud.
We highly discourage the use of internal licenses for external use cases. External user licenses are the only licenses suited to securely
access an external facing portal or site.
Are community licenses associated with users or a site?
Communities licenses are associated with users, not a specific site. If needed, you can move users with these licenses between sites,
and users with community licenses can access multiple sites simultaneously. If you have unused licenses, you can assign them to
users in any Experience Cloud site in your org.
Here's another way to think about it: Your Experience Cloud site is like an extension of your Salesforce org that allows users (external
and internal) to interact and have selected access to data and functionality. A user’s exact access depends on what the license allows.
In addition to supporting communities licenses, Experience Cloud sites support all internal and portal licenses, including existing
Customer Portal, Authenticated Website, and partner portal licenses.
Check out Experience Cloud Sites and Users in Your Salesforce Org, a quick video about how Salesforce Experiences live in an org,
the differences between licenses, and how Salesforce accounts and site users are associated with one another.
How is a license used in an employee community?
Two underlying licenses support Employee Community licenses—the Salesforce Platform user license and the Company Community
for Lightning Platform permission set license. To assign a Lightning Platform Starter or Lightning Platform Plus license to a user, first
assign the Salesforce Platform user license. Then assign them the Company Community for Lightning Platform permission set license.
(Sometimes, you have to create the permission set before you can assign the license.)
When you upgrade from Lightning Platform Starter license to Lightning Platform Plus license, you get more custom objects, and
you don’t have to make changes in Setup. Lightning Platform and Lightning Platform Plus License Details has more about what is
included with these licenses.
Important: Users who have portal licenses can access your site as long as you include them by adding the profiles or permission
sets that they’re associated with to your site. You don’t have to purchase new licenses for them, or swap them for communities
licenses.
Customer Community | Business-to-consumer experiences with large numbers of external users who need access to case objects or knowledge. The Customer Community can be used with person accounts. | High Volume Customer Portal, Service Cloud Portal, Authenticated Sites Portal
Customer Community Plus | Business-to-consumer experiences with external users who need access to reports and dashboards and need standard sharing. The Customer Community Plus can be used with person accounts. | Customer Portal — Enterprise Administration, Customer Portal Manager Standard, Customer Portal Manager Custom
Note: Different license types can access your Experience Cloud sites. Your site isn’t limited to just one type of license.
The ratio between the number of monthly logins you purchase and the number of login licenses that are provisioned in your org is
1–20. For example, if you purchase 1,000 monthly logins, then 20,000 login licenses are provisioned in your org. If you want to assign
more than 20,000 login licenses, purchase more logins. Why the large ratio? We want to make sure that you have enough licenses
to assign to all the login-based users you potentially create.
The timeout period for a session is configurable up to a maximum of 24 hours.
How are login overages calculated?
Login overages are calculated over a 12-month period from the start date of the contract. Entitlements roll over from month to
month. If you purchase 1,000 monthly logins, you are entitled to a total of 12,000 annual logins.
In November 2017, we introduced the concept of daily unique logins and beginning on April 1, 2018, they are used to calculate
overages.
How can you monitor your login consumption?
You can monitor your login consumption by checking the LoginHistory table. In Salesforce Classic, the table is in Setup > Administer >
Manage Users. In Lightning Experience, it’s in Setup > Identity.
If you want to check your aggregated login consumption for the current month, use the Usage-based Entitlements list. In Salesforce
Classic, find it in Setup > Administer > Company Information. In Lightning Experience, it’s in Setup > Company Information.
Power Customer Community Logins | The number of logins consumed by external users with a Customer Community Plus login license during the current period.
Partner Community Logins | The number of logins consumed by external users with a Partner Community Login license during the current period.
External Apps Logins | The number of logins consumed by external users with an External Apps Login license during the current period.
Customer Community Daily Unique Logins | The number of unique daily logins consumed by external users with a Customer Community Login license during the current period.
Power Customer Community Daily Unique Logins | The number of unique daily logins consumed by external users with a Customer Community Plus Login license during the current period.
External Apps Daily Unique Logins | The number of unique logins consumed by external users with an External Apps login license during the current period.
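As an added example (not Salesforce code), this Python script tallies daily unique logins from rows shaped like a LoginHistory export and compares them with the 12-month entitlement described above. It assumes that a daily unique login counts each user at most once per UTC calendar day, that only logins with Status "Success" count, and that each row has been joined to the user's license name; the sample rows are constructed.

```python
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed rows: (UserId, LoginTime, Status, license name of that user).
# UserId, LoginTime and Status are LoginHistory fields; the license column is
# assumed to come from joining each login to its user record. All values are
# made up for illustration.
SAMPLE_ROWS = [
    ("005A", "2023-08-01T09:00:00Z", "Success", "Customer Community Login"),
    ("005A", "2023-08-01T17:30:00Z", "Success", "Customer Community Login"),
    ("005A", "2023-08-02T08:00:00Z", "Success", "Customer Community Login"),
    ("005B", "2023-08-01T10:00:00Z", "Invalid Password", "Customer Community Login"),
    ("005B", "2023-08-01T10:01:00Z", "Success", "Customer Community Login"),
    ("005C", "2023-07-31T23:59:00Z", "Success", "Customer Community Login"),
    ("005D", "2023-08-03T12:00:00Z", "Success", "Partner Community Login"),
    ("005D", "2023-08-03T12:05:00Z", "Success", "Partner Community Login"),
]


def contract_period_end(start: date) -> date:
    """First day after the 12-month period that begins on the contract start date."""
    try:
        return start.replace(year=start.year + 1)
    except ValueError:  # contract started on Feb 29 (assumption: end on Feb 28)
        return start.replace(year=start.year + 1, day=28)


def daily_unique_logins(rows, contract_start: date) -> dict:
    """Count (user, UTC day) pairs with at least one successful login, per license."""
    period_end = contract_period_end(contract_start)
    seen = defaultdict(set)
    for user_id, login_time, status, license_name in rows:
        if status != "Success":
            continue  # assumption: failed attempts do not consume a login
        ts = datetime.fromisoformat(login_time.replace("Z", "+00:00"))
        day = ts.astimezone(timezone.utc).date()
        if contract_start <= day < period_end:
            # A set collapses repeat logins by the same user on the same day.
            seen[license_name].add((user_id, day))
    return {name: len(pairs) for name, pairs in seen.items()}


def overage_report(rows, contract_start: date, monthly_logins: dict) -> dict:
    """Compare consumption with the annual entitlement (12 x monthly purchase)."""
    consumed = daily_unique_logins(rows, contract_start)
    report = {}
    for name, monthly in monthly_logins.items():
        entitled = monthly * 12  # entitlements roll over from month to month
        used = consumed.get(name, 0)
        report[name] = {
            "entitled": entitled,
            "consumed": used,
            "remaining": max(0, entitled - used),
            "overage": max(0, used - entitled),
        }
    return report


if __name__ == "__main__":
    purchased = {"Customer Community Login": 1000, "Partner Community Login": 1000}
    for name, row in overage_report(SAMPLE_ROWS, date(2023, 8, 1), purchased).items():
        print(name, row)
```

Compare the totals with the Usage-based Entitlements list; a large gap between raw successful logins and daily unique logins for one user is also worth a look when reviewing external account activity.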
Note: Experience Cloud can support a much larger scale of users per org for any of our license types if your community, site,
or portal needs more users. Consult with your Salesforce account representative to find out if your site needs an in-depth
review. If so, we can provide performance recommendations to ensure your site scales properly to meet your demands.
Some licenses, such as Customer Community Plus and Partner Community, require roles associated with an external user record.
An increase in the number of roles in your org degrades performance, so make sure that you don’t use more roles than necessary.
The default number of roles used in an org’s portals or communities is 50,000. This limit includes roles associated with all of the
organization’s customer portals, partner portals, or communities. When you reach your portal role limit, you can’t create more users.
Salesforce emails you when you reach 95% of your limit, so you have time to make adjustments before you run out of roles. To
prevent reaching this limit, which can impact performance, review and reduce the number of roles. If you are expecting a high volume
of users, enable account role optimization (ARO). ARO delays the account role creation process until there is a second user on an
account, and roles become necessary to support sharing data between them. You can also delete unused roles.
If you’ve enabled account role optimization and still require more roles for your site, you can increase the number of roles by
designating person account owner power users. Person account owner power users can own a large number of either customer or
partner users. They can’t change their role, look up to a parent role, or reparent their role. Person account owner power user objects
can't be created if deferred sharing is turned on for your org. Create a PersonAccountOwnerPowerUser object via API. Enter the user
ID of the power user and the type of users that they can own, Customer or Partner.
Note: Only users at the highest level of a hierarchy can be added to the PersonAccountOwnerPowerUser object.
1
If you're expecting a high volume of users, we recommend that you enable account role optimization (ARO). From the Spring
’22 release onward, ARO is enabled by default for new orgs. You can also enable it for existing orgs.
For example, a site set up in an Enterprise Edition org can have up to 6 million page views over the course of a year. Overages will
be calculated after the annual limit has been reached. See Experience Cloud Site Usage Limits for more information about page view
and other user limits.
License Details
By design, the out-of-the-box object permissions of user profiles associated with community licenses are rather restricted. In this table,
we outline user profile settings that are available to profiles with Customer Community, Customer Community Plus, Partner Community,
External Apps, or Channel Account licenses.
Note: As a best practice, always clone the standard profile associated with a community license, and change object permissions
as needed. If you’d like to limit the number of cloned profiles, use permission sets to assign object permissions.
2
The External Apps license can be purchased using a variety of SKUs, including the Commerce Portals SKU. After
purchasing the Commerce Portals SKU, you see External Apps licenses in your org. A SKU includes licenses and
additional functionality.
3
The Partner Community license can be purchased using a variety of SKUs, including the External Apps SKU. After
purchasing the External Apps SKU, you see Partner Community licenses in your org. A SKU includes licenses and
additional functionality.
Accounts
Read, Edit Read, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
Assets
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
Campaigns
Read, Create, and Edit [5] | Read, Create, and Edit [6]
Cases
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
7
4
To view or create relationships between accounts and contacts, you must have “Read” on accounts and contacts. To edit or delete
relationships between account and contacts, you must have “Read” on accounts and “Edit” on contacts.
5
For the Partner Community license, to read, create, and edit campaigns in the user interface, the partner user also needs the
“Marketing User” permission. With these permissions, a partner user can: search for and add their contacts or leads as campaign
members, access reports on their campaigns, and mass-assign their contacts and leads on a campaign.
6
For the Channel Account license, to read, create, and edit campaigns in the user interface, the partner user also needs the
“Marketing User” permission. With these permissions, a partner user can: search for and add their contacts or leads as campaign
members, access reports on their campaigns, and mass-assign their contacts and leads on a campaign.
7
Customer Community Plus users can’t change the account or contact on a case they own. The owner of the case must be an
internal or Partner Community user to make the change.
Contracts
Read, Create, Edit | Read, Create, Edit, Delete | Read, Create, Edit, Delete | Read, Create, Edit, Delete | Read, Create, Edit, Delete
Dashboards
Read Only
Documents
Read Only Read Only Read Only Read Only Read Only
Entitlements
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
External Objects (Salesforce Connect)
Read, Create, Edit | Read, Create, Edit | Read, Create, Edit | Read, Create, Edit | Read, Create, Edit
Ideas
Read, Create, Edit Read, Create Read, Create Read, Create Read, Create
8
Customer Community license users can’t add invitees to calendar events.
9
Customer Community Plus license users can’t add invitees to calendar events.
List Views
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
Notes and Attachments
Exceptions apply [10]
Opportunities
Read, Create, Edit Read, Create, Edit
Orders
Read, Create, Edit, Delete | Read, Create, Edit, Delete | Read, Create, Edit, Delete | Read, Create, Edit, Delete | Read, Create, Edit, Delete
Price Books
Read Only Read Only Read Only Read Only Read Only
Products
Read Only Read Only Read Only Read Only Read Only
10
Only internal users can create notes and only in Salesforce Classic. Notes appear in the Notes & Attachment section of the record.
After a note is created, both internal and Experience Cloud site users can access it. The site user's level of access on the note
depends on their level of access on the record.
Both internal and Experience Cloud site users (with Customer Community, Customer Community Plus, and Partner Community
licenses) can create Enhanced Notes using the New Note quick action on the record detail page in Experience Builder sites. Notes
are available in the Notes related list. Enhanced Notes aren’t available in sites created using Salesforce Tabs +Visualforce.
Reports [11]
Create and Manage Create and Manage Create and Manage
Return Orders
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
Salesforce CMS Functionality [12]
Service Appointment
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
Work Order
Read, Create, Edit Read, Create, Edit Read, Create, Edit Read, Create, Edit
11
To create and edit reports, the user also needs the “Create and Customize Reports,” “Report Builder,” and “Edit My Reports”
permissions. For more information, see Set Up Report Management for External Users—Create and Edit Reports. The Customer
Community Plus license doesn't include support for report subscriptions.
12
Functionality includes creating new content types, previewing headless content in the site, scheduling headless content, and
the Microsites LWR site template and its associated components.
Extra Data Storage 10 MB per user 2 MB per user When purchased 5 MB per user
(member-based (member-based with the PRM SKU: (member-based
license) license) license)
• 5 MB per user
1 MB per user (member-based 1 MB per user
(login-based license) license) (login-based license)
• 1 MB per user
(login-based
license)
When purchased
with the External
Apps SKU:
• 45 MB per user
(member-based
license)
• 20 MB per login
(login based
license)
API Calls per Day (by • 200 calls per 0 • 200 calls per day When purchased • 200 calls per day
Org) day per user per user with the PRM SKU: per user
(member-based (member-based • 200 calls per day (member-based
license) license) per user license)
• 400 calls per • 10 calls per day (member-based • 10 calls per day
day per user per user license) per user
(login-based (login-based • 10 calls per day (login-based
license) license) per user license)
Chatter (People, Groups, Feeds, Private Messages)
Custom Objects | 100 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange) | 10 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange) | 10 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange) | When purchased with the PRM SKU: 10 custom objects per license. When purchased with the External Apps SKU: 100 custom objects per license | 10 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange)
Delegated Administration
Files [13][14] | Content Libraries aren't available with External Apps licenses. | Content Libraries aren't available with Customer Community licenses. | Create, Read, Edit, Delete | Create, Read, Edit, Delete | Create, Read, Edit, Delete
Knowledge
Market Development Funds
Sharing Sets [15]
Salesforce App
13
Salesforce Files with Chatter enabled lets you share files in a group, feed, and post a file to a record. With Salesforce CRM Content
enabled, Files gives you access to Libraries, content deliveries, and file tagging.
14
Library administrators can manage library permissions to determine the level of access users have to content libraries.
15
Sharing sets are not supported by reports and dashboards. Permission sets can be used in tandem with sharing sets to allow
customers to access reports and dashboards.
Territory Management
Recognition Badges [18]
Workflow Approvals [19]
Note: Starting with Summer ’13, the Customer Portal user license isn’t available for new orgs. You can create a customer portal
using the Customer Account Portal Lightning template in Experience Builder.
Existing orgs using Customer Portal licenses may continue to use their licenses.
16
Partner users can’t see emails in the case feed.
17
Channel Account users can’t see emails in the case feed.
18
Recognition Badges is only available in Lightning Communities.
19
Customer Community license holders can submit for approval and can be assigned as the approver, but they can’t be assigned
tasks or email alerts via approval workflows.
If you’re still working with the Customer Portal, see the Customer Portal Guide for more information.
SEE ALSO:
User Licenses
When to Use an Internal or External License
Upgrade Experience Cloud User Licenses
Create Experience Cloud Site Users
Authenticated Website User Licenses
Partner Portal User Licenses
Customer Portal User Licenses
Lightning Platform Starter and Lightning Platform Plus Details
Note: The Channel Account license offers the same permission structure as the Partner license. For more information, see
Experience Cloud User Licenses.
Accounts
Read, Create, Edit, Delete, View All Data, Manage All Data | Read, Create, Edit, Delete, View All Data, Manage All Data
Assets
Read, Create, Edit, Delete Read, Create, Edit, Delete
Campaigns
Cases
Read, Create, Edit, Delete [21] | Read, Create, Edit, Delete [22]
Contacts
Read, Create, Edit, Delete, View All Data, Manage All Data | Read, Create, Edit, Delete, View All Data, Manage All Data
Contracts
Dashboards
Documents
Read, Create, Edit, Delete, View All Data, Manage All Data | Read, Create, Edit, Delete, View All Data, Manage All Data
Entitlements
20
To view or create relationships between accounts and contacts, you must have “Read” on accounts and contacts. To edit or delete
relationships between account and contacts, you must have “Read” on accounts and “Edit” on contacts.
21
For Lightning Platform Starter licenses, using cases for customer service purposes, even internally, requires a Service Cloud license.
22
For Lightning Platform Plus licenses, using cases for customer service purposes, even internally, requires a Service Cloud license.
Ideas
Read, Create Read, Create
Leads
List Email
List Views
Read, Create, Edit, Delete Read, Create, Edit, Delete
Opportunities
Orders
Price Books
Products
Quotes
Reports [23]
Read, Create, Edit, Delete Read, Create, Edit, Delete
Service Appointment
Task
Read, Create, Edit, Delete Read, Create, Edit, Delete
Work Order
Read, Create, Edit, Delete Read, Create, Edit, Delete
(Can be used for employees, but not external users (e.g. customers, partners)) | (Can be used for employees, but not external users (e.g. customers, partners))
23
To create and edit reports, the user also needs the “Create and Customize Reports,” “Report Builder,” and “Edit My Reports”
permissions. For more information, see Set Up Report Management for External Users—Create and Edit Reports. Report creation
is available only in Salesforce Tabs + Visualforce communities.
API Calls per Day (by Org) | 200 per member for Enterprise Edition or Unlimited Edition orgs | 1000 per member for Enterprise Edition orgs; 5000 per member for Unlimited Edition orgs
Custom Objects | 10 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange) | 110 custom objects per license (custom objects in managed packages don’t count towards this limit, as long as they are made publicly available on AppExchange)
Delegated Administration
Knowledge
Read Only Read Only
Sharing Sets [28]
Salesforce App
Send Email
Territory Management
Recognition Badges [29]
Tokens
Create, Read, Edit, Delete Create, Read, Edit, Delete
Workflow Approvals
24
For the Lightning Platform Starter license, the data storage limit is 20 MB per user license, and the file storage limit is 2 GB per
user license.
25
For the Lightning Platform Plus license, the data storage limit is 20 MB per user license for EE editions, and 120 MB per user license
for UE editions. File storage limit is 2 GB per user license.
26
Salesforce Files with Chatter enabled lets you share files in a group, feed, and post a file to a record. With Salesforce CRM Content
enabled, Files gives you access to Libraries, content deliveries, and file tagging.
27
Library administrators can manage library permissions to determine the level of access users have to content libraries.
28
Sharing sets are not supported by reports and dashboards. Permission sets can be used in tandem with sharing sets to allow
customers to access reports and dashboards.
29
Recognition Badges is only available in Lightning Communities.
Note: Assign Lightning Platform Starter and Lightning Platform Plus users a profile or permission set that allows access only to
the allowed objects and the number of custom objects indicated in the table.
Lightning Platform Starter and Lightning Platform Plus users must be internal employees or contractors. These users can’t complete
internal or external customer service work without a Service Cloud license.
SEE ALSO:
Experience Cloud User Licenses
Database.com Light User | Designed for users who need only Database.com access to data, need to belong to Database.com groups (but no other groups), and don't need to belong to roles or queues. Access to data is determined by organization-wide sharing defaults. | Database.com Edition: 0 / Enterprise, Unlimited, and Database.com Edition: 0 / Contact Database.com to obtain Database.com
SEE ALSO:
User Licenses
Assets
Cases
Contacts
Custom Objects
Documents
Ideas
Knowledge
Price Books
Products
Solutions
Work Orders
SEE ALSO:
User Licenses
Site.com Only | Designed for Performance, Unlimited, and Enterprise Edition users who need access to Site.com but not to standard CRM functionality. Site.com Only users are entitled to the same rights as Lightning Platform - One App users, plus they have access to the Content app. However, they don't have access to the Accounts and Contacts objects. Users have access to an unlimited number of custom tabs but are limited to the use of one custom app, which is defined as up to 20 custom objects. Each Site.com Only user also needs either a Site.com Contributor or Site.com Publisher feature license to access Site.com.
SEE ALSO:
User Licenses
Note: When orders are enabled, standard profiles automatically include all object permissions for orders, as well as read access
for products and price books. If your external users are assigned to a standard profile and these object permissions aren't appropriate
for them, consider creating custom profiles that don't include these object permissions.
Available in: Enterprise, Performance, Unlimited, and Developer Editions
This table lists the permissions that can be given to Authenticated Website users.
Ideas
Knowledge
Orders
Price Books
Products
Custom Objects
SEE ALSO:
User Licenses
Note: When orders are enabled, standard profiles automatically include all object permissions for orders, as well as read access
for products and price books. If your external users are assigned to a standard profile and these object permissions aren't appropriate
for them, consider creating custom profiles that don't include these object permissions.
Available in: Salesforce Classic (not available in all orgs)
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Take a look at this table, which shows the equivalent current communities licenses for legacy portal licenses.
Customer Community | Business-to-consumer experiences with large numbers of external users who need access to case objects or knowledge. The Customer Community can be used with person accounts. | High Volume Customer Portal, Service Cloud Portal, Authenticated Sites Portal
Customer Community Plus | Business-to-consumer experiences with external users who need access to reports and dashboards and need standard sharing. The Customer Community Plus can be used with person accounts. | Customer Portal — Enterprise Administration, Customer Portal Manager Standard, Customer Portal Manager Custom
Refer to the permissions table found in the Experience Cloud User Licenses to see the permissions allowed by your equivalent license.
The Overage Customer Portal Manager Standard license is the same as the Customer Portal Manager Standard license, except that users
are limited to one login per month.
Note: When orders are enabled, standard profiles automatically include all object permissions for orders, as well as read access
for products and price books. If your external users are assigned to a standard profile and these object permissions aren't appropriate
for them, consider creating custom profiles that don't include these object permissions.
Take a look at this table, which shows the equivalent current communities licenses for legacy portal licenses.
Customer Community | Business-to-consumer experiences with large numbers of external users who need access to case objects or knowledge. The Customer Community can be used with person accounts. | High Volume Customer Portal, Service Cloud Portal, Authenticated Sites Portal
Customer Community Plus | Business-to-consumer experiences with external users who need access to reports and dashboards and need standard sharing. The Customer Community Plus can be used with person accounts. | Customer Portal — Enterprise Administration, Customer Portal Manager Standard, Customer Portal Manager Custom
Refer to the permissions table found in the Experience Cloud User Licenses to see the permissions allowed by your equivalent license.
Note: Once orders are enabled, standard profiles automatically include all object permissions for orders, as well as read access
for products and price books. If your external users are assigned to a standard profile and these object permissions aren’t appropriate
for them, consider creating custom profiles that don’t include these object permissions.
Take a look at this table, which shows the equivalent current communities licenses for legacy portal licenses.
Customer Community | Business-to-consumer experiences with large numbers of external users who need access to case objects or knowledge. The Customer Community can be used with person accounts. | High Volume Customer Portal, Service Cloud Portal, Authenticated Sites Portal
Customer Community Plus | Business-to-consumer experiences with external users who need access to reports and dashboards and need standard sharing. The Customer Community Plus can be used with person accounts. | Customer Portal — Enterprise Administration, Customer Portal Manager Standard, Customer Portal Manager Custom
Refer to the permissions table found in the Experience Cloud User Licenses to see the permissions allowed by your equivalent license.
SEE ALSO:
Permission Sets
USER PERMISSIONS
4. To view users already assigned to this permission set license, click View Users.
5. To assign users to the license, click Assign Users. You can assign multiple users at the same time.
6. Optionally, to enable this permission set license for integrations and allow Salesforce integration features to access data, click Enable
for Integrations.
Note: If integrations are required for feature functionality and the license isn't enabled for integrations, you receive an error
when setting up the session-based permission set or executing the feature. Only enable integrations if necessary for the feature.
For information on purchasing permission set licenses, contact your Salesforce account representative.
SEE ALSO:
Permission Set Licenses
Assign a Permission Set License to a User
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To assign a permission set license:
• Manage Users
To assign a permission set to users:
• Assign Permission Sets
1. From Setup, enter Company Information in the Quick Find box, then select Company Information and scroll down to Permission Set Licenses.
2. From Setup, enter Permission Sets in the Quick Find box, then select Permission Sets.
3. Click New.
4. Enter your permission set information.
5. For License, select the license to associate with this permission set.
When you select a specific permission set license, any user assigned to the permission set is auto-assigned the permission set license.
If you select --None--, you must manually assign the permission set license to users before you can add them to the new permission
set.
6. Select the feature permissions to enable for your permission set. Use Find Settings to search for them quickly. Refer to the
documentation for your feature to see which permissions are available with a specific permission set license.
Example: Let’s say you purchased an Identity Connect permission set license. This permission set license contains a permission
that grants access to the Identity Connect product features, such as providing Active Directory integration. To grant a user access
to this permission:
• Ensure that the user has the Identity Connect permission set license. Users who don’t have the associated permission set
license for a permission set you create can’t use the permission set. You can check which permission set licenses a user has
by viewing the Permission Set License Assignments section of the user detail page.
• Create a permission set and name it something like “Identity Connect Permissions.” From License, choose Identity Connect.
While still in the permission set, go to Find Settings, search for Identity Connect, and select the Use Identity Connect
system permission.
• Assign a user to the permission set.
SEE ALSO:
Permission Set Licenses
Permission Sets
Add the related permission to a permission set and then assign that permission set to the user.
SEE ALSO:
Permission Set Licenses
Remove a Permission Set License from a User
Permission Sets
Assign Permission Sets to a Single User
a. From Setup, in the Quick Find box, enter Company Information, and then select Company Information. Scroll down
to the Permission Set Licenses section.
b. Click the name of the permission set license you want to remove.
c. On the permission set license’s detail page, click View Users.
d. Select the users that you want to remove assignments for. Click Remove Assignments and then click OK.
SEE ALSO:
Permission Set Licenses
View and Manage Your Permission Set Licenses
Assign a Permission Set License to a User
SEE ALSO:
View and Manage Users
SEE ALSO:
Edit Users
Add a Single User
Feature Licenses Overview
Available Feature Licenses
View Your Organization’s Feature Licenses
USER PERMISSIONS
To enable feature licenses:
• Manage Internal Users
Site.com Publisher User | Create and style websites, control the layout and functionality of pages and page elements, and add and edit content on Site.com Studio.
For information on purchasing feature licenses, contact your Salesforce account representative.
SEE ALSO:
View Your Organization’s Feature Licenses
Enable a Feature License for a User
View and Manage Users
Feature Licenses Overview
Usage-Based Entitlements
A usage-based entitlement is a limited resource that your organization can use on a periodic basis. For example, the allowed number of monthly logins to a Partner Community or the record limit for Data.com list users are usage-based entitlements.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Professional with API Access Editions
Some entitlements are persistent. These entitlements give your Salesforce org a set number of the resource, and the amount allowed doesn’t change unless your contract changes. For example, if your company purchases monthly subscriptions for 50 members to access a Partner Community, you can assign up to 50 individuals the ability to log into the community as many times as they want.
Other entitlements are not persistent; these entitlements work like credit. Your org can use up to the amount allowed of that entitlement over the time indicated by the resource’s frequency. If the entitlement has a frequency of Once, your org must purchase more of the resource to replenish the allowance. If the entitlement has a frequency of Monthly, then your contract (not the calendar month) determines the start and end of the month.
For example:
• Company A purchases 50 monthly logins for a Partner Community, and on January 15 that org has a pool of 50 logins. Each time
someone logs in, one login is used. On February 15, no matter how many were used in the previous month, the pool is refreshed
and 50 logins are available through March 14.
• Company B purchases 2,000 records for Data.com list users with an end date of May 15. That org’s list users can add or export up to
2,000 records until that date. If the org reaches that limit before May 15, the Data.com list users won’t be able to add or export more
records. To unblock users, Company B can purchase more records.
Note: If your org has multiple contracts with the same Resource and the Resource ID is (tenant), you still only see one row for that entitlement, but the data in that row reflects your combined contracts. In this case, Start Date reflects the earliest start date among those contracts, and End Date reflects the latest end date among those contracts.
Like feature licenses, usage-based entitlements don’t limit what you can do in Salesforce; they add to your functionality. If your usage exceeds the allowance, Salesforce will contact you to discuss additions to your contract.
USER PERMISSIONS
To view usage-based entitlements:
• View Setup and Configuration
SEE ALSO:
Usage-Based Entitlements
Usage-Based Entitlement Fields
Set Up and Maintain Your Salesforce Organization Delegate Administrative Duties
Amount Used | The amount of this resource that your org is using. This field is updated only on active production orgs. Sandbox and trial orgs aren’t updated.
Last Updated | The most recent date and time when Salesforce took a snapshot of your org’s usage for this resource. This field is updated only on active production orgs. Sandbox and trial orgs aren’t updated.
For more information about resources your org is entitled to, contact your Salesforce account representative.
SEE ALSO:
Usage-Based Entitlements
View Your Salesforce Org’s Usage-Based Entitlements
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions
• Create and edit users in specified roles and all subordinate roles. User editing tasks include resetting passwords, setting quotas, creating default opportunity teams, and creating personal groups for those users.
• Unlock users.
Note: When delegating administration, keep the following in mind. Delegated administrators:
• Can’t assign profiles or permission sets with the “Modify All Data” permission
• Don’t see the None Specified option when selecting a role for new users
• Need access to custom objects to access the merge fields on those objects from formulas
• Can’t modify permission sets
• Must be assigned the "Manage Roles" permission to change the role of portal account owners
To delegate administration of particular objects, use object permissions, such as “View All” and “Modify All,” instead.
Set Up and Maintain Your Salesforce Organization Topics and Tags Settings
SEE ALSO:
Configure Topics for Records in Lightning Experience
Enable and Configure Topics for Objects in Salesforce Classic
Enable Tags
Allow users to add personal or public tags to most records. Tags are words or short phrases that users associate to records to describe and organize data in a personalized way.
EDITIONS
Available in: Salesforce Classic (not available in all orgs)
Tag settings available in: All Editions
USER PERMISSIONS
To modify tag settings:
• Customize Application
1. From Setup, enter Tag Settings in the Quick Find box, then select Tag Settings.
2. Select Enable Personal Tags and Enable Public Tags to allow users to add personal and public tags to records. Deselect both options to disable tags.
3. Specify which objects and page layouts display tags in a tag section at the top of record detail pages. The tag section is the only place where a user can add tags to a record.
For example, if you select only account page layouts, users in your org can only tag account records. If you select only account page layouts for personal tags and not public tags, users can tag account records only with personal tags.
4. Click Save.
SEE ALSO:
Topics and Tags Settings
SEE ALSO:
Topics and Tags Settings
SEE ALSO:
Topics and Tags Settings
USER PERMISSIONS
To delete personal tags for deactivated users:
• Customize Application
Set Up and Maintain Your Salesforce Organization Manage Data Access
Set Up and Maintain Your Salesforce Organization Control Who Sees What
Scoping Rules
Scoping rules let you control the records that your users see based on criteria that you select. You can set up scoping rules for different
users in your Salesforce org so that they can focus on the records that matter to them. Users can switch the set of records they’re
seeing as needed.
Note: With some exceptions, search results aren’t returned for records with fields that an admin or end user can't access
because of field level security. For example, a user searches for Las Vegas in Accounts, but doesn't have access to the Account
fields Billing Address and Shipping Address. Salesforce does a keyword search, matching the terms Las Vegas, Las, and Vegas
in the searchable fields. No results are returned for records that match only the Billing and Shipping Address fields because
the user doesn't have access to these fields. There are some fields that don’t enforce field level security and return search
results.
Record-Level Security (Sharing)
After setting object- and field-level access permissions, you can configure access settings for records. Record-level security lets you
give users access to some object records, but not others. Every record is owned by a user or a queue. The owner has full access to
the record. In a hierarchy, users higher in the hierarchy always have the same access as users below them in the hierarchy. This access
applies to records owned by users and records shared with them.
To specify record-level security, set your organization-wide sharing settings, define a hierarchy, and create sharing rules.
• Organization-wide sharing settings
The first step in record-level security is to determine the organization-wide sharing settings for each object. Organization-wide
sharing settings specify the default level of access that users have to each others’ records.
You use organization-wide sharing settings to lock your data to the most restrictive level. Use the other record-level security and
sharing tools to selectively give access to other users. For example, users have object-level permissions to read and edit
opportunities, and the organization-wide sharing setting is Read-Only. By default, those users can read all opportunity records,
but can’t edit any unless they own the record or are granted other permissions.
• Role hierarchy
After you specify organization-wide sharing settings, the first way to give wider access to records is with a role hierarchy. Similar
to an organization chart, a role hierarchy represents the level of data access that a user or group of users needs. The role hierarchy ensures
that users higher in the hierarchy can always access the same data as users who are lower, regardless of the organization-wide
default settings. Each role in the hierarchy can represent a level of data access that a user or group of users needs rather than
matching your organization chart.
Similarly, you can use a territory hierarchy to share access to records. See Define Default User Access for Territory Records.
Note: Although it’s easy to confuse permission sets and profiles with roles, they control two different things. Permission
sets and profiles control a user’s object and field access permissions. Roles primarily control a user’s record-level access
through role hierarchy and sharing rules.
• Sharing rules
With sharing rules you can make automatic exceptions to organization-wide sharing settings for sets of users. Use sharing rules
to give these users access to records they don’t own or can’t normally see. Sharing rules, like role hierarchies, are only used to
give more users access to records—they can’t be stricter than your organization-wide default settings.
• Manual sharing
Sometimes it’s impossible to define a consistent group of users who need access to a particular set of records. Record owners
can use manual sharing to give read and edit permissions to users who don’t have access any other way. Manual sharing isn’t
automated like organization-wide sharing settings, role hierarchies, or sharing rules. But it gives record owners the flexibility to
share records with users that must see them.
• User sharing
With user sharing, you can show or hide an internal or external user from another user in your organization. User sharing rules
are based on membership to a public group, role, or territory, so you must create the appropriate public groups, roles, or territories
before creating user sharing rules. Each sharing rule shares members of a source group with members of the target group. Users
inherit the same access as users below them in the role hierarchy.
• Restriction rules
When a restriction rule is applied to a user, the data that they had read access to via your sharing settings is further scoped to
only records matching the record criteria that you set. This behavior is similar to how you can filter results in a list view or report,
except that it’s permanent.
• Scoping rules
With scoping rules you can set criteria to help your users see only records that are relevant to them. Scoping rules don’t restrict
the record access that your users already have. They scope the records that your users see. Your users can still open and report
on all records that they have access to per your sharing settings.
SEE ALSO:
Financial Services Cloud Administrator Guide: Control Who Sees What with Compliant Data Sharing
Profiles
Permission Sets
Field-Level Security
Sharing Settings
Object permissions
Field permissions
Custom permissions
Login hours
Login IP ranges
SEE ALSO:
Profiles
Permission Sets
Revoke Permissions and Access
User Permissions
User permissions specify what tasks users can perform and what features users can access. For example, users with the “View Setup and Configuration” permission can view Setup pages, and users with the “API Enabled” permission can access any Salesforce API.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
The user permissions available vary according to which edition you have.
You can enable user permissions in permission sets and custom profiles. In permission sets and the enhanced profile user interface, these permissions—as well as their descriptions—are listed in the App Permissions or System Permissions pages. In the original profile user interface, user permissions are listed under Administrative Permissions and General User Permissions.
To view permissions and their descriptions, from Setup, enter Permission Sets in the Quick Find box, then select Permission Sets, then select or create a permission set. Then from the Permission Set Overview page, click App Permissions or System Permissions.
SEE ALSO:
Profiles
Permission Sets
Standard Profiles
Object Permissions
Object permissions specify the base-level access users have to create, read, edit, and delete records for each object. You can manage object permissions in permission sets and profiles.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Object permissions either respect or override sharing rules and settings. The following permissions specify the access that users have to objects.
Permission | Description | Respects or Overrides Sharing?
Read | Users can only view records of this type. | Respects sharing
Create | Users can read and create records. | Respects sharing
Edit | Users can read and update records. | Respects sharing
Delete | Users can read, edit, and delete records. | Respects sharing
View All | Users can view all records associated with this object, regardless of sharing settings. | Overrides sharing
Modify All | Users can read, edit, delete, transfer, and approve all records associated with this object, regardless of sharing settings. “Modify All” on documents allows access to all shared and public folders, but not the ability to edit folder properties or create folders. To edit folder properties and create folders, users must have the “Manage Public Documents” permission. | Overrides sharing
Note: A profile or a permission set can have an entity, such as Account, with a master-detail relationship. A broken permission
dependency exists if the child entity has permissions that the parent must have. Salesforce updates the parent entity for a broken
permission dependency on the first save action for the profile or permission set.
If the child entity has these permissions These permissions are enabled on the parent entity
Modify All OR View All View All
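The following Python model is an added example, not Salesforce code or a Salesforce API. It shows how the layers described under Record-Level Security (organization-wide defaults, ownership, role hierarchy, sharing rules, manual sharing) combine with the Read, Edit, View All, and Modify All object permissions to give one user's effective access to one record, with the reason for the grant. Role names, users, and the sharing-rule tuples are constructed; restriction rules, scoping rules, territories, and field-level security are outside this model.

```python
from dataclasses import dataclass, field

NONE, READ, EDIT = 0, 1, 2                       # ordered access levels
OWD = {"Private": NONE, "Read-Only": READ, "Read/Write": EDIT}
LABEL = {NONE: "none", READ: "read", EDIT: "edit"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    perms: frozenset      # object permissions from profile and permission sets


@dataclass
class Record:
    owner: User
    manual_shares: dict = field(default_factory=dict)    # user name -> READ or EDIT


@dataclass
class Org:
    owd: str              # organization-wide default for this object
    role_parent: dict     # role -> parent role (None for a top role)
    sharing_rules: list = field(default_factory=list)    # (owner_role, target_role, level)

    def at_or_above(self, role, other):
        """True if `role` equals `other` or sits above it in the hierarchy."""
        while other is not None:
            if other == role:
                return True
            other = self.role_parent.get(other)
        return False


def sharing_grants(org, user, record):
    """Every (level, reason) that record-level sharing gives `user` on `record`."""
    grants = [(OWD[org.owd], f"organization-wide default {org.owd}")]
    if record.owner == user:
        grants.append((EDIT, "record owner"))
    elif user.role != record.owner.role and org.at_or_above(user.role, record.owner.role):
        grants.append((EDIT, "role hierarchy above owner"))
    for owner_role, target_role, level in org.sharing_rules:
        # Users above the target role inherit what the rule shares with it.
        if record.owner.role == owner_role and org.at_or_above(user.role, target_role):
            grants.append((level, f"sharing rule {owner_role} -> {target_role}"))
    if user.name in record.manual_shares:
        grants.append((record.manual_shares[user.name], "manual share"))
    return grants


def effective_access(org, user, record):
    """Return (access label, reason) for `user` on `record`."""
    if "Modify All" in user.perms:
        return "edit", "Modify All overrides sharing"
    # Sharing tools only widen access, so the most permissive grant wins.
    level, reason = max(sharing_grants(org, user, record), key=lambda g: g[0])
    if "View All" in user.perms and level < READ:
        level, reason = READ, "View All overrides sharing"
    # Object permissions are the ceiling for anything sharing grants.
    if "Read" not in user.perms and "View All" not in user.perms:
        return "none", "no Read object permission"
    if level == EDIT and "Edit" not in user.perms:
        return "read", reason + " (capped: no Edit object permission)"
    return LABEL[level], reason


def who_can_access(org, users, record):
    """Audit helper: user name -> (access label, reason) for one record."""
    return {u.name: effective_access(org, u, record) for u in users}


# --- Constructed sample org: hypothetical roles, users and rules ---
ROLES = {"VP Sales": None, "Sales Manager": "VP Sales", "Sales Rep": "Sales Manager",
         "Support Agent": None, "Auditor": None, "Integration": None}
rep_a = User("rep_a", "Sales Rep", frozenset({"Read", "Edit"}))
rep_b = User("rep_b", "Sales Rep", frozenset({"Read", "Edit"}))
manager = User("manager", "Sales Manager", frozenset({"Read", "Edit"}))
agent = User("agent", "Support Agent", frozenset({"Read"}))
auditor = User("auditor", "Auditor", frozenset({"View All"}))
integration = User("integration", "Integration", frozenset({"Modify All"}))
USERS = [rep_a, rep_b, manager, agent, auditor, integration]

org = Org("Private", ROLES, [("Sales Rep", "Support Agent", READ)])
deal = Record(owner=rep_a, manual_shares={"agent": EDIT})

if __name__ == "__main__":
    for name, (level, why) in who_can_access(org, USERS, deal).items():
        print(f"{name:12} {level:5} {why}")
```

With a Private default, the two accounts holding View All or Modify All still reach the record without any sharing entry, which is why those permissions deserve their own line in an access review.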
SEE ALSO:
“View All” and “Modify All” Permissions Overview
Comparing Security Models
Field Permissions
Available in: All Editions
View All | Delegation of object permissions. | Delegated administrators who
View All Users | Viewing all users in the organization. Grants Read access to all users, so that you can see their user record details, see them in searches, list views, and so on. | Users who need to see all users in the organization. Useful if the organization-wide default for the user object is Private. Administrators with the Manage Users permission are automatically granted the View All Users permission.
View All Lookup Record Names | Viewing record names in all lookup and system fields. | Administrators and users who need to see all information about a record, such as its related records and the Owner, Created By, and Last Modified By fields. This permission only applies to lookup record names in list views and record detail pages.
View All and Modify All are not available for ideas, price books, article types, and products.
View All and Modify All allow for delegation of object permissions only. To delegate user administration and custom object administration
duties, define delegated administrators.
View All for a given object doesn't automatically give access to its detail objects. In this scenario, users must have Read access granted
via sharing to see any associated child records to the parent record.
View All Users is available if your organization has User Sharing, which controls user visibility in the organization.
SEE ALSO:
Object Permissions
Where managed | “Read,” “Create,” “Edit,” and “Delete” object permissions; Sharing settings | “View All” and “Modify All”
Record access levels | Private, Read-Only, Read/Write, Read/Write/Transfer/Full Access | “View All” and “Modify All”
Ability to transfer | Respects sharing settings, which vary by object | Available on all objects with “Modify All”
Ability to approve records, or edit and unlock records in an approval process | None | Available on all objects with “Modify All”
Ability to report on all records | Available with a sharing rule that states: the records owned by the public group “Entire Organization” are shared with a specified group, with Read-Only access | Available on all objects with “View All”
Object support | Available on all objects except products, documents, solutions, ideas, notes, and attachments | Available on most objects via object permissions. Note: View All and Modify All are not available for ideas, price books, article types, and products.
Ability to manually share records | Available to the record owner and any user above the record owner in the role hierarchy | Available on all objects with “Modify All”
Ability to manage all case comments | Not available | Available with “Modify All” on cases
Field Permissions
Field permissions specify the access level for each field in an object. In permission sets and the enhanced profile user interface, the setting labels differ from those in the original profile user interface and in field-level security pages for customizing fields.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Access Level | Enabled Settings in Permission Sets and Enhanced Profile User Interface | Enabled Settings in Original Profile and Field-Level Security Interfaces
Users can read and edit the field. | Read and Edit | Visible
Users can read but not edit the field. | Read | Visible and Read-Only
SEE ALSO:
Field-Level Security
Object Permissions
Set Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Set assignment expiration dates and assign permissions that expire to users via permission sets and permission set groups. Assigned users receive access to all aggregate permissions until the expiration date.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
USER PERMISSIONS
To assign a permission set:
• Assign Permission Sets
To enable the beta:
• Customize Application
To assign users to permission set groups, create the permission set group with the permission sets and permissions that you want to assign to users before you begin.
1. To activate this feature, enable Permission Set & Permission Set Group Assignments with Expiration Dates in User Management Settings.
2. Access the Permission Sets or Permission Set Groups Setup page.
a. To edit a permission set, from Setup, in the Quick Find box, enter Permission Sets, and then select Permission Sets.
b. To edit a permission set group, from Setup, in the Quick Find box, enter Permission Set Groups, and then select Permission Set Groups.
3. In the list view, click the name of the permission set or permission set group name that you want to update.
Note: If a permission set or permission set group contains any of the following permissions, it can’t have an expiration date associated with it:
• Assign Permission Set
• Manage Profiles
• Manage Users
• Permission Sets
c. Click a time frame, such as 30 days, or to enter a custom date, click Custom Date.
d. Select a time zone. Assignments expire at 11:59 PM on the date and in the time zone that you specify.
If you select My Local Time Zone, expiration occurs at 11:59 PM in your time zone. For example, suppose that you have a user with an
assigned expiration who uses Japan Standard Time, and you use Pacific Daylight Time as your time zone. If you select My Local
Time Zone as the time zone expiration option, the user’s assignment expires at 11:59 PM Pacific Daylight Time.
9. Click Assign.
Example: Suppose you need consultants in the San Francisco office to evaluate language used in sales contracts. Assign the
consultants to a permission set group that contains the permissions that they need. When you assign the consultants to the group,
specify that the assignment expires in 30 days (GMT-07:00) Pacific Daylight Time (America/Los Angeles). If you assign the permissions
on June 1, the assignments expire on June 30 at 11:59 PM Pacific Time.
When you have permission set groups with user assignments that expire, you can make updates to the permission sets in the group. If
you update the permission sets by adding or removing permissions, the assigned users receive or lose permissions after the permission
set group recalculation occurs. When the assignment expiration date is reached, assigned users lose access to the permissions in the
group.
SEE ALSO:
Permission Set and Permission Set Group Assignment Expiration
Manage Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Remove User Assignments in Permission Sets and Permission Set Groups
Permission Assignment Expiration Considerations
Manage Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Update or remove assignment expiration dates for permission sets and permission set groups.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
USER PERMISSIONS
To assign a permission set:
• Assign Permission Sets
1. Access the Permission Sets or Permission Set Groups Setup page.
a. To edit a permission set, from Setup, in the Quick Find box, enter Permission Sets, and then select Permission Sets.
b. To edit a permission set group, from Setup, in the Quick Find box, enter Permission Set Groups, and then select Permission Set Groups.
2. In the list view, click the name of the permission set or permission set group that you want to update.
3. Click Manage Assignments.
4. Select the assignments to modify.
5. To modify the selected assignments, click
a. If you don’t want the assignments to expire, select No expiration date.
b. To choose an expiration date and time zone, select Specify the expiration date.
c. Click a time frame, such as 30 days, or to enter a custom date, click Custom Date.
d. Select a time zone. Assignments expire at 11:59 PM on the date and in the time zone that you specify.
If you select My Local Time Zone, expiration occurs at 11:59 PM in your time zone. For example, a user with an assigned expiration uses Japan Standard Time, and you use Pacific Daylight Time as your time zone. If you select My Local Time Zone as the time zone expiration option, the user’s assignment expires at 11:59 PM Pacific Daylight Time.
6. Select Assign.
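The time zone rule in step 5, worked through for the Japan Standard Time and Pacific Daylight Time case above. This is an added illustration, not Salesforce code: the record layout, user names, and permission set names are constructed, and treating the expiry minute itself as already expired is an assumption.

```python
from datetime import date, datetime, time, timedelta, timezone

# Fixed-offset zones for the two time zones named in the example above.
PDT = timezone(timedelta(hours=-7), "PDT")  # Pacific Daylight Time
JST = timezone(timedelta(hours=9), "JST")   # Japan Standard Time


def expiration_instant(expires_on, chosen_zone):
    """11:59 PM on the chosen date, in the time zone chosen at assignment."""
    return datetime.combine(expires_on, time(23, 59), tzinfo=chosen_zone)


def review_assignments(assignments, now):
    """Classify each assignment at the instant `now`.

    Returns (user, grant, state, expiry_in_user_zone) tuples, where state is
    'no-expiration', 'active' or 'expired'. Assumption: access is treated as
    gone from the expiry minute onward.
    """
    report = []
    for a in assignments:
        if a["expires_on"] is None:
            # "No expiration date": the grant stays until someone removes it.
            report.append((a["user"], a["grant"], "no-expiration", None))
            continue
        expiry = expiration_instant(a["expires_on"], a["chosen_zone"])
        state = "expired" if now >= expiry else "active"
        seen_by_user = expiry.astimezone(a["user_zone"]).isoformat()
        report.append((a["user"], a["grant"], state, seen_by_user))
    return report


# Constructed sample: an admin working in PDT picked "My Local Time Zone"
# and June 30, 2023 for two time-boxed grants; a third grant never expires.
SAMPLE_ASSIGNMENTS = [
    {"user": "tokyo.analyst", "grant": "Temp_Data_Export",
     "expires_on": date(2023, 6, 30), "chosen_zone": PDT, "user_zone": JST},
    {"user": "sf.contractor", "grant": "Temp_Data_Export",
     "expires_on": date(2023, 6, 30), "chosen_zone": PDT, "user_zone": PDT},
    {"user": "ops.admin", "grant": "Manage_Users_Group",
     "expires_on": None, "chosen_zone": None, "user_zone": PDT},
]

if __name__ == "__main__":
    # 12:30 AM on July 1 in Tokyo: the calendar date chosen by the admin has
    # already passed for the Tokyo user, yet the assignment is still active.
    now = datetime(2023, 7, 1, 0, 30, tzinfo=JST)
    for row in review_assignments(SAMPLE_ASSIGNMENTS, now):
        print(row)
```

When reviewing time-boxed grants, compare against the expiry instant in the zone chosen at assignment time, not the assignee's local calendar date.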
SEE ALSO:
Permission Set and Permission Set Group Assignment Expiration
Set Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Remove User Assignments in Permission Sets and Permission Set Groups
Permission Assignment Expiration Considerations
SEE ALSO:
Permission Set and Permission Set Group Assignment Expiration
Manage Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Remove User Assignments in Permission Sets and Permission Set Groups
Set Assignment Expiration Details for Users in Permission Sets and Permission Set Groups
Set Up and Maintain Your Salesforce Organization User Access and Permissions Assistant
To resolve the consequence in either case, consider all possible options. For example, you can clone the assigned profile or any assigned
permission sets where the permission or access setting is enabled. Then, disable the permission or access setting, and assign the cloned
profile or permission sets to the user. Another option is to create a base profile with the least number of permissions and settings that
represents the largest number of users possible. Then create permission sets that grant more access.
SEE ALSO:
User Permissions and Access
Assign Permission Sets to a Single User
Example:
Have the Consumer Key and Consumer Secret values ready for creating an authentication provider, then continue to Create an Authentication Provider for the Tooling API.
Example:
(1) the Default Scopes. (2) the Callback URL value to copy.
With the value of the Callback URL in the authentication provider, update the callback URL in the connected app. Continue to Update the Callback URL in the Connected App.
Example:
(1) The URL with the domain value. (2) The scope.
Continue to Create a Permission Set to Use the Named Credential.
Create a Permission Set with Required Permissions for the User Access and Permissions Assistant
Create a permission set to assign to users so that they can use the User Access and Permissions Assistant. These permissions are included in the System Admin standard profile. Users with that profile don’t require access to this permission step.
EDITIONS
Available in: all editions except Starter
USER PERMISSIONS
To create permission sets:
• Manage Profiles and Permission Sets
1. From Setup, in the Quick Find box, enter Permission, and then select Permission Sets.
2. Click New.
3. Enter a label and API name, and then save.
4. On the page for your new permission set, select System Permissions.
5. Click Edit.
6. Enable these permissions.
a. API Enabled
b. Assign Permission Sets
c. Customize Application
d. Manage Custom Permissions
e. Manage Profiles and Permission Sets
f. Manage Session Permission Set Activations
g. View Roles and Role Hierarchy
h. View Setup and Configuration
USER PERMISSIONS
To store authentication settings for a named credential:
• The named credential enabled under Named Credential Access
2. In the Quick Find box, enter Authentication, and then select Authentication Settings for External Systems.
3. Click New.
4. Complete the fields.
a. External System Definition: Named Credential
b. Named Credential: Tooling API Credential
Example:
For example, you want to find a list of all staff with the Manage Users permission. Use Analyze by Permission to filter by the Manage
Users permission and review the information on each user with that permission.
Analyze Permission Set Group Details
These details include combined user, standard object, custom object, and setup entity access permissions. You can also view the
permission sets in each permission set group and the users the group is assigned to.
For example, you want to see what permissions are enabled as part of a specific permission set group. Use Analyze by Permission
Set Group to view all combined permissions included in the permission set group and the users who are assigned the permissions.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Permissions Analyzer.
2. Under Analyze by, select User.
3. Enter or search for a user.
4. Optionally, to filter the list of associated permission sets, enter a permission set name.
5. In the results, select the permissions to review. To see permission origin information, click next to the entry.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Permissions Analyzer.
2. In the Analyze by picklist, select Permission.
3. In the Object picklist, select the object type to search on.
4. In the Permission picklist, select the permission type to filter on.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Permissions Analyzer.
2. In the Analyze by picklist, select Permission Set Groups.
3. For each permission set group that you want to analyze, select View Details.
a. To view all permissions associated with the permission set group, select Combined Permissions. Filter by enabled or muted permissions, or both.
b. To view details about the permission sets included in the permission set group, select Permission Sets.
c. To view users who are assigned this permission set group and details about them, select Assigned Users.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Converter.
2. Select the profile to convert.
3. Select Convert to Permission Set.
4. Name the permission set.
Record types and tab access aren’t included in the conversion.
5. To view the conversion's status, click View Batch Jobs.
6. To view the new permission set, click View Permission Set.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Report.
2. Select the permission to report on. These permission types are available.
a. User Permissions
b. Object Permissions
c. Field Permissions
3. Optionally, filter on the user attributes to narrow your report results.
4. Click Run Report. The report returns a maximum of 5,000 rows.
5. To export as a CSV file, click Export Report.
Note: To add additional filters, you must reload the page and reselect the permission to report on.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Manage.
2. Select Assignments.
3. Select based on the assignment action.
a. To assign a permission set group, select Assign Permission Set Groups to Users.
b. To unassign a permission set group, select Unassign Permission Set Groups from Users.
4. Select the users to receive permission set group assignments or have the groups unassigned.
5. Click Next.
6. Finalize the action.
a. To assign the permission set group, click Assign.
b. To unassign the permission set group, click Unassign.
Create a Permission Set Group with the User Access and Permissions Assistant
Create a permission set group with the User Access and Permissions Assistant.
EDITIONS
Available in: all editions except Starter
Permission Sets Needed
To access the User Access and Permissions Assistant: User Access & Permissions Assistant Access
USER PERMISSIONS
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Manage.
2. Click Create Permission Set Group.
3. Enter a label and an API name. The API name auto-populates.
4. Optionally, enter a description, and click Next.
5. From the Available Permission Sets, select the permission sets to add to the group, then click Next.
6. Click Finish.
Users are added to a permission set group when the group status is Updated.
Modify a Permission Set Group with the User Access and Permissions Assistant
Edit the details of a permission set group with the User Access and Permissions Assistant.
EDITIONS
Available in: all editions except Starter
Permission Sets Needed
To access the User Access and Permissions Assistant: User Access & Permissions Assistant Access
USER PERMISSIONS
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Manage.
2. From the picklist for the selected entry, select View Permission Set Group.
3. Select the action to perform.
a. To edit the permission set group, click Edit.
b. To clone the permission set group, click Clone.
c. To delete the permission set group, click Delete.
4. If editing or cloning the permission set group, modify or add a name, API name, and description as needed.
5. To save an edit or clone, click Save. To confirm deletion, click Delete.
To use the User Access and Permissions Assistant:
• API Enabled AND Assign Permission Sets AND Customize Application AND Manage Custom Permissions AND Manage Profiles and Permission Sets AND Manage Session Permission Set Activations AND View Roles and Role Hierarchy AND View Setup and Configuration
1. In the User Access and Permissions Assistant, select Manage.
2. From the picklist for the selected entry, select View Permission Set Group.
3. Click Mute Permissions.
4. Next to each permission to mute, select the checkbox.
5. Save your work.
Set Up and Maintain Your Salesforce Organization User Access Policies (Beta)
The User Access and Permissions Assistant only supports converting profiles with a Salesforce license.
SEE ALSO:
Analyze Your Permission Assignments
Converting Profiles to Permission Sets
Manage Permission Set Groups
Note: This feature is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service is subject to the applicable Beta Services Terms provided at Agreements and Terms.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise and Unlimited editions
USER PERMISSIONS
To modify user access policies:
• Manage User Access Policies
These instructions describe how to create user access policies that you run manually, such as for a user access migration or one-time user access update. If you want to create user access policies that automatically run whenever qualified user records are created or updated, see Automatically Grant or Revoke Access with a User Access Policy (Beta).
1. From Setup, in the Quick Find box, enter User Access Policies, and then select User Access Policies.
If Salesforce enabled user access policies for you before the Summer ’23 release, you must enable this feature again on the User Management Settings page.
2. In the Quick Find box, enter User Access Policies, and then select User Access Policies.
3. Click New.
4. Enter a value for the Label and leave the Status as Design. The API name auto-populates.
5. Set the Trigger Type to None.
6. Click Save.
7. On the user access policy’s detail page, click Edit to configure the policy’s user criteria filters and actions.
8. Add at least one user criteria filter. You can have:
a. Up to three filters for applicable users
b. Any number of filters on standard and custom user fields of type Checkbox, Number, or Text
c. Multiple roles or profiles referenced in the same filter
9. Select Grant or Revoke from the Actions picklist, then select the access mechanism that the action applies to. Access options are:
a. Permission sets
b. Permission set groups
c. Permission set licenses
d. Managed package licenses
e. Groups
f. Queues
User access policies support up to 20 actions.
10. If the access is for more than 1,000 users, change the Status to Migrate to run the update as an asynchronous process. Otherwise,
leave the Status as None.
11. Save your changes.
12. If the policy doesn’t use the Migrate status, click Preview Users. You can select a subset of users to apply the policy to, or click Apply
to All.
Note: If you try to apply the policy to a very large number of users, the operation can time out before it completes. If you experience this issue, we recommend that you run the update as an asynchronous process as described in a previous step.
SEE ALSO:
User Access Policies (Beta)
Automatically Grant or Revoke Access with a User Access Policy (Beta)
User Access Policy Considerations (Beta)
Note: This feature is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service is subject to the applicable Beta Services Terms provided at Agreements and Terms.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise and Unlimited editions
USER PERMISSIONS
To modify user access policies:
• Manage User Access Policies
These instructions describe how to create user access policies that automatically run whenever qualified user records are created or updated. If you want to create user access policies that you run manually, such as for a user access migration or one-time user access update, see Manually Grant or Revoke Access with a User Access Policy (Beta).
1. From Setup, in the Quick Find box, enter User Access Policies, and then select User Access Policies.
If Salesforce enabled user access policies for you before the Summer ’23 release, you must enable this feature again on the User Management Settings page.
2. In the Quick Find box, enter User Access Policies, and then select User Access Policies.
3. Click New.
4. Enter a value for the Label and leave the Status as Design. The API name auto-populates.
5. Set the Trigger Type:
a. Create—The user access policy runs when a user who matches the policy criteria is created.
b. Update—The user access policy runs when a user who matches the policy criteria is updated.
c. Create and Update—The user access policy runs when a user who matches the policy criteria is either created or updated.
6. Click Save.
7. On the user access policy’s detail page, click Edit to configure the policy’s user criteria filters and actions.
8. Add at least one user criteria filter. You can have:
a. Up to three filters for applicable users
b. Any number of filters on standard and custom user fields of type Checkbox, Number, or Text
c. Multiple roles or profiles referenced in the same filter
9. Select Grant or Revoke from the Actions picklist, then select the access mechanism that the action applies to. Access options are:
a. Permission sets
b. Permission set groups
c. Permission set licenses
d. Managed package licenses
e. Groups
f. Queues
User access policies support up to 20 actions.
SEE ALSO:
User Access Policies (Beta)
Manually Grant or Revoke Access with a User Access Policy (Beta)
User Access Policy Considerations (Beta)
Active Policies
You can have up to 20 active user access policies at a time.
Set Up and Maintain Your Salesforce Organization Profiles
If a user record creation or update triggers more than one user access policy, the most recently modified user access policy that matches
the criteria is applied.
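A small model of the precedence rule above, useful for reviewing overlapping policies before activating them. This is an added sketch, not Salesforce code: the Policy class, its field names, the equality-only filters, and the sample policies and user are all hypothetical, and the model reads the sentence above literally (only the most recently modified matching policy runs).

```python
from dataclasses import dataclass
from datetime import datetime

MAX_ACTIVE_POLICIES = 20  # "up to 20 active user access policies at a time"
MAX_ACTIONS = 20          # "User access policies support up to 20 actions"


@dataclass
class Policy:
    name: str
    trigger: str           # "None", "Create", "Update" or "Create and Update"
    filters: dict          # user field -> set of accepted values (simplified)
    actions: list          # (verb, access mechanism, target) tuples
    last_modified: datetime
    active: bool = True

    def fires_on(self, event):
        # "Create and Update" fires on both events; "None" is manual only.
        return event in self.trigger.split(" and ")

    def matches(self, user):
        # Every filter must accept the user's value for its field.
        return all(user.get(f) in ok for f, ok in self.filters.items())


def lint(policies):
    """Check a policy set against the limits stated in the documentation."""
    problems = []
    active = [p for p in policies if p.active]
    if len(active) > MAX_ACTIVE_POLICIES:
        problems.append(f"{len(active)} active policies, limit is {MAX_ACTIVE_POLICIES}")
    for p in policies:
        if not p.filters:
            problems.append(f"{p.name}: needs at least one user criteria filter")
        if len(p.actions) > MAX_ACTIONS:
            problems.append(f"{p.name}: {len(p.actions)} actions, limit is {MAX_ACTIONS}")
    return problems


def resolve(user, event, policies):
    """Return (applied, shadowed): the most recently modified matching policy
    and the other matching policies, which do not run for this event."""
    hits = [p for p in policies
            if p.active and p.fires_on(event) and p.matches(user)]
    hits.sort(key=lambda p: p.last_modified, reverse=True)
    return (hits[0], hits[1:]) if hits else (None, [])


def shadowed_revokes(user, event, policies):
    """Revoke actions that are skipped because a newer policy wins."""
    _, shadowed = resolve(user, event, policies)
    return [(p.name, a) for p in shadowed for a in p.actions if a[0] == "Revoke"]


# Constructed sample: a contractor moves into Finance. Both automatic policies
# match the update, but only the newer grant policy is applied.
SAMPLE_POLICIES = [
    Policy("Contractor_Lockdown", "Create and Update",
           {"Contractor__c": {True}},
           [("Revoke", "Permission sets", "Data_Export")],
           datetime(2023, 7, 1, 9, 0)),
    Policy("Finance_Onboarding", "Update",
           {"Department": {"Finance"}},
           [("Grant", "Permission set groups", "Finance_Reporting")],
           datetime(2023, 8, 10, 14, 0)),
    Policy("Queue_Cleanup", "None",
           {"Department": {"Finance"}},
           [("Revoke", "Queues", "Legacy_Cases")],
           datetime(2023, 8, 15, 8, 0)),
]
SAMPLE_USER = {"Department": "Finance", "Contractor__c": True}

if __name__ == "__main__":
    applied, shadowed = resolve(SAMPLE_USER, "Update", SAMPLE_POLICIES)
    print("applied:", applied.name)
    print("shadowed:", [p.name for p in shadowed])
    print("skipped revokes:", shadowed_revokes(SAMPLE_USER, "Update", SAMPLE_POLICIES))
    print("limit problems:", lint(SAMPLE_POLICIES))
```

A non-empty result from `shadowed_revokes` marks a revoke that a later-edited grant policy overrides for the same user, which is the overlap to resolve before relying on automatic revocation.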
SEE ALSO:
User Access Policies (Beta)
Manually Grant or Revoke Access with a User Access Policy (Beta)
Automatically Grant or Revoke Access with a User Access Policy (Beta)
Profiles
Profiles define how users access objects and data, and what they can do within the application. When you create users, you assign a profile to each one.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Watch how you can grant users access to objects using profiles.
Who Sees What: Object Access (English only)
Standard Profiles
Every Salesforce org includes standard profiles that you can assign to users. Edits to standard profiles are limited to certain settings.
Manage Profile Lists
Profiles define how users access objects and data, and what they can do within the application. When you create users, you assign
a profile to each one. To view the profiles in your organization, from Setup, enter Profiles in the Quick Find box, then
select Profiles.
Work in the Enhanced Profile User Interface Page
In the enhanced profile user interface, the profile overview page provides an entry point for all settings and permissions for a profile.
Work in the Original Profile Interface
To view a profile on the original profile page, from Setup, enter Profiles in the Quick Find box, then select Profiles, then
select the profile you want.
Create or Clone Profiles
Create custom profiles using the API, or clone existing profiles and customize them to fit your business’s needs.
SEE ALSO:
Edit Multiple Profiles with Profile List Views
Standard Profiles
Every Salesforce org includes standard profiles that you can assign to users. Edits to standard profiles are limited to certain settings.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Your edition determines which standard profiles are available.
Every org includes standard profiles. In Professional, Enterprise, Unlimited, Performance, and Developer Editions, you can use standard profiles or create, edit, and delete custom profiles. In orgs where you can’t create custom profiles, such as Contact Manager and Group Editions, you can assign standard profiles to your users, but you can’t view or edit them.
While you can’t edit standard profile permissions, you can edit the following settings:
• Custom App Settings
• Tab Settings
• Desktop Integration Clients options
• Session Settings
• Password Policies
The following table lists commonly used permissions in standard profiles.
Standard Platform User | Can use custom AppExchange apps developed in your org or installed from AppExchange. In addition, can use core platform functionality such as accounts, contacts, reports, dashboards, and custom tabs.
Standard Platform One App User | Can use one custom AppExchange app developed in your org or installed from AppExchange. The custom app is limited to five tabs. In addition, can use core platform functionality such as accounts, contacts, reports, dashboards, and custom tabs.
Standard User | Can create and edit most major types of records, run reports, and view the org's setup. Can view, but not manage, campaigns. Can create, but not review, solutions.
Salesforce API Only System Integrations | Grants access to Salesforce only through the API. Assign more permissions to a user through permission sets. For more information about using this profile for integration users, see Give Integration Users API Only Access.
Customer Community User, Customer Community Plus User, Partner Community User | Can log in via an Experience Cloud site. Your site settings and sharing model determine their access to tabs, objects, and other features. For more information, see Experience Cloud User Licenses.
Partner User | Can log in via a partner portal or an Experience Cloud site.
Solution Manager | Can review and publish solutions. Also has access to the same functionality as the Standard User.
Marketing User | Can manage campaigns, create letterheads, create HTML email templates, manage public documents, and add campaign members and update their statuses with the Data Import Wizard. Also has access to the same functionality as the Standard User.
Contract Manager | Can create, edit, activate, and approve contracts. This profile can also delete contracts as long as they aren’t activated.
Read Only | Note: The Read Only standard profile was converted to a custom profile in existing Salesforce orgs with the rollout of the Summer ’21 release. This change allows you to edit permissions and rename the profile. New orgs created in Spring ’21 and later don’t have the Read Only standard profile, but these orgs can use the Minimum Access profile and assign custom permission sets to grant users read access as required. For more information, see the knowledge article, Read Only Profile Conversion to Custom Profile. Can view the org’s setup, run and export reports, and view, but not edit, other records.
Minimum Access - Salesforce | Grants the least privileges in the Salesforce platform. It includes Access Activities, Chatter Internal User, Lightning Console User, and View Help Link permissions. Follow data security best practices to assign this profile, and then add more permissions for the user through permission sets and permission set groups.
Site.com Only User | Can only log in to the Site.com app. Each Site.com Only user also needs a Site.com Publisher feature license to create and publish sites, or a Site.com Contributor feature license to edit the site’s content. This user can also:
• Use one custom app with up to 20 custom objects
• Access the Content app, but not the Accounts and Contacts objects
• Create unlimited custom tabs
Only available with the Site.com Only user license.
SEE ALSO:
Profiles
User Permissions
Note: You can’t delete a profile that’s assigned to a user, even if the user is inactive.
To view profiles, and print profile lists:
• View Setup and Configuration
To delete profile list views:
• Manage Profiles and Permission Sets
To delete custom profiles:
• Manage Profiles and Permission Sets
Viewing the Basic Profile List
• Create a profile.
• View or edit a profile by clicking its name.
• Delete a custom profile by clicking Del next to its name.
Create and Edit Profile List Views
If enhanced profile list views are enabled for your organization, you can create profile list views
to view a set of profiles with the fields that you choose. For example, you can create a list view of all profiles with Modify All Data
enabled.
Edit Multiple Profiles with Profile List Views
If enhanced profile list views are enabled for your organization, you can change permissions in up to 200 profiles directly from the
list view, without accessing individual profile pages.
SEE ALSO:
Edit Multiple Profiles with Profile List Views
Profiles
USER PERMISSIONS
To create, edit, and delete profile list views:
• Manage Profiles and Permission Sets
To remove a filter condition row and clear its values, click the remove row icon.
4. Under Select Columns to Display, specify the profile settings that you want to appear as columns in the list view.
a. From the Search dropdown list, select the type of setting you want to search for.
b. Enter part or all of a word in the setting you want to add and click Find.
Note: If the search finds more than 500 values, no results appear. Use the preceding
steps to refine your search criteria and show fewer results.
c. To add or remove columns, select one or more column names and click the Add or Remove arrow.
d. Use the Top, Up, Down, and Bottom arrows to arrange the columns in the sequence you want.
You can add up to 15 columns in a single list view.
5. Click Save, or if you're cloning an existing view, rename it and click Save As.
SEE ALSO:
Edit Multiple Profiles with Profile List Views
Limit Profile Details to Required Users
5. To change multiple profiles, select All n selected records (where n is the number of profiles you selected).
6. Click Save.
Note:
• For standard profiles, inline editing is available only for the “Single Sign-On” and “Affected By Divisions” permissions.
• If you edit multiple profiles, only those profiles that support the permission you are changing will change. For example, if you
use inline editing to add “Modify All Data” to multiple profiles, but because of its user license the profile doesn't have “Modify
All Data,” the profile won't change.
If any errors occur, an error message appears, listing each profile in error and a description of the error. Click the profile name to open
the profile detail page. The profiles you've clicked appear in the error window in gray, strike-through text. To view the error console, you
must have pop-up blockers disabled for the Salesforce domain.
Any changes you make are recorded in the setup audit trail.
SEE ALSO:
Profiles
SEE ALSO:
Enable Enhanced Profile List Views
Enable the Enhanced Profile User Interface
Assign Record Types and Page Layouts in the Enhanced Profile User Interface
In the enhanced profile user interface, Record Types and Page Layout Assignments settings determine the record type and page layout assignment mappings that are used when users view records. They also determine which record types are available when users create or edit records.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Record types available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To edit record type and page layout access settings:
• Manage Profiles and Permission Sets
To specify record types and page layout assignments:
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile.
3. In the Find Settings... box, enter the name of the object you want and select it from the list.
4. Click Edit.
5. In the Record Types and Page Layout Assignments section, make changes to the settings as needed.
Setting | Description
Record Types | Lists all existing record types for the object. --Master-- is a system-generated record type that's used when a record has no custom record type associated with it. When --Master-- is assigned, users can't set a record type to a record, such as during record creation. All other record types are custom record types.
Page Layout Assignment | The page layout to use for each record type. The page layout determines the buttons, fields, related lists, and other elements that users with this profile see when creating records with the associated record type. Since all users can access all record types, every record type must have a page layout assignment, even if the record type isn't specified as an assigned record type in the profile.
Assigned Record Types | Record types that are checked in this column are available when users with this profile create records for the object. If --Master-- is selected, you can't select any custom record types; and if any custom record types are selected, you can't select --Master--.
Default Record Type | The default record type to use when users with this profile create records for the object.
The Record Types and Page Layout Assignments settings have some variations for the following objects or tabs.
Home | You can't specify custom record types for the home tab. You can only select a page layout assignment for the --Master-- record type.
6. Click Save.
SEE ALSO:
How Is Record Type Access Specified?
Assign Custom Record Types in Permission Sets
Work in the Enhanced Profile User Interface Page
Note: Regardless of the currently selected app, all of a user's permissions are respected. For example, although the “Import Leads”
permission is under the Sales category, a user can import leads even while in the Service app.
System Settings
Some system functions apply to an organization and not to any single app. For example, login hours and login IP ranges control a user's
ability to log in, regardless of which app the user accesses. Other system functions apply to all apps. For example, the “Run Reports” and
“Manage Dashboards” permissions allow managers to create and manage reports in all apps. In some cases, such as with “Modify All
Data,” a permission applies to all apps, but also includes non-app functions, like the ability to download the Data Loader.
SEE ALSO:
Enable the Enhanced Profile User Interface
App and system permissions | Permission name | Type api, then select API Enabled.
All other categories | Category name | To find Apex class access settings, type apex, then select Apex Class Access. To find custom permissions, type cust, then select Custom Permissions. And so on.
SEE ALSO:
Enable the Enhanced Profile User Interface
View and Edit Login Hours in the Enhanced Profile User Interface
For each profile, you can specify the hours when users can log in.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To view login hour settings:
• View Setup and Configuration
To edit login hour settings:
• Manage Profiles and Permission Sets
1. From Setup, enter Profiles in the Quick Find box, then select Profiles.
2. Select a profile, and click its name.
3. In the profile overview page, scroll down to Login Hours and click Edit.
4. Set the days and hours when users with this profile can log in to the org.
To let users log in at any time, click Clear all times. To prohibit users from logging in on a specific day, set Start Time to 12 AM and End Time to 12 AM.
If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.
Note: The first time login hours are set for a profile, the hours are based on the org’s default time zone as specified on the Company Information page in Setup. After that, changes to the org’s default time zone on the Company Information page don’t affect the time zone for the profile’s login hours. The profile login hours remain the same, even when a user is in a different time zone or the org’s default time zone changes.
Depending on whether you’re viewing or editing login hours, the hours can be different. On the Login Hours edit page, hours appear in your specified time zone. On the profile overview page, hours appear in the org’s original default time zone.
SEE ALSO:
Enable the Enhanced Profile User Interface
• To edit or remove ranges, click Edit or Delete for that range.
Important:
• The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space. Ranges like 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 aren’t allowed.
• Partner User profiles are limited to five IP addresses. To increase this limit, contact Salesforce.
5. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, like which part of your network corresponds to this range.
Note: You can further restrict access to Salesforce to only those IPs in Login IP Ranges. To enable this option, in Setup, enter Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every request. This option affects all user profiles that have login IP restrictions.
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To view login IP ranges:
• View Setup and Configuration
To edit and delete login IP ranges:
• Manage Profiles and Permission Sets
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Edit Profiles in the Original Profile Interface
Profiles define how users access objects and data and what they can do within the application. In standard profiles, you can edit a limited number of settings. In custom profiles, you can edit all available permissions and settings, except the user license.
Profile Settings in the Original Profile Interface
Profiles define how users access objects and data and what they can do within the application.
View or edit these settings from the original profile detail page.
Assign Page Layouts in the Original Profile User Interface
If you’re already working in an original profile user interface, you can access, view, and edit all page layout assignments easily in one
location.
Assign Record Types to Profiles in the Original Profile User Interface
After you create record types and include picklist values in them, add record types to user profiles. If you assign a default record type
to a profile, users with that profile can assign the record type to records that they create or edit.
View and Edit Login Hours in the Original Profile User Interface
Specify the hours when users can log in based on the user profile.
Restrict Login IP Addresses in the Original Profile User Interface
Control login access at the user level by specifying a range of allowed IP addresses on a user’s profile. When you define IP address
restrictions for a profile, a login from any other IP address is denied.
SEE ALSO:
Assign a Default Experience to a User Profile
Record types | Record Type Settings section. You see the Edit link only if record types exist for the object.
SEE ALSO:
Edit Profiles in the Original Profile Interface
• Selected page layout assignments are highlighted.
• Page layout assignments you change are italicized until you save your changes.
6. If necessary, select another page layout from the Page Layout To Use drop-down list and repeat the previous step for the new page layout.
7. Click Save.
Record types available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
6. If your organization uses person accounts, set default record type options for both person accounts and business accounts. From
the Business Account Default Record Type and then the Person Account Default Record Type
drop-down list, choose a default record type.
These settings are used when defaults are needed for both kinds of accounts, such as when converting leads.
7. Click Save.
Options in the Record Type Settings section are blank wherever no record types exist. For example, if you have two record types for
opportunities but no record types for accounts, the Edit link only displays for opportunities. In this example, the picklist values and
default value for the master are available in all accounts.
Note: If your organization uses person accounts, you can view the record type defaults for business accounts and person accounts.
Go to Account Record Type Settings in the profile detail page. Clicking Edit in the Account Record Type Settings is another way
to begin setting record type defaults for accounts.
SEE ALSO:
How Is Record Type Access Specified?
Work in the Original Profile Interface
Assign Custom Record Types in Permission Sets
View and Edit Login Hours in the Original Profile User Interface
Specify the hours when users can log in based on the user profile.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions
USER PERMISSIONS
To set login hours:
• Manage Profiles and Permission Sets
1. From Setup, enter Profiles in the Quick Find box. Select Profiles, and then select a profile.
2. In the Login Hours related list, click Edit.
3. Set the days and hours when users with this profile can log in to the org.
To let users log in at any time, click Clear all times. To prohibit users from logging in on a specific day, set Start Time to 12 AM and End Time to End of Day.
If users are logged in when their login hours end, they can continue to view their current page, but they can’t take any further action.
4. Click Save.
Note: The first time login hours are set for a profile, the hours are based on the org’s default time zone as specified on the Company Information page in Setup. After that, changes to the org’s default time zone on the Company Information page don’t affect the time zone for the profile’s login hours. The profile login hours remain the same, even when a user is in a different time zone or the org’s default time zone changes.
Depending on whether you’re viewing or editing login hours, the hours appear differently. On the profile detail page, hours appear in your specified time zone. On the Login Hours edit page, the hours appear in the org’s default time zone.
SEE ALSO:
Work in the Original Profile Interface
Restrict Login IP Addresses in the Original Profile User Interface
USER PERMISSIONS
To view login IP ranges:
• View Setup and Configuration
To edit and delete login IP ranges:
• Manage Profiles and Permission Sets
• In a Professional Edition, the location of IP ranges depends on whether you have the "Edit Profiles & Page Layouts" org preference enabled as an add-on feature.
With the "Edit Profiles & Page Layouts" org preference enabled, IP ranges are on individual profiles.
Without the "Edit Profiles & Page Layouts" org preference enabled, IP ranges are on the Session Settings page.
2. Click New in the Login IP Ranges related list.
3. Enter a valid IP address in the IP Start Address field and a higher-numbered IP address in the IP End Address field.
The start and end addresses define the range of allowable IP addresses from which users can log in. To allow logins from a single IP
address, enter the same address in both fields.
• The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space
::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is
255.255.255.255. A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space.
Ranges like 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 aren’t allowed.
• Partner User profiles are limited to five IP addresses. To increase this limit, contact Salesforce.
4. Optionally enter a description for the range. If you maintain multiple ranges, use the Description field to provide details, such as
which part of your network corresponds to this range.
5. Click Save.
Note: Cache settings on static resources are set to private when accessed via a Salesforce Site whose guest user's profile has
restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser.
Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce
cache and any intermediate caches.
Note: You can further restrict access to Salesforce to only those IPs in Login IP Ranges. To enable this option, in Setup, enter
Session Settings in the Quick Find box, then select Session Settings and select Enforce login IP ranges on every
request. This option affects all user profiles that have login IP restrictions.
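The range rules above (the same rules appear in the enhanced profile interface section) can be checked before ranges are entered in Setup. The following Python is an added example, not Salesforce code; the function names and sample ranges are constructed for illustration, and it assumes a profile with no ranges has no IP restriction.

```python
import ipaddress

# Bounds of the IPv4-mapped IPv6 space quoted in the text.
MAPPED_LO = int(ipaddress.IPv6Address("::ffff:0:0"))
MAPPED_HI = int(ipaddress.IPv6Address("::ffff:ffff:ffff"))


def to_int128(text):
    """Parse an address; an IPv4 address is placed in the IPv4-mapped space."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        return MAPPED_LO | int(addr)
    return int(addr)


def check_range(start, end):
    """Return (ok, reason) for one IP Start Address / IP End Address pair."""
    try:
        lo, hi = to_int128(start), to_int128(end)
    except ValueError as exc:
        return False, f"not an IP address: {exc}"
    if hi < lo:
        return False, "end address is lower than start address"
    inside = MAPPED_LO <= lo and hi <= MAPPED_HI
    outside = hi < MAPPED_LO or lo > MAPPED_HI
    if not (inside or outside):
        # Comparing only the two endpoints misses ":: to ::1:0:0:0": both
        # endpoints are outside the mapped space, but the range spans it.
        return False, "range crosses the IPv4-mapped IPv6 boundary"
    return True, "ok"


def audit_ranges(ranges):
    """Return [(description, reason)] for every range that fails check_range."""
    findings = []
    for start, end, description in ranges:
        ok, reason = check_range(start, end)
        if not ok:
            findings.append((description, reason))
    return findings


def login_allowed(client_ip, ranges):
    """True if client_ip lies in at least one valid range of the profile."""
    if not ranges:
        return True  # assumption: a profile with no ranges has no IP restriction
    ip = to_int128(client_ip)
    for start, end, _description in ranges:
        # Invalid ranges are skipped so a malformed entry cannot widen access.
        if check_range(start, end)[0] and to_int128(start) <= ip <= to_int128(end):
            return True
    return False


# Constructed sample data (documentation address blocks, not from the page),
# plus the two disallowed ranges the text quotes.
SAMPLE_RANGES = [
    ("203.0.113.0", "203.0.113.255", "office egress"),
    ("198.51.100.7", "198.51.100.7", "single VPN gateway"),
    ("2001:db8::", "2001:db8::ffff", "IPv6 lab"),
    ("255.255.255.255", "::1:0:0:0", "disallowed example from the text"),
    ("::", "::1:0:0:0", "disallowed example that spans the mapped space"),
]

if __name__ == "__main__":
    for description, reason in audit_ranges(SAMPLE_RANGES):
        print(f"REJECT {description}: {reason}")
    for ip in ("203.0.113.40", "::ffff:203.0.113.40", "192.0.2.1"):
        verdict = "allowed" if login_allowed(ip, SAMPLE_RANGES) else "denied"
        print(ip, "->", verdict)
```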
SEE ALSO:
Set Trusted IP Ranges for Your Organization
View and Edit Login Hours in the Original Profile User Interface
Work in the Original Profile Interface
Tip: If you clone profiles to enable certain permissions or access settings, consider using permission sets. Also, if your profile name contains more than one word, avoid extraneous spacing. For example, “Acme User” and “Acme User” are identical other than spacing between “Acme” and “User.” Using both profiles in this case can result in confusion for admins and users.
To create an empty custom profile without any base permissions included, use the Profile SOAP API object. On the Profile Setup page, you must first clone an existing profile to create a custom profile.
1. To clone a profile, from Setup, in the Quick Find box, enter Profiles, and then select Profiles.
2. In the Profiles list page, do one of the following:
• Click New Profile, then select an existing profile that’s similar to the one you want to create.
• If enhanced profile list views are enabled, click Clone next to a profile that’s similar to the one you want to create.
• Click the name of a profile that’s similar to the one you want to create, then in the profile page, click Clone.
A new profile uses the same user license as the profile it was cloned from.
3. Enter a profile name.
4. Click Save.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To create profiles:
• Manage Profiles and Permission Sets
SEE ALSO:
SOAP API Developer Guide: Profile
Profiles
Tab Settings
Tab settings specify whether a tab is visible in its associated app. They also determine whether a tab appears in the All Tabs page in Salesforce Classic and whether objects appear in the Lightning Experience App Launcher and navigation menus. Tab settings labels in permission sets differ from the labels in profiles.
EDITIONS
Available in: Salesforce Classic and Lightning Experience (not available in all orgs)
Tab settings available in: All Editions except Database.com
Permission sets available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Enabled Settings in Permission Sets | Enabled Setting in Profiles | Description
Available | Default Off | The tab doesn’t appear in an app’s navigation bar, but it’s available in the App Launcher in Lightning Experience and on the All Tabs page in Salesforce Classic. Individual users can customize their display to make the tab visible in any app.
If a user has another permission set or profile with enabled settings for the same tab, the most permissive setting applies. For example,
let’s say permission set A has no settings enabled for the Accounts tab and permission set B enables the Available setting for the
Accounts tab. If permission sets A and B are assigned to a user, the user sees the Accounts tab on the All Tabs page.
SEE ALSO:
View and Edit Tab Settings in Permission Sets and Profiles
4. Select one default app. The default app appears when users log in for the first time.
5. Select Visible for any other apps you want to make visible.
Custom Profiles available in: Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
SEE ALSO:
Profiles
USER PERMISSIONS
To enable custom permissions in profiles:
• Manage Profiles and Permission Sets
USER PERMISSIONS
To edit session and password settings in profiles:
• Manage Profiles and Permission Sets
It’s possible that users are prompted to verify their identity with multi-factor authentication twice during the OAuth approval flow. The first challenge is on the UI session. The second challenge happens when the access token is bridged into the UI because the High Assurance session security level isn’t transferred to the access token.
6. Enable different login policies for your org’s employees depending on whether they log in to Salesforce or an Experience Cloud site.
a. To give employees less restrictive access to a site as compared to logging in to Salesforce, select Separate Experience Cloud site and Salesforce login authentication for employees.
Employees are often required to log in to Salesforce from the corporate network or VPN. If you don’t select this option, employees
have the same policies for logging in to Salesforce and to their Experience Cloud sites.
When you select this option, Salesforce and Experience Cloud sites are treated as separate apps, so you can loosen site login
policies for employees. As a result, employees with an active Salesforce session can be required to log in again when accessing
a site. And employees who log in to a site can be required to log in to Salesforce.
When employees who have these options enabled in their profile navigate to Experience Cloud site workspaces, they’re prompted
to log in to the site again. Users who have these options enabled and the required permissions can still create Experience Cloud
sites.
Note: External customers and partners can typically log in to Experience Cloud sites without such restrictive login policies.
b. To ignore IP address restrictions for this user profile, select Relax login IP restrictions.
c. To make it easier for Salesforce Customer Support representatives to troubleshoot issues, select Skip Device Activation at
Login. Enabling this permission allows only a Customer Support rep to skip device activation when they log in to the account.
Users with the permission still must verify their identity when they log in from an unrecognized browser, device, or IP address.
d. To support authorization with OAuth for employees who have Separate Experience Cloud site and Salesforce login
authentication for employees enabled on their profile, select Allow OAuth for employees.
7. If you’re working with a customer or partner’s profile, these extra settings appear.
Note: This feature is a Beta Service. Customer may opt to try such Beta Service in its sole discretion. Any use of the Beta Service is subject to the applicable Beta Services Terms provided at Agreements and Terms.
a. To extend customer or partner user sessions to last up to 7 days, for Session Times Out After select a timeout value from the dropdown list (beta).
Extend the session length to make it easy for your customers and partners to stay in your Experience Cloud site. This option
applies only to the External Identity license, which enables access to the Salesforce Customer Identity product, and the High
Volume Customer Portal user license, which enables limited access for users in orgs that have thousands to millions of users.
b. To prevent customers or partners from being logged out when they close the browser, select Keep users logged in when
they close the browser (beta).
This setting lets customer or partner user sessions remain active until users log out of the site or when the session times out. If
unselected, customers or partners are logged out when they close their browser. This option applies only to the External Identity
license, which enables access to the Customer Identity product, and the High Volume Customer Portal user license, which enables
limited access for users in orgs that have thousands to millions of users.
c. To add more security when customers or partners log in, select Enable device activation for customers. This option applies
to users with community licenses or the External Identity license.
When selected, Salesforce requires customers or partners to verify their identity when they log in from a different browser or
device.
d. To allow employees within your org to bypass device activation when they log in to an Experience Cloud site, select Skip
employee device activation during Experience Cloud site login.
This setting doesn't allow employees to skip device activation when they log in to your org.
Field | Description
User passwords expire in | The length of time until a user password expires and must be changed. The default is 90 days. This setting isn’t available for Self-Service portals. Enabling the Password never expires policy overrides the User passwords expire in policy. You can change this setting to an expiration date that is earlier or later than the previous expiration date. To remove an expiration date, select Never expires.
Enforce password history | Save users’ previous passwords so that they must use a new, unique password when changing passwords. Password history is not saved until you set this value. The default is 3 passwords remembered. You cannot select No passwords remembered unless you select Never expires for the User passwords expire in field. This setting isn’t available for Self-Service portals.
Minimum password length | The minimum number of characters required for a password. When you set this value, existing users aren’t affected until the next time they change their passwords. The default is 8 characters.
Password complexity requirement | The types of characters that must be used in a user’s password.
• No restriction—Has no requirements and is the least secure option.
• Must include alpha and numeric characters—The default setting. Requires at least one alphabetic character and one number.
• Must include alpha, numeric, and special characters—Requires at least one alphabetic character, one number, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
• Must include numbers and uppercase and lowercase letters—Requires at least one number, one uppercase letter, and one lowercase letter.
• Must include numbers, uppercase and lowercase letters, and special characters—Requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~.
• Must include 3 of the following: numbers, uppercase letters, lowercase letters, special characters—Requires at least three of the following options: one number, one uppercase letter, one lowercase letter, and one special character (! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~).
Password question requirement | The restrictions to place on the password hint’s answer. This setting isn’t available for Self-Service portals.
Maximum invalid login attempts | The number of login failures allowed for a user before the user is locked out. This setting isn’t available for Self-Service portals.
Lockout effective period | The duration of the login lockout. The default is 15 minutes. This setting isn’t available for Self-Service portals. When a user is logged in to an active session but is later locked out, the user remains logged in to the active session.
Obscure secret answer for password resets | Hide answers to security questions as the user types. The default is to show the answer in plain text.
Require a minimum 1 day password lifetime | A password can’t be changed more than once in a 24-hour period. This policy applies to all password changes, including password resets by Salesforce admins.
Don’t immediately expire links in forgot password emails | When you select this option, a password reset link in a forgot password email doesn’t expire the first time it’s clicked. Instead, the link stays active until the user confirms the password reset request on an interstitial page. A user has 24 hours to reset a password. After 24 hours, the user must submit another request.
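To compare what each Password complexity requirement option in the table accepts, the following Python is an added example, not Salesforce code. The policy keys are hypothetical short names for the six options, the default minimum length of 8 comes from the table, and matching letters and numbers as ASCII only is an assumption.

```python
# The special characters listed in the table.
SPECIALS = set('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")

# Hypothetical keys for the first five options, in table order.
REQUIRED = {
    "no_restriction": set(),
    "alpha_numeric": {"alpha", "digit"},            # the default setting
    "alpha_numeric_special": {"alpha", "digit", "special"},
    "upper_lower_numeric": {"digit", "upper", "lower"},
    "upper_lower_numeric_special": {"digit", "upper", "lower", "special"},
}
# Sixth option: any three of these four classes.
THREE_OF = {"digit", "upper", "lower", "special"}
ALL_POLICIES = list(REQUIRED) + ["three_of_four"]


def classes_present(password):
    """Return the character classes that occur in the password."""
    found = set()
    for ch in password:
        if ch in UPPER:
            found |= {"alpha", "upper"}
        elif ch in LOWER:
            found |= {"alpha", "lower"}
        elif ch in DIGITS:
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        # Anything else (spaces, non-ASCII) counts toward length only;
        # how the product treats such characters is not stated in the table.
    return found


def violations(password, policy, min_length=8):
    """Return the unmet requirements; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    found = classes_present(password)
    if policy == "three_of_four":
        have = found & THREE_OF
        if len(have) < 3:
            problems.append(f"only {len(have)} of 4 character classes present")
    else:
        for missing in sorted(REQUIRED[policy] - found):
            problems.append(f"missing {missing} character")
    return problems


def accepting_policies(password, min_length=8):
    """List every option, in table order, that would accept the password."""
    return [p for p in ALL_POLICIES if not violations(password, p, min_length)]


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("12345678", "password1", "Summer2023", "Summer#2023", "aB3!"):
        print(f"{sample!r}: {accepting_policies(sample) or 'rejected by every option'}")
```

Running it shows that a season-and-year password such as the constructed `Summer2023` satisfies the default option and the 3-of-4 option, and is rejected only by the options that require a special character.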
SEE ALSO:
View and Edit Password Policies in Profiles
Permission Sets
A permission set is a collection of settings and permissions that give users access to various tools and functions. Permission sets extend users’ functional access without changing their profiles and are the recommended way to manage your users’ permissions.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Users can have only one profile but, depending on the Salesforce edition, they can have multiple permission sets. You can assign permission sets to various types of users, regardless of their profiles.
Create permission sets to grant access for a specific job or task, regardless of the primary job function or title of the users they’re assigned to. For example, let’s say you have several users who must delete and transfer leads. You can create a permission set based on the tasks that these users must perform and include the permission set within permission set groups based on the users’ job functions.
If a permission isn’t enabled in a profile but is enabled in a permission set, users with that profile and permission set have the permission. For example, if Manage Password Policies isn’t enabled in a user’s profile but is enabled in one of their permission sets, they can manage password policies.
A permission set's overview page provides an entry point for all of the permissions in a permission set. To open a permission set overview
page, from Setup, enter Permission Sets in the Quick Find box, then select Permission Sets and select the permission
set you want to view.
• To set field-level security on permission sets instead of profiles, enable Field-Level Security for Permission Sets During Field
Creation.
• To set assignments to end on a specific date, enable Permission Set & Permission Set Group Assignments with Expiration
Dates. For short-term tasks or projects with a fixed end date, you can limit user permissions to match and save time cleaning up
your users’ access after the work ends.
Example: You’re setting up access for your IT Help Desk team. This team views and edits accounts and contacts and creates,
views, and edits cases. The team also creates and manages reports. Assign all members on this team the Minimum Access -
Salesforce profile. To configure the permissions required to complete these tasks, create these permission sets.
• View and Edit Accounts, which includes read and edit permissions for accounts. You also set the account field permissions so
that the team can view and edit the fields required for their work.
• View and Edit Contacts, which includes read and edit permissions for contacts. You also set the contact field permissions so
that the team can view and edit the fields required for their work.
• Create, View, and Edit Cases, which includes create, read, and edit permissions for cases. You also set the case field permissions
so that the team can view and edit the fields required for their work.
• Create and Manage Reports, which includes the Create and Customize Reports, Report Builder, and Run Reports permissions.
Then you add all four permission sets to a new permission set group named IT Help Desk Team Member. If other personas on
other teams perform the same tasks, you can reuse these permission sets in different permission set groups designated for these
users.
Before you assign users to the permission set group, you review the fields visible via the included permission set. You realize that
you don’t want this team to see the Account Revenue field on account records. But you don’t want to remove the read access for
this field from the View and Edit Accounts permission set because other personas who are assigned this permission set through
other permission set groups still need this field. You create a muting permission set in the IT Help Desk Team Member permission
set group.
Your company is making some changes, so you expect higher than usual cases for a few weeks and want more users to assist the
IT Help Desk team during this time. You assign these users the IT Help Desk Team Member permission set group as well, but you
set an expiration date for the assignment. After the expiration date, these users are automatically unassigned from the permission
set group and no longer have the included permissions.
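The IT Help Desk scenario above, modeled as an added Python example that is not Salesforce code: permissions add up across a profile and active assignments, a muting permission set removes a permission only inside its own group, and an assignment stops counting after its expiration date. The permission labels, the second group, the users and the dates are constructed, and treating the expiration date itself as still active is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class PermissionSetGroup:
    name: str
    permission_sets: dict              # permission set name -> set of labels
    muted: set = field(default_factory=set)

    def permissions(self):
        """Union of the included sets, minus what this group's muting set disables."""
        combined = set()
        for perms in self.permission_sets.values():
            combined |= perms
        return combined - self.muted


@dataclass
class Assignment:
    group: PermissionSetGroup
    expires: Optional[date] = None     # None means no expiration date

    def active(self, today):
        # Assumption: the assignment still counts on the expiration date itself.
        return self.expires is None or today <= self.expires


def effective_permissions(profile_permissions, assignments, today):
    """Profile permissions plus every active group assignment (access is additive)."""
    result = set(profile_permissions)
    for assignment in assignments:
        if assignment.active(today):
            result |= assignment.group.permissions()
    return result


def who_can(permission, users, today):
    """Names of users whose effective permissions include the given label."""
    return sorted(
        name for name, (profile, assignments) in users.items()
        if permission in effective_permissions(profile, assignments, today)
    )


# Constructed permission labels for the permission sets named in the example.
VIEW_EDIT_ACCOUNTS = {"Account:read", "Account:edit", "Account.Revenue:read"}
VIEW_EDIT_CONTACTS = {"Contact:read", "Contact:edit"}
CASES = {"Case:create", "Case:read", "Case:edit"}
REPORTS = {"Create and Customize Reports", "Report Builder", "Run Reports"}
MINIMUM_ACCESS = set()   # stand-in; the profile's contents are not listed on the page

HELP_DESK = PermissionSetGroup(
    "IT Help Desk Team Member",
    {"View and Edit Accounts": VIEW_EDIT_ACCOUNTS,
     "View and Edit Contacts": VIEW_EDIT_CONTACTS,
     "Create, View, and Edit Cases": CASES,
     "Create and Manage Reports": REPORTS},
    muted={"Account.Revenue:read"},
)
# Hypothetical second group that reuses View and Edit Accounts without muting.
OTHER_TEAM = PermissionSetGroup(
    "Other Team", {"View and Edit Accounts": VIEW_EDIT_ACCOUNTS})

USERS = {
    "help_desk_member": (MINIMUM_ACCESS, [Assignment(HELP_DESK)]),
    "temporary_helper": (MINIMUM_ACCESS,
                         [Assignment(HELP_DESK, expires=date(2023, 9, 30))]),
    "other_team_member": (MINIMUM_ACCESS, [Assignment(OTHER_TEAM)]),
    # Assumption: muting in one group does not remove access granted by another.
    "member_of_both": (MINIMUM_ACCESS,
                       [Assignment(HELP_DESK), Assignment(OTHER_TEAM)]),
}

if __name__ == "__main__":
    for day in (date(2023, 9, 1), date(2023, 10, 1)):
        print(day, "Case:edit ->", who_can("Case:edit", USERS, day))
        print(day, "Account.Revenue:read ->",
              who_can("Account.Revenue:read", USERS, day))
```

The `member_of_both` row is the one to look for in an access review: a muted permission comes back when the same permission set reaches the user through a second group.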
5. Add the required permissions and settings to the permission set. For more information, see App and System Settings in Permission
Sets in Salesforce Help.
Example: You have several Sales Users who are currently allowed to read, create, and edit leads. But you need some users to
also delete and transfer leads. You create a new permission set for this specific task. Under Object Settings, select Leads and enable
delete. Under App Permissions, find and enable the Transfer Leads permission. Assign the permission set to users who need these
permissions.
SEE ALSO:
Permission Sets
Standard Permission Sets
Create a Permission Set Associated with a Permission Set License
Permission Set Licenses
Permission Set Groups
Note: Some permissions require users to have a permission set license before you can grant the permissions. For example, if you add the Use Identity Connect user permission to the Identity permission set, you can assign only users with the Identity Connect permission set license to the permission set.
1. From Setup, in the Quick Find box, enter Users, and then select Users.
2. Select a user.
3. In the Permission Set Assignments related list, click Edit Assignments.
4. To assign a permission set, select it under Available Permission Sets and click Add. To remove a permission set assignment, select it under Enabled Permission Sets and click Remove.
5. Click Save.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Custom Permission Set | Created by administrators based on tasks that users perform. | Users who perform the same tasks but have different job functions. For example, sometimes users who create and edit contracts are in separate departments. Create a permission set for the tasks, and then include the permission set in appropriate permission set groups based on job functions.
Integration Permission Set | Offered by Salesforce for specific integrations. Only certain permission types can be modified by your org. The editability is based on the specific integration’s use case. | You connect to the cloud to exchange data with integration partners. Integration permission sets define the scope of data access by Salesforce integration-related features and services. Depending on the integration features, integration permission sets can:
• be predefined by Salesforce but aren’t editable by your org.
• have no initial permissions and be fully controlled by your org.
• come with on-premises permissions but can be modified by you.
Standard Permission Set | Includes common permissions for a feature associated with a permission set license. Using standard instead of custom permission sets saves time and facilitates administration. | Users who require permissions for a permission set license.
SEE ALSO:
Permission Sets
Standard permission sets don’t count against your org’s permission set limits. You can clone a standard permission set as many times
as you want, but you can’t edit it. Clones do count against your org’s permission set limits.
Example: Let’s say you purchased 10 Sales Console User permission set licenses. You can do any of the following.
• Assign all 10 users to the Salesforce Console User permission set.
• Assign some of the users to the Salesforce Console User permission set, and assign the remainder to a clone of Salesforce
Console User.
• Clone the Salesforce Console User permission set and assign different users to each clone, based on your org’s structure.
System Settings
Some system functions apply to an organization and not to any single app. For example, “View Setup and Configuration” allows users
to view setup and administrative settings pages. Other system functions apply to all apps. For example, the “Run Reports” and “Manage
Dashboards” permissions allow managers to create and manage reports in all apps. In some cases, such as with “Modify All Data,” a
permission applies to all apps, but also includes non-app functions, like the ability to download the Data Loader.
SEE ALSO:
Permission Sets
Available in: Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Or perhaps you have a web application that accesses confidential information. For security reasons, you want to limit user access to a predetermined length of time. You can create a session-based permission set that activates only when users authenticate into your environment using a token. When the token expires, the user must reauthenticate to access the application again.

You can also use session-based permission sets in Flow Builder. For example, you have a junior buyer in your org who occasionally requires access to your Contracts object. Create a session-based permission set with access to the object, and then create a flow that uses the Activate Session-Based Permission Set action available in Flow Builder. In the flow, pass the permission name to the action. During runtime, the action checks who’s running the flow. When the flow runs, the activation process fires. After the flow completes, the buyer has access to the Contracts object for the current session.
To activate session-based permission sets via REST API or SOAP API, see the SessionPermSetActivation object in the Object Reference.
You need the Manage Session Permission Set Activation permission.
Before assigning session-based permission sets to users, ensure that they can meet the conditions of the permission set. For example,
grant user access to appropriate tools, such as authenticators. As a best practice, inform users of the conditions in which they can access
certain applications and tools. User assignment information appears on the user detail page in a related list called Permission Set
Assignments: Activation Required.
Tip: When you create your permission set list view, select columns to include Session Activation Required to view which
permission sets are session-based.
SEE ALSO:
Permission Sets
Create a Flow That Can Activate or Deactivate a Session-Based Permission Set
Tip: Make sure that users who run your flow have the Run Flows permission.
When the flow activates the session-based permission set, the running user obtains access to the permissions specified in your permission
set during the current user session. If the flow deactivates the session-based permission set, the permissions are no longer available to
the user.
SEE ALSO:
Permission Sets
What Are Session-Based Permission Sets?
Flow Core Action: Activate Session-Based Permission Set
Flow Core Action: Deactivate Session-Based Permission Set
If the child entity has these permissions | These permissions are enabled on the parent entity
Modify All OR View All | View All
Profiles
In API version 25.0 and later, every profile is automatically associated with a permission set, whether you explicitly assign it to one
or not. This permission set stores the profile’s user, object, and field permissions, plus setup entity access settings. You can query on
these profile-owned permission sets but not modify them. They’re not visible in the user interface.
User license restrictions
Some user licenses restrict the number of custom apps or tabs that a user can access. In this case, you can assign only the allotted
number through the user’s assigned profile and permission sets. For example, a user with the App Subscription user license with
access to one Light App can access only that app’s custom tabs.
SEE ALSO:
Permission Set Groups
How Is Record Type Access Specified?
Object Permissions
Salesforce Features and Edition Allocations
USER PERMISSIONS
To search permission sets:
• View Setup and Configuration

Objects | Object name | Let’s say you have an Albums custom object. Type albu, then select Albums.
• Fields • Record types | Parent object name | Let’s say your Albums object contains a Description field. To find the Description field for albums, type albu, select Albums, and scroll down to Description under Field Permissions.
App and system permissions | Permission name | Type api, then select API Enabled.
All other categories | Category name | To find Apex class access settings, type apex, then select Apex Class Access. To find custom permissions, type cust, then select Custom Permissions. And so on.
If you don’t get any results, don’t worry. Here are some tips that can help:
• Check if the search term has at least three consecutive characters that match the object, setting, or permission name.
• The permission, object, or setting you're searching for might not be available in the current Salesforce org.
• The item you’re searching for might not be available for the user license that’s associated with the current permission set. For example,
a permission set with the Standard Platform User license doesn’t include the “Modify All Data” permission.
• The permission set license associated with the permission set doesn’t include the object, setting, or permission name you’re searching
for.
SEE ALSO:
Permission Sets
This chart includes examples of what happens when users create records with different combinations of record type assignments.
Record Type Assigned on Profile | Custom Record Types in Permission Set (or Permission Set Group) Assigned | What Happens When a User Creates a Record
--Master-- | None | The new record is associated with the Master record type.
When working with record type assignments, keep the following considerations in mind:
• Page layout assignments are specified in profiles only, not in permission sets. When a permission set specifies a custom record type,
users with that permission set get the page layout assignment that’s specified for that record type in their profile. In profiles, page
layout assignments are specified for every record type, even when record types aren’t assigned.
• Lead conversion default record types are specified in a user’s profile for the converted records. During lead conversion, the display
of the user's available record types is unsorted.
• Record type assignment on a user’s profile or permission set (or permission set group) doesn’t determine whether a user can view
a record with that record type. The record type assignment simply specifies that the user can use that record type when creating or
editing a record.
SEE ALSO:
Assign Record Types and Page Layouts in the Enhanced Profile User Interface
Assign Record Types to Profiles in the Original Profile User Interface
Assign Custom Record Types in Permission Sets
Assign Page Layouts in the Original Profile User Interface
Set Record Type Preferences
USER PERMISSIONS
To enable custom permissions in permission sets:
• Manage Profiles and Permission Sets
With permission set groups, you create a single group based on the tasks that your sales
employees regularly perform. You can call it Sales Staff Users. Then, assign the group to the
sales employees. The permission set group contains the combined permissions of all three
permission sets.
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

USER PERMISSIONS
To assign permission sets:
• Assign Permission Sets

1. From Setup, in the Quick Find box, enter Permission Set Groups, and then select Permission Set Groups. Click the permission set group name in the list view.
2. Click Manage Assignments and then Add Assignments.
3. Select each user to whom you want to assign the group, and then click Next.
4. Optionally, select an expiration date for the user assignment to expire. For more information, see Permission Set and Permission Set Group Assignment Expiration in Salesforce Help.
5. Click Assign. When the update is complete, the permission set group status changes to Updated.

You can also remove permission set group assignments from the Manage Assignments page.
Instead of creating another permission set, create a muting permission set. Mute Delete on
Accounts and Opportunities, and assigned group users no longer have the permission for
these objects. However, users assigned to the permission set outside of the group retain
the ability to delete on the objects. You can add up to one muting permission set per permission
set group.
8. A confirmation message displays. Review your changes and click Save or Cancel.
SEE ALSO:
Permission Set Groups
Permission Set Group Muting Dependencies
Example: The Sales Staff Users permission set group contains three permission sets and a muting permission set. The muting
permission set mutes Delete on Accounts and Opportunities.
When you mute Delete on an object, Modify All is automatically muted (even if you didn’t enable it for that object). Modify All becomes
disabled because it depends on full object access, which is no longer available when you mute Delete.
Similarly, if you mute Read on the object, then Create, Edit, Delete, View All, and Modify All are muted. If you can’t read object data, then
you can’t perform actions such as delete on it.
Example: Let’s examine how the object changes that you make can affect a user permission. Say that one of the permission sets
in your group enables the Activate Orders user permission. Because Activate Orders requires Edit and Read permissions on the
Orders object, these object permissions are enabled when you enable Activate Orders.
However, let’s say that users in the group no longer need Edit on the Orders object. When you mute Edit, notice that the permission
set group no longer grants the Activate Orders user permission either, even though you didn’t mute it. And, group users can no
longer delete orders. Because both Activate Orders and Delete depend on Edit, these permissions are automatically muted.
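The muting dependencies described above can be modeled as a small graph walk. This is an added example, not Salesforce code: the dependency map contains only the relationships stated on this page, and the permission set names, sample grants, and function names are hypothetical.

```python
from collections import deque

# Dependencies stated in the examples on this page; not a complete Salesforce list.
# An object permission (key) requires each permission in its value set on the same object.
OBJECT_REQUIRES = {
    "Create": {"Read"},
    "Edit": {"Read"},
    "Delete": {"Edit"},
    "View All": {"Read"},
    "Modify All": {"Delete"},
}
# A user permission (key) requires these (object, permission) pairs.
USER_PERM_REQUIRES = {"Activate Orders": {("Order", "Edit"), ("Order", "Read")}}


def expand_muted(muted):
    """Return the muted permissions plus everything that depends on them."""
    result = set(muted)
    queue = deque(result)
    while queue:
        item = queue.popleft()
        if isinstance(item, str):
            continue  # user permission: nothing on this page depends on one
        obj_name, perm = item
        dependents = {(obj_name, d) for d, needs in OBJECT_REQUIRES.items() if perm in needs}
        dependents |= {u for u, needs in USER_PERM_REQUIRES.items() if item in needs}
        for dep in dependents - result:
            result.add(dep)
            queue.append(dep)
    return result


def group_grants(permission_sets, muting):
    """Combined permissions of the group's permission sets, minus muted ones."""
    combined = set().union(*permission_sets.values())
    return combined - expand_muted(muting)


def user_grants(group, direct_sets=()):
    """Group permissions plus permission sets assigned to the user outside the group."""
    return set(group).union(*direct_sets)


def obj(name, *perms):
    return {(name, p) for p in perms}


# Constructed sample data: a group with three hypothetical permission sets.
SALES_STAFF_USERS = {
    "Sales_Base": obj("Account", "Read", "Create", "Edit", "Delete")
    | obj("Opportunity", "Read", "Create", "Edit", "Delete"),
    "Order_Desk": obj("Order", "Read", "Edit", "Delete") | {"Activate Orders"},
    "Survey_Creator": obj("Survey", "Read", "Create"),
}
# The muting permission set from the example: Delete on Accounts and Opportunities.
MUTING = obj("Account", "Delete") | obj("Opportunity", "Delete")

if __name__ == "__main__":
    group = group_grants(SALES_STAFF_USERS, MUTING)
    print("group can delete accounts:", ("Account", "Delete") in group)
    print("muting Edit on Order also mutes:",
          sorted(expand_muted({("Order", "Edit")}), key=str))
    direct = user_grants(group, [SALES_STAFF_USERS["Sales_Base"]])
    print("direct assignee can delete accounts:", ("Account", "Delete") in direct)
```

The last check is the one to watch in a review: muting only affects the group, so a user who also holds the underlying permission set directly keeps Delete.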
SEE ALSO:
Permission Set Groups
Mute a Permission in a Permission Set Group
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

Users assigned to the permission set group retain the combined permissions available in the group as of the last completed calculation.

Valid permission set group statuses and meanings:

Outdated | Changes are captured and system is updating the permission set group | Unable to modify user assignments for the group | Allowed | Users assigned to the group don’t yet have the updated permissions.
Updating | The permission set group is recalculating because of recent changes to one or more of its permission sets. The recalculating process is quick, so you rarely see this status. | Not Allowed | Not Allowed | Users assigned to the group don’t yet have the updated permissions. When the recalculation is complete, the group status changes to Updated or Failed.
Failed | The permission set group recalculation failed. | Not Allowed | Allowed | Verify if a recent addition of a component to one of the permission sets in the permission set group is causing the failure. Remove the recently added component and see if the error persists. If your permission set group references a managed package component, and the managed package gets into an inactive state, the permission set group fails recalculation. If you use managed packages, verify that they aren’t expired. While a permission set group is in a failed state, changes aren’t propagated to the combined permission page. Users assigned to the group don’t have updated permissions.
SEE ALSO:
Permission Set Groups
SEE ALSO:
What Are Session-Based Permission Set Groups?
Create Session-Based Permission Set Groups
Allow Users to Activate or Deactivate a Session-Based Permission Set Group
Important: If you include a regular permission set in your session-based permission set group, the permission set group makes
the permission set session-based. Users assigned to the permission set group have access to the permission set for the duration
of the session. If a user is separately assigned permissions from a different permission set, those permissions remain effective for
that user, even when the permission set group session ends. For example, you assign a session-based permission set group that
contains View All Data. The user is assigned View All Data from a separate permission set outside the session-based permission
set group. When the session ends for the permission set group, the user still has the View All Data permission from the regular
permission set.
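The overlap described in the Important note can be checked before it weakens a session-gated grant. This added example is not Salesforce code: it models assignments as constructed Python data, and the user names, permission set names, and function names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PermissionSet:
    name: str
    permissions: frozenset
    session_required: bool = False  # Session Activation Required on the set itself


@dataclass(frozen=True)
class PermissionSetGroup:
    name: str
    members: tuple  # PermissionSet objects bundled in the group
    session_required: bool = False

    def permissions(self):
        return frozenset().union(*(m.permissions for m in self.members))


@dataclass
class User:
    name: str
    permission_sets: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def persistent_grants(user):
    """Map each permission to the sources that grant it with no session activation."""
    sources = {}
    for ps in user.permission_sets:
        if not ps.session_required:
            for perm in ps.permissions:
                sources.setdefault(perm, []).append(ps.name)
    for group in user.groups:
        if not group.session_required:
            for perm in group.permissions():
                sources.setdefault(perm, []).append(group.name)
    return sources


def effective(user, active_sessions=()):
    """Permissions in force given the session-based sets or groups currently activated."""
    perms = set(persistent_grants(user))
    for ps in user.permission_sets:
        if ps.session_required and ps.name in active_sessions:
            perms |= ps.permissions
    for group in user.groups:
        # Regular permission sets inside a session-based group are session-based there.
        if group.session_required and group.name in active_sessions:
            perms |= group.permissions()
    return perms


def ungated(user):
    """Findings: (permission, session-based source, persistent sources that bypass it)."""
    always = persistent_grants(user)
    gated = [(g.name, g.permissions()) for g in user.groups if g.session_required]
    gated += [(p.name, p.permissions) for p in user.permission_sets if p.session_required]
    findings = []
    for source, perms in gated:
        for perm in sorted(perms & set(always)):
            findings.append((perm, source, always[perm]))
    return findings


# Constructed sample data.
VIEW_ALL = PermissionSet("Audit_View_All", frozenset({"View All Data"}))
DASHBOARDS = PermissionSet("Audit_Dashboards", frozenset({"Manage Dashboards"}))
ELEVATED = PermissionSetGroup("Elevated_Audit_Session", (VIEW_ALL, DASHBOARDS),
                              session_required=True)
LEGACY = PermissionSet("Legacy_Support", frozenset({"View All Data", "Run Reports"}))

ALICE = User("alice", groups=[ELEVATED])                            # gated only
BOB = User("bob", permission_sets=[LEGACY], groups=[ELEVATED])     # also holds a regular set

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.name, "after session ends:", sorted(effective(user)))
        for finding in ungated(user):
            print("  not gated:", finding)
```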
Available in: Professional, Enterprise, Performance, Unlimited, and Developer editions

USER PERMISSIONS
To create permission sets:
• Manage Profiles and Permission Sets
To assign permission sets:
• Assign Permission Sets
To create a permission set group:
• Manage Profiles and Permission Sets

1. Create a permission set group and make sure to select Session Activation Required.
2. Assign permission sets to the permission set group.
If you include a regular permission set in your session-based permission set group, the permission set group makes the permission set session-based. Users assigned to the permission set group have access to the permission set for the duration of the session.
3. Assign the permission set group to users.
Before assigning session-based permission set groups to users, ensure that they can meet the conditions of the permission sets in the permission set group.

The session-based permission set group isn’t in effect until a session is activated for it. To activate a session, provide a value for the PermissionSetGroupId field on the SessionPermSetActivation SOAP API. Or, you can create a flow that activates and deactivates the session-based permission set group.
When the flow activates the session-based permission set group, the running user obtains access to the permissions specified in your
permission set group during the current user session. If the flow deactivates the session-based permission set group, the permissions
are no longer available to the user.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

When Do I Use a Permission Set Group Instead of a Permission Set?
Can I Assign a User to a Permission Set Group That Has Permissions from a Permission Set License?
Can I Include a Session-Based Permission Set in a Permission Set Group?

When Do I Use a Permission Set Group Instead of a Permission Set?
Use a permission set group to bundle permission sets based on logical user groups and the tasks users perform. For example, you can group three permission sets together for users in a sales org: Sales Cloud Einstein, Survey Creator, and a permission set based on the Standard User profile. Assign the single group to your users instead of the three different permission sets.
Partners can organize permissions into groups and include them in managed packages. Upgrade the package with updated permissions
when needed. Partners can still allow subscriber administrators to extend the groups without creating more permission sets.
Can I Assign a User to a Permission Set Group That Has Permissions from a Permission Set License?
Yes. Let's say you have a group that contains the Sales Cloud Einstein and the Survey Creator permission sets. Ensure that the users
assigned to the group are also assigned the associated permission set licenses. If you try to assign a group to a user who doesn’t have
a license needed for the permissions in the group, you receive an assignment error.
After setting these items, confirm users’ access to specific fields using the field accessibility grid.
SEE ALSO:
Modifying Field Access Settings
To verify field accessibility by a specific profile, record type, or field, from Setup, enter Field Accessibility in the Quick Find box, then select Field Accessibility. From this page, choose a particular tab to view and then select whether you want to check access by profiles, record types, or fields.

Note: In this user interface, you can’t check access for permission sets.

USER PERMISSIONS
To view field accessibility:
• View Setup and Configuration
SEE ALSO:
What Determines Field Access?
SEE ALSO:
What Determines Field Access?
Field-Level Security
Field-level security settings let you restrict users' access to view and edit specific fields.

EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Note: Who Sees What: Field-Level Security (English only)
Watch how you can restrict access to specific fields on a profile-by-profile basis.

Your Salesforce org contains lots of data, but you probably don’t want every field accessible to everyone. For example, your payroll manager probably wants to keep salary fields accessible only to select employees. You can restrict user access in:
• Detail and edit pages
• Related lists
• List views
• Reports
• Connect Offline
Tip: Use field-level security to restrict users' access to fields, and then use page layouts to organize detail and edit pages within
tabs. This approach reduces the number of page layouts for you to maintain.
Note: Roll-up summary and formula fields are read-only on detail pages and not available on edit pages. They can also be visible
to users even though they reference fields that your users can’t see. Einstein Insights can also be visible to the user even though
the insight references fields that your users can’t see. Universally required fields appear on edit pages regardless of field-level
security.
The relationship group wizard allows you to create and edit relationship groups regardless of field-level security.
SEE ALSO:
Create Custom Fields
Enable Field-Level Security for Permission Sets during Field Creation
What Is a Group?
A group consists of a set of users. A group can contain individual users, other groups, or the users in a particular role or territory. It can also contain the users in a particular role or territory plus all the users below that role or territory in the hierarchy.

EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

There are two types of groups.
Public groups
Administrators and delegated administrators can create public groups. Everyone in the organization can use public groups. For example, an administrator can create a group for an employee carpool program. All employees can then use this group to share records about the program.
Personal groups
Each user can create groups for their personal use. For example, users might need to ensure that certain records are always shared within a specified workgroup.
Tip: Permission set groups consist of permission sets rather than users. Permission set groups bundle permission sets based on
job functions or tasks. To learn more about permission set groups and why you use them, see Permission Set Groups.
You can use groups in the following ways.
• To set up default sharing access via a sharing rule
• To share your records with other users
• To specify that you want to synchronize contacts owned by other users
• To add multiple users to a Salesforce CRM Content library
SEE ALSO:
Group Member Types
Create and Edit Groups
Viewing Group Lists
Sharing Records with Manager Groups
Public Group Considerations
SEE ALSO:
What Is a Group?
USER PERMISSIONS
To create or edit a public group:
• Manage Users
To create or edit another user’s personal group:
• Manage Users

Portal Roles
All roles defined for your organization’s site or portal. This includes all users in the specified role, except high-volume users.
Note: A site or portal role name includes the name of the account that it’s associated with, except for person accounts, which include the user Alias.

Portal Roles and Subordinates
All roles defined for your organization’s site or portal. This includes all of the users in the specified role plus all of the users below that role in the site or portal role hierarchy, except for high-volume users.

Roles and Internal Subordinates
Adding a role and its subordinate roles includes all of the users in that role plus all of the users in roles below that role. This doesn't include site or portal roles or users.

Roles, Internal and Portal Subordinates
Adding a role and its subordinate roles includes all of the users in that role plus all of the users in roles below that role. This is only available when Salesforce Experiences or portals are enabled for your organization. This includes site and portal users.

Users
All users in your organization. This doesn't include site or portal users.
SEE ALSO:
What Is a Group?
Sharing Records with Manager Groups
2. Click New, or click Edit next to the group you want to edit.
3. Enter this information:

Grant Access Using Hierarchies (public groups only)
To allow automatic access to records using your role hierarchies, select Grant Access Using Hierarchies. When selected, any records shared with users in this group are also shared with users higher in the hierarchy.
Deselect Grant Access Using Hierarchies if you’re creating a public group with All Internal Users as members, which optimizes performance for sharing records with groups.

Selected Members
Select members from the Available Members box, and click Add to add them to the group.
If your group contains more than 10,000 members, for improved performance, adjust group membership using the GroupMember API object instead of the group's detail page in Setup.

Selected Delegated Groups
In this list, specify any delegated administration groups whose members can add or remove members from this public group. Select groups from the Available Delegated Groups box, and then click Add. This list appears only in public groups.
Note: When you edit groups, roles, and territories, sharing rules are recalculated to add or remove access as needed.
SEE ALSO:
What Is a Group?
You can also view the public groups that a user is a member of. From Setup, in the Quick Find box, enter Users, then select Users and
select the user. In the Public Group Membership related list, you can:
SEE ALSO:
What Is a Group?
Every user has two manager groups—Managers Group (1) and Manager Subordinates Group (2)— where Managers Group includes a
user’s direct and indirect managers, and Manager Subordinates Group includes a user and the user’s direct and indirect reports. On a
sharing rule Setup page, these groups are available on the Share with dropdown list.
To find out who a user’s manager is, from Setup, in the Quick Find box, enter Users, then select Users. Click a user’s name. The
Manager field on the user detail page displays the user’s manager.
To enable users to share records with the manager groups, follow these steps.
1. From Setup, in the Quick Find box, enter Sharing Settings, then select Sharing Settings.
Note: You can’t disable manager groups if your organization uses WDC or has any sharing rules that use manager groups.
With manager groups, you can share records to these groups via manual sharing, sharing rules, and Apex managed sharing. Apex sharing
reasons aren’t supported. For Apex managed sharing, include the row cause ID, record ID, and the manager group ID. For more information,
see the Lightning Platform Apex Code Developer's Guide.
Inactive users remain in the groups of which they’re members, but all relevant sharing rules and manual sharing are retained in the
groups.
Note: If your organization has User Sharing enabled, you can’t see the users whom you don’t have access to. Additionally, a
querying user who doesn’t have access to another user can’t query that user’s groups.
Example: You might have a custom object for performance reviews whose organization-wide default is set to Private. After
deselecting the Grant Access Using Hierarchies checkbox, only the employee who owns the review record can
view and edit it. To share the reviews up the management chain, administrators can create a sharing rule that shares to a user’s
Managers Group. Alternatively, the employee can share the review record with the user’s Managers Group by using manual sharing.
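The performance review scenario above, worked through as an added Python model (not Salesforce code). It derives both manager groups from the Manager field and evaluates record access under a Private default with Grant Access Using Hierarchies deselected; the user names, the `shares` structure, and the function names are hypothetical.

```python
LEVELS = ["None", "Read", "Edit"]  # ordered weakest to strongest
OWD_BASELINE = {"Private": "None", "Public Read Only": "Read", "Public Read/Write": "Edit"}


def managers_group(user, manager_of):
    """Direct and indirect managers of the user, following the Manager field."""
    chain, current = [], manager_of.get(user)
    # Stop at the top of the chain, or if bad data loops back on itself.
    while current is not None and current != user and current not in chain:
        chain.append(current)
        current = manager_of.get(current)
    return set(chain)


def manager_subordinates_group(user, manager_of):
    """The user plus the user's direct and indirect reports."""
    members, changed = {user}, True
    while changed:
        changed = False
        for report, manager in manager_of.items():
            if manager in members and report not in members:
                members.add(report)
                changed = True
    return members


def resolve_group(group, manager_of):
    kind, user = group
    if kind == "Managers Group":
        return managers_group(user, manager_of)
    if kind == "Manager Subordinates Group":
        return manager_subordinates_group(user, manager_of)
    raise ValueError(f"unknown group type: {kind}")


def record_access(user, record, owd, hierarchy_on, role_superiors, shares, manager_of):
    """Highest access level the user gets to the record from the mechanisms modeled here."""
    if user == record["owner"]:
        return "Edit"
    granted = [OWD_BASELINE[owd]]
    # Role hierarchy applies only while Grant Access Using Hierarchies is selected.
    if hierarchy_on and user in role_superiors.get(record["owner"], set()):
        granted.append("Edit")
    # Sharing rules and manual shares both extend access to a group.
    for share in shares:
        if share["owner"] == record["owner"] and user in resolve_group(share["group"], manager_of):
            granted.append(share["level"])
    return max(granted, key=LEVELS.index)


# Constructed sample data: Manager field values and one review record.
MANAGER_OF = {"dana": "lee", "lee": "priya", "sam": "priya", "priya": None}
ROLE_SUPERIORS = {"dana": {"lee", "priya"}}
REVIEW = {"id": "review-1", "owner": "dana"}
SHARE_UP = [{"owner": "dana", "group": ("Managers Group", "dana"), "level": "Read"}]

if __name__ == "__main__":
    for person in ("dana", "lee", "priya", "sam"):
        before = record_access(person, REVIEW, "Private", False, ROLE_SUPERIORS, [], MANAGER_OF)
        after = record_access(person, REVIEW, "Private", False, ROLE_SUPERIORS, SHARE_UP, MANAGER_OF)
        print(f"{person}: {before} -> {after}")
```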
SEE ALSO:
Sharing Settings
Sharing Rules
Sharing Rule Categories
Sharing Settings
In Salesforce, you can control access to data at many different levels. For example, you can control the access your users have to objects with object permissions. Within objects, you can control the access users have to fields using field-level security. To control access to data at the record level, use sharing settings and restriction rules.

EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Teams are not available in Database.com

Note: Who Sees What: Overview (English only)
Watch how you can control who sees what data in your organization.
There are several sharing mechanisms that you can use to configure record access for your users.
Organization-Wide Defaults
Your organization-wide default sharing settings give you a baseline level of access for each object. Organization-wide sharing settings
specify the default level of access that users have to each others’ records. For example, you can set the organization-wide default for
leads to Private if you only want users to view and edit the leads they own. Then, you can create lead sharing rules to extend access of
leads to particular users or groups.
Role Hierarchy
The role hierarchy automatically grants record access to users above the record owner in the hierarchy. You can control sharing access
using hierarchies for any custom object, but not standard objects.
Sharing Rules
Sharing rules represent the exceptions to your organization-wide default settings. They allow you to extend record access to users
regardless of their place in the role hierarchy. If you have organization-wide sharing defaults of Public Read Only or Private, you can
define rules that give additional users access to records they don’t own. You can create sharing rules based on record owner or field
values in the record.
Manual Sharing
Sometimes it’s impossible to define a consistent group of users who need access to a particular set of records. Record owners can use
manual sharing to give read and edit permissions to users who don’t have access any other way. Manual sharing isn’t automated like
organization-wide sharing settings, role hierarchies, or sharing rules. But it gives record owners the flexibility to share records with users
that must see them.
The record owner adds team members and specifies the level of access each team member has to the record, so that some team
members can have read-only access and others can have read/write access. The record owner can also specify a role for each team
member, such as “Executive Sponsor.” In account teams, team members also have access to any contacts, opportunities, and cases
associated with an account.
Note: A team member can have a higher level of access to a record for other reasons, such as a role or sharing rule. In this
case, the team member has the highest access level granted, regardless of the access level specified in the team.
Restriction Rules
When a restriction rule is applied to a user, the data that they had read access to via your sharing settings is further scoped to only
records matching the record criteria that you set. This behavior is similar to how you can filter results in a list view or report, except
that it’s permanent.
SEE ALSO:
Organization-Wide Sharing Defaults
Sharing Rules
Create a User Role
Sharing Considerations
Restriction Rules
Sharing Considerations
Learn how sharing models give users access to records they don’t own.

EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer editions

The sharing model is a complex relationship between role hierarchies, user permissions, sharing rules, and exceptions for certain situations. Review the following notes before setting your sharing model. For considerations on sharing rules specifically, see Sharing Rule Considerations.

Exceptions to Role Hierarchy-Based Sharing
Users can always view and edit all data owned by or shared with users below them in the role hierarchy. Exceptions to role hierarchy sharing include:
• Disabling the Grant Access Using Hierarchies setting in your organization-wide default settings allows you to ignore the hierarchies when determining access to data. You can only modify this setting for custom objects.
• Contacts that aren’t linked to an account are always private. Only the owner of the contact and administrators can view it. Contact
sharing rules don’t apply to private contacts.
• Notes and attachments marked as private via the Private checkbox are accessible only to the person who attached them and
to administrators.
• Events marked as private via the Private checkbox are accessible only by the event owner. Other users can’t see the event details
when viewing the event owner’s calendar. However, users with the “View All Data” or “Modify All Data” permission can see private
event details in reports and searches, or when viewing other users’ calendars.
• Users above a record owner in the role hierarchy can only view or edit the record owner’s records if they have the “Read” or “Edit”
object permission for the type of record.
• Visibility to users as a result of the Site User Visibility preference isn’t inherited through the role hierarchy. If a manager in the role
hierarchy isn’t a member of a site, but their subordinate is, the manager doesn’t gain access to other members of the site. This only
applies if Salesforce Experiences are enabled in your organization.
Deleting Records
• The ability to delete individual records is controlled by administrators, the record owner, users in a role hierarchy above the record
owner, and any user who has been granted “Full Access.”
• If the org-wide default is set to Public Read/Write/Transfer for cases or leads, only the record owner or administrator can delete the
record.
Account Sharing
• To restrict users' access to records they don’t own that are associated with accounts they do own, set the appropriate access level
on the role. For example, you can restrict a user's access to opportunities they don’t own yet are associated with accounts they do
own using the Opportunity Access option.
Apex Sharing
The organization-wide default settings can’t be changed from private to public for a custom object if Apex code uses the sharing entries
associated with that object. For example, if Apex code retrieves the users and groups who have sharing access on a custom object
Invoice__c (represented as Invoice__share in the code), you can’t change the object’s organization-wide sharing setting from
private to public.
Campaign Sharing
• In Professional, Enterprise, Unlimited, Performance, and Developer Editions, designate all users as Marketing Users when enabling
campaign sharing. This designation simplifies administration and troubleshooting because access can be controlled using sharing
and profiles.
• To segment visibility between business units while maintaining existing behavior within a business unit:
• When a single user, such as a regional marketing manager, owns multiple campaigns and must segment visibility between business
units, share campaigns individually instead of using sharing rules. Sharing rules apply to all campaigns owned by a user and don’t
allow segmenting visibility.
• Create all campaign sharing rules before changing your organization-wide default to reduce the effect the change has on your users.
• To share all campaigns in your organization with a group of users or a specific role, create a sharing rule that applies to campaigns
owned by members of the “Entire Organization” public group.
• Minimize the number of sharing rules by using the “Roles and Subordinates” option instead of choosing a specific role.
• If campaign hierarchy statistics are added to the page layout, a user can see aggregate data for a parent campaign and all the
campaigns below it in the hierarchy regardless of whether that user has sharing rights to a particular campaign within the hierarchy.
Therefore, consider your organization's campaign sharing settings when enabling campaign hierarchy statistics. If you don’t want
users to see aggregate hierarchy data, remove any or all of the campaign hierarchy statistics fields from the Campaign Hierarchy
related list. These fields are still available for reporting purposes.
• If the sharing model is set to Public Full Access for campaigns, any user can delete those types of records.
Contact Sharing
See: Business Contact Sharing for Orgs That Use Person Accounts
SEE ALSO:
Sharing Rules
Sharing Settings
Customize Who Has Access to Paused Flow Interviews
Note: If the Sharing Hierarchy or Sharing buttons don’t appear, the organization-wide sharing defaults may have been set to
Controlled by Parent or Public Read. Otherwise, only the record owner, an administrator, or a user above the owner in the role
hierarchy can see the Sharing Detail page.
Implicit access | Corresponds to the “Associated record owner or sharing” entry in the Reason column of the Sharing Detail page. The user may have access to a child record of an account (opportunity, case, or contact), which grants them Read access on that account. You can’t overwrite this access. For example, if the user has access to a case record, he or she has implicit Read access to the parent account record.
Organization-wide sharing default | Check if the defaults for the account object are set to Private. If it is, the user may have gained access via other methods listed here. It must be set to Private if at least one of your users shouldn’t see a record.
Role hierarchy | The user may have inherited Read access from a subordinate in the role hierarchy. You can’t override this behavior for non-custom objects. If the user who has access is on a different branch of the hierarchy from the account owner, check the sharing rules, account teams, and account territory.
Sharing rules | The user may have gotten access because he or she has been included in a relevant sharing rule. If the sharing rule uses public groups (or other categories such as roles) to grant access, check your public groups to see if the user has been included in the group.
Manual shares | The user may have gotten access through the Sharing button of the record. Only the record owner, an administrator, or a user above the owner in the role hierarchy can create or remove a manual share on the record.
Account Teams and Territory | The user may have been added to an Account Team by the account owner, an administrator, a user above the owner in the role hierarchy, or an account team member. If your organization uses territory management, check if the user who has access is higher in the territory hierarchy than the account owner. Managers gain
SEE ALSO:
Control Who Sees What
Financial Services Cloud Administrator Guide: Who Has Access to Account Records with Compliant Data Sharing?
Resolving Insufficient Privileges Errors
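The access reasons in the troubleshooting table above can be reasoned about as a small model when you need to explain why a user sees a record. The following Python sketch is an added example, not Salesforce code: the data layout, function names, and sample records (built around the Sara, Carol, and Tom scenario used elsewhere in this guide, plus a hypothetical user dana) are assumptions, and it covers only ownership, organization-wide defaults, role hierarchy, explicit shares, and implicit parent-account access.

```python
# Added example (a simplified model, not Salesforce code). Data layout,
# function names, and sample records are assumptions for illustration.

RANK = {"Read": 1, "Edit": 2}
OWD_LEVEL = {"Private": None, "Public Read Only": "Read", "Public Read/Write": "Edit"}


def roles_above(role, role_parent):
    """Yield each role above `role` in the role hierarchy."""
    seen = set()
    while role_parent.get(role) is not None and role not in seen:
        seen.add(role)
        role = role_parent[role]
        yield role


def access_reasons(user, record, org):
    """Return {reason: level} for every way `user` reaches `record`."""
    obj = record["object"]
    reasons = {}

    def add(reason, level):
        # Keep the highest level seen for each reason.
        if level and RANK[level] > RANK.get(reasons.get(reason), 0):
            reasons[reason] = level

    add("Organization-wide default", OWD_LEVEL[org["owd"].get(obj, "Private")])

    my_role = org["user_role"].get(user)
    hierarchy_on = org.get("grant_using_hierarchies", {}).get(obj, True)
    object_perm = org.get("object_perms", {}).get(user, {}).get(obj)
    grants = [(record["owner"], "Edit", "Owner")] + record.get("shares", [])
    for grantee, level, reason in grants:
        if grantee == user:
            add(reason, level)
        elif hierarchy_on and object_perm and my_role in roles_above(
                org["user_role"].get(grantee), org["role_parent"]):
            # Superiors inherit what subordinates own or were shared, capped
            # by the superior's own Read or Edit object permission.
            add("Role hierarchy", min(level, object_perm, key=RANK.get))

    # Implicit access: reaching a child record grants Read on the parent account.
    if obj == "Account":
        for child in record.get("children", []):
            if access_reasons(user, child, org):
                add("Associated record owner or sharing", "Read")
    return reasons


def effective_access(user, record, org):
    """Return (highest level granted or None, reasons behind it)."""
    reasons = access_reasons(user, record, org)
    return max(reasons.values(), key=RANK.get, default=None), reasons


# Constructed sample org and records.
ORG = {
    "owd": {"Account": "Private", "Case": "Private", "Invoice__c": "Private"},
    "role_parent": {"Western Sales": "VP Western Region Sales",
                    "VP Western Region Sales": None, "Support": None},
    "user_role": {"sara": "Western Sales", "tom": "Western Sales",
                  "carol": "VP Western Region Sales", "dana": "Support"},
    "object_perms": {"carol": {"Account": "Edit", "Invoice__c": "Edit"}},
    # Grant Access Using Hierarchies deselected for one custom object.
    "grant_using_hierarchies": {"Invoice__c": False},
}
CASE = {"object": "Case", "owner": "dana"}
ABC = {"object": "Account", "owner": "sara", "children": [CASE],
       "shares": [("tom", "Read", "Sharing rule"), ("tom", "Edit", "Account team")]}
INVOICE = {"object": "Invoice__c", "owner": "sara"}

if __name__ == "__main__":
    for who in ("sara", "tom", "carol", "dana"):
        print(who, effective_access(who, ABC, ORG))
    print("carol on invoice", effective_access("carol", INVOICE, ORG))
```

In the sample, tom ends up with Edit because the account team grant outranks the sharing rule, and carol loses access to the custom object record as soon as hierarchy-based access is turned off for it.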
Note: Who Sees What: Org-Wide Defaults (English only)
Watch how you can restrict access to records owned by other users.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To set default sharing access:
• Manage Sharing
1. From Setup, in the Quick Find box, enter Sharing Settings, then select Sharing Settings.
2. Click Edit in the Organization-Wide Defaults area.
3. For each object, select the default internal access that you want to use. For information on setting the default external access, see External Organization-Wide Defaults Overview.
4. To disable automatic access using your hierarchies for custom objects, deselect Grant Access Using Hierarchies. You can only deselect this setting for custom objects that don’t have a default access of Controlled by Parent. For more information, see Controlling Access Using Hierarchies in Salesforce Help.
When you update organization-wide defaults, sharing recalculation applies the access changes to your records. If you have a lot of data,
the update can take longer.
If you’re increasing the default access, such as from Public Read Only to Public Read/Write, your changes take effect immediately. All
users get access based on the updated default access. Sharing recalculation is then run asynchronously to ensure that all redundant
access from manual or sharing rules is removed. When the default access for contacts is Controlled by Parent and you increase the default
access for accounts, opportunities, or cases, the changes take effect after recalculation is run. If you’re decreasing the default access, such
as from Public Read/Write to Public Read Only, your changes take effect after recalculation is run.
You’ll receive a notification email when the recalculation completes. Refresh the Sharing Settings page to see your changes. To view the
update status, from Setup, in the Quick Find box, enter View Setup Audit Trail, then select View Setup Audit Trail.
The organization-wide sharing default setting can’t be changed for some objects:
• Service contracts are always Private.
• User provisioning requests are always Private.
• The ability to view or edit a document, report, or dashboard is based on a user’s access to the folder in which it’s stored.
• Users can view forecasts only of users and territories below them in the forecast hierarchy, unless forecast sharing is enabled.
• When a custom object is on the detail side of a master-detail relationship with a standard object, its organization-wide default is set
to Controlled by Parent and it is not editable.
• The organization-wide default settings can’t be changed from private to public for a custom object if Apex code uses the sharing
entries associated with that object. For example, if Apex code retrieves the users and groups who have sharing access on a custom
object Invoice__c (represented as Invoice__share in the code), you can’t change the object’s organization-wide sharing
setting from private to public.
Note: Also, if the default access for Account is set to Private, the default access for Opportunity and Case must be set to Private
as well. The default access for Contact must be set to Private or Controlled by Parent.
SEE ALSO:
Organization-Wide Default Access Settings
Organization-Wide Sharing Defaults
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
Note: The external access level for an object can’t be more permissive than the internal access level.
You can set external organization-wide defaults for these objects. Your org might have other objects whose external organization-wide defaults can be modified.
• Account
• Asset
• Case
• Campaign
• Contact
• Individual
• Lead
• Opportunity
• Order
• User
• Custom Objects
External organization-wide defaults aren’t available for some objects, but you can achieve the same behavior with sharing rules. Set the
default access to Private and create a sharing rule to share records with all internal users.
External users include:
• Authenticated website users
• Chatter external users
• Site users
• Customer Portal users
• High-volume Experience Cloud site users
• Partner Portal users
• Service Cloud Portal users
Note: Chatter external users have access to only the User object.
Guest users aren't considered external users. Guest users’ org-wide defaults are set to Private for all objects, and this access level can’t
be changed.
Learn more about external org-wide default settings in this video.
SEE ALSO:
Organization-Wide Sharing Defaults
Set Your External Organization-Wide Sharing Defaults
Organization-Wide Default Access Settings
Note: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To set default sharing access:
• Manage Sharing
Before you set the external organization-wide defaults, make sure that they’re enabled. From Setup, in the Quick Find box, enter Sharing Settings, then select Sharing Settings, and click the Enable External Sharing Model button. External organization-wide defaults are automatically enabled in all orgs created in Spring ’20 or after and in all orgs where Salesforce Experiences or portals are enabled.
Important: After it’s enabled, the External Sharing Model can't be disabled. You can still manually set Default External Access and Default Internal Access to the same access level for each object.
When you first enable external organization-wide defaults, the default internal access and default external access are set to the original default access level. For example, if your organization-wide default for contacts is Private, the default internal access and default external access are Private as well. To secure access to your objects, we recommend that you set your external organization-wide defaults to Private.
Private | Only users who are granted access by ownership, permissions, role hierarchy, manual sharing, or sharing rules can access the records.
Public Read Only | All users can view all records for the object.
Public Read/Write | All users can view and edit all records for the object.
Note: The default external access level must be more restrictive or equal to the default internal access level. For example, you
can have a custom object with default external access set to Private and default internal access set to Public Read Only.
4. Click Save.
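The constraints stated in these sections (external access no more permissive than internal, the dependency of Opportunity, Case, and Contact on a Private Account default, object-specific access levels, and the recommendation to keep external defaults Private) can be checked mechanically before you save changes. The following Python sketch is an added example, not Salesforce code: the input layout and the sample values are assumptions, standing in for settings transcribed from the Sharing Settings page.

```python
# Added example (not Salesforce code): audit organization-wide defaults (OWD)
# against the rules stated on this page. The input layout is an assumption.

# Ranked levels, most restrictive first. "Controlled by Parent" defers to the
# parent record, so it is left unranked and handled separately.
RANK = {
    "Private": 0,
    "Public Read Only": 1,
    "Public Read/Write": 2,
    "Public Read/Write/Transfer": 3,
    "Public Full Access": 4,
}
CONTROLLED = "Controlled by Parent"

# Levels the page limits to particular objects.
ONLY_FOR = {
    "Public Read/Write/Transfer": {"Case", "Lead"},
    "Public Full Access": {"Campaign"},
}

MSG_LEVEL = "access level is not available for this object"
MSG_EXT_GT_INT = "external default is more permissive than internal default"
MSG_EXT_NOT_PRIVATE = "external default is not Private (page recommends Private)"
MSG_ACCOUNT_PRIVATE = "default is too permissive while Account is Private"

# What each dependent object may be set to when Account is Private.
WHEN_ACCOUNT_PRIVATE = {
    "Opportunity": {"Private"},
    "Case": {"Private"},
    "Contact": {"Private", CONTROLLED},
}


def audit_owd(defaults):
    """Return sorted (object, finding) tuples for a mapping of
    object name -> {"internal": level, "external": level or None}."""
    findings = set()
    for obj, d in defaults.items():
        internal, external = d["internal"], d.get("external")
        for level in (internal, external):
            if level in ONLY_FOR and obj not in ONLY_FOR[level]:
                findings.add((obj, MSG_LEVEL))
        if external in RANK:
            if internal in RANK and RANK[external] > RANK[internal]:
                findings.add((obj, MSG_EXT_GT_INT))
            if external != "Private":
                findings.add((obj, MSG_EXT_NOT_PRIVATE))
    if defaults.get("Account", {}).get("internal") == "Private":
        for obj, allowed in WHEN_ACCOUNT_PRIVATE.items():
            level = defaults.get(obj, {}).get("internal")
            if level is not None and level not in allowed:
                findings.add((obj, MSG_ACCOUNT_PRIVATE))
    return sorted(findings)


# Constructed sample values, not taken from a real org.
SAMPLE = {
    "Account": {"internal": "Private", "external": "Private"},
    "Opportunity": {"internal": "Public Read Only", "external": "Public Read Only"},
    "Contact": {"internal": CONTROLLED, "external": CONTROLLED},
    "Case": {"internal": "Private", "external": "Public Read Only"},
    "Lead": {"internal": "Public Read/Write/Transfer", "external": "Private"},
    "Invoice__c": {"internal": "Public Read Only", "external": "Public Read/Write"},
}

if __name__ == "__main__":
    for obj, finding in audit_owd(SAMPLE):
        print(f"{obj}: {finding}")
```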
SEE ALSO:
External Organization-Wide Defaults Overview
Object | Default Internal Access | Default External Access (in orgs created before Spring ’20) | Default External Access (in orgs created after Spring ’20)
Calendar | Hide Details and Add Events | Hide Details and Add Events | Hide Details and Add Events
Opportunity | Public Read Only | Public Read Only | Private
SEE ALSO:
Organization-Wide Sharing Defaults
Set Your Internal Organization-Wide Sharing Defaults
To set default sharing access:
• Manage Sharing
Field | Description
Private | Only the record owner, and users above that role in the hierarchy, can view, edit, and report on those records.
Public Read Only | All users can view and report on records but not edit them. Only the owner, and users above that role in the hierarchy, can edit those records. For example, Sara is the owner of ABC Corp. Sara is also in the role Western Sales, reporting to Carol, who is in the role of VP of Western Region Sales. Sara and Carol have full read/write access to ABC Corp. Tom (another Western Sales Rep) can also view and report on ABC Corp, but can’t edit it.
Public Read/Write | All users can view, edit, and report on all records. For example, if Tom is the owner of Trident Inc., all other users can view, edit, and report on the Trident account. However, only Tom can alter the sharing settings or delete the Trident account.
Public Read/Write/Transfer | All users can view, edit, transfer, and report on all records. Only available for cases or leads. For example, if Alice is the owner of ACME case number 100, all other users can view, edit, transfer ownership, and report on that case. But only Alice can delete or change the sharing on case 100.
Public Full Access | All users can view, edit, transfer, delete, and report on all records. Only available for campaigns. For example, if Ben is the owner of a campaign, all other users can view, edit, transfer, or delete that campaign.
Note: To use cases effectively, set the organization-wide default for Account, Contact, Contract, and Asset to Public Read/Write.
Field | Description
Hide Details | Others can see whether the user is available at given times, but can’t see any other information about the nature of events in the user’s calendar.
Hide Details and Add Events | In addition to the sharing levels set by Hide Details, users can insert events in other users’ calendars.
Show Details | Users can see detailed information about events in other users’ calendars.
Show Details and Add Events | In addition to the sharing levels set by Show Details, users can insert events in other users’ calendars.
Full Access | Users can see detailed information about events in other users’ calendars, insert events in other users’ calendars, and edit existing events in other users’ calendars.
Note: Regardless of the organization-wide defaults that have been set for calendars, all users can invite all other users to events.
Field | Description
Use | All users can view price books and add them to opportunities. Users can add any product within that price book to an opportunity.
View Only | All users can view and report on price books but only users with the “Edit” permission on opportunities or users that have been manually granted use access to the price book can add them to opportunities.
No Access | Users can’t see price books or add them to opportunities. Use this access level in your organization-wide default if you want only selected users to access selected price books. Then, manually share the appropriate price books with the appropriate users.
Field | Description
Private | Only the activity owner, and users above the activity owner in the role hierarchy, can edit and delete the activity; users with read access to the record to which the activity is associated can view and report on the activity.
Controlled by Parent | A user can perform an action (such as view, edit, transfer, and delete) on an activity based on whether he or she can perform that same action on the records associated with the activity. For example, if a task is associated with the Acme account and the John Smith contact, then a user can only edit that task if he or she can also edit the Acme account and the John Smith record.
Field | Description
Private | All users have read access to their own user record and those below them in the role hierarchy.
Public Read Only | All users have read access on one another. You can see all users’ detail pages. You can also see all users in lookups, list views, ownership changes, user operations, and search.
SEE ALSO:
Set Your Internal Organization-Wide Sharing Defaults
Note: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms to avoid any effect on customer implementations.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Territories aren’t available in Database.com
USER PERMISSIONS
Beyond setting the organization-wide sharing defaults for each object, you can specify whether users have access to the data owned by or shared with their subordinates in the hierarchy. For example, the role hierarchy automatically grants record access to users above the record owner in the hierarchy. By default, the Grant Access Using Hierarchies option is enabled for most standard objects, and it can only be changed for custom objects.
To control sharing access using hierarchies for any custom object, from Setup, in the Quick Find box, enter Sharing Settings, then select Sharing Settings. Next, click Edit in the Organization Wide Defaults section. The Grant Access Using Hierarchies option is enabled for most standard objects, but not all of them. You can modify this option for custom objects by deselecting it.
• If the Grant Access Using Hierarchies option is deselected, users that are higher in the role or territory hierarchy don’t receive automatic access. But some users, such as those with the View All and Modify All object permissions and the View All Data and Modify All Data system permissions, can still access records that they don’t own.
• If you disable the Grant Access Using Hierarchies option, sharing with a role or territory and subordinates only shares
with the users directly associated with the role or territory selected. Users in roles or territories above them in the hierarchies don’t
gain access.
• If your organization disables the Grant Access Using Hierarchies option, activities that are associated with a custom
object are still visible to users above the activity’s assignee in the role hierarchy.
• If a master-detail relationship is broken by deleting the relationship, the former detail custom object's default setting is automatically
reverted to Public Read/Write and Grant Access Using Hierarchies is selected by default.
• The Grant Access Using Hierarchies option affects which users gain access to data when something is shared with
public groups, personal groups, queues, roles, or territories. For example, the View All Users option displays group members and
people above them in the hierarchies when a record is shared with them using a sharing rule or manual sharing and the Grant
Access Using Hierarchies option is selected. When the Grant Access Using Hierarchies option isn’t
selected, some users in these groups no longer have access. This list covers the access reasons that depend on the Grant Access
Using Hierarchies option.
These reasons always gain access:
Group Member
Queue Member
Role Member
Member of Subordinate Role
Territory Member
• When you deselect Grant Access Using Hierarchies, always notify users of the changes in report results that they
can expect due to losing visibility of their subordinates' data. For example, selecting My team's... in the View dropdown list returns
records owned by the user. It doesn’t include records owned by their subordinates. To be included in this type of report view, records
from subordinates must be explicitly shared with that user by some other means such as a sharing rule or a manual share. So if no
records are shared with you manually, the My... and My team's... options in the View dropdown list return the same results. But
choosing the Activities with... any custom object report type when creating a custom report returns activities assigned to you as
well as your subordinates in the role hierarchy.
• Record access granted to users via sharing sets isn’t extended to their superiors in the role hierarchy.
SEE ALSO:
Create a User Role
To view roles and role hierarchy:
• View Roles and Role Hierarchy
To create, edit, and delete roles:
• Manage Roles
To assign users to roles:
• Manage Internal Users
4. Add a Label for the role. The Role Name field autopopulates.
5. Specify who the role reports to. The field is already populated with the role name under which you added the new role, but you can also edit the value here.
6. Optionally, specify how the role name is displayed in reports. If the role name is long, consider using an abbreviation for reports.
7. Specify the role’s access to contacts, opportunities, and cases.
For example, you can set the contact access so that users in a role can edit all contacts associated with accounts that they own. This access applies regardless of who owns the contacts. And you can set the opportunity access so that users in a role can edit all opportunities associated with accounts that they own. This access also applies regardless of who owns the opportunities.
8. Click Save.
Portal user roles aren’t included on the role hierarchy setup page.
Note: After you share a folder with a role, it’s visible only to users in that role, not to superior roles in the hierarchy.
3. Make a selection from the dropdown list to show the available users.
4. Select a user on the left, and click Add to assign the user to this role.
5. Click Save.
Note: Removing a user from the Selected Users list deletes the role assignment for that user.
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To edit and delete roles:
• Manage Roles
To view users:
• View Setup and Configuration
To edit users:
• Manage Internal Users
• To view a user's details, click the user's full name, alias, or username.
When Active is selected, the user can log into Salesforce. Deactivated users, such as employees who are no longer with your company, can’t log in to Salesforce.
• To show a filtered list of items, select a predefined list from the View dropdown list, or click Create New View to define your own custom views. To edit or delete any view you created, select it from the View dropdown list and click Edit.
Note: When you edit groups, roles, and territories, sharing rules are recalculated to add or
remove access as needed.
SEE ALSO:
Sharing Considerations
• Don’t create individual roles for each title at your company. Instead, define a hierarchy of roles to control access of information
entered by users in lower-level roles.
• Create roles only for your current requirements. Don’t create temporary placeholder roles in anticipation of future needs.
• Don’t use reporting requirements to determine what hierarchy levels you need.
• When you change a user’s role, the sharing rules for the new role are applied.
• Salesforce Knowledge users can modify category visibility settings on the role detail page.
• When an account owner isn’t assigned a role, the sharing access for related contacts is Read/Write, provided the organization-wide
default for contacts isn’t Controlled by Parent. Sharing access on related opportunities and cases is No Access.
• If your organization uses Territory Management, forecasts are based on the territory hierarchy rather than the role hierarchy.
• To prevent disruptions, avoid changing the role hierarchy during business hours.
Performance
• To avoid performance issues, we recommend that no single user owns more than 10,000 records of an object. For users who must
own more than that number of objects, don't assign them a role or place them in a separate role at the top of the hierarchy. It’s also
important to keep that user out of public groups potentially used as the source for sharing rules.
• To improve performance, minimize the number of levels in your role hierarchy. Eliminate roles that aren't needed, and delete sharing
rules that grant access to records already shared via the role hierarchy.
Role Fields
The fields that comprise a role entry have specific purposes. Refer to this table for descriptions of each field and how it functions in a role.
The visibility of fields depends on your organization’s permissions and sharing settings.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
USER PERMISSIONS
To create or edit roles:
• Manage Roles
Field | Description
Case Access | Specifies whether users can access other users’ cases that are associated with accounts the users own. This field isn’t visible if your organization’s sharing model for cases is Public Read/Write.
Contact Access | Specifies whether users can access other users’ contacts that are associated with accounts the users own. This field isn’t visible if your organization’s sharing model for contacts is Public Read/Write or Controlled by Parent.
Label | The name used to refer to the role or title of position in any user interface pages, for example, Western Sales VP.
organization’s sharing model for opportunities is Public Read/Write.
Partner Role | Indicates whether this role is associated with a partner account. This field is available only when a customer or partner site or portal is enabled for the organization. If this checkbox is selected, you can’t edit the role. The default number of roles in site and portal accounts is three. You can reduce the number of roles or add roles to a maximum of three.
Role Name | The unique name used by the API and managed packages.
Role Name as displayed on reports | A role name that appears in reports. When editing a role, if the Role Name is long, you can enter an abbreviated name in this field.
Sharing Groups | These groups are automatically created and maintained. The Role group contains all users in this role plus all users in roles above this role. The Role and Subordinates group contains all users in this role plus all users in roles above and below this role in the hierarchy. The Role and Internal Subordinates group (available if Salesforce Experiences or portals are enabled for your organization) contains all users in this role. It also contains all users in roles above and below this role, excluding site and portal users.
This role reports to | The role above this role in the hierarchy.
SEE ALSO:
Create a User Role
USER PERMISSIONS
To view users:
• View Setup and
Configuration
To edit users:
• Manage Internal Users
Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
2. Scroll down to see the Managers in the Role Hierarchy related list.
SEE ALSO:
Personalize Your Salesforce Experience
Sharing Rules
Use sharing rules to extend sharing access to users in public groups, roles, or territories. Sharing rules give particular users greater access by making automatic exceptions to your org-wide sharing settings.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
See Sharing Rule Considerations for more information on availability.
Note: Who Sees What: Record Access via Sharing Rules (English only)
Watch how you can grant access to records using sharing rules.
Like role hierarchies, a sharing rule can never be stricter than your org-wide default settings. It simply allows greater access for particular users.
You can base a sharing rule on record ownership or other criteria. After you select which records to share, you define which groups or users to extend access to and what level of access they have.
Note: You can define up to 300 total sharing rules for each object, including up to 50 criteria-based or guest user sharing rules, if available for the object.
You can create these types of sharing rules. Your org could have other objects that are available for sharing rules.
Asset sharing rules | Asset owner or other criteria, including asset record types or field values | Individual assets
Campaign sharing rules | Campaign owner or other criteria, including campaign record types or field values | Individual campaigns
Case sharing rules | Case owner or other criteria, including case record types or field values | Individual cases and associated accounts
Contact sharing rules | Contact owner or other criteria, including contact record types or field values | Individual contacts and associated accounts
Custom object sharing rules | Custom object owner or other criteria, including custom object record types or field values | Individual custom object records
Data privacy sharing rules | Data privacy record owner or other criteria, including field values. Data privacy records are based on the Individual object. | Individual data privacy records
Knowledge article sharing rules | Knowledge article owner or other criteria, including Knowledge object record types or field values | Individual article versions
Flow interview sharing rules | Flow interview owner or other criteria, such as the pause reason | Individual flow interviews
Lead sharing rules | Lead owner or other criteria, including lead record types or field values | Individual leads
Maintenance plan sharing rules | Maintenance plan owner or other criteria | Individual maintenance plans
Opportunity sharing rules | Opportunity owner or other criteria, including opportunity record types or field values | Individual opportunities and their associated accounts
Order sharing rules | Order owner or other criteria, including order record types or field values | Individual orders
Product item sharing rules | Product item owner or other criteria | Individual product items
Product request sharing rules | Product request owner only; criteria-based sharing rules aren’t available | Individual product requests
Product transfer sharing rules | Product transfer owner only; criteria-based sharing rules aren’t available | Individual product transfers
Return order sharing rules | Return order owner or other criteria | Individual return orders
Service appointment sharing rules | Service appointment owner or other criteria | Individual service appointments
Service contract sharing rules | Service contract owner or other criteria | Individual service contracts
Service crew sharing rules Service crew owner only; criteria-based Individual service crews
sharing rules aren’t available
Service resource sharing rules Service resource owner or other criteria Individual service resources
Service territory sharing rules Service territory owner or other criteria Individual service territories
Shipment sharing rules Shipment owner only; criteria-based sharing Individual shipments
rules aren’t available
Time sheet sharing rules Time sheet owner only; criteria-based Individual time sheets
sharing rules aren’t available
User provisioning request sharing rules User provisioning request owner, only; Individual user provisioning requests
criteria-based sharing rules aren’t available
Work order sharing rules Work order owner or other criteria, including Individual work orders
work order record types or field values
Work type sharing rules Work type owner or other criteria Individual work types
Note: Developers can use Apex to programmatically share custom objects based on record owners but not other criteria.
SEE ALSO:
Sharing Rule Considerations
Note:
• A criteria-based sharing rule is based on record values and not the record owners. However,
a role or territory hierarchy still allows users higher in the hierarchy to access the records.
• You can’t use Apex to create a criteria-based sharing rule. And you can’t test criteria-based
sharing using Apex.
• Starting with API version 24.0, you can use the Metadata API SharingRules type to create
criteria-based sharing rules.
You can create criteria-based sharing rules for accounts, assets, campaigns, cases, contacts, leads, opportunities, work orders, and custom
objects. For the sharing criteria, record types and these field types are supported.
• Auto Number
• Checkbox
• Date
• Date/Time
• Email
• Lookup Relationship (to user ID or queue ID)
• Number
• Percent
• Phone
• Picklist
• Text
• Text Area
• URL
Note: Text and Text Area are case-sensitive. For example, a criteria-based sharing rule that specifies “Manager” in a text field
doesn’t share records that have “manager” in the field. To create a rule with several common cases of a word, enter each value
separated by a comma.
Warning: The guest user sharing rule type grants access to guest users without login credentials. By creating a guest user sharing
rule, you're allowing immediate and unlimited access to all records matching the sharing rule's criteria to anyone. To secure your
Salesforce data and give your guest users access to what they need, consider all the use cases and implications of creating this
type of sharing rule. Implement security controls that you think are appropriate for the sensitivity of your data. Salesforce is not
responsible for any exposure of your data to unauthenticated users based on this change from default settings.
You can also create sharing rules based on group membership.
SEE ALSO:
Sharing Rules
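An added example, not Salesforce code: a read-only audit over a retrieved Metadata API SharingRules file that lists guest user sharing rules, previews which sample records their criteria match (using the case-sensitive, comma-separated text matching described in the note above), and checks the 300 and 50 per-object limits. The XML, rule names, field names and records are constructed; treating multiple criteria as AND, modelling only the equals operator, and counting criteria-based and guest rules together against the 50 limit are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
MAX_TOTAL_RULES = 300        # per object, limit quoted on this page
MAX_CRITERIA_OR_GUEST = 50   # criteria-based or guest user rules per object

# Constructed sample of a retrieved SharingRules file for Account (not from a real org).
SAMPLE_ACCOUNT_RULES = """<SharingRules xmlns="http://soap.sforce.com/2006/04/metadata">
  <sharingCriteriaRules>
    <fullName>Gold_Accounts_To_Managers</fullName>
    <accessLevel>Edit</accessLevel>
    <label>Gold Accounts To Managers</label>
    <sharedTo><group>Regional_Managers</group></sharedTo>
    <criteriaItems>
      <field>Tier__c</field><operation>equals</operation><value>Gold,gold</value>
    </criteriaItems>
  </sharingCriteriaRules>
  <sharingGuestRules>
    <fullName>Public_Store_Locations</fullName>
    <accessLevel>Read</accessLevel>
    <label>Public Store Locations</label>
    <sharedTo><guestUser>Storefront</guestUser></sharedTo>
    <criteriaItems>
      <field>Listing_Status__c</field><operation>equals</operation><value>Public</value>
    </criteriaItems>
  </sharingGuestRules>
</SharingRules>"""

# Constructed records used to preview what a rule's criteria would match.
SAMPLE_RECORDS = [
    {"Name": "Downtown Store", "Listing_Status__c": "Public", "Tier__c": "Gold"},
    {"Name": "Airport Kiosk", "Listing_Status__c": "public", "Tier__c": "gold"},
    {"Name": "Head Office", "Listing_Status__c": "Internal", "Tier__c": "Silver"},
]


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_rules(xml_text):
    """Return one dict per sharing rule: kind, name, access level, targets, criteria."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        kind = local(el.tag)
        if not kind.startswith("sharing"):
            continue
        shared_to = el.find("md:sharedTo", NS)
        targets = [] if shared_to is None else [
            (local(t.tag), (t.text or "").strip()) for t in shared_to]
        criteria = [(c.findtext("md:field", "", NS),
                     c.findtext("md:operation", "", NS),
                     c.findtext("md:value", "", NS))
                    for c in el.findall("md:criteriaItems", NS)]
        rules.append({"kind": kind,
                      "name": el.findtext("md:fullName", "", NS),
                      "access": el.findtext("md:accessLevel", "", NS),
                      "targets": targets,
                      "criteria": criteria})
    return rules


def matches(record, criteria):
    """Model of text criteria: case-sensitive, comma-separated values are alternatives.

    Assumption: all criteria items must hold (AND); only 'equals' is modelled.
    """
    for field, operation, value in criteria:
        if operation != "equals":
            raise ValueError(f"operator not modelled: {operation}")
        allowed = [v.strip() for v in value.split(",")]
        if str(record.get(field, "")) not in allowed:
            return False
    return True


def audit(object_name, xml_text, records=()):
    """Return findings: limit overruns and every rule that shares with guest users."""
    rules = parse_rules(xml_text)
    findings = []
    narrow = [r for r in rules
              if r["kind"] in ("sharingCriteriaRules", "sharingGuestRules")]
    if len(rules) > MAX_TOTAL_RULES:
        findings.append(("LIMIT_TOTAL", object_name, len(rules)))
    if len(narrow) > MAX_CRITERIA_OR_GUEST:
        findings.append(("LIMIT_CRITERIA_OR_GUEST", object_name, len(narrow)))
    for rule in rules:
        is_guest = (rule["kind"] == "sharingGuestRules"
                    or any(t == "guestUser" for t, _ in rule["targets"]))
        if is_guest:
            # Records matching the criteria are readable without login credentials.
            exposed = [rec["Name"] for rec in records
                       if matches(rec, rule["criteria"])]
            findings.append(("GUEST_RULE", rule["name"], exposed))
    return findings


if __name__ == "__main__":
    for finding in audit("Account", SAMPLE_ACCOUNT_RULES, SAMPLE_RECORDS):
        print(finding)
```

The "Airport Kiosk" record, whose status is "public" in lowercase, is not matched by the guest rule, while the criteria rule that lists "Gold,gold" matches both spellings.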
To create sharing rules: Manage Sharing
8. Specify the users who get access to the data. For Share with, select a category from the first dropdown list and a set of users from the second dropdown list or lookup field.
9. Select sharing access settings for users. Some access settings aren’t available for some objects or in some situations.
Full Access | Users in the selected group, role, or territory can view, edit, transfer, delete, and share the record, just like the record’s owner. With a Full Access sharing rule, users can also view, edit, delete, and close activities associated with the record if the org-wide sharing setting for activities is Controlled by Parent. Available for campaigns only.
Note: Contact Access isn’t available when the organization-wide default for contacts is set to Controlled by Parent.
Note: You can use a field that’s not supported by criteria-based sharing rules. Create a
workflow rule or Apex trigger to copy the value of the field into a text or numeric field.
Then use that field as the criterion.
8. If available, select whether to include records owned by users who can’t have an assigned role, such as high-volume users and
system users. This setting is enabled by default and can’t be edited after you save the rule.
Note: To include these users in criteria-based sharing rules that were created before Spring ’22, delete the rule and select
Include records owned by users who can't have an assigned role when you recreate it.
9. Specify the users who get access to the data. For Share with, select a category from the first dropdown list and a set of users from
the second dropdown list or lookup field.
10. Select sharing access settings for users. Some access settings aren’t available for some objects or in some situations.
Full Access | Users in the selected group, role, or territory can view, edit, transfer, delete, and share the record, just like the record’s owner. With a Full Access sharing rule, users can also view, edit, delete, and close activities associated with the record if the org-wide sharing setting for activities is Controlled by Parent. Available for campaigns only.
Note: Contact Access isn’t available when the organization-wide default for contacts is set to Controlled by Parent.
Note: To use a field that’s not supported by criteria-based sharing rules, create a workflow rule or Apex trigger to copy the
value of the field into a text or numeric field. Then use that field as the criterion.
7. If available in your org, select whether to include records owned by high-volume community or site users. By default, sharing rules
include only records owned by authenticated users, guest users, and queues.
Tip: High-volume users don’t have roles and include the External Apps, Customer Community, High Volume Customer Portal,
and Authenticated Website license types. For more information, see About High-Volume Community or Site Users in Salesforce
Help.
SEE ALSO:
About High-Volume Community or Site Users
To create sharing rules: Manage Sharing
8. Specify the users who get access to the data. For Share with, select a category from the first dropdown list and a set of users from the second dropdown list or lookup field.
9. Select sharing access settings for users.
Category | Description
These groups include all partner or customer users, respectively, allowed to access your site or portal, except for high-volume users.
Roles | All roles defined for your organization, excluding site and portal roles. This includes all of the users in the specified role.
Portal Roles | All roles defined for your organization’s site or portal. This includes all users in the specified role, except high-volume users. A site or portal role name includes the name of the account that it’s associated with, except for person accounts, which include the user Alias.
Roles and Subordinates | All roles defined for your organization. This includes all of the users in the specified role plus all of the users in roles below that role. This is only available when no Salesforce Experience sites or portals are enabled for your organization.
Portal Roles and Subordinates | All roles defined for your organization’s site or portal. This includes all of the users in the specified role plus all of the users below that role in the site or portal role hierarchy, except for high-volume users. A site or portal role name includes the name of the account that it’s associated with, except for person accounts, which include the user Alias.
Roles and Internal Subordinates | All roles defined for your organization. This includes all of the users in the specified role plus all of the users in roles below that role, excluding site and portal roles. This category is displayed only if Salesforce Experiences or portals are enabled for your organization.
Roles, Internal and Portal Subordinates | All roles defined for your organization. This includes all of the users in the specified role plus all of the users in roles below that role, including site and portal roles.
Territories and Subordinates | All territories defined for your organization. This includes the specified territory plus all territories below it.
SEE ALSO:
Sharing Rules
Sharing Records with Manager Groups
5. Select sharing access settings for users. Some access settings aren’t available for some objects or in some situations.
Full Access | Users in the selected group, role, or territory can view, edit, transfer, delete, and share the record, just like the record’s owner. With a Full Access sharing rule, users can also view, edit, delete, and close activities associated with the record if the org-wide sharing setting for activities is Controlled by Parent. Available for campaigns only.
Note: Contact Access isn’t available when the organization-wide default for contacts is set to Controlled by Parent.
6. Click Save.
SEE ALSO:
Sharing Rules
• Availability
– Account, campaign, case, contact, lead, opportunity, and custom object sharing rules are available for Enterprise, Performance,
Unlimited, and Developer Editions.
– Only account, asset, campaign, and contact sharing rules are available in Professional Edition.
– Only custom object sharing rules are available in Database.com
– Criteria-based sharing rules aren’t available for all objects.
– Your org can have other objects that are available for sharing rules. To see which sharing rules are available, see the Sharing
Settings setup page.
• Updating
– Creating an owner-based sharing rule with the same source and target groups as an existing rule overwrites the existing rule.
– After a sharing rule is saved, you can’t change the Share with field settings when you edit the sharing rule.
– Sharing rules apply to all new and existing records that meet the definition of the source dataset.
– Sharing rules apply to active and inactive users.
– When you change the access levels for a sharing rule, all records automatically are updated to reflect the new access levels.
– When you delete a sharing rule, the sharing access created by that rule is removed.
– When you modify which users are in a group, role, or territory, the sharing rules are reevaluated to add or remove access as
necessary.
– When you transfer records from one user to another, the sharing rules are reevaluated to add or remove access to the transferred
records as necessary.
– Changing sharing rules can require changing a large number of records at once. If your request is queued to process these
changes efficiently, you receive an email notification when the process has completed.
– Lead sharing rules don’t automatically grant access to lead information after leads are converted into account, contact, and
opportunity records.
• Managed Package Fields
– If a criteria-based sharing rule references a field from a licensed managed package whose license has expired, (expired) is appended to the label of the field. The field label appears in the field dropdown list on the rule’s definition page in Setup.
– Criteria-based sharing rules that reference expired fields aren't recalculated, and new records aren't shared based on those rules. But the sharing of existing records before the package's expiration is preserved.
SEE ALSO:
Sharing Rules
Considerations for the Convert External User Access Wizard
Sharing Rules for Communities
USER PERMISSIONS
To recalculate sharing rules: Manage Sharing

Note: The Recalculate button is disabled when group membership or sharing rule calculations are deferred.
When sharing is recalculated, Salesforce also runs all Apex sharing recalculations. During sharing rule recalculation, related object sharing rules are calculated as well. For example, when recalculating sharing rules for opportunities, account sharing rules are recalculated since opportunity is a detail of an account object. You receive an email notification when the recalculation is completed for all affected objects.
Automatic sharing rule calculation is enabled by default. You can defer sharing rule calculation by suspending and resuming at your
discretion.
SEE ALSO:
Sharing Rules
Defer Sharing Calculations
Monitoring Background Jobs
Record-Level Access: Under the Hood Developer Guide
Note: To improve performance, we recommend that you enable faster account sharing recalculation. Instead of storing implicit
share records between accounts and their child case, contact, and opportunity records, the system dynamically determines whether
users can access these records when they try to access them. For more information, see the Faster Account Sharing Recalculation
knowledge article.
SEE ALSO:
Recalculate Sharing Rules
Asynchronous Parallel Recalculation of Sharing Rules
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
See Sharing Rule Considerations for more information on availability.

Parallel sharing rule recalculation is also run if you click the Recalculate button on the Sharing Settings or Defer Sharing Calculations pages.
You can monitor the progress of your parallel recalculation on the Background Jobs page or view your recent sharing operations on the View Setup Audit Trail page.
Note: If the number of impacted records from an owner-based sharing rule insert or update is less than 25,000, recalculation runs synchronously and you won’t receive an email notification when it’s completed. Owner-based sharing rule inserts and updates impacting less than 25,000 records are not available on the Background Jobs page.
Recalculation of sharing rules maintains implicit sharing between accounts and child records. In the Background Jobs page, these
processes correspond to these job sub types: Account — Extra Parent Access Removal and Account — Parent Access Grant.
Additionally, deleting a sharing rule corresponds to the job sub type Object — Access Cleanup, denoting that irrelevant share rows
are removed.
Note: To improve performance, we recommend that you enable faster account sharing recalculation. Instead of storing implicit
share records between accounts and their child case, contact, and opportunity records, the system dynamically determines whether
users can access these records when they try to access them. For more information, see the Faster Account Sharing Recalculation
knowledge article.
SEE ALSO:
Monitoring Background Jobs
Recalculate Sharing Rules
Built-in Sharing Behavior
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

Note: Starting in the Summer ’22 release, asynchronous deletion of obsolete shares is enabled by default.
Many sharing operations have an immediate impact on the visibility of records within the system. For example, deleting a group revokes the access granted to that group via sharing rules or manual shares.
Members of these groups lose access to records immediately. Users higher than these members in the role hierarchy also lose access to the records.
• Public groups
• Queues
• Roles
• Territories
When deleting a group, the shares to the group become obsolete. Obsolete shares are deleted asynchronously during off-peak hours
to minimize wait time during this operation.
When deactivating a user, the user’s manually assigned shares and their team shares are deleted asynchronously. Until the obsolete
shares are deleted, users higher in the role hierarchy retain access to the records associated with these shares. If that visibility is a concern,
remove the record access granted to the user before deactivating the account. All other user-related share types are deleted immediately
when the user is deactivated.
If | You can
Group membership and sharing rule calculation are enabled | • Suspend, update, and resume group membership calculation. This suspends sharing rule calculation and requires a full recalculation of sharing rules. • Suspend, update, and resume sharing rule calculation.
Group membership calculation is enabled and sharing rule calculation is suspended | Suspend, update, and resume group membership calculation.
Group membership calculation is suspended and sharing rule calculation is enabled | Suspend, update, resume, and recalculate sharing rule calculation.
To suspend or resume group membership calculation, see Manage Group Membership Calculations.
To suspend, resume, or recalculate sharing rule calculation, see Defer Sharing Rule Calculations.
Note: To improve performance, we recommend that you enable faster account sharing recalculation. Instead of storing implicit
share records between accounts and their child case, contact, and opportunity records, the system dynamically determines whether
users can access these records when they try to access them. For more information, see the Faster Account Sharing Recalculation
knowledge article.
SEE ALSO:
Recalculate Sharing Rules
Record-Level Access: Under the Hood Developer Guide
To defer (suspend and resume) sharing calculations: Manage Users AND Manage Sharing Calculation Deferral

Note: If sharing rule calculations are enabled, suspending group membership calculations also suspends sharing rule calculations. Resuming group membership calculations also requires full sharing rule recalculation.
3. Make your changes to roles, territories, groups, users, or portal account ownership.
4. To enable group membership calculation again, click Resume. Group membership recalculation begins automatically.
5. To recalculate sharing rules, select Yes when asked if you want to automatically recalculate sharing rules. Or, in the Sharing Rule Calculations related list, click Recalculate.
Important: After you resume group membership calculations, you must do a full sharing rule recalculation. Otherwise,
changes that you made while calculations were suspended aren’t reflected in your sharing rules.
SEE ALSO:
Defer Sharing Calculations
When recalculation for an owner-based sharing rule is in progress, you can’t create, edit, or delete owner-based sharing rules for
that object targeting the same group of users. For example, let’s say you’re creating an owner-based lead sharing rule targeting the
All Internal Users group. While recalculation is in progress, you can create another owner-based sharing rule for leads targeting any
other public group except the All Internal Users group. You can create, update, or delete owner-based sharing rules for leads targeting
all internal users only after the recalculation finishes. You receive an email notification when the recalculation is complete.
When recalculation for a criteria-based sharing rule is in progress, you can’t edit or delete that rule. But you can create, edit, or delete
any other criteria-based or owner-based sharing rule for that object regardless of the target group of users.
Note: You can’t modify the org-wide defaults when a sharing rule recalculation for any object is in progress. Similarly, you
can’t modify sharing rules when recalculation for an org-wide default update is in progress.
Account, cases, contacts, and opportunities
Sharing rules can affect accounts and the associated account children—cases, contacts, and opportunities—so they’re locked
together to ensure that recalculation runs properly. For example, creating or editing an account sharing rule prevents you from
creating or editing a case, contact, or opportunity sharing rule. Similarly, creating or editing an opportunity sharing rule prevents
you from creating or editing a case, contact, or account sharing rule before recalculation is complete. Locks aren’t shared across
objects, except across accounts and associated account children.
Note: Clicking the Recalculate button for any of these four objects’ sharing rules prevents anyone from making changes to
sharing rules for those objects until recalculation finishes.
In the following example, an owner-based account sharing rule has been deleted and recalculation is in progress. Although you
can’t create, edit, or delete another ownership-based sharing rule for any of these objects, you can make changes to a criteria-based
sharing rule (2) for those objects.
SEE ALSO:
Sharing Rules
Recalculate Sharing Rules
Defer Sharing Calculations
Manual Sharing
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

Manual sharing gives other users access to certain types of records, including accounts, contacts, and leads.
Sometimes, granting access to one record includes access to all its associated records. For example, if you grant another user access to an account, the user automatically has access to all the opportunities and cases associated with that account.
To grant access to a record, you must be one of the following users.
• The record owner
• A user in a role above the owner in the hierarchy (if your organization’s sharing settings control access through hierarchies)
• Any user granted Full Access to the record
• An administrator
If a user transfers ownership of a record, Salesforce deletes any manual shares created by the original record owner, which can cause
users to lose access. When account ownership is transferred, manual shares created by the original account owner on child records, such
as opportunities and cases, are also deleted.
When the parent account for a contact associated with a portal or community user changes, manual shares for custom object records
that were shared with the portal or community user are deleted.
Note: When the parent account for an opportunity changes, manual shares for the opportunity are deleted if the user making
the change isn’t allowed to share the new parent account. But when the new parent account owner, someone above them in the
role hierarchy, or a Salesforce admin changes the parent account, the manual shares aren’t deleted.
Type | Description
Manager Subordinates Groups | Managers and all the direct and indirect reports that they manage.
Roles and Subordinates | All users in the role plus all users in roles below that role in the hierarchy. Only available when no portals are enabled for your org. After enabling Salesforce Experiences, manual shares accessible to Roles and Subordinates are automatically converted to be shared with Roles, Internal, and Portal Subordinates. To secure external users’ access, remove Roles, Internal, and Portal Subordinates from the Share With list of your manual shares. Add Roles and Internal Subordinates instead.
Roles and Internal Subordinates | All roles defined for your org. Includes all users in the specified role and all users in roles below that role. Doesn’t include partner portal and Customer Portal roles.
Roles and Internal and Portal Subordinates | Adds a role and its subordinate roles. Includes all users in that role plus all users in roles below that role. Only available when a partner or Customer Portal is enabled for your org. Includes portal roles and users.
Territories | For orgs that use territory management, all territories defined for your org, including all users in each territory. Only the territories in the active territory model are available.
Territories and Subordinates | For orgs that use territory management, all users in the territory plus the users below that territory. Only the territories in the active territory model are available.
3. Choose the access level for the record that you’re sharing and any associated records that you own.
Read/Write | User can view and edit the record, and add associated records, notes, and attachments to it.
Read Only | User can view the record, and add associated records to it. They can’t edit the record or add notes or attachments.
Note:
• If you’re sharing an opportunity or case, the users you share it with must have at least Read access to the account (unless
you’re sharing a case via a case team). If you also have privileges to share the account itself, the users you share it with are
automatically given Read access to the account. If you don’t have privileges to share the account, you must ask the account
owner to give others Read access to it.
• Contact Access isn’t available when the org-wide default for contacts is set to Controlled by Parent.
Type | Description
Manager Subordinates Groups | Managers and all the direct and indirect reports they manage.
Roles and Subordinates | All users in the role plus all users in roles below that role in the hierarchy. Only available when no portals are enabled for your org. After enabling Salesforce Experiences, manual shares accessible to Roles and Subordinates are automatically converted to be shared with Roles, Internal, and Portal Subordinates. To secure external users’ access, remove Roles, Internal and Portal Subordinates from the Share With list of your manual shares, and add Roles and Internal Subordinates instead.
Roles and Internal Subordinates | All roles defined for your org, including all users in the specified role and all the users in roles below that role. However, it doesn’t include partner portal and Customer Portal roles.
Roles and Internal and Portal Subordinates | Adds a role and its subordinate roles. Includes all users in that role plus all users in roles below that role. Only available when a partner or Customer Portal is enabled for your org. Includes portal roles and users.
Territories | For organizations that use territory management, all territories defined for your org, including all users in each territory. Only the territories in the active territory model are available.
Territories and Subordinates | For orgs that use territory management, all users in the territory plus the users below that territory. Only the territories in the active territory model are available.
Note: With more than 2,000 users, roles, and groups, if your query doesn’t match any items in a particular category, that
category doesn’t show up in the Search dropdown menu. For example, if none of your group names contain the string CEO,
after searching for CEO, the Groups option no longer appears in the dropdown. If you enter a new search term, all categories
are still searched even if they don’t appear in the list. You can repopulate the dropdown by clearing your search terms and
pressing Find.
4. Choose the specific groups, users, roles, or territories whom you want to give access by adding their names to the Share With list.
Use the Add and Remove arrows to move the items from the Available list to the Share With list.
Note: You can't grant access to unauthenticated guest users with manual sharing.
5. Choose the access level for the record you’re sharing and any associated records that you own.
Read/Write | User can view and edit the record, and add associated records, notes, and attachments to it.
Read Only | User can view the record, and add associated records to it. They can’t edit the record or add notes or attachments.
Note:
• If you’re sharing an opportunity or case, the users you share it with must have at least Read access to the account (unless
you’re sharing a case via a case team). If you also have privileges to share the account itself, the users you share it with are
automatically given Read access to the account. If you don’t have privileges to share the account, you must ask the account
owner to give others Read access to it.
• Contact Access isn’t available when the org-wide default for contacts is set to Controlled by Parent.
6. Select the reason you’re sharing the record so users and administrators can understand.
7. Save your changes.
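The effect of the automatic conversion described in the Roles and Subordinates rows of both Share With tables above, as an added example (not Salesforce code): it models the role-based categories over a constructed role hierarchy and lists, for each manual share, the external users it reaches and the replacement category the page recommends. Role names, users and record names are constructed, and the flat `portal` flag on a role is an assumption of the model.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    users: list
    portal: bool = False                 # True for site or portal roles
    children: list = field(default_factory=list)


def walk(role):
    """Yield the role and every role below it in the hierarchy."""
    yield role
    for child in role.children:
        yield from walk(child)


def audience(category, role):
    """Users reached by a Share With entry, following the category descriptions."""
    if category == "Roles and Internal Subordinates":
        roles = [r for r in walk(role) if not r.portal]
    elif category in ("Roles and Subordinates",
                      "Roles, Internal and Portal Subordinates"):
        roles = list(walk(role))
    else:
        raise ValueError(f"category not modelled: {category}")
    return {user for r in roles for user in r.users}


def review_manual_shares(shares, roles_by_name):
    """Report manual shares that reach external users once Experiences is enabled."""
    report = []
    for record, category, role_name in shares:
        if category == "Roles and Subordinates":
            # Automatic conversion described on this page.
            category = "Roles, Internal and Portal Subordinates"
        role = roles_by_name[role_name]
        internal = audience("Roles and Internal Subordinates", role)
        external = sorted(audience(category, role) - internal)
        if external:
            report.append({"record": record,
                           "role": role_name,
                           "external_users": external,
                           "replace_with": "Roles and Internal Subordinates"})
    return report


# Constructed hierarchy: portal roles sit below the internal role of the account owner.
_partner_user = Role("Acme Partner User", ["pam@acme.example"], portal=True)
_partner_mgr = Role("Acme Partner Manager", ["pat@acme.example"], portal=True,
                    children=[_partner_user])
_rep = Role("Sales Rep", ["bob@corp.example"], children=[_partner_mgr])
_vp = Role("VP Sales", ["alice@corp.example"], children=[_rep])
ROLES = {r.name: r for r in walk(_vp)}

# Constructed manual shares: (record, Share With category, role).
SAMPLE_SHARES = [
    ("Opportunity-001", "Roles and Subordinates", "VP Sales"),
    ("Opportunity-002", "Roles and Internal Subordinates", "VP Sales"),
]

if __name__ == "__main__":
    for row in review_manual_shares(SAMPLE_SHARES, ROLES):
        print(row)
```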
– Serialized Product
– Service Appointment
– Service Contract
– Service Crew
– Service Resource
– Service Territory
– Shift
– Shift Pattern
– Survey
– Survey Invitation
– Time Sheet
– Travel Mode
– Video Call
– Warranty Term
– Work Order
– Work Plan
– Work Plan Selection Rule
– Work Plan Template
– Work Step Template
– Work Type
– Work Type Group
Reason | Description
Account Guest Sharing Rule | The guest user has access via an account guest user sharing rule created by the administrator.
Account Sharing Rule | The user has access via an account sharing rule created by the administrator.
Account Sharing | The user was granted access via the Sharing button on the associated account.
Account Territory | The account has been assigned to a territory to which the user has access.
Administrator | The user has the “Modify All Data” or “View All Data” administrative permission, or the “Modify All” or “View All” object permission.
Asset Guest Sharing Rule | The guest user has access via an asset guest user sharing rule created by the administrator.
Asset Sharing Rule | The user has access via an asset sharing rule created by the administrator.
Associated Guest User Sharing | The guest user has sharing access to a record associated with the account. To view which associated records the user owns or has been given sharing access to, click the link.
Associated Portal User or Role | The portal or site user, or any role above the portal or site user's role, has access to the account for which the portal or site user is a contact.
Associated Record Owner or Sharing | The user owns or has sharing access to a contact or contract associated with the account. To view which associated records the user owns or has been given sharing access to, click the link.
Associated Record Sharing | The user is a member of a share group that has access to a contact or contract that's associated with the account owned by high-volume Experience Cloud site users.
Campaign Guest Sharing Rule | The guest user has access via a campaign guest user sharing rule created by the administrator.
Campaign Sharing Rule | The user has access via a campaign sharing rule created by the administrator.
Case Guest Sharing Rule | The guest user has access via a case guest user sharing rule created by the administrator.
Case Sharing Rule | The user has access via a case sharing rule created by the administrator.
Contact Guest Sharing Rule | The guest user has access via a contact guest user sharing rule created by the administrator.
Contact Sharing Rule | The user has access via a contact sharing rule created by the administrator.
Group Member | The user has access via a group, such as a Managers Group or Manager Subordinates Group.
Individual Guest Sharing Rule | The guest user has access via an individual guest user sharing rule created by the administrator.
Individual Sharing Rule | The user has access via an individual sharing rule created by the
administrator.
Lead Guest Sharing Rule The guest user has access via a lead guest user sharing rule
created by the administrator.
Lead Sharing Rule The user has access via a lead sharing rule created by the
administrator.
Manager of Territory Member The user has a subordinate in the role hierarchy who is assigned
to the territory with which the account is associated.
Manual Sharing The user has access that was granted via the Sharing button on
the record.
Manual Territory Sharing The account has been manually assigned to a territory to which
the user has access.
Opportunity Guest Sharing Rule The guest user has access via an opportunity guest user sharing
rule created by the administrator.
Opportunity Sharing Rule The user has access via an opportunity sharing rule created by
the administrator.
Order Guest Sharing Rule The guest user has access via an order guest user sharing rule
created by the administrator.
Order Sharing Rule The user has access via an order sharing rule created by the
administrator.
Owner The user owns the record, or the user is a member of the queue
that owns the record or above the queue member in the role
hierarchy.
Portal Share Group The user is a member of a share group that has access to records
owned by high-volume Experience Cloud site users.
Related Portal User The portal or site user is a contact on the case.
Role Above Owner or Shared User (Portal Only) The user's role is above the role of a portal or site user who has
access to the record via ownership or sharing.
User Sharing Rule The user has access via a user sharing rule created by the
administrator.
619
Set Up and Maintain Your Salesforce Organization Sharing Settings
Reason Description
User Guest Sharing Rule The guest user has access via a user guest user sharing rule
created by the administrator.
View All Forecasts Permission The forecasts user has the View All Forecasts permission.
If a user has access to a record as a result of multiple sharing reasons, some reasons are compressed into a single record. That record
contains the highest level of permission. The compressed reasons are: Associated Portal User or Role, Associated Record Owner or Sharing,
Manual Sharing, and Owner. For example, if a user owns opportunities associated with an account and was also manually given access
to that account, the user is listed only one time on sharing pages.
Note: In editions that support restriction rules, this list can include users who don’t have access due to a restriction rule.
2. To see the reason the user has or doesn’t have access to the record, click View next to a user’s name.
If multiple sharing reasons give a user access to a record, some sharing reasons can be compressed into a single reason, which shows
the most permissive access level, on the Sharing Hierarchy page. These sharing reasons can be compressed.
• Associated Portal User or Role
• Associated Record Owner or Sharing
• Manual Sharing
• Owner
When you click View, all applicable sharing reasons appear. If a restriction rule blocks access to the record, a message is shown to
confirm that access is blocked.
The possible reasons are:
| Reason | Description |
|---|---|
| Account Guest Sharing Rule | The guest user has access via an account guest user sharing rule created by the administrator. |
| Account Sharing Rule | The user has access via an account sharing rule created by the administrator. |
| Account Sharing | The user was granted access via the Sharing button on the associated account. |
| Account Territory | The account has been assigned to a territory to which the user has access. |
| Administrator | The user has the “Modify All Data” or “View All Data” administrative permission, or the “Modify All” or “View All” object permission. |
| Asset Guest Sharing Rule | The guest user has access via an asset guest user sharing rule created by the administrator. |
| Asset Sharing Rule | The user has access via an asset sharing rule created by the administrator. |
| Associated Guest User Sharing | The guest user has sharing access to a record associated with the account. To view which associated records the user owns or has been given sharing access to, click the link. |
| Associated Portal User or Role | The portal or site user, or any role above the portal or site user's role, has access to the account for which the portal or site user is a contact. |
| Associated Record Owner or Sharing | The user owns or has sharing access to a contact or contract associated with the account. To view which associated records the user owns or has been given sharing access to, click the link. |
| Associated Record Sharing | The user is a member of a share group that has access to a contact or contract that's associated with the account owned by high-volume Experience Cloud site users. |
| Campaign Guest Sharing Rule | The guest user has access via a campaign guest user sharing rule created by the administrator. |
| Campaign Sharing Rule | The user has access via a campaign sharing rule created by the administrator. |
| Case Guest Sharing Rule | The guest user has access via a case guest user sharing rule created by the administrator. |
| Case Sharing Rule | The user has access via a case sharing rule created by the administrator. |
| Contact Guest Sharing Rule | The guest user has access via a contact guest user sharing rule created by the administrator. |
| Contact Sharing Rule | The user has access via a contact sharing rule created by the administrator. |
| Group Member | The user has access via a group, such as a Managers Group or Manager Subordinates Group. |
| Individual Guest Sharing Rule | The guest user has access via an individual guest user sharing rule created by the administrator. |
| Individual Sharing Rule | The user has access via an individual sharing rule created by the administrator. |
| Lead Guest Sharing Rule | The guest user has access via a lead guest user sharing rule created by the administrator. |
| Lead Sharing Rule | The user has access via a lead sharing rule created by the administrator. |
| Manager of Territory Member | The user has a subordinate in the role hierarchy who is assigned to the territory with which the account is associated. |
| Manual Sharing | The user has access that was granted via the Sharing button on the record. |
| Manual Territory Sharing | The account has been manually assigned to a territory to which the user has access. |
| Opportunity Guest Sharing Rule | The guest user has access via an opportunity guest user sharing rule created by the administrator. |
| Opportunity Sharing Rule | The user has access via an opportunity sharing rule created by the administrator. |
| Order Guest Sharing Rule | The guest user has access via an order guest user sharing rule created by the administrator. |
| Order Sharing Rule | The user has access via an order sharing rule created by the administrator. |
| Owner | The user owns the record, or the user is a member of the queue that owns the record or above the queue member in the role hierarchy. |
| Portal Share Group | The user is a member of a share group that has access to records owned by high-volume Experience Cloud site users. |
| Related Portal User | The portal or site user is a contact on the case. |
| Role Above Owner or Shared User (Portal Only) | The user's role is above the role of a portal or site user who has access to the record via ownership or sharing. |
| User Sharing Rule | The user has access via a user sharing rule created by the administrator. |
| User Guest Sharing Rule | The guest user has access via a user guest user sharing rule created by the administrator. |
| View All Forecasts Permission | The forecasts user has the View All Forecasts permission. |
User Sharing
User Sharing enables you to show or hide an internal or external user from another user in your organization.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Watch a demo: Who Sees What: User Sharing (English only)
With User Sharing, you can:
• Assign the “View All Users” permission to users who need to see or interact with all users. This permission is automatically enabled for users who have the “Manage Users” permission.
• Set the organization-wide default for user records to Private or Public Read Only.
• Create user sharing rules based on group membership or other criteria.
• Create manual shares for user records to open up access to individual users or groups.
• Control the visibility of external users.
SEE ALSO:
Understanding User Sharing
Control Which Users Experience Cloud Site Users Can See
4. Click Save.
Users have Read access to those below them in the role hierarchy and full access on their own user record.
SEE ALSO:
Control Which Users Experience Cloud Site Users Can See
User Sharing
• Standard Report Types—If the organization-wide default for the user object is Private and the Standard Report Visibility checkbox
is selected, a person viewing the report can see the names of users that are listed in the report. To see details such as username
and email address, the viewer must have access to the users.
User sharing in Chatter
In Chatter, there are exceptions where users who aren’t shared can still see and interact with each other. For example, regardless of
user sharing, in a public Chatter group, everyone with access to the group can see all posts. They can also see the names of the users
who post and mention users who commented on a post.
For example, you set up user sharing so Mary and Bob can’t see or interact with each other. Mary posts on a public Chatter group.
She can’t mention Bob, because user sharing prevents Bob’s name from showing up in the mention dropdown list. However, Bob
can see Mary’s post and he comments on her post. Now Mary can actually mention Bob in her next comment on her post.
There are also exceptions where users who aren't shared can still see each other in the mention dropdown list. For example, Sue
has interacted with Edgar in Chatter (by liking or commenting on his post or mentioning him). Then you set up user sharing so Sue
can’t see Edgar. Sue posts on a public Chatter group. She can mention Edgar because, due to their previous interaction, his name
shows up on the mention dropdown list. However, if Sue clicks the Edgar mention, she gets an error because, due to user sharing,
she can’t see him.
SEE ALSO:
User Sharing
SEE ALSO:
Control Standard Report Visibility
Differences Between User Sharing with Manual Sharing and Sharing Sets
Manual sharing and sharing sets provide access to different groups of users.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Manual sharing available in: Salesforce Classic
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
You can control who sees whom in the organization, including internal and external users, if your organization has User Sharing enabled. Manual sharing and sharing sets provide additional access beyond the organization-wide defaults and sharing rules. Some external users, such as high-volume Experience Cloud site users, don’t have roles and can’t be used in sharing rules.
Example: Grant internal and most external users access to a user by creating a manual share using the Sharing button on the user detail page of that user. Grant high-volume users access to other users by creating a sharing set.
The following table shows when to use manual sharing and sharing sets.
Users Getting Access: Internal | External (Non-high-volume users) | High-volume users
SEE ALSO:
User Sharing
SEE ALSO:
Control Which Users Experience Cloud Site Users Can See
• When you deselect the Standard Report Visibility checkbox, users with the “View All Users” permission can still see all reports
based on standard report types. All users can also see these reports if the organization-wide default for the user object is Public Read
Only.
• If the organization-wide default for the user object is Public, the data that is exposed in standard report types includes data from
fields on records that other users own. All information from the secondary records is exposed, including information that isn’t directly
related to the current user. For example, if user object sharing is set to Public, the standard Accounts with Assets report exposes user
data from the Accounts object and the Assets object.
• Visibility behavior also differs for standard and custom report types:
– Standard Report types operate on the primary object's sharing settings. For example, the Accounts and Assets standard report
type respects only the Accounts sharing settings.
– Custom Report Types respect both primary and secondary object sharing. For example, the Accounts and Assets custom report
types respect the sharing settings of both Accounts and Assets.
Important: When Analytics sharing is in effect, all users in the organization get Viewer access to report and dashboard folders
that are shared with them. Users who have been designated Manager or Editor on a folder, and users with extra administrative
permissions, can have more access. Each user’s access to folders is based on the combination of folder access and user permissions.
To ensure that standard report folders are hidden as needed, remove sharing for all users from the folders. Then deselect the View
Dashboards in Public Folders and View Reports in Public Folders checkboxes for the users’ profiles.
SEE ALSO:
User Sharing
Report Types Support for User Sharing
USER PERMISSIONS
To modify sharing settings: Manage Sharing
Note: The View All Lookup Record Names permission only applies to lookup record names in list views and record detail pages.
Example: After the Require permission to view record names in lookup fields setting is enabled, in Lightning Experience, users who don’t have Read access or the View All Lookup Record Names permission see the lookup field labels, but not the data in the fields.
In Salesforce Classic, users who don’t have Read access or the View All Lookup Record Names permission see an underscore in
system user lookup fields. They also see the record ID in custom user lookup and non-user lookup fields.
Note: In Lightning Experience, a parent record's name is visible in lookup fields if the user has access to its child record via
a "View All" permission. This behavior applies even if the user doesn't have access to the parent record. In Salesforce Classic,
the parent record's ID is displayed instead of its name.
SEE ALSO:
“View All” and “Modify All” Permissions Overview
Sharing for cases and opportunities is available in Enterprise, Performance, Unlimited, and Developer Editions
• Account and contact access—An account’s portal or site user has Read Only access to the parent account and to all of the account’s contacts.
• Management access to data owned by Service Cloud portal users—Since Service Cloud portal users don't have roles, portal account owners can't access their data via the role hierarchy. To grant them access to this data, you can add account owners to the portal’s share group where the Service Cloud portal users are working. This step provides access to all data owned by Service Cloud portal users in that portal.
• Case access—If a portal or site user is a contact on a case, then the user has Read and Write access on the case.
Group membership operations and sharing recalculation
Simple operations such as changing a user’s role, moving a role to another branch in the hierarchy, or changing a site or portal account’s owner can trigger a recalculation of sharing rules. Salesforce must check access to the user’s data for people who are above the user’s new or old role in the hierarchy, and either add or remove shares for any affected records.
Note: These sharing behaviors simplify administration for data access but can make mass inserts and mass updates slow. For best
practices on designing record access in a large organization, see Designing Record Access for Enterprise Scale.
SEE ALSO:
Control Who Sees What
You can obtain access to a record or object by contacting your Salesforce org’s admin or the record owner of the record you’re trying
to access.
If you’re a user (1), determine if you have access to other records of the same object.
• Have access to other records of the same object: For example, you have access to account record A but not account record B. Contact
your Salesforce admin or the record owner to request access.
• Don’t have access to other records of the same object: Contact your Salesforce admin to request access.
If you’re an admin (2), determine if the user has read access to the record.
• Have read access: Grant more access using sharing mechanisms such as sharing rules, manual sharing, or sharing sets. Also, the
Sharing button on the record detail page can grant users record access on a one-time basis and gives you the flexibility to remove
that access later.
• Don’t have read access: Grant read access using a profile or permission set.
If you must share a report or dashboard folder, share the folder it’s in. Recall that when you create a folder, only you and users with
administrative permissions can see it.
SEE ALSO:
Sharing Rules
Manual Sharing
Share a Report or Dashboard Folder in Salesforce Classic
Schedule and Track Your Tasks and Events
Record owners can resolve most cases by using the Sharing button on the record detail page, which enables them to share the record to another user. Salesforce admins can also resolve this issue using the API, such as querying the UserRecordAccess object to check a user’s access to a set of records. For more information, see the REST API Developer Guide and the SOAP API Developer Guide.
Available in: All Editions
If these tools can’t help you resolve the issue, your Salesforce org’s admin can try to diagnose it with this troubleshooting flow.
• Resolve object-level access errors by reviewing the user profiles and permission sets.
• Resolve record-level access errors by reviewing the sharing settings, such as organization-wide defaults and sharing rules.
• Resolve process-level errors by reviewing validation rules and Apex triggers.
It’s a good idea for an admin to log in to the application using your login to help you resolve an issue.
Note: Watch this video series to understand how to grant users the access they need. Who Sees What: Overview (English only)
4. If needed, assign the necessary permission using a permission set or by updating the profile. Permission sets provide access on an
individual basis. Assign permissions on the user profile only if all users of this profile require access. Be sure you're aware of your
organization's security policy and act accordingly.
SEE ALSO:
Resolving Insufficient Privileges Errors
Permission Sets
User Permissions and Access
Profiles
3. Review your teams to determine if the user is supposed to have access through a team.
If your organization uses teams for accounts, opportunities, or cases, verify that you didn’t miss the user when you set up the teams.
a. From Setup, in the Quick Find box, enter the team that you want to check, such as Account Teams, then select the team.
Add the user to the team, if appropriate.
b. If the user must gain access via a manual share, create a manual share using the Sharing button on the record.
Note: In Lightning Experience, manual sharing isn’t available for all objects. Find the list of available objects in Manual Sharing
Considerations.
SEE ALSO:
Resolving Insufficient Privileges Errors
Create a User Role
Sharing Rules
Create a Sharing Set
Use Share Groups to Share Records Owned by High-Volume Experience Cloud Site Users
2. From your object management settings, find the object that you want to check, and then scroll down to Validation Rules.
3. Verify that none of the validation rules are causing the error or fix the validation rule.
USER PERMISSIONS
To view and change validation rules: View Setup and Configuration AND Customize Application
SEE ALSO:
Resolving Insufficient Privileges Errors
Define Validation Rules
Managing Folders
USER PERMISSIONS
To create, edit, or delete public document folders: Manage Public Documents
To create, edit, and delete public email template folders in Salesforce Classic: Manage Public Classic Email Templates (in Salesforce Classic only)
To create, edit, and delete public email templates in Lightning Experience: Manage Public Lightning Email Templates (in Lightning Experience only)
To create, edit, and delete enhanced email template folders in Lightning Experience: Create Folders for Lightning Email Templates
To create, edit, and delete public report folders: Manage Reports in Public Folders
To create, edit, and delete public dashboard folders: Manage Dashboards AND View All Data
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All editions except Database.com
Report folders not available in: Contact Manager, Essentials, Group, and Personal Editions
A folder is a place where you can store reports, dashboards, documents, or email templates. Folders can be public, hidden, or shared,
and can be set to read-only or read/write. You control who has access to its contents based on roles, permissions, public groups, and
license types. You can make a folder available to your entire organization, or make it private so that only the owner has access.
• To access report and dashboard folders, click the Reports or Dashboards tab.
• To access document folders in Salesforce Classic, click the Documents tab.
• To access library folders in Lightning Experience, click the Files tab, and then click Libraries.
• To access Classic email template folders, from Setup, in the Quick Find box, enter Classic Email Templates, then select
Classic Email Templates.
• To access Lightning email template folders, click the Email Templates tab.
Considerations
You can modify the contents of a folder only if the folder access level is set to read/write. Only users with the “Manage Public Documents”
or “Manage Public Templates” permission can delete or change a read-only folder. Regardless of permissions or folder settings, users
can’t edit unfiled or personal folders. Users with the “Manage Reports in Public Folders” permission can edit all reports in public folders
but not reports in other users’ personal folders.
SEE ALSO:
Creating and Editing Folders
Moving Documents and Email Templates in Folders
Warning: After enabling digital experiences, folders shared with Roles and Subordinates are automatically converted to grant access to Roles, Internal and Portal Subordinates. If you don't want external users to access the data inside folders, update your folders to be shared with Roles and Internal Subordinates instead. You can use the Convert External User Access Wizard to convert any publicly accessible report, dashboard, and document folders to folders that are accessible by all users except for external users.
Note: When you share a folder with a group, managers of the group members have no access to the folder unless
those managers are also members of the group.
b. If the Available for Sharing list doesn’t immediately display the desired value, enter search criteria and click
Find.
c. Select the desired value from the Available for Sharing list and click Add to move the value to the Shared
To list.
5. Click Save.
SEE ALSO:
Managing Folders
Considerations for Using Public and Private Email Templates in Lightning Experience
Considerations for Email Template Folders and Sharing
Restriction Rules
Restriction rules let you enhance your security by allowing certain users to access only specified records. They prevent users from accessing records that can contain sensitive data or information that isn’t essential to their work. Restriction rules filter the records that a user has access to so that they can access only the records that match the criteria you specify.
EDITIONS
Available in: Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Restriction rules are available for custom objects, external objects, contracts, tasks, and events. You can create up to two active restriction rules per object in Enterprise and Developer editions and up to five active restriction rules per object in Performance and Unlimited editions. Restriction rules are applied to the following Salesforce features:
• List Views
• Lookups
• Related Lists
• Reports
• Search
• SOQL
• SOSL
When a restriction rule is applied to a user, the records that the user is granted access to via org-wide defaults, sharing rules, and other
sharing mechanisms are filtered by criteria that you specify. For example, if users navigate to the Today’s Tasks tab or to a list view for
activities, they see only the records that meet the restriction rule’s criteria. If a user has a link to a record that is no longer accessible after
a restriction rule is applied, the user sees an error message.
Note: Before setting up a restriction rule on an external object, review these considerations.
• Restriction rules for external objects don’t include organization-wide defaults or sharing mechanisms.
• Only external objects created using the Salesforce Connect: OData 2.0, OData 4.0, and Cross-Org adapters support restriction
rules.
• External objects created using the Cross-Org adapter don’t support search or SOSL when a rule is applied to a user. Salesforce
returns only search results that match the most recently viewed records.
• Disabling search on external objects is recommended.
• External objects created using the Salesforce Connect: Custom Adapter aren’t supported.
When a restriction rule is applied to users, the data that they had read access to via your sharing settings is further scoped to only records
matching the record criteria. This behavior is similar to how you can filter results in a list view or report, except that it’s permanent. The
number of records visible to the user can vary greatly depending on the value that you set in the record criteria.
Tip: Set the Type field as Current User when the rule applies to the currently logged-in user.
• If the rule applies to a subset of users with a custom permission, select Permission Criteria.
Note:
• To filter records for users with the custom permission, set the Boolean value to True.
• To filter records for users who don’t have the custom permission, set the Boolean value to False.
6. Under Record Criteria, select which records the specified users are allowed to see. For the Field value, you can reference another
object’s field using dot notation.
To designate more than one field value in the record criteria, specify a list of comma-separated string or ID field type values.
• Add values separated by a comma in the Value field.
• Include an ID field and type a comma-separated list of 15-character ID values in the Value field.
Tip: To include a single value that contains a comma, surround the value with double quotes (").
Note: Salesforce doesn’t validate that only one active rule applies for a given user. If you create two active rules, and both
rules apply to a given user, only one of the active rules is observed. In this case, records that the user shouldn’t have access to
could be accessible.
SEE ALSO:
Enable Custom Permissions in Permission Sets
Restriction Rule Considerations
Applicable Features
• Restriction rules are applied to the following Salesforce features:
– List Views
– Lookups
– Related Lists
– Reports
– Search
– SOQL
– SOSL
• Restriction rules support custom picklist values in record and user criteria. If you delete a custom picklist value used in a restriction
rule, the rule no longer works as intended.
• Use the Activity Timeline instead of Open Activities or Activity History. If you use Open Activities and Activity History related lists,
create rules on task or event objects using fields that are only available on the OpenActivity and ActivityHistory objects.
• If you use Open Activities and Activity History related lists, when restriction rules are applied, it’s possible that fewer than 50 records
are displayed when more activities exist that the user has access to. This behavior occurs because these lists display at most 50
records, and restriction rules are applied after. This behavior is related to the known issue, Limit of Fifty Records Visible in Related
List View.
• After restriction rules are applied, users can still see records that they previously had access to in the search box shortcuts list or in
the Recently Viewed list view. When users click the record name, they can't access the record and get an error.
• Users can see their subordinates' events in calendars even if the users have an active restriction rule applied.
• If a user creates an event or a task record using the Chatter publisher, the record name is visible in the related Chatter post. Restriction
rules don’t restrict visibility to these record names.
• Users can’t clone records that have a lookup to a record that they can’t see due to a restriction rule. For example, you have a restriction
rule that prevents a user from seeing a specific contract record, and the user tries to clone an order record that has a lookup to the
contract record. The user gets an error, preventing the clone operation from succeeding.
• Restriction rules aren’t applied for code executed in System Mode.
• Users with the View All or View All Data permissions can view all records regardless of restriction rules. Users with the Modify All or
Modify All Data permissions can view, edit, and delete all records regardless of restriction rules.
• A user with a restriction rule applied might not find all possible matching results when searching for a record. For performance
reasons, search crowding applies limits to the number of search results. The record the user is looking for can fall outside those limits.
Learn how to adjust your searches for the best results at How Search Crowding Affects Search Results.
• The UserRecordAccess object doesn’t consider whether a user’s access is blocked due to a restriction rule. If a user’s access is blocked
even though query results state that they should have access, check to see if a restriction rule on the object prevents the user’s
access.
– boolean
– date
– dateTime
– double
– int
– reference
– string
– time
– single picklist
Note: Comma-separated ID or string values are supported in the Record Criteria field.
• Restriction rules support only the EQUALS operator. The use of AND and OR operators isn't supported.
• The use of formulas isn’t supported.
• Don't create rules on Event.IsGroupEvent, which indicates whether the event has invitees.
• You can use a change set or unlocked package to move restriction rules from one org to another.
• Some IDs are specific to your Salesforce org, such as role, record type, or profile IDs. If you include these IDs in your User Criteria or
Record Criteria fields, keep this consideration in mind when deploying rules between sandboxes or to a production org. You must
modify these IDs in the target org if the restriction rules were originally created somewhere else.
• When you reference the Owner field, you must specify the object type in your syntax. For example, the Owner field on an Event
object can contain a user or a queue, but queues aren’t supported in restriction rules. So it’s necessary to specify Owner:User in the
record criteria syntax when the criteria should allow only users.
Important:
– Editing or deleting a restriction rule on an external object causes an additional database call, which can result in additional
billing when the external data source bills per call.
– When search is enabled for external object records, searching requires additional database calls each time. Avoid additional
charges by turning off search for external object records.
As with all restriction rules, using only object fields that are indexed is recommended, especially in record criteria.
• Using external IDs in record criteria isn’t recommended.
• Restriction rules for external objects don’t include organization-wide defaults or sharing mechanisms.
• External objects don’t appear in Object Manager. To navigate to an external object, enter External Data Sources in the
Quick Find box in Setup, then select External Data Sources. Select an external object from the list view on this page.
Note: You can also find external objects in the Most Recently Used list in Setup.
Performance Considerations
Restriction rules were built to support sharing needs in a performant way. Your data volume and architecture are also factors in rule
performance.
• To test a rule’s performance impact, take the record criteria to your API client of choice and run the query. If it’s fast for a given user,
the rule is likely to run efficiently. For objects with large data volumes, add three to five percent overhead to the record filter’s
performance.
• If it isn’t performant, isolate the field that is slowing performance. Work with Salesforce customer support to get the field indexed.
SEE ALSO:
Knowledge Article: Improve Performance of SOQL Queries using a Custom Index
Allow Users to See Only Specified Record Type
Available in: Enterprise, Performance, Unlimited, and Developer Editions
This restriction rule allows the designated users to see only the records that have a specified record type.
Note: Only external objects created using the Salesforce Connect: OData 2.0, OData 4.0, and Cross-Org adapters support restriction
rules. Find out more in Restriction Rule Considerations.
This restriction rule allows active users to see records owned by two different managers. In this example, the rule’s record criteria contains
IDs separated by a comma.
SEE ALSO:
Restriction Rule Considerations
Scoping Rules
Scoping rules let you control the records that your users see based on criteria that you select. You can set up scoping rules for different users in your Salesforce org so that they can focus on the records that matter to them. Users can switch the set of records they’re seeing as needed.
Scoping rules are available for custom objects and the account, case, contact, event, lead, opportunity, and task standard objects. Any partner, ISV, or customer can test scoping rules using a Developer Edition org. Scoping rules are turned on in Developer editions created after April 2022.
EDITIONS
Available in: Lightning Experience in Performance, Unlimited, and Developer editions.
This table shows how scoping rules work with other Salesforce features.
Feature Description
List Views Applied in Lightning Experience if Filter by scope is selected
SEE ALSO:
Metadata API Guide: RestrictionRule
Tooling API Guide: RestrictionRule
Salesforce Help: Flow Builder
Tip: Set the Type field as Current User when the rule should apply to the currently logged-in user.
• If the rule applies to a subset of users with a custom permission, select Permission Criteria.
Note:
• To filter records for users with the custom permission, set the Boolean value to True.
• To filter records for users who don’t have the custom permission, set the Boolean value to False.
6. Under Record Criteria, select which records the specified users see by default. For the Field value, you can reference another object’s
field using dot notation.
To designate more than one field value in the record criteria, specify a list of comma-separated string or ID field type values.
• Add values separated by a comma in the Value field.
• Include an ID field and type a comma-separated list of 15-character ID values in the Value field.
Tip: To include a single value that contains a comma, surround the value with double quotes (").
Note: Salesforce doesn’t validate that only one active rule applies for a given user. If you create two active rules, and both
rules apply to a given user, only one of the active rules is observed.
After you activate a scoping rule, users select the filter option Filter by Scope to update their list view or report filter and focus on a
filtered set of records.
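Because Salesforce doesn't check for overlapping active rules (the note above, and the matching note under Restriction Rules), an audit of exported rule metadata can do it before activation. The following is an added example, not Salesforce code: the element names follow the Metadata API RestrictionRule type, while the sample rules, the `$User`/`$Permission` criterion syntax, and grouping conflicts per target object and enforcement type are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
TEMPLATE = (
    '<RestrictionRule xmlns="http://soap.sforce.com/2006/04/metadata">'
    "<active>{active}</active><enforcementType>{kind}</enforcementType>"
    "<masterLabel>{label}</masterLabel><recordFilter>OwnerId = $User.Id</recordFilter>"
    "<targetEntity>{obj}</targetEntity><userCriteria>{crit}</userCriteria>"
    "<version>1</version></RestrictionRule>"
)


def sample(label, active, kind, obj, crit):
    """Build one constructed rule definition for the demo."""
    return TEMPLATE.format(label=label, active=active, kind=kind, obj=obj, crit=crit)


# Constructed sample rules; labels and the custom permission name are hypothetical.
SAMPLE_RULES = [
    sample("Tasks You Own", "true", "Restrict", "Task", "$User.IsActive = true"),
    sample("Sales Tasks Only", "true", "Restrict", "Task", "$Permission.Sales_Task_Viewer = true"),
    sample("Old Task Rule", "false", "Restrict", "Task", "$User.IsActive = true"),
    sample("Contracts You Own", "true", "Restrict", "Contract", "$User.IsActive = true"),
    sample("Default Task Scope", "true", "Scoping", "Task", "$User.IsActive = true"),
]

# Rules support only EQUALS, so a user criterion is a single "left = right" pair.
CRITERION = re.compile(r"^\s*\$(User|Permission)\.(\w+)\s*=\s*(.+?)\s*$")


def parse_rule(xml_text):
    """Extract the fields the audit needs from one rule definition."""
    root = ET.fromstring(xml_text)

    def text(tag):
        node = root.find(f"md:{tag}", NS)
        return (node.text or "").strip() if node is not None else ""

    return {
        "label": text("masterLabel"),
        "active": text("active").lower() == "true",
        "type": text("enforcementType"),
        "object": text("targetEntity"),
        "user_criteria": text("userCriteria"),
    }


def applies_to(rule, user):
    """True or False, or None when the criterion can't be evaluated offline."""
    match = CRITERION.match(rule["user_criteria"])
    if not match:
        return None
    scope, field, expected = match.groups()
    expected = expected.strip("'\"")
    if scope == "Permission":
        has_permission = field in user.get("custom_permissions", set())
        return has_permission == (expected.lower() == "true")
    if field not in user["fields"]:
        return None
    actual = user["fields"][field]
    if isinstance(actual, bool):
        return actual == (expected.lower() == "true")
    return str(actual) == expected


def find_conflicts(rule_xmls, user):
    """Return {(object, enforcement type): [(label, verdict), ...]} where more
    than one active rule applies, or may apply, to the given user."""
    hits = defaultdict(list)
    for xml_text in rule_xmls:
        rule = parse_rule(xml_text)
        if not rule["active"]:
            continue
        verdict = applies_to(rule, user)
        if verdict is not False:  # keep unknowns so a person reviews them
            hits[(rule["object"], rule["type"])].append((rule["label"], verdict))
    return {key: rules for key, rules in hits.items() if len(rules) > 1}


if __name__ == "__main__":
    demo_user = {"fields": {"IsActive": True}, "custom_permissions": {"Sales_Task_Viewer"}}
    for key, rules in find_conflicts(SAMPLE_RULES, demo_user).items():
        print(key, rules)
```

Run it once per representative user profile; a verdict of None marks a criterion the script couldn't evaluate and that needs manual review.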
SEE ALSO:
Enable Custom Permissions in Permission Sets
Tip: Make sure that users who want to run your flow have the Run Flows permission.
After updating their division, users select the filter option Filter by Scope to update their list view or report filter and focus on a different
set of records.
SEE ALSO:
Salesforce Help: Flow Builder
Salesforce Help: Add a Flow to a Utility Bar
• You can reference another object’s field using dot notation in the record criteria field. You can use only one “dot” (one lookup level
from the target entity). For example, Owner.UserRoleId.
• These data types are supported in the record and user criteria fields.
– boolean
– date (yyyy-MM-dd)
– dateTime (yyyy-MM-dd HH:mm:ss)
– double
– int
– reference
– string
– time
– single picklist
Note: Comma-separated ID or string values are supported in the Record Criteria field.
• Don't create rules on Event.IsGroupEvent, which indicates whether the event has invitees.
• Scoping rules on Open Activity or Activity History related lists aren't supported. Instead use the Activity Timeline or create a rule on
the Task or Event object that uses fields available in the OpenActivity or ActivityHistory object.
• For list views and reports, you can apply the scope through Metadata API (using the filterScope field on the ListView type
and the scope field on the Report type).
• Unless you use SOQL, scoping rules support only the EQUALS operator. The AND and OR operators aren’t supported.
• When using the SOQL operator in the record criteria, the SELECT statement, including nested SELECT statements, must include
USING SCOPE EVERYTHING. USING SCOPE EVERYTHING is the only valid scope clause syntax for scoping rules.
• The SOQL operator doesn't support $User syntax except for $User.Id. Dynamic queries within the SOQL operator aren't supported,
including on other user object fields.
• Using the same object as the SOQL Query object and the Scoping Rule object isn’t supported.
• The left operand in the SOQL type RecordCriteria must query a single ID (primary key) or reference (foreign key) field. See Comparison
Operators for a list of valid operators that you can use in the field expression of a WHERE clause, which you use in a SELECT
statement.
• If you include an ID in your record or user criteria field that is specific to your Salesforce org (such as a role, record type, or profile ID),
you must modify the ID in the target org if it’s different from the org where the scoping rule was originally created. Keep this
consideration in mind when deploying rules between sandboxes or to a production org.
Performance Considerations
Scoping rules were built to support sharing needs in a performant way. Your data volume and architecture are factors in rule performance.
Salesforce reserves the right to disable a scoping rule if a rule you create is inefficient or if your data model has so much data that scoping
rules cause slowness when applied. To prevent throttling or deactivation, test the scoping rules that you plan to apply in a sandbox
environment before enabling them in production.
• To test the performance impact of a rule that uses a SOQL operator, take the SOQL statement and run it in your API client of choice.
If it’s fast for a given user, the rule is likely to run efficiently.
• If a rule isn’t performant, isolate the field that is slowing performance. Work with Salesforce customer support to find out if the field
can be indexed.
SEE ALSO:
Knowledge Article: Improve Performance of SOQL Queries using a Custom Index
SOQL and SOSL Reference: Comparison Operators
This scoping rule allows active users to see records owned by two different managers. In this example, the rule’s record criteria contains
IDs separated by a comma.
Important: Salesforce has replaced the individual import wizards for accounts, contacts, and other objects with the Data Import Wizard. Individual import wizards open in small windows, while the Data Import Wizard opens in a full browser with dataimporter.app at the end of the URL. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard. The options you see depend on your permissions.
You can import data from ACT!, Outlook, and any program that can save data in comma-delimited text format (.csv), such as Excel or GoldMine.
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings (Settings | Settings).
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Your edition determines the types of objects you can import.
The number of records you can import depends on your permissions and the type of data that you import. You can import as many
records as allowed, as long as you don’t exceed the overall data storage limits for your Salesforce org.
For information on field accessibility and how to import field value types, see Notes on Importing Data on page 669.
• About Data Loader
• Perform Mass Updates
• Video: Series: Managing Data Using the Data Loader
• Developer Guide: Data Loader Guide: When to Use Data Loader
• Import Limits
• Salesforce Developer Limits and Allocations Quick Reference: Bulk API Allocations
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
Undoing an Import
What permissions do I need to import records?
Importing Records
The number of records you can import depends on your permissions and the type of data you’re importing. You can import as many records as allowed, as long as you don’t exceed the overall data storage limits for your org.
EDITIONS
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Which records can be imported?
Type of record | Import record limit | User permissions needed | Learn more
Business accounts and contacts owned by you | 50,000 at a time via the Data Import Wizard | Import Personal Contacts | What Is Imported for Business Accounts and Contacts?
Business accounts and contacts owned by other users | 50,000 at a time | Modify All Data | What Is Imported for Business Accounts and Contacts?
Edit on accounts
AND
Import Personal
Contacts
• Existing contacts
• Existing leads
• Existing person
accounts
• New contacts
• New leads
You can’t import these records via the Data Import Wizard:
• Assets
• Cases
• Campaigns
• Contracts
• Documents
• Opportunities
• Products
For information on field accessibility and how different field type values are imported, see Notes on Importing Data on page 669.
Data Import Wizard | All, except Personal and Database.com Editions | Up to 50,000 | Yes | No | Internal | An in-browser wizard that imports your org’s accounts, contacts, leads, solutions, campaign members, and custom objects. Read more.
SEE ALSO:
Data Import Wizard
Import Data Into Salesforce
Matching by Salesforce ID
You can also choose to match contacts and business accounts by Salesforce ID. With this option, the Salesforce ID is the criteria for
de-duplication. That is, if you are matching by ID and a record in your source file has the same ID as a record in Salesforce, that record is
updated in Salesforce. Record IDs are case-sensitive and must match exactly.
Matching by External ID
An external ID is a custom field that has the External ID attribute, meaning that it contains unique record identifiers from a system outside
of Salesforce. When you select this option, the Data Import Wizard detects existing records in Salesforce with external IDs that match
those values in the import file.
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the external ID field also has the case-sensitive
Unique attribute, matching by external ID does not consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
Import Data Into Salesforce
Matching by Email
This option matches records in your import file with existing records in Salesforce according to the exact value in the Email field.
Matching by External ID
An external ID is a custom field that has the External ID attribute, meaning that it contains unique record identifiers from a system outside
of Salesforce. When you select this option, the Data Import Wizard detects existing records in Salesforce with external IDs that match
those values in the import file.
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the external ID field also has the case-sensitive
Unique attribute, matching by external ID does not consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
• Add new and update existing records—If records in your file are new and don’t match existing records, insert them into Salesforce.
If records in your file match existing records, update the existing records.
Matching by Name
When you select this option, the Data Import Wizard detects existing records in Salesforce that have the same name. This type of matching
is case-sensitive. If necessary, scan and standardize your record names before performing the import to prevent unintended matches.
Matching by Email
This option matches records in your import file with existing records in Salesforce according to the exact value in the Email field.
Matching by Salesforce ID
A Salesforce ID is a system-generated, case-sensitive string of 15 or 18 letters and numbers that uniquely identifies each Salesforce record.
When you select this option, the Data Import Wizard detects existing records in Salesforce that have the same Salesforce ID. You can
obtain Salesforce IDs by running reports that include the ID field of the record.
Matching by External ID
An external ID is a custom field that has the External ID attribute, meaning that it contains unique record identifiers from a system outside
of Salesforce. When you select this option, the Data Import Wizard detects existing records in Salesforce with external IDs that match
those values in the import file.
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the external ID field also has the case-sensitive
Unique attribute, matching by external ID does not consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
Matching by External ID
An external ID is a custom field that has the External ID attribute, meaning that it contains unique record identifiers from a system outside
of Salesforce. When you select this option, the Data Import Wizard detects existing records in Salesforce with external IDs that match
those values in the import file.
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the external ID field also has the case-sensitive
Unique attribute, matching by external ID does not consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
SEE ALSO:
Import Campaign Members
Data Import Wizard
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the
external ID field also has the case-sensitive Unique attribute, matching by external ID does not
consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
Matching by Salesforce ID
A Salesforce ID is a system-generated, case-sensitive string of 15 or 18 letters and numbers that uniquely identifies each Salesforce record. When you select this option, the Data Import Wizard detects existing records in Salesforce that have the same Salesforce ID. You can obtain Salesforce IDs by running reports that include the ID field of the record.
USER PERMISSIONS
To import solutions: Import Solutions
Matching by External ID
An external ID is a custom field that has the External ID attribute, meaning that it contains unique record identifiers from a system outside
of Salesforce. When you select this option, the Data Import Wizard detects existing records in Salesforce with external IDs that match
those values in the import file.
• This operation isn’t case-sensitive. For example, “ABC” is matched with “abc”. However, if the external ID field also has the case-sensitive
Unique attribute, matching by external ID does not consider uppercase and lowercase letters identical.
• External IDs can be of type text, number, email, or auto-number. If the external ID type is auto-number, it isn’t available for matching,
but you can use it to look up the parent record if it contains the external ID.
• Standardize External ID values before performing the import to prevent unintended matches.
• Multiple records with the same External ID within a file aren’t uploaded.
• Multiple external ID fields can find matching records in Salesforce when you use the Data Import Wizard.
• Only unique External ID fields are available to match by.
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
• Multi-Select Picklists—To import multiple values into a multi-select picklist, separate the
values by a semicolon in your import file.
You can import up to 100 values at a time in a multi-select picklist field. If you have more than 100 values in your import file for any
one record, the import wizard leaves the field blank in that record.
• Checkboxes—To import data into a checkbox field, use 1 for checked values and 0 for unchecked values.
• Default Values—For picklist, multi-select picklist, and checkbox fields, if you do not map the field in the import wizard, the default
value for the field, if any, is automatically inserted into the new or updated record.
• Date/Time Fields—Ensure that the format of any date/time fields you are importing matches how they display in Salesforce per
your locale setting.
• Formula Fields—Formula fields cannot accept imported data because they are read only.
• Field Validation Rules—Salesforce runs validation rules on records before they are imported. Records that fail validation aren’t
imported. Consider deactivating the appropriate validation rules before running an import if they affect the records you are importing.
• Geolocation Custom Fields—To import a geolocation custom field using the Data Import Wizard, supply two values: a latitude
and a longitude. Import both values in one field, separated by a semicolon. If you enter only one value, it is imported as the latitude,
and the longitude is interpreted as 0. If you supply more than two values, the import fails for the entire row.
• Currency Fields—If you have currency data in your CSV file, format your values for your locale. For example, if you’re in the U.S.
locale, use periods for decimals and commas for thousand markers. Using the incorrect currency format could change your imported
values.
SEE ALSO:
Data Import Wizard
Choosing a Method for Importing Data
Import Data Into Salesforce
SEE ALSO:
Data Import Wizard
2. Review data you will import to ensure that it is more up-to-date than what is already in Salesforce. Your Salesforce data will be
replaced with data from your import file, even if it is out of date.
3. Compare your data fields with the Salesforce fields you can import into, and verify that your data will be mapped into the appropriate
Salesforce fields. See Prepare Your Data for Import on page 673.
4. If you are the administrator and are importing for multiple users, combine export data from multiple sources into a single comma
delimited text file (.csv) using Excel.
Note: When importing records from multiple users, your export file must include a Record Owner field for all new records
which must contain the full usernames or first and last names of existing, active users. Existing record owners will not be
changed; new records will be assigned to the user listed in the Record Owner field. For example, records that should be
owned by Joe Smith in your organization must have that user’s username (“jsmith@acme.com”) or first and last names (for
example, “Joe Smith”, or “Smith Joe” for Asian locales). For lead imports, you can also specify the name of a lead queue.
When importing leads, you can alternatively use a lead assignment rule to specify the owners of the imported data, instead
of using a Record Owner field.
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings
(Settings | Settings).
SEE ALSO:
Default Field Mapping for ACT!
Create Export Files for Import Wizards
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings
(Settings | Settings).
3. Select the folder containing the contacts you want to export, and click Next.
4. Choose a file name for the exported data and click Next.
5. Click Finish.
SEE ALSO:
Default Field Mapping for Outlook
Create Export Files for Import Wizards
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings
(Settings | Settings).
2. Ensure your file includes only one name per field. The system cannot accept more than one name per field.
3. Ensure your file separates names and titles into two fields. The system cannot accept fields containing both names and titles.
4. Ensure your file includes only one phone number per field.
SEE ALSO:
Field Mapping for Other Data Sources and Organization Import
Create Export Files for Import Wizards
1. Run an account, campaign member, contact, custom object, lead, or solution report in Salesforce. Include the respective ID field and any other fields that are required for the import.
2. Export the report to Excel.
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
Note: Remember that Salesforce record IDs are case-sensitive. Don’t manually change
Salesforce IDs in your import file.
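A pre-import check for the two matching hazards described above: Salesforce IDs whose letter case was altered in a spreadsheet, and External ID values that collide once case is ignored. This is an added example, not Salesforce code; the CSV, its IDs and the Legacy_Key__c column are constructed, and the 18-character suffix rule used here is the widely documented 15-to-18 conversion, which this page doesn't state.

```python
import csv
import io
from collections import defaultdict

SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

# Constructed import file: line 3 has had its ID upper-cased, line 4 reuses the
# external key of line 2 in different case, line 6 has a truncated ID.
SAMPLE_CSV = """\
Id,Legacy_Key__c,Name
0015g00000AbCdEAAV,ACME-001,Acme Corp
0015G00000ABCDEAAV,acme-002,Acme Holdings
0015g00000XyZ12AAF,Acme-001,Acme Corporation
0015g00000XyZ12,GLOBEX-7,Globex
0015g00000XyZ1,INITECH-3,Initech
"""


def id_suffix(id15):
    """Three-character suffix that records which of the 15 characters are
    uppercase: one 5-bit value per group of five characters."""
    out = []
    for start in (0, 5, 10):
        bits = 0
        for i, ch in enumerate(id15[start:start + 5]):
            if "A" <= ch <= "Z":
                bits |= 1 << i
        out.append(SUFFIX_ALPHABET[bits])
    return "".join(out)


def check_salesforce_id(value):
    """Classify an ID as ok, unverifiable, case-altered or malformed."""
    if not (value.isascii() and value.isalnum()) or len(value) not in (15, 18):
        return "malformed"
    if len(value) == 15:
        return "unverifiable"  # 15-character IDs carry no case checksum
    return "ok" if value[15:].upper() == id_suffix(value[:15]) else "case-altered"


def external_id_collisions(rows, column, case_sensitive=False):
    """Group rows whose external ID is identical under the matching rule."""
    groups = defaultdict(list)
    for line_no, row in rows:
        raw = row[column].strip()  # assumption: surrounding whitespace is noise
        if raw:
            groups[raw if case_sensitive else raw.casefold()].append((line_no, raw))
    return [members for members in groups.values() if len(members) > 1]


def preflight(csv_text, id_column, ext_column, case_sensitive=False):
    """Return bad IDs and external ID collisions, keyed by file line number."""
    # Line 1 is the header, so data rows start at line 2.
    rows = list(enumerate(csv.DictReader(io.StringIO(csv_text)), start=2))
    bad_ids = []
    for line_no, row in rows:
        value = row[id_column].strip()
        status = check_salesforce_id(value)
        if status in ("malformed", "case-altered"):
            bad_ids.append((line_no, value, status))
    return {
        "bad_ids": bad_ids,
        "collisions": external_id_collisions(rows, ext_column, case_sensitive),
    }


if __name__ == "__main__":
    report = preflight(SAMPLE_CSV, "Id", "Legacy_Key__c")
    print(report["bad_ids"])
    print(report["collisions"])
```

Pass case_sensitive=True when the external ID field has the case-sensitive Unique attribute, since matching then distinguishes uppercase from lowercase.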
SEE ALSO:
Create Export Files for Import Wizards
Videos: Data Import How-To Series
Note: If your data has information in fields that do not match any standard fields, your admin can create custom fields for that data before import.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Preparing Contacts
Use Excel® to label the columns in your import file as specified in Field Mapping for Other Data Sources and Organization Import on page 680.
Preparing Person Accounts
When importing person accounts, use the field labels in Salesforce as the column labels in your import file.
Preparing Org Business Accounts and Contacts
When importing business accounts and contacts for your org, you must use Excel® to label the columns in your import file as specified in Field Mapping for Other Data Sources and Organization Import on page 680.
Preparing Org Leads
When importing general leads or leads for campaigns, use the import file labels specified in Field Mapping for Importing Leads on
page 684.
Preparing Custom Objects
When importing a custom object, use the field labels shown on the custom object detail page in Salesforce as the column labels in
your import file.
Preparing Campaign Members
When importing campaign members, use the field labels in Salesforce as the column labels in your import file.
Preparing Solutions
When importing solutions, use the field labels in Salesforce as the column labels in your import file.
You can enter HTML into the solutions you plan to import into Salesforce. However, unless your org has enabled HTML solutions,
HTML tags will display in the solutions after they are imported.
For security purposes, Salesforce automatically filters all HTML solutions for potentially malicious HTML. If potentially malicious HTML
is detected in an HTML solution, the potentially malicious HTML is either removed or transformed into text for users who view the
HTML solution. Users can’t notice when potentially malicious HTML is removed from an HTML solution.
You can import solutions written in HTML format into Salesforce. However, for security purposes, only the HTML tags listed below
are allowed. The content of any HTML tags not listed below is removed when saved in HTML solutions. Furthermore, the content of
all <script> and <iframe> tags, as well as all JavaScript, is removed when saved in HTML solutions. Cascading Style Sheets
(CSS) are not supported in HTML solutions.
The following HTML tags are allowed in HTML solutions imported into Salesforce:
<dl>
Within the above tags, you can include the following attributes:
The above attributes, which can include a URL, are limited to URLs that begin with the following:
• http:
• https:
• file:
• ftp:
• mailto:
• #
• / for relative links
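A pre-import check for the URL prefix rule above, as an added example (it is not Salesforce's filter and does not reproduce it): it scans a solution's HTML for URL-valued attributes and reports values that do not begin with one of the listed prefixes. Treating href and src as the URL-valued attributes and comparing prefixes case-insensitively are assumptions, since the attribute list is not reproduced on this page.

```python
from html.parser import HTMLParser

# URL prefixes the documentation lists for URL-valued attributes.
ALLOWED_PREFIXES = ("http:", "https:", "file:", "ftp:", "mailto:", "#", "/")

# Assumption: which attributes carry URLs (the page's attribute list is not shown).
URL_ATTRIBUTES = frozenset({"href", "src"})


def classify_url(value):
    """Return 'allowed', 'review' or 'not-allowed' for one attribute value."""
    candidate = value.strip().lower()  # assumption: case-insensitive prefix match
    if candidate.startswith("//"):
        # Passes the "/" prefix test, but a browser resolves it to another host,
        # so it is surfaced for a human decision instead of being waved through.
        return "review"
    if candidate.startswith(ALLOWED_PREFIXES):
        return "allowed"
    return "not-allowed"


class _UrlAttributeCollector(HTMLParser):
    """Collects (tag, attribute, value, verdict) for every URL-valued attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute
        # values, so an encoded scheme is judged on its decoded form.
        for name, value in attrs:
            if name in URL_ATTRIBUTES:
                value = value or ""  # attribute present without a value
                self.findings.append((tag, name, value, classify_url(value)))


def audit_solution_html(html_text):
    """Return the findings for one solution body, in document order."""
    collector = _UrlAttributeCollector()
    collector.feed(html_text)
    collector.close()
    return collector.findings


# Constructed sample solution body (not taken from a real org).
SAMPLE_SOLUTION = (
    '<p>See the <a href="https://example.com/kb/42">article</a>, '
    '<a href="#steps">steps</a>, or the <a href="/faq">FAQ</a>.</p>'
    '<p><a href="javascript:void(0)">details</a> '
    '<img src="data:image/png;base64,AAAA"> '
    '<a href="//cdn.example.net/x">mirror</a></p>'
)

if __name__ == "__main__":
    for tag, name, value, verdict in audit_solution_html(SAMPLE_SOLUTION):
        print(f"{verdict:12} <{tag} {name}={value!r}>")
```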
SEE ALSO:
Default Field Mapping for ACT!
Default Field Mapping for Outlook
Create Export Files for Import Wizards
Note: If an ACT! record contains more than one contact for the same company, the import wizard creates multiple contacts for one account.
Available in: Salesforce Classic (not available in all orgs)
Available in: All Editions except Database.com
ACT! Field Import Field
Address 1 Contact: Mailing Address and Account: Billing Address
2nd Last Reach, 3rd Last Reach, Asst. Title, Last Attempt, Last Meeting, Last Reach, Last Results, Letter Date, Pager, Spouse, User 1-15 Contact: Note or Account: Note
(In Professional, Enterprise, Unlimited, Performance, and Developer Edition organizations, you specify which fields import into a single contact or account note; separate notes are not created for each ACT! field.)
SEE ALSO:
Exporting from ACT!
Prepare Your Data for Import
SEE ALSO:
Exporting from Outlook
Prepare Your Data for Import
Contact Fields
Label for Your Import File Salesforce Field
Assistant Contact: Assistant
Contact Full Name or First Name & Last Name Contact: First Name and Contact: Last Name
(Note: When importing contact names, use either Contact Full Name or First Name and Last Name, but not both.)
Other Phone Ext. Appended to Contact: Other Phone
2nd Contact Split into Contact: First Name & Last Name for a second
contact for the account
2nd Phone Contact: Phone for a second contact for the account
2nd Phone Ext. Appended to Contact: Phone for a second contact for the account
2nd Title Contact: Title for a second contact for the account
3rd Contact Split into Contact: First Name & Last Name for a third
contact for the account
3rd Phone Contact: Phone for a third contact for the account
3rd Phone Ext. Appended to Contact: Phone for a third contact for the account
3rd Title Contact: Title for a third contact for the account
Account Fields
Label for Your Import File Salesforce Field
Account Description Account: Description
Account Fax Ext. Appended to Account: Fax
Shipping Country Account: Shipping Country
Note: If you include record types in your import file, the Import Wizard uses the record owner’s default record type when creating
new records. For existing records, the Import Wizard does not update the record type field.
SEE ALSO:
Prepare Your Data for Import
Note: The following default mappings aren’t always 100% accurate in mapping your data. Check the import and fine-tune the mapping in the Data Import Wizard as necessary.
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Import File Label Salesforce Lead Field
Annual Revenue Annual Revenue
City City
Company Company
Country Country
Description Description
Email Email
Use “1” to indicate that the user opts out. Use “0” to indicate that
the user wants emails.
Fax Fax
Full Name or First Name & Last Name First Name and Last Name
(Note: When importing lead names, use either Full Name or First
Name and Last Name, but not both.)
Industry Industry
Note: Do not specify this field if you assign the division using the
dropdown list in Step 1 of the Data Import Wizard. If you do not
map this field or use the division dropdown list, the division is set
to the record owner’s default division for each record.
Lead ID Lead ID
Note: Do not specify this field if you assign the same lead source
to all leads on the first page of the Data Import Wizard. The Lead
Source dropdown lists all active lead source picklist values.
Phone Phone
Rating Rating
Note: You do not need this field if you assign ownership using a
lead assignment rule. When you import records by Salesforce record
ID, this field is ignored.
Set Up and Maintain Your Salesforce Organization Data Import Wizard
State State
Status Status
(in the Campaign History related list of a lead)
Street 1 Address
Street 2 Address
Street 3 Address
Title Title
Website Website
If you include record types in this list, the Data Import Wizard uses the record owner’s default record type when creating new records.
For existing records, the Data Import Wizard does not update the record type field.
If you use assignment rules, the Data Import Wizard uses the new owner’s default record type when creating new records. When the
assignment rules assign the record to a queue, the queue owner’s default record type is used.
SEE ALSO:
Prepare Your Data for Import
Note:
• Internet Explorer 9 doesn’t support dragging CSV files into the browser.
• Don’t run more than one import job at a time, even from separate browser windows.
• Data Import Wizard doesn’t support importing custom objects into Experience Cloud sites.
SEE ALSO:
Import Data with the Data Import Wizard
Personalize Your Salesforce Experience
Note: If you have workflows that add new objects when importing, selecting add new and update existing records
fires them, but selecting update existing records doesn't.
c. Specify matching and other criteria as necessary. Hover your mouse over the question marks for more information about each
option.
Note: For updates and upserts of custom objects, match by Name is case-sensitive.
d. Specify whether to trigger workflow rules and processes when the imported records meet the criteria.
e. Specify the file that contains your data.
Specify your data file by dragging the CSV file to the upload area of the page. You can also click the CSV category you’re using
and then navigate to the file.
f. Choose a character encoding method for your file. Typically, you don’t change your character encoding.
g. Select comma or tab as a value separator.
h. Click Next.
Note: You also have the option to save data from unmapped fields in a general notes field for accounts and contacts.
Choose Account Note or Contact Note from the Map To dropdown list and click Map.
d. To change mappings that Salesforce performed automatically, click Change to the left of the appropriate field. Delete the
Salesforce fields you don’t want to map, choose the fields you want to map, then click Map.
e. Click Next.
Note: The Bulk Data Load Jobs page is not available in Professional Edition. Only administrators have access to the Bulk Data
Load Jobs page in Salesforce Setup. If you’re not an administrator, you can check the status of your upload by monitoring the
relevant tabs in Salesforce.
Need help to get started? Check out www.salesforce.com/gettingstarted to access live webinars, videos, setup series and more. For
hands-on help with data importing, complete the Importing Data module in Trailhead.
Set Up and Maintain Your Salesforce Organization Add Person Accounts with the Data Import Wizard
4. Select the CSV file that contains your import data, and click Next.
5. Map column headers from your CSV file to these fields.
• First Name
• Last Name
• Email
• Phone
6. Click Next.
7. Review the import settings, and then click Start Import.
When we finish importing your data, we notify you by email. Review the results and resolve any errors that occurred.
To create person accounts that you own via the Data Import Wizard:
• Create on accounts AND Edit on accounts AND Import Personal Contacts
To create person accounts owned by others via the Data Import Wizard:
• Create on accounts AND Edit on accounts and contacts AND Modify All Data
Set Up and Maintain Your Salesforce Organization About Data Loader
Note: In previous versions, Data Loader has been known as “AppExchange Data Loader” and “Sforce Data Loader.”
Installation Considerations
Over time, several versions of the Data Loader client application have been available for download. Some earlier versions were called
“AppExchange Data Loader” or “Sforce Data Loader.” You can run different versions at the same time on one computer. However, don’t
install more than one copy of the same version. If you’ve installed the latest version and want to install it again, first remove the version
on your computer.
As of Data Loader v56.0.0, if the latest version of Data Loader isn’t compatible with your org's current API version, your installed version
of Data Loader automatically attempts to use the previous API version to resolve compatibility with your org. For example, if your org
doesn’t support API v56.0, Data Loader v56.0.0 tries making requests with API v55.0.
Download Data Loader from the Tools section of the Salesforce Developer website.
Note: Install Java Runtime Environment (JRE) version 11 or later, for example, Zulu OpenJDK version 11 or later, before installing
Data Loader.
Tip: If you experience login issues in the command-line interface after upgrading Data Loader, try encrypting your password again
to solve the problem.
Note: The Data Loader command-line interface is supported for Windows only.
To change the source code, download the open-source version of Data Loader from https://github.com/forcedotcom/dataloader.
Login Considerations
• When using Data Loader from the command line or UI, you can log in with Salesforce credentials or use Web Server OAuth
Authentication (Data Loader version 56.0 and later). See OAuth Authentication for more information.
• If your organization restricts IP addresses, logins from untrusted IPs are blocked until they’re activated. Salesforce automatically sends
you an activation email that you can use to log in. The email contains a security token that you add to the end of your password. For
example, if your password is mypassword, and your security token is XXXXXXXXXX, you must enter
mypasswordXXXXXXXXXX to log in.
• Salesforce Communities users always log in with the OAuth option in Data Loader (Data Loader version 36.0 and later). To enable
OAuth for Digital Experiences, the user modifies the config.properties file as follows.
– Change the portion in bold in the following line to the login URL of the site. Don’t add a forward slash (/) to the end of the line.
sfdc.oauth.Production.server=https\://login.salesforce.com
For example:
sfdc.oauth.Production.server=https\://MyDomainName.my.site.com/test
Note: If you’re not using enhanced domains, your org’s Experience Cloud sites URL is different. For details, see My Domain
URL Formats in Salesforce Help.
– Change the portion in bold in the following line to the hostname of the site.
sfdc.oauth.Production.redirecturi=https\://login.salesforce.com/services/oauth2/success
For example:
sfdc.oauth.Production.redirecturi=https\://MyDomainName.my.site.com/services/oauth2/success
The config.properties file is in the configs default configuration directory, which is installed in these locations.
– macOS: /Users/{userName}/dataloader/version/configs
– Windows: C:\Users\{userName}\dataloader\version\configs
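A check for the two OAuth lines described above, as an added example that is not part of Data Loader: it reads config.properties text and reports a server value that ends in a slash, a value that is not a well-formed https URL, and a redirecturi whose hostname or path does not line up with the server. The hostname-match and path rules are derived from this page's two examples, and the properties reader is a minimal one written for this sketch.

```python
import re
from urllib.parse import urlsplit

SERVER_KEY = "sfdc.oauth.Production.server"
REDIRECT_KEY = "sfdc.oauth.Production.redirecturi"
SUCCESS_PATH = "/services/oauth2/success"  # path used in both examples on the page


def read_properties(text):
    """Minimal reader: key=value lines, '#' or '!' comments, backslash escapes.

    Line continuations are not handled (assumption: the OAuth lines are single lines).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            # In a .properties file a backslash escapes the next character,
            # so the escaped colon in the URL becomes a plain ':' once loaded.
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def check_oauth_settings(text):
    """Return a list of problems found in the two OAuth settings."""
    props = read_properties(text)
    server = props.get(SERVER_KEY, "")
    redirect = props.get(REDIRECT_KEY, "")
    server_url, redirect_url = urlsplit(server), urlsplit(redirect)
    problems = []

    if server_url.scheme != "https" or not server_url.hostname:
        problems.append("server is not an https URL with a hostname")
    if server.endswith("/"):
        problems.append("server ends with a forward slash")
    if redirect_url.scheme != "https" or not redirect_url.hostname:
        problems.append("redirecturi is not an https URL with a hostname")
    elif redirect_url.path != SUCCESS_PATH:
        problems.append("redirecturi path is not " + SUCCESS_PATH)
    if (server_url.hostname and redirect_url.hostname
            and server_url.hostname != redirect_url.hostname):
        problems.append("redirecturi hostname differs from server hostname")
    return problems


# Constructed sample built from the example values on this page.
GOOD_CONFIG = "\n".join([
    "# OAuth settings for an Experience Cloud site",
    r"sfdc.oauth.Production.server=https\://MyDomainName.my.site.com/test",
    r"sfdc.oauth.Production.redirecturi=https\://MyDomainName.my.site.com/services/oauth2/success",
])

# Constructed sample: server edited for the site, redirecturi left at the default.
HALF_EDITED_CONFIG = "\n".join([
    r"sfdc.oauth.Production.server=https\://MyDomainName.my.site.com/test/",
    r"sfdc.oauth.Production.redirecturi=https\://login.salesforce.com/services/oauth2/success",
])

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("half-edited", HALF_EDITED_CONFIG)):
        print(label, check_oauth_settings(text) or "no problems")
```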
SEE ALSO:
Technical Requirements for Lightning Experience
4. After the download completes, open the .zip file and select Extract All.
5. In the Data Loader folder, find and open the installation file. On macOS, look for the installer.command file. On Windows, look for the install.bat file. On macOS, ignore any error message about an unidentified developer: press the Control key while clicking the installer.command file, and select Open from the menu.
6. Specify a directory for the Data Loader installation. Overwrite the contents if a Data Loader directory already exists.
7. Answer the prompts and decide your preferences to complete the installation.
To open Data Loader, use the Data Loader desktop icon, or find it from the Start menu (Windows) or in your Applications folder (macOS).
You can also run dataloader.app (macOS) or dataloader.bat (Windows) from the installation folder.
If you have Data Loader version 44 or earlier installed and want to upgrade to the current version while retaining your current settings, move config.properties from the /configs subdirectory of the previous version of your Data Loader installation to the /configs subdirectory of your current version.
SEE ALSO:
Considerations for Installing Data Loader
Field Description
Reset URL on Login
By default, Salesforce resets the URL after login to the one specified in Server host. To turn off this automatic reset, disable this option.
Query request size
In a single export or query operation, records are returned from Salesforce in increments of this size. Larger values can improve performance but use more memory on the client.
The default is 500; the minimum is 200, and the maximum is 2,000. There is no guarantee that the requested batch size is the actual batch size; changes are sometimes made to maximize performance.
Generate status files for exports
Select this option to generate success and error files when exporting data.
Read all CSVs with UTF-8 encoding
Select this option to force files to open in UTF-8 encoding, even if they were saved in a different format.
Write all CSVs with UTF-8 encoding
Select this option to force files to be written in UTF-8 encoding.
Use European date format
Select this option to support the date formats dd/MM/yyyy and dd/MM/yyyy HH:mm:ss.
Allow field truncation
Select this option to truncate data in the following types of fields when loading that data into Salesforce: Email, Multi-select Picklist, Phone, Picklist, Text, and Text (Encrypted).
In Data Loader versions 14.0 and earlier, Data Loader truncates values for fields of those types if they are too large. In Data Loader version 15.0 and later, the load operation fails if a value is specified that is too large.
Selecting this option allows you to specify that the previous behavior, truncation, be used instead of the new behavior in Data Loader versions 15.0 and later. This option is selected by default and has no effect in versions 14.0 and earlier.
This option is not available if the Use Bulk API option is selected. In that case, the load operation fails for the row if a value is specified that is too large for the field.
Allow comma as a CSV delimiter
Select this option if your CSV file uses commas to delimit records.
Allow tab as a CSV delimiter
Select this option if your CSV file uses tab characters to delimit records.
Allow other characters as CSV delimiters
Select this option if your CSV file uses a character other than a comma or tab to delimit records.
Other delimiters (enter multiple values with no separator; for example, !+?)
The characters in this field are used only if the Allow other characters as CSV delimiters option is selected. For example, if you use the | (pipe) character to delimit data records, enter that character in this field.
Use Bulk API
Select this option to use Bulk API to insert, update, upsert, delete, and hard-delete records. Bulk API is optimized to load or delete many records asynchronously. It’s faster than the default SOAP-based API due to parallel processing and fewer network round-trips.
Enable serial mode for Bulk API
To use serial processing instead of parallel processing for Bulk API, select this option. Processing in parallel can cause database contention. When contention is severe, the load can fail. Serial mode processes batches one at a time, however it can increase the processing time for a load.
This option is only available if the Use Bulk API option is selected.
Upload Bulk API Batch as Zip File
Select this option to use Bulk API to upload zip files containing binary attachments, such as Attachment records or Salesforce CRM Content.
This option is only available if the Use Bulk API option is selected.
Proxy host
The host name of the proxy server, if applicable.
Proxy NTLM domain
The name of the Windows domain used for NTLM authentication.
Start at row
If your last operation failed, you can use this setting to begin where the last successful operation finished.
SEE ALSO:
Data Loader Behavior with Bulk API Enabled
Enable Bulk API
Allow field truncation
This option directs Data Loader to truncate data for certain field types when the Bulk API is disabled. A load operation fails for the row if a value is specified that is too large for the field when the Use Bulk API option is selected.
SEE ALSO:
Configure Data Loader
Note:
• You can also select the Enable serial mode for Bulk API option. Processing in parallel can cause database
contention. When contention is severe, the load can fail. Serial mode processes batches one at a time, however it can increase
the processing time for a load.
• Caution: You can hard delete records when you configure Data Loader to Use Bulk API. Keep in mind that hard deleted
records are immediately deleted and can’t be recovered from the Recycle Bin.
SEE ALSO:
Configure Data Loader
• Only dates within a certain range are valid. The earliest valid date is 1700-01-01T00:00:00Z GMT, or just after midnight on January
1, 1700. The latest valid date is 4000-12-31T00:00:00Z GMT, or just after midnight on December 31, 4000. These values are offset
by your time zone. For example, in the Pacific time zone, the earliest valid date is 1699-12-31T16:00:00, or 4:00 PM on December
31, 1699.
Double
Standard double string
ID
A Salesforce ID is a case-sensitive 15-character or case-insensitive 18-character alphanumeric string that uniquely identifies a particular record.
Tip: To ensure data quality, make sure that all Salesforce IDs you enter in Data Loader are in the correct case.
Integer
Standard integer string
String
All valid XML strings; invalid XML characters are removed.
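The 18-character form of an ID is the 15-character ID plus three characters that record which of its letters are uppercase, which is what lets it survive tools that ignore case. The added example below (not Salesforce or Data Loader code) recomputes that suffix to flag IDs whose case was altered before a load and to restore the original case from an 18-character ID. The first two sample IDs are taken from the attachment CSV on this page; the lowercase and uppercase variants are constructed.

```python
import re

# Each suffix character encodes a 5-bit mask: bit n is set when character n
# of the corresponding 5-character chunk is an uppercase letter.
_SUFFIX_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
_ID15 = re.compile(r"[A-Za-z0-9]{15}")
_ID18 = re.compile(r"[A-Za-z0-9]{18}")


def case_suffix(id15):
    """Compute the 3-character suffix for a 15-character, case-sensitive ID."""
    if not _ID15.fullmatch(id15):
        raise ValueError("expected 15 ASCII letters or digits")
    suffix = ""
    for start in (0, 5, 10):
        mask = 0
        for offset, ch in enumerate(id15[start:start + 5]):
            if ch.isupper():
                mask |= 1 << offset
        suffix += _SUFFIX_ALPHABET[mask]
    return suffix


def to_id18(id15):
    """Convert a 15-character ID to its 18-character form."""
    return id15 + case_suffix(id15)


def check_id(value):
    """Classify an ID as 'ok-15', 'ok-18', 'case-mismatch' or 'malformed'.

    'ok-15' only means well-formed: a 15-character ID carries no redundancy,
    so altered case cannot be detected in it.
    """
    if _ID15.fullmatch(value):
        return "ok-15"
    if _ID18.fullmatch(value):
        if case_suffix(value[:15]) == value[15:].upper():
            return "ok-18"
        return "case-mismatch"
    return "malformed"


def repair_case(id18):
    """Restore the letter case of an 18-character ID from its suffix.

    Raises ValueError when the suffix cannot belong to the ID.
    """
    if not _ID18.fullmatch(id18):
        raise ValueError("expected 18 ASCII letters or digits")
    suffix = id18[15:].upper()
    repaired = ""
    for chunk_no, start in enumerate((0, 5, 10)):
        mask = _SUFFIX_ALPHABET.index(suffix[chunk_no])  # ValueError for 6-9
        for offset, ch in enumerate(id18[start:start + 5]):
            wants_upper = bool(mask & (1 << offset))
            if ch.isdigit():
                if wants_upper:
                    raise ValueError("suffix marks a digit as uppercase")
                repaired += ch
            else:
                repaired += ch.upper() if wants_upper else ch.lower()
    return repaired + suffix


if __name__ == "__main__":
    samples = [
        "50030000000VDowAAG",  # from the attachment CSV on this page
        "701300000000iNHAAY",  # from the attachment CSV on this page
        "50030000000vdowAAG",  # constructed: letters lowercased by a tool
    ]
    for value in samples:
        print(value, check_id(value), repair_case(value))
```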
Export Data
You can use the Data Loader export wizard to extract data from a Salesforce object.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
USER PERMISSIONS
To export records:
• Read on the records
To export all records:
• Read on the records
1. To start Data Loader, double click the Data Loader icon on your Desktop or in your Applications folder.
2. Click Export. If you want to also export archived activity records and soft-deleted records, click Export All instead.
3. Enter your Salesforce username and password, and click Log in.
4. When you’re logged in, click Next. (You are not asked to log in again until you log out or close the program.)
If your organization restricts IP addresses, logins from untrusted IPs are blocked until they’re activated. Salesforce automatically sends you an activation email that you can use to log in. The email contains a security token that you add to the end of your password. For example, if your password is mypassword, and your security token is XXXXXXXXXX, you must enter mypasswordXXXXXXXXXX to log in.
5. Choose an object. For example, select the Account object. If your object name isn’t listed, select Show all objects to see all the objects that you can access. The objects are listed by localized label name, with the developer name in parentheses. For object descriptions, see the Salesforce Object Reference.
6. Select the CSV file to export the data to. You can choose an existing file or create a file.
If you select an existing file, the export replaces its contents. To confirm the action, click Yes, or choose another file by clicking No.
7. Click Next.
8. Create a SOQL query for the data export. For example, select Id and Name in the query fields, and click Finish. As you follow the
next steps, the CSV viewer displays all the Account names and their IDs. SOQL is the Salesforce Object Query Language. Similar to
the SELECT command in SQL, with SOQL, you can specify the source object, a list of fields to retrieve, and conditions for selecting
rows in the source object.
a. Choose the fields you want to export.
b. Optionally, select conditions to filter your dataset. If you do not select any conditions, all the data to which you have read access
is returned.
c. Review the generated query and edit if necessary.
Tip: You can use a SOQL relationship query to include fields from a related object. For example:
Select Name, Pricebook2Id, Pricebook2.Name, Product2Id, Product2.ProductCode FROM
PricebookEntry WHERE IsActive = true
Or:
Select Id, LastName, Account.Name FROM Contact
When using relationship queries in the Data Loader, the fully specified field names are case-sensitive. For example, using
ACCOUNT.NAME instead of Account.Name does not work.
Data Loader doesn’t support nested queries or querying child objects. For example, queries similar to the following return an
error:
SELECT Amount, Id, Name, (SELECT Quantity, ListPrice,
PriceBookEntry.UnitPrice, PricebookEntry.Name,
Also, Data Loader doesn’t support queries that use polymorphic relationships. For example, the following query results in an
error:
SELECT Id, Owner.Name, Owner.Type, Owner.Id, Subject FROM Case
10. To view the CSV file, click View Extraction, or to close, click OK.
Note:
• Data Loader currently does not support exporting attachments. As a workaround, use the weekly export feature in the online
application to export attachments.
• If you select compound fields for export in the Data Loader, they cause error messages. To export values, use individual field
components.
Use the Data Loader wizards to add, modify, or delete records. The upsert wizard combines inserting and updating a record. If a record
in your file matches an existing record, the existing record is updated with the values in your file. If no match is found, a new record is
created. When you hard-delete records, the deleted records are not stored in the Recycle Bin and are eligible for deletion. For more
information, see Configure Data Loader.
1. To start Data Loader, double click the Data Loader icon on your Desktop or in your Applications folder.
2. Click Insert, Update, Upsert, Delete, or Hard Delete. These commands are also listed in the File menu.
3. Enter your Salesforce username and password. To log in, click Log in. When you are logged in, click Next. (Until you log out or close
the program, you are not asked to log in again.)
If your organization restricts IP addresses, logins from untrusted IPs are blocked until they’re activated. Salesforce automatically sends
you an activation email that you can use to log in. The email contains a security token that you add to the end of your password. For
example, if your password is mypassword, and your security token is XXXXXXXXXX, you must enter
mypasswordXXXXXXXXXX to log in.
4. Choose an object. For example, if you are inserting Account records, select Account. If your object name does not display in the
default list, select Show all objects to see a complete list of the objects that you can access. The objects are listed by localized label
name, with the developer name noted in parentheses.
Note: Data Loader deletes records based on the IDs in the CSV file, not the object selected.
5. To select your CSV file, click Browse. For example, if you are inserting Account records, you could specify a CSV file called
insertaccounts.csv containing a Name column for the names of the new accounts.
6. Click Next. After the object and CSV file are initialized, click OK.
7. If you are performing an upsert, your CSV file must contain a column of ID values for matching against existing records. The column
is either an external ID (a custom field with the External ID attribute) or ID (the Salesforce record ID).
a. From the dropdown list, select which field to use for matching. If the object has no external ID fields, ID is used. Click Next to
continue.
b. If your file includes the external IDs of an object that has a relationship to your chosen object, enable that external ID for record
matching by selecting its name from the dropdown list. If you make no selection, you can use the related object’s ID field for
matching by mapping it in the next step. Click Next to continue.
8. Define how the columns in your CSV file map to Salesforce fields. To select an existing field mapping, click Choose an Existing
Map. To create or modify a map, click Create or Edit a Map. Click Next.
9. For each operation, the Data Loader generates two unique CSV log files. One file name starts with “success,” and the other starts
with “error.” Click Browse to specify a directory for these files.
10. To complete the operation, click Finish, and then click Yes to confirm. As the operation proceeds, a progress information window
reports the status of the data movement.
11. To view your success or error files, click View Successes or View Errors. To close the wizard, click OK.
Tip:
• If you are updating or deleting large amounts of data, review Perform Mass Updates and Perform Mass Deletes for tips and
best practices.
• There is a 5-minute limit to process 100 records when the Bulk API is enabled. If it takes longer than 10 minutes to process a
file, the Bulk API places the remainder of the file back in the queue for later processing. If the Bulk API continues to exceed the
10-minute limit on subsequent attempts, the file is placed back in the queue and reprocessed up to 10 times before the
operation is permanently marked as failed. Even if the processing fails, some records could have completed successfully, so
check the results. If you get a timeout error when loading a file, split your file into smaller files and try again.
6. If you made a mistake, use the backup file to update the records to their previous values.
Upload Attachments
Use Data Loader to upload attachments to Salesforce.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
Before uploading attachments, note the following:
• If you intend to upload with Bulk API, verify that Upload Bulk API Batch as Zip File on the Settings > Settings page is enabled.
• If you are migrating attachments from a source Salesforce org to a target org, begin by requesting a data export for the source org. On the Schedule Export page, select Include Attachments to include the Attachment.csv file in your export. You can use this CSV file to upload the attachments.
Confirm that the CSV file you want to use for attachment importing contains these required columns. Each column represents a Salesforce
field. The CSV file can also include other optional Attachment fields, such as Description.
• ParentId—Salesforce ID of the parent record
• Name—Name of the attachment file, such as myattachment.jpg
• Body—Absolute path to the attachment on your local drive
Make sure that the values in the Body column contain the full path of the attachments on your computer. For example, if an attachment named myattachment.jpg is in the folder C:\Export, Body must specify C:\Export\myattachment.jpg. Your CSV file looks like this example:
ParentId,Name,Body
50030000000VDowAAG,attachment1.jpg,C:\Export\attachment1.jpg
701300000000iNHAAY,attachment2.doc,C:\Export\files\attachment2.doc
50030000000VJowBBG,attachment_word_document.doc,C:\Export\attachment_word_document.doc
Proceed with an insert or upsert operation (see Insert, Update, or Delete Data Using Data Loader on page 702). For the select data objects
step, select Show all Salesforce objects and the attachment object name in the list.
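Because every path in the Body column names a local file that gets uploaded, the attachment CSV is worth checking before the insert. This added example (not part of Data Loader) verifies the required columns, the shape of ParentId, and that each Body path is absolute and stays inside one staging folder. The C:\Export staging root and the three bad rows are assumptions constructed for illustration; the two good rows come from the sample above.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

REQUIRED_COLUMNS = ("ParentId", "Name", "Body")
_ID_SHAPE = re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?")


def body_path_problem(body, staging_root):
    """Return a description of what is wrong with one Body value, or None."""
    # PureWindowsPath parses Windows paths without touching the file system,
    # so the check also runs on a non-Windows review machine.
    path = PureWindowsPath(body)
    if not path.is_absolute():
        return "Body is not an absolute path"
    if ".." in path.parts:
        # Pure paths do not collapse '..', so a path can start with the
        # staging root and still point somewhere else once resolved.
        return "Body contains a parent-directory segment"
    try:
        path.relative_to(staging_root)
    except ValueError:
        return "Body is outside the staging folder"
    return None


def preflight_attachments(csv_text, staging_root=r"C:\Export"):
    """Return a list of (line number, problem) tuples for an attachment CSV."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing required column(s): " + ", ".join(missing))]

    problems = []
    for row in reader:
        line_no = reader.line_num
        if not _ID_SHAPE.fullmatch((row.get("ParentId") or "").strip()):
            problems.append((line_no, "ParentId is not a 15- or 18-character ID"))
        if not (row.get("Name") or "").strip():
            problems.append((line_no, "Name is empty"))
        issue = body_path_problem((row.get("Body") or "").strip(), staging_root)
        if issue:
            problems.append((line_no, issue))
    return problems


SAMPLE_CSV = "\n".join([
    "ParentId,Name,Body",
    r"50030000000VDowAAG,attachment1.jpg,C:\Export\attachment1.jpg",        # from the page
    r"701300000000iNHAAY,attachment2.doc,C:\Export\files\attachment2.doc",  # from the page
    r"50030000000VDowAAG,notes.txt,notes.txt",                               # constructed
    r"50030000000VDowAAG,report.doc,C:\Export\..\Users\admin\report.doc",    # constructed
    r"5003000,photo.jpg,C:\Temp\photo.jpg",                                  # constructed
])

if __name__ == "__main__":
    for line_no, problem in preflight_attachments(SAMPLE_CSV):
        print(f"line {line_no}: {problem}")
```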
• When you upload a link using the Data Loader, specify the URL in ContentUrl. Don’t use
PathOnClient or VersionData to upload links.
• You can’t export content using the Data Loader.
• If you’re updating content that you’ve already uploaded:
– Perform the Insert function.
– Include a ContentDocumentId column with an 18-character ID. Salesforce uses this information to determine that you’re
updating content. When you map the ContentDocumentId, the updates are added to the content file. If you don’t include
the ContentDocumentId, the content is treated as new, and the content file isn’t updated.
Field Description
Title The file name
Description (Optional.) The file or link description. If there are commas in the description, use double quotes around
the text.
VersionData The complete file path on your local drive (for uploading documents only). Files are converted to base64
encoding on upload. This action adds approximately 30% to the file size.
PathOnClient The complete file path on your local drive (for uploading documents only).
OwnerId (Optional). The file owner, defaults to the user uploading the file.
2. Upload the CSV file for the ContentVersion object (see Insert, Update, or Delete Data Using Data Loader on page 702). All documents
and links are available in the specified library.
5. To return to the CSV Chooser window, click Close. To exit the window, click OK. To generate success files when exporting data,
select Generate status files for exports.
If you are using Data Loader for Mac OSX, view the log file by opening terminal and entering open $TMPDIR/sdl.log.
If you are having login issues from the command line, ensure that the password provided in the configuration parameters is encrypted.
If you are having login issues from the UI, you may need to obtain a new security token.
Note: The Data Loader command-line interface is supported for Windows only.
Available in: Enterprise, Performance, Unlimited, and Developer editions
Note: If you have used batch mode from the command-line with a version earlier than 8.0, see Upgrade Your Batch Mode Interface
on page 709.
Note: The Data Loader command-line interface is supported for Windows only.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
bin
Contains the batch files encrypt.bat for encrypting passwords and process.bat for running batch processes.
For information on running Data Loader from the command-line, see Run Batch File With Windows Command-Line Interface on page 709.
configs
The default configuration directory. Contains the configuration files config.properties,
Loader.class, and log-conf.xml.
The config.properties file that is generated when you modify the Settings dialog in the graphical user interface is located
at C:\Users\{userName}\dataloader\version\configs.
Data Loader runs the operation, file, or map listed in the configuration file that you specify. If you don’t specify a configuration
directory, the current directory is used.
samples
Contains subdirectories of sample files for reference.
1. Open a command prompt, and navigate to the bin subfolder of your Data Loader installation
folder.
2. Run encrypt.bat.
3. At the command line, follow the prompts provided to execute the following actions.
Note: The Data Loader command-line interface is supported for Windows only.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
To run Data Loader from a configured Windows batch file:
1. Include your encrypted password in the configuration file to run a batch operation. For more information, see Data Loader Command Line Introduction on page 726 and Encrypt from the Command Line on page 708.
2. Use the process-conf.xml file to configure batch file processing. Specify the name of
the process in the ProcessRunner bean's id attribute. For example,
<bean id="accountInsert" class="com.salesforce.dataloader.process.ProcessRunner"
scope="prototype">
3. Navigate to the Data Loader \bin directory by entering this command. Replace the file path with the path from your system.
cd C:\Users\{userName}\dataloader\version\bin
4. To run the batch file, use the correct command syntax for process.bat:
process.bat <configdir> [<operation>]
where:
• <configdir> (mandatory) The absolute or relative path to the directory containing process-conf.xml. It must be
the first parameter when running process.bat.
• <batch process bean id> (optional) The id of the batch process bean of class
com.salesforce.dataloader.process.ProcessRunner defined in the process-conf.xml file. If not
provided, then the value of the process.name property in the config.properties file is used.
Tip: If you experience login issues in the command-line interface after upgrading Data Loader, try encrypting your password again
to solve the problem. For information, see Encrypt from the Command Line on page 708.
dataAccess.writeUTF8 (boolean)
Settings dialog option: Write all CSVs with UTF-8 encoding
Select this option to force files to be written in UTF-8 encoding.
Sample value: true
loader.csvComma (boolean)
Settings dialog option: Allow comma as a CSV delimiter
Select this option if your CSV file uses commas to delimit records.
loader.csvTab (boolean)
Settings dialog option: Allow tab as a CSV delimiter
Select this option if your CSV file uses tab characters to delimit records.
loader.csvOther (boolean)
Settings dialog option: Allow other characters as CSV delimiters
Select this option if your CSV file uses a character other than a comma or tab to delimit records.
loader.csvOtherValue (string)
Settings dialog option: Other delimiters (enter multiple values with no separator; for example, !+?)
The characters in this field are used only if the Allow other characters as CSV delimiters option is selected. For example, if you use the | (pipe) character to delimit data records, enter that character in this field.
process.enableExtractStatusOutput (boolean)
Settings dialog option: Generate status files for exports
Select this option to generate success and error files when exporting data.
Sample value: true
The name of the CSV file that stores error data from the last operation.
The name of the CSV file that stores success data from the last operation. See also process.enableExtractStatusOutput on page 712.
See process.enableExtractStatusOutput on page 712.
Stores SOAP messages sent to or from Salesforce. As messages are sent or received, they are appended to the end of the file. As the file does not have a size limit, monitor your available disk storage appropriately.
Operation | Description
extract all | Uses SOQL to export a set of records from Salesforce, including existing and soft-deleted records. The exported data is written to a data source.
insert | Loads data from a data source into Salesforce as new records.
update | Loads data from a data source into Salesforce, and updates existing records with matching ID fields.
upsert | Loads data from a data source into Salesforce. Existing records with a matching custom external ID field are updated. Records without matches are inserted as new records.
delete | Loads data from a data source into Salesforce, and deletes existing records with matching ID fields. Deleted records are moved to the Recycle Bin.
hard delete | Loads data from a data source into Salesforce, and deletes existing records with matching ID fields without first storing them in the Recycle Bin.
sqlConfig
The SQL configuration bean for the data access object that interacts with a database.
dataSource
The bean that acts as database driver and authenticator. It must refer to an implementation of javax.sql.DataSource such
as org.apache.commons.dbcp.BasicDataSource.
The following code is an example of a DatabaseConfig bean:
<bean id="AccountInsert"
class="com.salesforce.dataloader.dao.database.DatabaseConfig"
scope="singleton">
<property name="sqlConfig" ref="accountInsertSql"/>
</bean>
DataSource
The DataSource bean sets the physical information needed for database connections. It contains the following properties:
driverClassName
The fully qualified name of the implementation of a JDBC driver.
url
The string for physically connecting to the database.
username
The username for logging in to the database.
password
The password for logging in to the database.
Depending on your implementation, additional information may be required. For example, use
org.apache.commons.dbcp.BasicDataSource when database connections are pooled.
The following code is an example of a DataSource bean:
<bean id="oracleRepDataSource"
class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close"
scope="prototype">
<property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
<property name="url" value="jdbc:oracle:thin:@myserver.salesforce.com:1521:TEST"/>
<property name="username" value="test"/>
<property name="password" value="test"/>
</bean>
Versions of Data Loader from API version 25.0 onwards do not come with an Oracle JDBC driver. Using Data Loader to connect to an
Oracle data source without a JDBC driver installed will result in a “Cannot load JDBC driver class” error. To add the Oracle JDBC driver to
Data Loader:
• Download the latest JDBC driver from
http://www.oracle.com/technetwork/database/features/jdbc/index-091264.html.
• Copy the JDBC .jar file to data loader install folder/java/bin.
SEE ALSO:
Spring Framework
Data Access Objects
SQL Configuration
Spring Framework
Note: The Data Loader command-line interface is supported for Windows only.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
The Data Loader configuration files are based on the Spring Framework, which is an open-source, full-stack Java/J2EE application framework.
The Spring Framework allows you to use XML files to configure beans. Each bean represents an instance of an object; the parameters correspond to each object's setter methods. A typical bean has the following attributes:
id
Uniquely identifies the bean to XmlBeanFactory, which is the class that gets objects from an XML configuration file.
class
Specifies the implementation class for the bean instance.
For more information on the Spring Framework, see the official documentation and the support forums. Note that Salesforce cannot
guarantee the availability or accuracy of external websites.
SEE ALSO:
Configure Database Access
SQL Configuration
Note: The Data Loader command-line interface is supported for Windows only.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
When running Data Loader in batch mode from the command line, the SqlConfig class contains configuration parameters for accessing specific data in the database. As shown in the code samples below, queries and inserts are different but very similar. The bean must be of type com.salesforce.dataloader.dao.database.SqlConfig and have the following properties:
sqlString
The SQL code to be used by the data access object.
The SQL can contain replacement parameters that make the string dependent on configuration
or operation variables. Replacement parameters must be delimited on both sides by “@”
characters. For example, @process.lastRunDate@.
sqlParams
A property of type map that contains descriptions of the replacement parameters specified in sqlString. Each entry represents
one replacement parameter: the key is the replacement parameter's name, the value is the fully qualified Java type to be used when
the parameter is set on the SQL statement. Note that “java.sql” types are sometimes required, such as java.sql.Date instead
of java.util.Date. For more information, see the official JDBC API documentation.
columnNames
Used when queries (SELECT statements) return a JDBC ResultSet. Contains column names for the data outputted by executing
the SQL. The column names are used to access and return the output to the caller of the DataReader interface.
locs.city,
locs.postal_code,
locs.state,
locs.country,
parties.sic_code
from
ar.hz_cust_accounts accounts,
ar.hz_organization_profiles org,
ar.hz_parties parties,
ar.hz_party_sites party_sites,
ar.hz_locations locs
where
accounts.PARTY_ID = org.PARTY_ID
and parties.PARTY_ID = accounts.PARTY_ID
and party_sites.PARTY_ID = accounts.PARTY_ID
and locs.LOCATION_ID = party_sites.LOCATION_ID
and (locs.last_update_date > @process.lastRunDate@ OR
accounts.last_update_date > @process.lastRunDate@)
</value>
</property>
<property name="columnNames">
<list>
<value>recordTypeId</value>
<value>account_number</value>
<value>organization_name</value>
<value>billing_address</value>
<value>city</value>
<value>postal_code</value>
<value>state</value>
<value>country</value>
<value>sic_code</value>
</list>
</property>
<property name="sqlParams">
<map>
<entry key="process.lastRunDate" value="java.sql.Date"/>
</map>
</property>
</bean>
SEE ALSO:
Configure Database Access
Map Columns
Note: The Data Loader command-line interface is supported for Windows only.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
When running Data Loader in batch mode from the command line, you must create a properties file that maps values between Salesforce and data access objects.
1. Create a new mapping file and give it an extension of .sdl.
2. Observe the following syntax:
• On each line, pair a data source with its destination.
• In an import file, put the data source on the left, an equals sign (=) as a separator, and the destination on the right. In an export file, put the destination on the left, an equals sign (=) as a separator, and the data source on the right.
• Data sources can be either column names or constants. Surround constants with double quotation marks, as in “sampleconstant”.
Values without quotation marks are treated as column names.
• Destinations must be column names.
• You may map constants by surrounding them with double quotation marks, as in:
"Canada"=BillingCountry
3. In your configuration file, use the parameter process.mappingFile to specify the name of your mapping file.
Note: If your field name contains a space, you must escape the space by prepending it with a backslash (\). For example:
Account\ Name=Name
Note: If you specify a constant value that contains spaces, you must escape the spaces by prepending each with a backslash (\).
For example:
"Food\ &\ Beverage"=Industry
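The mapping rules above can be checked before a batch run. The following parser is an added example, not part of Data Loader or of the original documentation; it handles import mappings only (source on the left), and the function names and sample lines are constructed for illustration. It rejects the mistakes that would silently change what gets loaded, such as an unescaped space or a constant typed without straight double quotes.

```python
import re


class MappingError(ValueError):
    """A line that breaks the .sdl syntax rules listed above."""


def _split_at_equals(line):
    """Split at the first '=' that is not escaped with a backslash."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
        elif line[i] == "=":
            return line[:i].strip(), line[i + 1:].strip()
        else:
            i += 1
    return None


def _unescape(text):
    """Remove the escaping backslashes, so 'Account\\ Name' becomes 'Account Name'."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_sdl(text):
    """Parse an import mapping file (source on the left, destination on the right).

    Returns a list of (kind, source, destination); kind is 'constant' or 'column'.
    """
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        pair = _split_at_equals(line)
        if pair is None or not pair[0]:
            raise MappingError(f"line {lineno}: expected source=destination")
        source, dest = pair
        # Every space in a field name or constant must be escaped with a backslash.
        if re.search(r"(?<!\\)\s", source):
            raise MappingError(f"line {lineno}: unescaped space in {source!r}")
        # Destinations must be column names, never quoted constants.
        if not dest or '"' in dest:
            raise MappingError(f"line {lineno}: destination must be a column name")
        if len(source) >= 2 and source.startswith('"') and source.endswith('"'):
            mappings.append(("constant", _unescape(source[1:-1]), _unescape(dest)))
        elif '"' in source or "\u201c" in source or "\u201d" in source:
            # A stray or typographic quote would otherwise pass as a column name.
            raise MappingError(f"line {lineno}: malformed quoting in {source!r}")
        else:
            mappings.append(("column", _unescape(source), _unescape(dest)))
    return mappings


# Constructed sample assembled from the mapping lines shown in this section.
SAMPLE = r'''#Mapping values
Account\ Name=Name
NumberOfEmployees=NumberOfEmployees
"Canada"=BillingCountry
"Food\ &\ Beverage"=Industry
'''

if __name__ == "__main__":
    for kind, source, dest in parse_sdl(SAMPLE):
        print(f"{kind:8} {source!r} -> {dest}")
```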
Process Example
process ../conf accountMasterProcess
Note: To view tips and instructions, add -help to the command contained in process.bat.
Note: You can configure external process launchers, such as the Windows XP Scheduled Task Wizard, to run processes on a
schedule.
Prerequisites
Note: The Data Loader command-line interface is supported for Windows only.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
To step through this quick start requires the following:
• Data Loader installed on the computer that runs the command-line process.
• The Java Runtime Environment (JRE) installed on the computer that runs the command-line process.
• Familiarity with importing and exporting data by using the Data Loader interactively through the user interface. This makes it easier to understand how the command-line functionality works.
Tip: When you install Data Loader, sample files are installed in the samples directory
under the user’s directory, for example,
C:\Users\{userName}\dataloader\version\samples\. Examples of files
that are used in this quick start are in the \samples\conf directory.
4. Create an encryption key file by entering the following command. Replace [path to key file] with the key file path.
encrypt.bat -k [path to key file]
For example:
C:\Users\jjang\Dataloader\v45\bin>encrypt.bat -k
Keyfile "C:\Users\jjang\.dataloader\dataloader.key" was created!
C:\Users\jjang\Dataloader\v45\bin>
Note: To see a list of command-line options for encrypt.bat, enter encrypt.bat on the command line.
5. Note the key file path. In this example, the path is C:\Users\{userName}\.dataloader\dataLoader.key.
The encryption utility encrypts passwords but not data. HTTPS with TLS 1.0 or later encrypts data transmitted by the Apex Data Loader.
SEE ALSO:
Step Two: Create the Encrypted Password
2. Copy the generated encrypted password string. You use this value in a later step.
SEE ALSO:
Step Three: Create the Field Mapping File
#Mapping values
#Thu May 26 16:19:33 GMT 2011
Name=Name
NumberOfEmployees=NumberOfEmployees
Industry=Industry
Tip: For complex mappings, you can use the Data Loader user interface to map source and destination fields and then save
those mappings to an .sdl file. This is done on the Mapping dialog box by clicking Save Mapping.
SEE ALSO:
Step Four: Create the Configuration File
value="C:\DLTest\In\insertAccounts.csv"/>
<entry key="process.outputSuccess"
value="c:\DLTest\Log\accountInsert_success.csv"/>
<entry key="process.outputError"
value="c:\DLTest\Log\accountInsert_error.csv"/>
<entry key="dataAccess.type" value="csvRead"/>
<entry key="process.initialLastRunDate"
value="2005-12-01T00:00:00.000-0800"/>
</map>
</property>
</bean>
</beans>
3. Modify the following parameters in the process-conf.xml file. For more information about the process configuration
parameters, see Data Loader Process Configuration Parameters on page 711.
• sfdc.endpoint—Enter the URL of the Salesforce instance for your organization; for example,
https://yourInstance.salesforce.com/.
• sfdc.username—Enter the username Data Loader uses to log in.
• sfdc.password—Enter the encrypted password value that you created in step 2.
• process.mappingFile—Enter the path and file name of the mapping file.
• dataAccess.name—Enter the path and file name of the data file that contains the accounts that you want to import.
• sfdc.debugMessages—Currently set to false. Set it to true for troubleshooting. If set to true, debug messages
are captured in the file specified by sfdc.debugMessagesFile.
Note: Debug messages can contain sensitive information such as session id.
• sfdc.debugMessagesFile—Enter the path and file name of the command-line log file.
• process.outputSuccess—Enter the path and file name of the success log file.
• process.outputError—Enter the path and file name of the error log file.
Warning: Use caution when using different XML editors to edit the process-conf.xml file. Some editors add XML
tags to the beginning and end of the file, which causes the import to fail.
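Several of the parameters above affect how credentials and session data are exposed, so it is worth checking a process-conf.xml before scheduling it. The audit below is an added example, not Salesforce code: the sample file is constructed, the configOverrideMap property name is taken from the Data Loader sample configuration rather than from this page, and the test for an encrypted password assumes that encrypt.bat emits a hexadecimal string.

```python
import re
import xml.etree.ElementTree as ET

RUNNER_CLASS = "com.salesforce.dataloader.process.ProcessRunner"
# Assumption: encrypt.bat output is a hexadecimal string; adjust for your version.
LOOKS_ENCRYPTED = re.compile(r"[0-9a-fA-F]{16,}")

# Constructed sample: one careless process definition and one clean one.
SAMPLE_CONF = r"""<beans>
  <bean id="accountInsert" class="com.salesforce.dataloader.process.ProcessRunner" scope="prototype">
    <property name="configOverrideMap">
      <map>
        <entry key="sfdc.endpoint" value="http://yourInstance.salesforce.com/"/>
        <entry key="sfdc.username" value="user@example.com"/>
        <entry key="sfdc.password" value="MyPlainPassword1"/>
        <entry key="sfdc.debugMessages" value="true"/>
        <entry key="sfdc.debugMessagesFile" value="C:\DLTest\Log\accountInsertSoapTrace.log"/>
      </map>
    </property>
  </bean>
  <bean id="accountExtract" class="com.salesforce.dataloader.process.ProcessRunner" scope="prototype">
    <property name="configOverrideMap">
      <map>
        <entry key="sfdc.endpoint" value="https://yourInstance.salesforce.com/"/>
        <entry key="sfdc.username" value="user@example.com"/>
        <entry key="sfdc.password" value="0f3a9c5e7b1d24680f3a9c5e7b1d2468"/>
        <entry key="sfdc.debugMessages" value="false"/>
      </map>
    </property>
  </bean>
</beans>"""


def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}bean'."""
    return tag.rsplit("}", 1)[-1]


def load_processes(xml_text):
    """Return {bean id: {config key: value}} for every ProcessRunner bean."""
    root = ET.fromstring(xml_text)
    processes = {}
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("class") != RUNNER_CLASS:
            continue
        processes[bean.get("id")] = {
            entry.get("key"): entry.get("value", "")
            for entry in bean.iter() if _local(entry.tag) == "entry"
        }
    return processes


def audit(xml_text):
    """Return (bean id, config key, message) for each risky setting found."""
    findings = []
    for bean_id, cfg in load_processes(xml_text).items():
        endpoint = cfg.get("sfdc.endpoint", "")
        if endpoint and not endpoint.lower().startswith("https://"):
            # The encryption utility protects the password only; HTTPS protects the data.
            findings.append((bean_id, "sfdc.endpoint", "endpoint is not HTTPS"))
        password = cfg.get("sfdc.password")
        if password is not None and not LOOKS_ENCRYPTED.fullmatch(password):
            # The value itself is never echoed into the finding.
            findings.append((bean_id, "sfdc.password",
                             "value does not look like encrypt.bat output"))
        if cfg.get("sfdc.debugMessages", "false").strip().lower() == "true":
            target = cfg.get("sfdc.debugMessagesFile", "<not set>")
            findings.append((bean_id, "sfdc.debugMessages",
                             "debug messages (may include session id) written to " + target))
    return findings


if __name__ == "__main__":
    for bean_id, key, message in audit(SAMPLE_CONF):
        print(f"[{bean_id}] {key}: {message}")
```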
SEE ALSO:
Step Five: Import the Data
Note: The Data Loader command-line interface is supported for Windows only.
Now that all the pieces are in place, you can run Data Loader from the command line and insert some new accounts.
1. Copy the following data to a file named accountInsert.csv. This is the account data that you import into your organization.
Name,Industry,NumberOfEmployees
Dickenson plc,Consulting,120
GenePoint,Biotechnology,265
Express Logistics and Transport,Transportation,12300
Grand Hotels & Resorts Ltd,Hospitality,5600
Note: Salesforce is not responsible for the availability or content of third-party websites.
Log In with Hardware 2FA
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer editions
To use a hardware key, create a Salesforce Connected App to log in to Data Loader with OAuth and 2FA.
To log in using OAuth and two-factor authentication (2FA)
1. Create a Connected App in Salesforce for your Salesforce org's OAuth authentication Data
Loader.
a. Make sure that the API (Enable OAuth Settings) section of the app's configuration is completed as follows:
b. Check Enable OAuth Settings. The section expands into more detail.
c. Check Enable for Device Flow. Checking this box automatically populates the Callback URL.
d. For Selected OAuth Scopes, select: Manage user data via APIs (api).
e. Click Save.
c. Copy the value for the Consumer Key. The value of Consumer Key is the client id you need in the next steps.
Undoing an Import
If you import accounts, contacts, leads, or solutions by mistake, your administrator can delete the items you mistakenly imported.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All Editions except Database.com
USER PERMISSIONS
User Permissions Needed
To mass delete data: Modify All Data
1. As the administrator, enter Mass Delete Records in the Quick Find box from Setup,
2. Select Mass Delete Records to delete the items that were mistakenly imported.
View the Using Mass Delete to Undo Imports document for instructions.
The Mass Delete Records tools do not support custom objects. If you import custom objects by mistake in Enterprise, Unlimited, Performance, or Developer Edition, your administrator can use the Data Loader to mass delete the mistakenly imported records.
SEE ALSO:
Data Import Wizard
Import Data Into Salesforce
Import Limits
Limits for importing data depend on the type of record.
You can import data from ACT!, Outlook, and any program that can save data in the CSV (comma-separated values) format, such as Excel
or GoldMine.
Business accounts and contacts owned by other users | 50,000 at a time | Modify All Data
Assets, Cases, Campaigns, Contracts, Documents, Opportunities, Products | You can’t import these records via the Data Import Wizard.
• Your import file can be up to 100 MB, but each record in your file can’t exceed 400 KB, which is about 4,000 characters. To determine
how many fields you can import, use this formula: 4,000 / (average number of characters in an API field name * 2). For example, if
your average field character length is 40, you can import approximately 50 fields.
Set Up and Maintain Your Salesforce Organization General Importing Questions
Important: Salesforce has replaced the individual import wizards for accounts, contacts, and other objects with the Data Import
Wizard. Individual import wizards open in small windows, while the Data Import Wizard opens in a full browser with dataimporter.app
at the end of the URL. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard.
The options you see depend on your permissions.
Data Loader
Importing records with Data Loader requires these permissions.
• “Read,” “Create,” “Edit,” and “Delete” on the objects
• “API Enabled”
• “Bulk API Hard Delete” (only if you configure Data Loader to use Bulk API to hard-delete records)
To import accounts and contacts owned by others via the Data Import Wizard: Modify All Data
To import custom object data via the Data Import Wizard: Import Custom Objects AND Create on the custom object
To add or update campaign members via the Data Import Wizard: Marketing User selected in your user information AND Read on contacts OR Import Leads AND Edit on campaigns
To add contacts that you own to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Create on accounts AND Read on contacts AND Edit on accounts and campaigns AND Import Personal Contacts
To create contacts that you own and add them to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Create on accounts AND Read on contacts AND Edit on accounts and campaigns
To add contacts owned by others to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Create on accounts AND Read on contacts AND Edit on accounts, contacts, and campaigns AND Modify All Data
To create contacts owned by others and add them to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Create on accounts AND Read on contacts AND Edit on accounts, contacts, and campaigns AND Modify All Data
To add existing leads to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Edit on campaigns AND Import Leads
To create leads and add them to a campaign via the Data Import Wizard: Marketing User selected in your user information AND Edit on campaigns AND Import Leads
To add person accounts that you own to a campaign via the Data Import Wizard: Create on accounts AND Edit on accounts
To create person accounts that you own via the Data Import Wizard: Create on accounts AND Edit on accounts AND Import Personal Contacts
To add person accounts owned by others to a campaign via the Data Import Wizard: Create on accounts AND Edit on accounts and contacts AND Modify All Data
To create person accounts owned by others via the Data Import Wizard: Create on accounts AND Edit on accounts and contacts AND Modify All Data
Important: Salesforce has replaced the individual import wizards for accounts, contacts, and other objects with the Data Import
Wizard. Individual import wizards open in small windows, while the Data Import Wizard opens in a full browser with dataimporter.app
at the end of the URL. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard.
The options you see depend on your permissions.
• Ask your administrator whether you’re working behind a proxy server. If so, adjust your Data Loader settings. If you’re using APIs that
are behind a proxy server, the proxy server prevents the APIs from connecting with Salesforce servers; you won’t see information
about the APIs under Login History.
• Try to log in on another computer to verify that your local device settings aren’t causing the problem.
SEE ALSO:
Reset Your Security Token
Set Trusted IP Ranges for Your Organization
To add contacts that you own to a campaign via the Data Import Wizard: Marketing User selected in User Detail AND Create on accounts AND Read on contacts AND Edit on accounts and campaigns AND Import Personal Contacts
To create contacts that you own and add them to a campaign via the Data Import Wizard: Marketing User selected in User Detail AND Create on accounts AND Read on contacts AND Edit on accounts and campaigns AND Import Personal Contacts
To create contacts owned by others and add them to a campaign via the Data Import Wizard: Marketing User selected in User Detail AND Create on accounts AND Read on contacts AND Edit on accounts, contacts, and campaigns AND Modify All Data
To add existing leads to a campaign via the Data Import Wizard: Marketing User selected in User Detail AND Edit on campaigns AND Import Leads
To create leads and add them to a campaign via the Data Import Wizard: Marketing User selected in User Detail AND Edit on campaigns AND Import Leads
To add person accounts that you own to a campaign via the Data Import Wizard: Create on accounts AND Edit on accounts AND Import Personal Contacts
Should I sync Outlook or use import wizards to upload my data into Salesforce?
Use this information to determine how to upload data into Salesforce.
• To upload accounts and contacts for multiple users at the same time, use the Data Import Wizard and select Accounts and Contacts.
• To upload your contacts from any application other than Microsoft Outlook, use the Data Import Wizard and select Accounts and
Contacts.
• To keep your Outlook contacts, accounts, and calendar events up-to-date with Salesforce, use Lightning Sync or Salesforce for Outlook
to initially sync and update your data.
• To upload custom objects, leads, person accounts, campaign members, and solutions, use the Data Import Wizard and select the
appropriate object to import those kinds of records into Salesforce. You can’t sync those records using Lightning Sync or
Salesforce for Outlook.
• To upload business accounts and contacts for multiple users at the same time, use the Data Import Wizard and select Accounts
and Contacts.
Note: When you import person accounts, the following limitations apply.
• You can’t upload person accounts with Salesforce for Outlook.
• You can sync contacts in Outlook to person accounts in Salesforce only if the person accounts already exist. Syncing doesn’t
convert Outlook contacts to person accounts in Salesforce.
For more information about importing person accounts, see Data Import Wizard on page 686.
Important: Salesforce has replaced the individual import wizards for accounts, contacts, and other objects with the Data Import
Wizard. Individual import wizards open in small windows, while the Data Import Wizard opens in a full browser with dataimporter.app
at the end of the URL. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard.
The options you see depend on your permissions.
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings
(Settings | Settings).
SEE ALSO:
Import Data Into Salesforce
Important: Salesforce has replaced the individual import wizards for accounts, contacts, and other objects with the Data Import
Wizard. Individual import wizards open in small windows, while the Data Import Wizard opens in a full browser with dataimporter.app
at the end of the URL. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard.
The options you see depend on your permissions.
Can I import data into a picklist field if the values don’t match?
We recommend that you import your data into an existing picklist when that picklist accurately represents your data, even if the exact
values don’t match. The import wizards warn you before importing any new picklist values. However, the wizards accept any value for
a picklist field, even if the value isn’t predefined. Your administrator can later edit the picklist to include the needed values. Note that
import wizards don’t allow you to import more than 100 new picklist or multi-select picklist values for any field during a single import.
How do I use the Data Import Wizard to update records that match specified Salesforce IDs?
You can use the Data Import Wizard to update leads, contacts, or accounts using the record’s ID as the unique identifier. These steps do
not apply to custom objects.
Note: These steps assume that you have administrator-level knowledge of Salesforce.
Update Leads
1. From Setup, enter Data Import Wizard in the Quick Find box, then select Data Import Wizard.
2. Click Launch Wizard.
SEE ALSO:
Data Import Wizard
Where Does Data Import Wizard Obtain the Country for the Country Field?
The Country column is a mandatory field and if it is not provided in your comma-separated values (CSV) file, Data Import Wizard tries to
derive it from other sources. This action avoids any insert issues when, for example, the CSV file has a State column but no Country
column. For the value, Data Import Wizard checks to see if the Default Country/Territory is specified in the State and Country/Territory
Picklists. If a country is selected from the picklist, then Data Import Wizard uses that value for the Country. If a country is not selected,
then the country selected in Signup Country Code during the org sign-up is used.
Note: Don’t open the file after you have saved the settings or you might revert the encoding changes.
6. Import the data using Data Loader as you normally would, and select the newly created .csv file.
Why do date fields import incorrectly when I use the Data Loader?
Sometimes dates import incorrectly because the Data Loader converts the date specified in the imported .csv file to GMT. If your machine’s
time zone isn’t GMT or if your machine’s clock adjusts for daylight savings time (DST), your dates can be off by a day.
To prevent the Data Loader from adjusting the date when it converts to GMT, directly change the format of cells containing dates to
reflect the native time zone.
1. Open your .csv file in Microsoft® Excel®.
2. In each cell in which you entered dates, add hour data to represent the native time zone. For example, if the date is June 9, 2011
and the time zone is GMT+8, enter June 9, 2011 8:00. Excel reformats this date to 6/9/2011 8:00.
3. Right-click the cell in which you entered dates, and click Format Cells.
4. Click Number > Custom.
5. In Type, enter yyyy-mm-ddThh:mm:ss.sssZ. For example, if the cell was 6/9/2011 8:00, it’s now
2011-06-09T08:00:00.00Z.
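The same procedure without Excel, as an added example that is not Salesforce code: it shows the GMT conversion moving a date back a day and rewrites a date column, found by its header name, into the yyyy-mm-ddThh:mm:ss.sssZ form. The function names, the sample CSV, the yyyy-mm-dd input format, whole-hour offsets, and the use of the absolute offset for zones west of GMT are assumptions of this example.

```python
import csv
import io
from datetime import date, datetime, time, timedelta, timezone

# Constructed sample file: dates are plain yyyy-mm-dd values with no time part.
SAMPLE_CSV = "Name,CloseDate\nAcme renewal,2011-06-09\nNo date yet,\n"


def gmt_date_of_local_midnight(day, utc_offset_hours):
    """Calendar date obtained when local midnight on `day` is converted to GMT.

    This is the conversion the text describes as the cause of off-by-one dates.
    """
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    local_midnight = datetime.combine(day, time(0, 0), tzinfo=local_zone)
    return local_midnight.astimezone(timezone.utc).date()


def pin_date(day, utc_offset_hours):
    """Format `day` as yyyy-mm-ddThh:mm:ss.sssZ with hour data for the zone.

    Follows the page's GMT+8 example (June 9, 2011 becomes 08:00). For zones
    west of GMT the absolute offset is used, which is an assumption here.
    Raises ValueError when the resulting instant would fall on a different
    calendar day in the local zone, so a bad value never reaches the import.
    """
    hours = abs(utc_offset_hours)
    instant = datetime.combine(day, time(hours, 0), tzinfo=timezone.utc)
    local_zone = timezone(timedelta(hours=utc_offset_hours))
    if instant.astimezone(local_zone).date() != day:
        raise ValueError(
            f"{day} cannot be pinned with hour data for GMT{utc_offset_hours:+d}"
        )
    # Milliseconds are written as .000 to match the ss.sss part of the pattern.
    return instant.strftime("%Y-%m-%dT%H:%M:%S") + ".000Z"


def pin_csv_dates(csv_text, date_column, utc_offset_hours):
    """Rewrite one date column of a CSV, locating it by header, not position."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if date_column not in (reader.fieldnames or []):
        raise KeyError(f"column {date_column!r} not found in CSV header")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if row[date_column]:  # leave empty cells empty
            parsed = date.fromisoformat(row[date_column])
            row[date_column] = pin_date(parsed, utc_offset_hours)
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    june_9 = date(2011, 6, 9)
    print("Local midnight in GMT+8 seen from GMT:", gmt_date_of_local_midnight(june_9, 8))
    print(pin_csv_dates(SAMPLE_CSV, "CloseDate", 8), end="")
```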
Set Up and Maintain Your Salesforce Organization Export Backup Data from Salesforce
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Weekly export available in: Enterprise, Performance, and Unlimited Editions
Monthly export available in: All editions, except for Database.com
USER PERMISSIONS
To export data:
• Weekly Data Export
Note: Users with the “Weekly Data Export” permission can view all exported data and all custom objects and fields in the Export Service page. This permission is granted by default only to the System Administrator profile because it enables wide visibility.
You can generate backup files manually once every 7 days (for weekly export) or 29 days (for monthly export). In Professional Edition and Developer Edition, you can generate backup files only every 29 days. You can schedule backup files to generate automatically at weekly or monthly intervals (only monthly intervals are available in Professional Edition and Developer Edition).
Heavy traffic can delay an export delivery. For example, assume that you schedule a weekly export to run until the end of the month, beginning April 1. The first export request enters the queue, but due to heavy traffic, the export isn’t delivered until April 8. On April 7, when your second export request is scheduled to be processed, the first request is still in the queue. So, the second request isn’t processed until April 14.
Note: Only active users can run export jobs. If an inactive user schedules an export, error emails are generated and the export doesn’t run.
1. From Setup, enter Data Export in the Quick Find box, then select Data Export and
Export Now or Schedule Export.
• The Export Now option prepares your files for export immediately. This option is only available if enough time has passed since
your last export.
• The Schedule Export option allows you to schedule the export process for weekly or monthly intervals.
Note: Including special content in the export increases data export processing time.
4. If you want to have spaces instead of carriage returns or line breaks in your export files, select Replace carriage returns
with spaces. This selection is useful if you plan to use your export files for importing or other integrations.
5. If you're scheduling your export, select the frequency (only available for orgs with monthly exports), start and end dates, and time
of day for your export.
6. Under Exported Data, select the types of data to include in your export. If you aren’t familiar with the terminology used for some of
the types of data, we recommend that you select Include all data. Note the following:
• Formula (derived) and roll-up summary fields are always excluded from exports.
• If your org uses divisions, data from all divisions is included in the export.
• If your org uses person accounts and you are exporting accounts, all account fields are included in the account data.
• If your org uses person accounts and you are exporting contacts, person account records are included in the contact data.
However, the contact data only includes the fields shared by contacts and person accounts.
• For information on field limitations, see the Salesforce Field Reference Guide.
• The Include all data option selects all objects for export at the time the checkbox is selected. For a recurring scheduled export,
be sure to reselect the Include all data option to include newly created objects.
Note: For security purposes, Salesforce can require users to pass a CAPTCHA user verification test to export data from their
org. This simple text-entry test prevents malicious programs from accessing your org’s data. To pass the test, users must
correctly type the two words displayed in the overlay’s text box. The words entered in the text box must be separated by a
space.
Tip: Ensure that any automated processes that process the export files rely on the column headings in the CSV files, rather than
the position of the columns.
Note: If commas aren’t appropriate for your locale, use a tab or other delimiter. Specify your delimiter in Data Loader Settings
(Settings | Settings).
Transfer Records
USER PERMISSIONS
To transfer account, asset, case, contact, lead, note, opportunity, order, PersonAccount, ServiceContract, SalesTeam, or any custom object from an inactive user:
Update Records with Inactive Owners
AND
Transfer Leads OR Transfer Cases OR Transfer Leads OR Transfer Record (Classic only)
AND
Edit on the object type
A record owner, or any user above the owner in the role or territory hierarchy, can transfer a single record to another user. With some
objects, such as cases, leads, and campaigns, sharing can be used to grant a user access to transferring records. Depending on the type
of object, record ownership can be transferred in multiple ways.
• Transfer multiple records by selecting the records from a list view and clicking Change Owner: Cases, leads, and custom objects, which can belong to either a user or a queue
• Transfer multiple records using the Mass Transfer tool: Accounts, leads, and custom objects
• When territory management is enabled, you can enable users assigned to territories to transfer the accounts in their territories, even
when they aren’t the record owner.
• To transfer campaigns, users must also have Marketing User selected on their user record.
• To transfer accounts that have related contacts who are external users, you must have the Manage Roles or Manage External Users
permission.
SEE ALSO:
Mass Transfer Records
Change a Record’s Owner
AND
Transfer Leads
To mass transfer custom objects:
• Transfer Record
To mass transfer leads:
• Transfer Leads OR Transfer Record
• Select Keep Account Team to maintain the existing account team associated with the account. If you want to remove the existing account team associated with the account, deselect this checkbox.
• Select Keep Opportunity Team on all opportunities to maintain the existing team on opportunities associated with this account. Any opportunity splits are preserved, and split percentages assigned to the previous owner transfer to the new one. If this box is unchecked, all opportunity team members and splits are deleted when the opportunity is transferred.
Note: If you transfer closed opportunities, the opportunity team is maintained, regardless of this setting.
7. Enter search criteria that the records you’re transferring must match. For example, search accounts in California by specifying
Billing State/Province equals CA.
8. Click Find.
Note: The 'Mass Transfer Records' tool allows up to 250 records at a time. To perform transfers over 250 records, use the Data
Loader or another tool.
9. Select the checkbox next to the records that you want to transfer. To select all currently displayed items, check the box in the column
header.
Set Up and Maintain Your Salesforce Organization Delete Multiple Records and Reports
If duplicate records are found, you must select only one of the records to transfer. Transferring duplicate records results in an error.
Duplicate records can appear if you filter leads based on Campaign Member Status and a matching lead has the same campaign
member status on multiple campaigns. For example, if you specify Campaign Member Status equals Sent, and a
matching lead named John Smith has the status Sent on two campaigns, his record displays twice.
Leads: Open activities. When transferring leads to a queue, open activities aren’t transferred.
When transferring accounts and their related data in Professional, Enterprise, Unlimited, Performance, and Developer Editions, all previous
access granted by manual sharing, Apex managed sharing, or sharing rules is removed. New sharing rules are then applied to the data
based on the new owner. To grant access to certain users, the new owner must manually share the transferred accounts and opportunities
as necessary.
SEE ALSO:
Transfer Records
USER PERMISSIONS
To mass delete data:
• Modify All Data
Tip: Run a report of these accounts, export it to Excel, and then use the Import Leads wizard to import the data as leads. Then using mass delete, select accounts as the record type to delete and enter Type equals Prospect to locate all accounts you want to delete.
• You want to delete all the leads that have been converted for your org. Select the lead record type, enter Converted equals 1 for the search criteria, and then click Search.
• You want to clean up web-generated leads that were created incorrectly or delete accounts and contacts with whom you no longer do business.
1. We strongly suggest you run a report to archive your information and export your data weekly. See Export Backup Data from Salesforce.
2. From Setup, enter Mass Delete Records in the Quick Find box, then select Mass Delete Records and click the link
for the type of record to delete.
3. Review the information that is deleted with the records.
4. Specify conditions that the selected items must match, for example, “State equals California.”
5. If you’re deleting accounts, specify whether you want to delete accounts with attached closed/won opportunities or attached
opportunities owned by others.
6. If you’re deleting products, select Archive Products if you also want to delete products that are on opportunities.
This option deletes products that are not on opportunities and moves them to the Recycle Bin. It also archives products that are on
opportunities. These products are not moved to the Recycle Bin and cannot be recovered.
To delete only those products that are not on opportunities, don't select Archive Products. Selected products that are on opportunities
remain checked after the deletion to indicate that they were not included in the deletion.
7. To find records that match, click Search and select the items you want to delete. To select all currently displayed items, check the
box in the column header.
8. To permanently delete records, select Permanently delete the selected records.
Important: Selecting this option prevents you from recovering the selected records from the Recycle Bin.
9. Click Delete.
If you did not select Permanently delete the selected records, deleted items are moved to the Recycle Bin.
SEE ALSO:
Notes on Using Mass Delete
Undoing an Import
Using Mass Delete to Undo Imports
Set Up and Maintain Your Salesforce Organization Notes on Using Mass Delete
Set Up and Maintain Your Salesforce Organization Mass Update Addresses
Available in: All Editions except for Database.com.
USER PERMISSIONS
To mass update addresses:
• Modify All Data
To mass update addresses of contracts:
• Modify All Data
AND
Activate Contracts
Tip: To ensure data consistency in new records, consider using state and country/territory picklists. Mass Update works with standard address fields, but doesn’t change Custom Address Fields.
1. From Setup, enter Mass Update Addresses in the Quick Find box, then select Mass Update Addresses.
2. Select Countries or State/Province. If you chose State/Province, enter the country or territory in which to update the state or province.
3. Click Next.
4. Select the values to update and click Add.
The Selected Values box displays the values to update.
The Available Values box displays the address values found in existing records. To find more addresses to update, enter all or part of a value and click Find.
If your organization has large amounts of data, instead of using the Available Values box, enter existing values to update in the text area. Separate each value with a new line.
5. In the Replace selected values with field, enter the value with which to replace the specified address data, and click Next. If your organization has large amounts of data, this field is called Replace entered values with.
The number and type of address records to update are displayed. If you have large amounts of data, only the values to update are displayed.
SEE ALSO:
Let Users Select States, Countries, and Territories from Picklists
Tips for Mass Updating Addresses
• You can manually create any country/territory or state/province value or import or sync via the Lightning Platform API. Address
values are not validated when created.
• Update filter conditions to reflect address updates. For example, if you change “United States” to “US,” assignment rules, Web-to-Lead,
Web-to-Case, Email-to-Case, and On-Demand Email-to-Case continue to use “United States” unless updated.
SEE ALSO:
Mass Update Addresses
Scalability FAQ
Find answers to frequently asked questions about scalability.
• How scalable is Salesforce?
• Will I see a degradation in performance as Salesforce’s subscriber base grows?
Set Up and Maintain Your Salesforce Organization Back Up Metadata to Protect and Restore Your
Customizations
Note: Unmanaged packages don’t support all metadata types. See Components Available in Unmanaged Packages.
For more advanced metadata backup options, API and CLI commands are available. See Deploying and Retrieving Metadata in
the Metadata API Developer Guide and mdapi Commands in the Salesforce CLI Command Reference. To review the metadata types
that can be packaged using more advanced developer tools, see Metadata Coverage.
Note: Changes to components that were added in a previous package version are captured automatically when you create
a new version.
5. Click Upload, and in the Package Detail screen complete the Version Name field. Consider adding details in the Description field so
you know when this version was created, and click Upload.
Each time you create a new package version, you’ve created a new snapshot of your metadata.
Note: Third-party release management apps that automate data and metadata backup are available on AppExchange.
SEE ALSO:
Trailhead: Package Development Readiness
Trailhead: Package Development Model
Set Up and Maintain Your Salesforce Organization Protect Your Data with Salesforce Backup and Restore
Set Up and Maintain Your Salesforce Organization Assign the Backup and Restore Permission Set License
Set Up and Maintain Your Salesforce Organization Install and Set Up the Backup and Restore Managed Package
1. Make sure that you’re assigned the Backup and Restore User permission set license and
BackupRestore permission set. See Assign the Backup and Restore Permission Set License and Assign Backup and Restore Permissions.
2. Find the order form that your organization received when you purchased Backup and Restore. It contains the installation URL.
3. Click the URL, and then download the Backup and Restore managed package.
4. From the Managed Package page, select Install for Admins Only. If you’re prompted to approve third-party access, select Yes,
grant access to these third-party web sites, and then click Continue. Although dev2.sf.k8phoenix.com isn’t a third-party
URL, Salesforce uses this domain to support the backup and restore process.
Set Up and Maintain Your Salesforce Organization Plan Your Backup and Restore Strategy
When provisioning is finished, an IP Addresses section appears on the page. It lists IP addresses that are specific to the AWS
region that you selected.
b. Add the IP addresses in the IP Addresses section to the Login IP Ranges for your user profile.
8. In the Set Up Your Connection section, click Connect. This action creates a secure connection using OAuth 2.0 Web Server Flow
between Salesforce and the data storage location in AWS.
9. Click Test Connection.
When the test is successful, you’re ready to create a backup policy.
Set Up and Maintain Your Salesforce Organization Create a Backup Policy
Start with your high-priority data. After ensuring that you have access to all objects in that initial batch, add it to your policy and initiate
your backup. While that batch processes, work on confirming object access to the objects in your next batch. After a batch completes
successfully, add the next batch. This way, if you encounter errors, you have fewer objects and issues to troubleshoot with each backup.
Set Up and Maintain Your Salesforce Organization Restore Data from a Backup
Tip: Some macOS X versions can’t decompress and open the downloaded CSV file. If you can’t open the downloaded file, try
running the gunzip '/path/to/your_file.csv' command in a terminal. Alternatively, you can use another data
decompression utility.
Set Up and Maintain Your Salesforce Organization View and Interpret Backup and Restore Logs
Logs display the status of the backup for each object. If a backup is incomplete, you can review the
logs to see errors on specific objects.
The NOT_VISIBLE status in the backup log indicates that an object isn’t visible to the service at the time that the backup process ran and
it hasn’t been backed up. When the service can’t back up an object, the most common issue is that the user running the backup doesn’t
meet one or more of the required access conditions. Review all access settings for objects that show the NOT_VISIBLE status in logs.
Correct any access gaps, then run the backup again.
• The user doesn’t have the required object-level permissions, such as read permission.
• The user initiating the backup, including automated users like Integration User, didn’t have the required licenses and permission
sets.
• Not all special access rules for the object are met.
• The user has access to a custom object, but it’s in a managed package that isn’t site-wide.
Set Up and Maintain Your Salesforce Organization Cache Lightning Platform Data
SEE ALSO:
Apex Developer Guide
Set Up and Maintain Your Salesforce Organization Request a Platform Cache Trial
Note: You can make up to 10 trial cache requests, and you must wait 90 days between trials.
After you request trial cache, you receive emails at the following intervals.
At activation
You can now allocate capacity to partitions and test the trial cache in your org.
Three days before expiration
Before expiration, be sure to reconfigure your partitions to deallocate the added trial space.
At expiration
The trial cache is removed from your org.
Note: If you haven’t deallocated enough space, Salesforce reduces your partition sizes to remove the granted trial cache space.
Note: The size of a partition is the total allocation for the partition, which includes org-wide cache and namespace-specific
cache.
• The system then works its way through the partitions from smallest to largest in size. If multiple partitions have the same size, the
system proportionally removes cache from these partitions.
• The system reduces partitions to a minimum size of 5 MB, unless all the trial cache space can’t be removed. In this case, partitions
are reduced to 0 MB.
• The default partition (if it exists) is reduced last only if the trial cache space can’t be removed from all other partitions.
If unallocated space is present:
• If the amount of unallocated space is greater than the amount of space that must be removed, the system removes only unallocated
space.
Set Up and Maintain Your Salesforce Organization Request Additional Platform Cache
• If the amount of unallocated space is less than the amount of space that must be removed, the system removes the unallocated
space first. The system then follows the cache reduction process to remove the remaining amount.
SEE ALSO:
Cache Lightning Platform Data
Note: If a Platform Cache partition is already part of your managed package, you can choose to edit the existing partition and
allocate the Provider Free capacity to it.
Create a partition from the Platform Cache page and then set it up to use the Provider Free capacity
1. From Setup, in the Quick Find box, enter Platform Cache, and then select Platform Cache.
As the Provider Free capacity is automatically enabled in all Developer edition orgs, the Org’s Capacity Breakdown donut chart shows
the Provider Free capacity.
5. In the Capacity section, allocate separate capacities for session cache and org cache from the available Provider Free capacity.
6. Save the new Platform Cache partition.
You can add this new Platform Cache partition to your managed package. When an AppExchange-certified, security-reviewed managed
package with Platform Cache partition is installed on the subscriber org, the Provider Free capacity is allocated and automatically made
available to the installed partition. The managed package can start using the Platform Cache partition; no post-install script or manual
allocation is required.
Note: If the managed package is not AppExchange-certified and security-reviewed, the Provider Free capacity resets to zero and
will not be allocated to the installed Platform Cache partition.
When a Platform Cache partition with Provider Free capacity is installed in a subscriber org, the Provider Free capacity allocated is
non-editable. The provider free capacity of one installed partition can’t be used for any other partition.
Tip: After you install a Platform Cache partition with Provider Free capacity, you can edit the partition and make additional
allocations from the available platform cache capacity of the org.
SEE ALSO:
Cache Lightning Platform Data
My Domain
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Showcase your company’s brand with a customer-specific subdomain name in your Salesforce org URLs. With My Domain, you can include your company name in your URLs, for example, https://mycompany.my.salesforce.com. With these org-specific URLs, you can set up a custom login page, set a custom login policy, offer single sign-on, and allow users to log in with a social account. My Domain also allows you to work in multiple Salesforce orgs in the same browser at the same time.
All orgs get a My Domain with enhanced domains by default. If you don’t like your org’s My Domain name or circumstances warrant a change, you can rename it.
Note: A My Domain uses Salesforce domain suffixes such as my.salesforce.com for your org’s URLs. In an org without enhanced domains, your My Domain name isn’t used in Salesforce Sites and Experience Cloud sites URLs. To use a custom domain such as https://www.example.com to serve your org’s Salesforce sites and Experience Cloud sites, see Manage Your Domains in Salesforce Help.
Set Up and Maintain Your Salesforce Organization Brand Your Salesforce Org’s Domains
SEE ALSO:
Custom Domains in Salesforce
My Domain
My Domain allows you to showcase your company’s brand with a customer-specific domain name within your Salesforce org login and
application URLs. For example, if your org’s My Domain name is mycompany, then your org’s login URL is
https://mycompany.my.salesforce.com. All orgs get a My Domain by default. If you don’t like your org’s My Domain
name, you can change it.
If enhanced domains are enabled in your org, the My Domain name is used as the subdomain for URLs across your org, including
Salesforce Sites and Experience Cloud sites.
If enhanced domains aren’t enabled in your org, you specify separate subdomains for Experience Cloud sites and Salesforce Sites. One
of these subdomains can match your My Domain name, but if you have Salesforce Sites and Experience Cloud sites, those subdomains
can’t be the same. You can rename your My Domain name, but you can’t change your Experience Cloud sites subdomain or Salesforce
Sites subdomain after you save them. Choose these subdomains carefully to ensure brand consistency. Or better yet, use enhanced
domains, and your My Domain name is the subdomain for these features.
Salesforce Sites
Salesforce Sites allows you to make any information stored in your org public through a branded URL of your choice. You can also make
the site’s pages match the look and feel of your company’s brand. For example, you can set up sites to publish a catalog of products or
to provide a store locator tool. Some features also use Salesforce Sites to deliver functionality. For example, B2B Commerce storefronts
are Salesforce Sites.
If enhanced domains are enabled in your org, your My Domain is used as your Salesforce Sites subdomain. The Salesforce Sites URL
format is https://MyDomainName.my.salesforce-sites.com.
If enhanced domains aren’t enabled in your org, the first step in setting up sites is to register a Salesforce Sites domain for your org. Like
with My Domain, you pick the subdomain name, and Salesforce adds the domain suffix. The suffix for Salesforce Sites without enhanced
domains is secure.force.com. For example, if you choose mycompany-sites as your sites subdomain, your sites domain is
https://mycompany-sites.secure.force.com. If you haven’t used your My Domain name for your Experience Cloud
sites subdomain name, you can use your My Domain name as your Salesforce Sites subdomain name. However, after you choose your
Salesforce Sites subdomain, you can’t change it.
When you create a site, its name is appended to your sites domain. For example,
https://mycompany-sites.my.salesforce-sites.com/storelocator.
For more information, see Salesforce Sites in Salesforce Help.
SEE ALSO:
My Domain
Salesforce Sites
Experience Cloud
Custom Domains in Salesforce
What Is My Domain?
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Showcase your company’s brand with your My Domain name. That My Domain name is used as your org-specific subdomain in Salesforce login and application URLs. For example, https://mycompany.my.salesforce.com and https://mycompany.my.site.com. Learn about the benefits of My Domain, including a custom login page and user login and authentication options.
All orgs get a My Domain by default. If you don’t like your org’s My Domain name, you can change it.
To get an overview and learn about the benefits of My Domain, watch this video.
In addition to https://login.salesforce.com, your users can log in to your Salesforce org with your My Domain login URL. This login URL uses a standard format, with your My Domain name as the subdomain. For example, the format for production org login URLs is https://MyDomainName.my.salesforce.com.
With My Domain, you can:
• Highlight your business identity with your unique domain URL.
• Brand your login page, and customize content on the right side of the page.
• Block or redirect page requests that don’t use your My Domain name.
• Work in multiple Salesforce orgs in the same browser at the same time.
• Set a custom login policy to determine how users are authenticated.
• Let users log in to Salesforce from the login page with a social account like Google or Facebook.
• Let users log in to your custom external web app with their Salesforce credentials.
• Preserve deep links such as https://MyDomainName.my.salesforce.com/001/o during future instance refreshes
and org migrations.
With My Domain, Salesforce is enabled as the identity provider, but you can change identity providers. You can also increase security
for your org by customizing your domain’s login policy.
Note: My Domain URLs for Experience Cloud sites and Salesforce Sites use Salesforce domain suffixes such as my.site.com
and salesforce-sites.com. To use a custom domain such as https://www.example.com to serve your org’s
Experience Cloud sites and Salesforce Sites, see Custom Domains.
SEE ALSO:
My Domain Provisioning and Deployment
Configure My Domain Settings
My Domain Considerations
When you deploy a change to your My Domain, it’s important to understand the impact on URLs across your Salesforce
org. Review these considerations about URL changes, feature testing, and reducing the impact to your users.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Plan Your My Domain Change
Whether you change your My Domain to update your brand or to adopt enhanced domains, the URLs that Salesforce
hosts for your org change. These changes require planning, coordination, and testing. For high-level steps,
recommendations, and checklists, see Plan for a My Domain Change in Salesforce Help.
Logging In with a My Domain
Your users can log in to your org with its My Domain URL.
Alternatively, users can use these methods to log in to Salesforce.
• https://login.salesforce.com, unless an admin prevents logins through the My Domain policies options.
• Your org’s instance URL, such as https://InstanceName.salesforce.com/, unless an admin prevents logins through
the My Domain policies options.
Note: To use a custom domain such as https://www.example.com to serve your org’s Salesforce Sites and Experience
Cloud sites, see Custom Domains.
Note: If you’re using external Chatter groups along with SSO for employees, users outside your company are redirected to a SAML
identity provider that they can’t access. To get SSO to work, migrate external Chatter groups to Experience Cloud sites. Or to allow
users to continue to log in through login.salesforce.com, don’t select the My Domain login policy, Prevent login from
https://login.salesforce.com.
For more information, see Set My Domain Login and Redirect Policies and Single Sign-On in Salesforce Help.
For information about updating authentication after your My Domain login URL or sites URL changes, see Update Authentication After
a My Domain Change in Salesforce Help.
SEE ALSO:
My Domain
My Domain changes only become active (A) after they’re staged by Salesforce (B) and the admin deploys the change.
Provisioning (2).
After you save a change to your My Domain, Salesforce provisions the domains. In other words, we get the new
My Domain URLs ready for activation. User connections are unaffected.
Current My Domain URLs (My Domain 1)
• Wait for the provisioning process to complete.
• To cancel your My Domain change, click Stop Provisioning.
Changes deployed (4).
The admin logs in to deploy the updated My Domain. The deployment process also updates the related domains,
such as Visualforce pages and Experience Cloud sites. Immediately after the My Domain is deployed, the new My
Domain URLs are available to all users.
New My Domain URLs (My Domain 2) and previous My Domain URLs (My Domain 1)
• Disable redirections from your previous My Domain (My Domain 1).
• Make a My Domain change and start the provisioning process.
Until you deploy the changes, all users continue to use the original My Domain (My Domain 1).
When an admin deploys a new My Domain, the admin is logged out of Salesforce. Users are redirected to the new My Domain, which
can require logging in again. Everyone can log in again with the new My Domain login URL or, if the My Domain settings allow it, with
https://login.salesforce.com.
By default, if a user accesses one of the previous My Domain URLs through a link or bookmark, the user is redirected to the corresponding
current My Domain URL.
You can disable these redirections through the Routing options on the My Domain Setup page.
For this reason, before you update your My Domain in production, we recommend that you always deploy and test My Domain changes
in a sandbox. For more information, see Update Your Org and Test My Domain Changes in Salesforce Help.
SEE ALSO:
My Domain
My Domain URL Formats
My Domain Redirections
Update Your Org and Test My Domain Changes
Enhanced Domains
Enhanced domains are the current version of My Domain that meets the latest browser requirements. With enhanced
domains, all URLs across your org contain your company-specific My Domain name, including URLs for your
Experience Cloud sites, Salesforce Sites, Visualforce pages, and content files. This feature changes domain
suffixes (the part after the My Domain name) to meet the latest security standards. With no instance names,
enhanced My Domain URLs are easier for users to remember and don’t change when your org is moved to another
Salesforce instance. Because enhanced domains meet the latest browser requirements, they’re deployed by default
in new orgs and required in all orgs in Winter ’24.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Salesforce deployed this feature in all orgs with Summer ’23. Orgs created in Summer ’22 or later get enhanced
domains by default, and orgs created in Summer ’23 or later can’t disable the feature. This feature is also
deployed by default in new, refreshed, and cloned sandboxes.
Salesforce enforces enhanced domains in all orgs in Winter ’24. You can disable enhanced domains
until the feature is enforced. For more information, see Enhanced Domains Timeline.
To participate in discussion about this feature, join the My Domain and Enhanced Domains group in the Trailblazer Community.
Watch this video for an overview of enhanced domains, including the possible impact and where to start.
Here are some My Domain URL formats with enhanced domains in a production org. The login URL is the same as without enhanced
domains, but the rest of the URLs change. The login URL for a sandbox changes with enhanced domains, because it includes the word
sandbox.
For a full list of URL formats and URL format changes when you deploy enhanced domains, see My Domain URL Format Changes When
You Enable Enhanced Domains in Salesforce Help.
Potential Impact
If enhanced domains aren’t deployed in your Salesforce org before Salesforce deploys the feature for you, here are some issues that can
arise.
• Users can experience errors when attempting to access Salesforce, including but not limited to Experience Cloud sites, Salesforce
Sites, and Visualforce pages.
• Some embedded content stored in Salesforce no longer appears.
• Third-party applications can lose access to your data.
• Single sign-on integrations with sandboxes can fail.
• Single sign-on integrations with orgs using the *.cloudforce.com and *.database.com domain suffixes can fail.
To avoid these issues, we recommend that you test and deploy enhanced domains in a sandbox and deploy enhanced domains in
production before Salesforce deploys the feature for you.
SEE ALSO:
My Domain
My Domain URL Formats
Considerations for Enhanced Domains
Enable Enhanced Domains
Winter ’24: Enhanced domains deployed in all remaining orgs and enforced in all orgs.
Enable and deploy enhanced domains before your org gets this release. After your org gets this release, enhanced
domains can’t be disabled.
Winter ’25: Redirections stop for non-enhanced domains.
Before your org gets this release, enable redirection logging and update all references to your previous
non-enhanced domains. After your org gets this release, your previous non-enhanced domains are no longer
redirected.
Tip: To verify when a specific org gets enhanced domains, see the informational message on the My Domain Setup page.
Summer ’21: Enhanced Domains Available with Hyperforce or Salesforce Edge Network
Summer ’21 release deployment started in May 2021 (sandboxes) and June 2021 (production). With this release, enhanced domains
were available in Hyperforce orgs and in orgs with a deployed My Domain routed through Salesforce Edge Network. They weren’t
available in scratch orgs or in Developer Edition orgs.
Winter ’22: Enhanced Domains Available in Developer Edition Orgs with Hyperforce or Salesforce
Edge Network
Winter ’22 release deployment started in August 2021 (sandboxes) and September 2021 (production). With this release, enhanced
domains were available in Hyperforce orgs and in orgs with a deployed My Domain routed through Salesforce Edge Network, including
scratch orgs and Developer edition orgs.
Winter ’23: Enhanced Domains Deployed Automatically in Sandbox and Non-Production Orgs
Winter ’23 release deployment started in August 2022 (sandbox) and October 2022 (production). With this release, Salesforce deployed
enhanced domains in sandboxes and non-production orgs unless you opted out before the release. Non-production orgs include
Developer Edition, demo, free, patch, and scratch orgs, plus Trailblazer Playgrounds. Production orgs were unaffected. Customers retained
the ability to disable and enable enhanced domains in this release.
Note: Enhanced domains are enforced through a Release Update, which is completed gradually after the major release. Usually
the process of enforcing enhanced domains finishes within a few hours after you get the release, but it can take up to 24 hours. To
control the timing of when enhanced domains are deployed in your org, enable and deploy the feature before it’s enforced in
Winter ’24.
In preparation for Winter ’24, Salesforce can enable enhanced domains and provision the new domains. When this step is complete, the
My Domain Setup page shows the new domain and the option to deploy it. If you see this screen, you can deploy the new domain with
enhanced domains. Or, to also change your My Domain name when you deploy enhanced domains, click Cancel New Domain, then
save the change to your My Domain Details. If you cancel the new domain without saving a different My Domain change with enhanced
domains, Salesforce enables enhanced domains again during enforcement.
SEE ALSO:
My Domain
Enhanced Domains
Plan for a My Domain Change
My Domain Redirections
Important: If you don’t follow this guidance before you deploy a change to your My Domain login URL, you can be locked out
of your Salesforce org.
URL Changes
When you deploy enhanced domains, all URLs across your org contain your company-specific My Domain name, including Experience
Cloud sites and Salesforce sites. Also, your URLs don’t change when your org is moved to another Salesforce instance. Here are some
example URL formats for a production org with enhanced domains.
If your org was created before October 2020, you didn’t get a My Domain by default. In that case, your users accessed Salesforce with
URLs that contained your instance name but not your My Domain name. If you hard-coded any of those old URLs in your org, update
them to the enhanced domain format.
For a full list of enhanced domain URL formats and tables listing the changed formats when you deploy enhanced domains, see My
Domain URL Formats.
Because your org’s URLs change, we recommend that you test your org’s functionality in a sandbox with enhanced domains before
enabling this feature in production. Pay particular attention to customizations that reference your old URLs. Note the changes required
to complete successful tests, then use that list when deploying your My Domain with enhanced domains in production. For more
information and guidance on the areas to update, see Update Your Org and Test My Domain Changes.
• These URLs can be used outside of Salesforce. Identify all locations where these public-facing URLs are used. For example, a site URL
can be used on your website, social media pages, marketing materials, and templates, such as email signatures and automated
responses. Then create a plan to update each location and announce the change to your users and customers.
Salesforce only redirects your last set of previous My Domain URLs. If you previously changed your My Domain, your previous My Domain
URLs redirect to your current My Domain URLs unless you disable those redirects. When you deploy another change to your My Domain,
including enabling enhanced domains, existing redirections stop, and Salesforce redirects the My Domains in place before the latest
deployment instead.
To see if redirects are in place for a previous My Domain, check the Routing section of the My Domain page. Salesforce stops redirections
for some non-enhanced hostnames in Winter ’25. For more information on redirections and how to determine which My Domain
hostnames are being redirected for your org, see My Domain Redirections in Salesforce Help.
Note: Before you disable enhanced domains, consider the impact on My Domain URL redirections. Salesforce only redirects your
last set of previous My Domain URLs. If you disable enhanced domains after enabling them, your enhanced domain URLs are
redirected and any redirects for other previous My Domain URLs stop. To see if redirects are in place for a previous My Domain,
check the Routing section of the My Domain page. For more information, see My Domain Redirections.
If you find an issue during testing that prevents your adoption of this critical feature, share the issue in the My Domain and Enhanced
Domains group in the Trailblazer Community.
Potential Impact
If enhanced domains aren’t deployed in your Salesforce org before Salesforce deploys the feature for you, here are some issues that can
arise.
• Users can experience errors when attempting to access Salesforce, including but not limited to Experience Cloud sites, Salesforce
Sites, and Visualforce pages.
• Some embedded content stored in Salesforce no longer appears.
• Third-party applications can lose access to your data.
• Single sign-on integrations with sandboxes can fail.
• Single sign-on integrations with orgs using the *.cloudforce.com and *.database.com domain suffixes can fail.
For more information about the issues you can encounter, see Troubleshoot Common Errors Related to Enhanced Domains in Salesforce
Help.
To avoid these issues, we recommend that you test and deploy enhanced domains in a sandbox and deploy enhanced domains in
production before Salesforce deploys the feature for you. For more information about what happens in each release, see Enhanced
Domains Timeline in Salesforce Help.
SEE ALSO:
My Domain
Enable Enhanced Domains
To enable enhanced domains, you can’t have a different My Domain change in progress. If you don’t want the change shown on
the screen or it has been more than 24 hours, click Stop Provisioning to reset the process.
• If you see Step 3: Deploy Your New Domain, a My Domain has been provisioned, but the My Domain isn’t yet deployed.
The current domain and new domain fields indicate whether enhanced domains are enabled on each My Domain.
– To reset the process, click Cancel New Domain.
– If you’re satisfied with your new domain and that domain uses enhanced domains, you can click Deploy New Domain to make
it available to your users.
Warning: Deploying a new My Domain can disrupt user access. Before updating production, we recommend that you
test all My Domain changes in a sandbox. For more information, see Update Your Org and Test My Domain Changes.
• If you see My Domain Details, you don’t have any pending My Domain changes. Your current My Domain login URL is shown in the
My Domain Details section. The current My Domain URL field also indicates whether enhanced domains are enabled.
Here’s an example of the My Domain Details section in an org with enhanced domains deployed.
The Current My Domain URL field includes the phrase “with enhanced domains,” and the Use enhanced domains option is enabled.
Note: If the Current My Domain URL includes the phrase “without enhanced domains,” enhanced domains aren’t deployed,
even if the Use enhanced domains option is enabled.
And here’s an example of the My Domain Details section in an org without enhanced domains.
The Current My Domain URL includes the phrase “without enhanced domains,” and the Use enhanced domains option isn’t
enabled.
SEE ALSO:
Enable Enhanced Domains
3. If more suffixes are available for your org’s My Domain, a suffix dropdown list appears. Enhanced domains can only be enabled for
the Standard suffix.
4. Select Use enhanced domains.
a. If you encounter issues with enhanced domains and need more time to test, you can disable this feature until it’s enforced in
Winter ’24. To disable enhanced domains, deselect Use enhanced domains.
Note: If you disable this setting, the option, Stabilize Visualforce, Experience Builder, Site.com Studio, and content
file URLs, is enabled by default. To revert your URLs to their prior formats before enhanced domains were deployed, if
that My Domain setting was previously disabled, deselect Stabilize Visualforce, Experience Builder, Site.com Studio,
and content file URLs.
To determine whether that setting was disabled before enhanced domains were deployed, check the Setup Audit Trail
and find the audit trail action for the deployment of your My Domain with enhanced domains. If you see the action,
“Enabled the My Domain setting, Stabilize Visualforce, Experience Builder, Site.com Studio, and content file URLs”,
immediately before the deployment of enhanced domains, then that My Domain setting was disabled before enhanced
domains were deployed.
Note: To use enhanced domains and comply with the Deploy Enhanced Domains release update, deploy your updated My
Domain.
Next Steps
1. Salesforce provisions the URLs for your My Domain with enhanced domains. The provisioning process usually finishes in a few
minutes, but it can take up to 24 hours. You receive an email when your My Domain with enhanced domains is ready to be
deployed and tested.
2. Review the My Domain URL Format Changes When You Enable Enhanced Domains.
3. Deploy your new My Domain, update your org, and test the changes.
4. Update external-facing links, such as publicly available Experience Cloud sites and Salesforce Sites. For example, a site URL can
be used on your website, social media pages, marketing materials, and templates, such as email signatures and automated
responses. Create a plan to update each location and announce the change to your users and customers.
5. After you complete testing, help your users get started using your new enhanced domain URLs by providing links to pages that
they use frequently, such as your Experience Cloud sites. Encourage them to update their bookmarks the first time they’re
redirected and to use any updated templates.
6. After you complete your testing and enable this feature in production, review the Deploy Enhanced Domains release update
and complete it if appropriate.
SEE ALSO:
My Domain
Salesforce Edge Network
Users can't access Experience Cloud sites or Salesforce Sites.
• Update IP-based restrictions to include the IPv6 range.
• Update authentication (SSO, MFA, named credentials).
• Update the identity providers on your login page.
• Update hard-coded references to your site URL.
• Update trusted domains for inline frames.
• Update network-level restrictions that specify only IP addresses.
The custom domain that serves your Experience Cloud site or Salesforce Sites stops working.
• Update the domain configuration as required.
Open CTI (Computer-Telephony Integration) or Click to Dial stops working.
• Add your new Visualforce URL to your telephony provider’s allowlists.
• Update any hard-coded references to your Visualforce URLs in your configuration. Whenever possible, update
these to relative URLs instead.
• For more information, see the Knowledge Article, Enhanced Domains and Open CTI with Visualforce (Spring ’23).
External integrations, external software, or connected apps can't access your Experience Cloud sites or
Salesforce Sites.
• Update authentication to use your new site login URL.
• Work with the third party to update their configuration to use your new site login URL.
• Work with the third parties to ensure that they support Server Name Indication (SNI).
Users can't access enablement sites (myTrailhead) that use your sites URL that ends in *.force.com.
• Contact Salesforce Customer Support to update your authentication provider with your new sites login URL.
Images stored in Salesforce fail to load on internal sites, emails, or external sites.
• Update the URL references to content stored in Salesforce.
• Update badge and image URLs in enablement sites (myTrailhead).
Some functionality within installed packages from AppExchange stops working.
• Verify whether the package has been updated and install a patch or version that supports enhanced domains.
A Messaging for Web deployment that was previously published no longer appears to your customer.
• Republish all pre-existing deployments of Messaging for In-App.
Users can't access enablement sites (myTrailhead) that use your My Domain login URL.
• Contact Salesforce Customer Support to update your authentication provider with your new My Domain login URL.
Service Cloud Voice stops working.
• Work with your telephony provider to update your configuration with your new URLs.
• Update the allowlist in Amazon Connect with your new Visualforce URL.
SEE ALSO:
Enhanced Domains
Update Authentication After a My Domain Change
Partitioned Domains
With partitioned domains, My Domain hostnames for your Developer Edition org, sandbox, patch org, scratch org,
or Trailhead Playground include a word related to the org type. For example, partitioned domains for Developer
Edition and patch orgs include the word develop. Partitioned domains allow Salesforce to maximize the
availability of your orgs by gradually rolling out delivery changes. And it’s easier to identify an org by a URL
when the domain is partitioned.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Note: Partitioned Domains are available in Developer Edition orgs, patch orgs, scratch orgs, and Trailhead
Playgrounds with enhanced domains. This feature can be available before Winter ’24 in demo orgs with enhanced
domains. This feature is unavailable in Public Cloud and in orgs on Salesforce Edge Network. For Hyperforce
orgs, partitioned domains are available on the USA and IND instances and can be available before Winter ’24 on
other instances. Qualifying new orgs get partitioned domains by default, and you can’t disable this feature in
those orgs. For updates about the availability of this feature, join the My Domain and Enhanced Domains group
in the Trailblazer Community.
Partitioned domains allow Salesforce to gradually roll out service delivery changes by org type. For example, Developer Edition orgs can
get an update separately from production orgs. This staggered approach maximizes the availability of production and sandbox orgs.
My Domain uses partitioned domains for new orgs of these types, and you can enable partitioned domains in these types.
For example, the My Domain login URL format for a partitioned Developer Edition org is
https://MyDomainName.develop.my.salesforce.com.
For the list of partitioned domains for sandboxes with enhanced domains, see My Domain Login and Application URL Formats with
Enhanced Domains. To better understand the purpose of each hostname type and whether it applies to you, see My Domain Hostnames
in Salesforce Help.
Note: This feature can be available in demo orgs with enhanced domains before Winter ’24. When that partition is available, new
demo orgs get partitioned domains by default. To ensure continued access to all your orgs, update your allowlists for the partitioned
domains for demo orgs. For updates about the availability of this feature by org type, join the My Domain and Enhanced Domains
group in the Trailblazer Community.
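Updating allowlists and hard-coded references for enhanced and partitioned domains depends on recognizing each hostname by its exact format. The following Python is an added example, not Salesforce code: it classifies references using only the suffixes and partition words quoted on this page. The function names, the sample list, and lookalike.example are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Only the suffixes and partition words quoted on this page; extend both lists
# from the full URL-format tables in Salesforce Help before a real audit.
ENHANCED_SUFFIXES = (
    "live-preview.salesforce-experience.com",
    "preview.salesforce-experience.com",
    "builder.salesforce-experience.com",
    "cdn.salesforce-experience.com",
    "container.force.com",
    "lightning.force.com",
    "my.salesforce.com",
    "my.site.com",
)
PARTITIONS = {"develop", "scratch", "demo", "trailblaze", "sandbox"}
LEGACY_SUFFIXES = ("cloudforce.com", "database.com")


def hostname_of(value):
    """Return the lowercase hostname of a URL or bare host, or None."""
    text = value.strip()
    if "//" not in text:
        text = "//" + text  # make urlsplit treat a bare host as the netloc
    try:
        host = urlsplit(text).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def classify(value):
    """Classify one reference by exact, label-boundary suffix match."""
    host = hostname_of(value)
    info = {"host": host, "kind": "review", "name": None,
            "qualifier": None, "partition": None}
    if host is None:
        return info
    if host == "login.salesforce.com":
        info["kind"] = "generic-login"
        return info
    if any(host.endswith("." + s) for s in LEGACY_SUFFIXES):
        info["kind"] = "legacy-suffix"
        return info
    labels = host.split(".")
    for suffix in ENHANCED_SUFFIXES:
        if not host.endswith("." + suffix):
            continue
        prefix = labels[: len(labels) - (suffix.count(".") + 1)]
        if len(prefix) == 2 and prefix[1] in PARTITIONS:
            info["partition"] = prefix[1]
        elif len(prefix) != 1:
            return info  # extra labels: not a format shown on this page
        # First label is MyDomainName or MyDomainName--Qualifier.
        name, _, qualifier = prefix[0].partition("--")
        if not name:
            return info
        info["name"], info["qualifier"] = name, qualifier or None
        info["kind"] = "partitioned" if info["partition"] else "enhanced"
        return info
    return info  # unrecognized host: compare it against your old URLs


def audit(references, my_domain_name):
    """Group references by what an admin has to do with them."""
    report = {"allowlist": set(), "update": [], "other_org": [], "ok": []}
    for ref in references:
        info = classify(ref)
        if info["kind"] in ("legacy-suffix", "review"):
            report["update"].append(ref)
        elif info["kind"] == "generic-login":
            report["ok"].append(ref)
        elif info["name"] != my_domain_name.lower():
            report["other_org"].append(ref)
        else:
            report["ok"].append(ref)
            if info["kind"] == "partitioned":
                report["allowlist"].add(info["host"])
    return report


# Constructed sample: references as they might be collected from org settings.
SAMPLE = [
    "https://mycompany.develop.my.salesforce.com/001/o",
    "mycompany--pkg.develop.container.force.com",
    "https://MyCompany.my.site.com/help",
    "https://mycompany.cloudforce.com/",
    "https://mycompany.my.salesforce.com.lookalike.example/login",
    "https://mycompany.my.salesforce.com@lookalike.example/",
    "https://login.salesforce.com",
    "https://othercorp.scratch.lightning.force.com",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "mycompany").items():
        print(key, sorted(value))
```

Matching on the parsed hostname with a leading dot before each suffix is what keeps the two look-alike entries out of the allowlist; a substring or prefix match on the raw URL would accept both.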
SEE ALSO:
My Domain
Enhanced Domains
Warning: Before you deploy partitioned domains, update your allowlists to ensure that your users can connect to
the partitioned domains.
USER PERMISSIONS
To edit My Domain settings:
• Customize Application
Partitioned domains change URL formats across your org. To review the high-level steps and the recommended
practices for a My Domain change, plus how to reduce the impact on your users and customers, see Plan for a My
Domain Change in Salesforce Help.
1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
2. In the My Domain Details section, click Edit.
3. Select Use partitioned domains.
You can preview your new My Domain login URL at the bottom of the screen.
If you don’t see Use partitioned domains, your org doesn’t qualify for this feature.
When you receive the email that your domain is ready to be deployed, deploy your new My Domain, update your org, and test the
changes. After you complete testing, help your users of the non-production org get started. Provide links to pages that they use frequently
and encourage them to update their bookmarks the first time that they’re redirected.
SEE ALSO:
My Domain
Partitioned Domains
Enhanced Domains
Note: Partitioned domains require enhanced domains. This feature is unavailable in Public Cloud and in orgs on
Salesforce Edge Network. For Hyperforce orgs, partitioned domains are available on the USA and IND instances
and can be available before Winter ’24 on other instances. This feature can be available before Winter ’24 in
demo orgs with enhanced domains. When that partition is available, new demo orgs are partitioned by default,
and you can’t disable this feature in those orgs. For updates about the availability of this feature, join the
My Domain and Enhanced Domains group in the Trailblazer Community.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Developer edition
Here are the domains that Salesforce hosts for demo orgs with partitioned domains. To better understand the
purpose of each hostname type and whether it applies to you, see My Domain Hostnames in Salesforce Help.
Lightning: MyDomainName.demo.lightning.force.com
(1) If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
Partitioned Domains
Note: Partitioned domains require enhanced domains. This feature is unavailable in Public Cloud and in orgs on
Salesforce Edge Network. For Hyperforce orgs, partitioned domains are available on the USA and IND instances
and can be available before Winter ’24 on other instances. Qualifying new orgs get partitioned domains by
default, and you can’t disable this feature in those orgs. For updates about the availability of this feature,
join the My Domain and Enhanced Domains group in the Trailblazer Community.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Developer edition
Here are the domains that Salesforce hosts for Developer Edition orgs with partitioned domains. To better
understand the purpose of each hostname type and whether it applies to you, see My Domain Hostnames in
Salesforce Help.
Lightning: MyDomainName.develop.lightning.force.com
Lightning Container Component (1): MyDomainName--PackageName.develop.container.force.com
(1) If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
Partitioned Domains
Enhanced Domains
My Domain
Partitioned Domains
Note: Partitioned domains require enhanced domains. This feature is unavailable in Public Cloud and in orgs on
Salesforce Edge Network. For Hyperforce orgs, partitioned domains are available on the USA and IND instances
and can be available before Winter ’24 on other instances. Qualifying new orgs get partitioned domains by
default, and you can’t disable this feature in those orgs. For updates about the availability of this feature,
join the My Domain and Enhanced Domains group in the Trailblazer Community.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Here are the domains that Salesforce hosts for scratch orgs with partitioned domains. To better understand the
purpose of each hostname type and whether it applies to you, see My Domain Hostnames in Salesforce Help.
Content Management System (CMS) public channels: MyDomainName.scratch.cdn.salesforce-experience.com
Experience Builder: MyDomainName.scratch.builder.salesforce-experience.com
Experience Builder Preview: MyDomainName.scratch.preview.salesforce-experience.com
Experience Builder Live Preview: MyDomainName.scratch.live-preview.salesforce-experience.com
Lightning: MyDomainName.scratch.lightning.force.com
Lightning Container Component (1): MyDomainName--PackageName.scratch.container.force.com
(1) If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
Partitioned Domains
Note: Partitioned domains require enhanced domains. This feature is unavailable in Public Cloud and in orgs on Salesforce Edge Network. For Hyperforce orgs, partitioned domains are available on the USA and IND instances and can be available before Winter ’24 on other instances. Qualifying new orgs get partitioned domains by default, and you can’t disable this feature in those orgs. For updates about the availability of this feature, join the My Domain and Enhanced Domains group in the Trailblazer Community.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Here are the domains that Salesforce hosts for Trailhead Playgrounds with partitioned domains. To better understand the purpose of each hostname type and whether it applies to you, see My Domain Hostnames in Salesforce Help.
Content Management System (CMS) public channels: MyDomainName.trailblaze.cdn.salesforce-experience.com
Lightning: MyDomainName.trailblaze.lightning.force.com
Lightning Container Component: MyDomainName--PackageName.trailblaze.container.force.com [1]
[1] If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
Partitioned Domains
Set Up and Maintain Your Salesforce Organization Plan for a My Domain Change
SEE ALSO:
My Domain
d. Update your sandbox with changes that can be made before deployment.
5. Test in a sandbox.
a. Deploy the change in your sandbox.
b. Update authentication for your sandbox.
c. Update your sandbox with changes that can only be made after you deploy the My Domain change.
d. Test in your sandbox.
e. Follow the recommended practices after a My Domain change.
SEE ALSO:
My Domain
Plan for a My Domain Change
• Confirm that Your My Domain Name Reflects Your Brand—With enhanced domains, all the URLs that Salesforce hosts for your org
include your My Domain name, including the system-managed Experience Cloud sites and Salesforce Sites URLs. If your change
includes deploying enhanced domains, verify that your My Domain name reflects your external brand. If not, you can rename your
My Domain as part of your My Domain change.
Note: If you use a custom domain such as https://www.example.com, your system-managed site URLs aren’t visible
to your customers.
• Provision Early—To deploy your changes on your schedule, save your desired My Domain change at least 1 day before your scheduled
deployment.
After you save a change to your My Domain, Salesforce then provisions the domains. In other words, we get the new My Domain
URLs ready for activation. The provisioning process usually finishes in a few minutes, but it can take up to 24 hours. Issues with
provisioning are rare, but sometimes they require that you stop the process and save your My Domain change again, which restarts
the process.
When the provisioning process is complete, the admin who requested the change receives an email. You can leave your new My
Domain in a provisioned status as long as you need. Or, if you choose not to deploy the new Domain, you can cancel the change.
Most importantly, until you deploy your My Domain, user connections are unaffected. If a user visits the new My Domain login URL,
they’re redirected to the original My Domain login URL. Otherwise, no one can access the new domains.
• Understand Redirections After a My Domain Change and Disable Redirections During Testing—Each time that you deploy a change
to your My Domain details, Salesforce redirects your previous My Domain hostnames to the hostnames for your current My Domain
unless you disable those redirects. However, if you change your My Domain more than one time, only the last set of My Domain
URLs for your org are redirected. Before you deploy a My Domain change, consider the impact on any existing My Domain URL
redirections. To see if redirects are in place for a previous My Domain, check the Routing section of the My Domain page.
My Domain URL redirections help prevent disruption, but they’re not intended as a permanent solution. Not all services work well
with redirections, and a redirection adds a step to the process of loading the final web page. When you deploy a new My Domain,
we highly recommend that you disable redirections during testing and update all references to your old URLs.
For more information on redirections, the settings that control them, and how to log My Domain hostname redirections, see My
Domain Redirections.
• Computer-Telephony Integrations (CTIs), such as Open CTI and Service Cloud Voice: Engage with Telephony Providers—When you
deploy enhanced domains or deploy a My Domain name change, the URLs used in your Open CTI or Service Cloud Voice configuration
change.
If you use Open CTI for integrations such as Salesforce Call Center and Click to Dial, work with your telephony provider to add your
new URLs to the telephony provider’s allowlists. Also review your configuration for any hard-coded references to your Salesforce
URLs. Whenever possible, update those hard-coded references to relative URLs instead.
If you use Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner Telephony from Amazon Connect, no
action is required. Salesforce updates your configuration for you when you deploy your new My Domain.
If you use Service Cloud Voice with Partner Telephony, connect with your telephony provider. Add your new URLs to their allowlist
and coordinate with your provider to update your configuration with your new URLs after you deploy the change.
For more information, see Update Your Org for My Domain Changes.
• Upgrade Mobile Publisher for Experience Cloud Apps—If you configured a Mobile Publisher for Experience Cloud app that uses
your .force.com Experience Cloud site URL, before you enable and deploy enhanced domains in production, upgrade to Mobile
Publisher version 10.0 or later. For instructions, see Mobile Publisher for Experience Cloud Apps and Enhanced Domains.
If you use a custom domain such as https://www.example.com to host your Experience Cloud site and use that custom
domain for your Mobile Publisher app, this restriction doesn’t apply. Also, this restriction doesn’t apply to Mobile Publisher for
Lightning apps.
• Review Your My Domain Configuration—A My Domain change is a great time to review your existing configuration, record it for
testing and post-deployment verification, and make any changes. For example, on your My Domain login page, update the branding
or add the option to log in via an identity provider. To review the available configuration options, see Configure My Domain Settings
and My Domain Redirections.
• Document Your Current Authentication Configuration—If your My Domain change updates your My Domain login URL, Experience
Cloud sites URL, or Salesforce Sites URL, we recommend that you document your existing settings before you deploy your My Domain
change. This snapshot is a valuable reference for your rollback plan. For more information about the settings to capture, see Determine
the Required Authentication Updates After a My Domain Change.
• Replace Login References with Dynamically Created Hostnames—For stability and an extra layer of security, we recommend that
you use your My Domain login URL to log in to Salesforce with code. To insulate these references against future My Domain changes,
use Apex to retrieve the URL. To get the hostname of your My Domain login URL in Apex, use the getOrgMyDomainHostname()
method of the System.DomainCreator class. If you use the system-managed hostname to log in to your Experience Cloud
site, use the getExperienceCloudSitesHostname() method of the System.DomainCreator class to get that
hostname.
You can use dynamically created hostnames before you deploy your My Domain change. With dynamically created hostnames, any
change to the corresponding system-managed URL doesn’t affect the related code. This approach reduces your post-deployment
effort.
For more information, see Log In to Salesforce with Code in Salesforce Help and DomainCreator Class in the Apex Developer Guide.
• Consider a Custom Domain to Serve Your Sites—Custom domains allow you to use a domain that you own, such as
https://www.example.com, to serve your Experience Cloud sites and Salesforce Sites. Although your Salesforce org provides
the content, the site is served on your custom domain, providing a clear branded experience for your users. For this reason, Salesforce
recommends that you serve your sites on a custom domain.
If you’re considering a custom domain, we recommend that you set up the custom domain before any pending My Domain changes,
if possible. Even if the system-managed site URL changes, your customers continue to use the custom domain. That stability reduces
the number of updates required after a My Domain change. For example, if you reference your site URL in marketing materials,
emails, social media pages, and templates, the custom domain remains valid.
For more information, see Custom Domains.
• Consider Verifying User Addresses—A change to your My Domain login URL is a great time to verify your users as part of rolling out
the new login URL. Use async email verification to send email messages to internal and external users to ensure that they’re registered
with a valid email address that they own. Async email messages contain a verification link (URL). You can also brand the verification
email messages by customizing the email template.
For more information, see Verify Email Addresses with Async Email.
• Prioritize the areas to test. If you have automated tests, run those tests before you start end-user testing. Focus on the biggest impact
to your business. For example, some customers test public-facing sites and revenue-generating functionality first. Or to provide more
time for troubleshooting while your testers are engaged, you can prioritize the more complex customizations.
• Whenever possible, provide testers with clear instructions on how to test each feature.
• Determine the differences in testing in your sandbox versus go-live testing in production. We recommend testing thoroughly in
your sandbox. However, due to the assumption that major issues were discovered during sandbox testing, production testing is
often less detailed. Decide whether your approach to testing requires two versions of your test plan.
Post-Deployment Recommendations
After you deploy a My Domain change, Salesforce redirects your previous hostnames. Some of those redirections stop in Winter ’25,
starting in October 2024 for production orgs. To detect visits to your old hostnames, we recommend that you enable hostname redirection
logging. Then, to get a more complete view of the hostnames being redirected for your org, schedule a daily query of the Hostname
Redirects event type via REST API. For example, you can configure a cron job in Unix or a scheduled task in Windows to run the query.
For more information, see Log My Domain Hostname Redirections in Salesforce Help and the Hostname Redirects Event Type in the
Object Reference for the Salesforce Platform.
If you enabled and deployed enhanced domains, review the hostname redirections that stop in Winter ’25 and test for the potential
impact of that change. For more information, see Prepare for the End of Redirections for Non-Enhanced Domains in Salesforce Help.
Consider whether to disable all previous redirections. For example, if your brand changed, determine whether you want users to be able
to access your Salesforce org or sites via the old My Domain references. For more information on redirections, see My Domain Redirections
in Salesforce Help. If you choose to remove redirections for your old hostnames, treat it as a second My Domain change for testing and
communications.
Finally, if you enabled and deployed enhanced domains, you completed the steps required for the Deploy Enhanced Domains release
update. To help other admins in your org know that this required task is complete, in Setup, in the Quick Find box, enter Release
Updates, and click Release Updates. For Deploy Enhanced Domains, verify and complete the testing and activation steps.
SEE ALSO:
My Domain
Plan for a My Domain Change
Task: Learn about enhanced domains
Details: If your My Domain change includes enhanced domains, review Enhanced Domains in Salesforce Help and the considerations for enhanced domains. You can also watch the enhanced domains video.
To get the latest updates and ask questions about this feature, join the My Domain and Enhanced Domains Trailblazer Community group.

Task: Review the My Domain provisioning and deployment process
Details: When you save a change to your My Domain name, Salesforce provisions the new URLs before you can deploy them to your users. To learn about how each step of the process impacts your users’ access to Salesforce and why it’s important to test these changes in a sandbox, review the process.

Task: Determine the hostnames that change
Details: Review the My Domain URL formats and determine which of those hostnames your My Domain change updates. If your project involves renaming your My Domain, all the hostnames in those lists change. If you plan to enable and deploy enhanced domains, review the changes specific to that deployment. And if you plan to enable partitioned domains in a non-production org, review the list of hostnames that contain the partition name after the change.

Task: Note whether your login URLs change
Details: If your My Domain login URL or site URL changes, authentication updates are required. Determine whether these changes apply to your My Domain change. Then note the authentication updates required and any third parties involved with those updates. For details, see Determine the Required Authentication Updates After a My Domain Change.

Task: Identify the features that require an update
Details: For a list of items to update before and after your My Domain change, see Update Your Org for My Domain Changes in Salesforce Help. However, you probably don’t use every feature on the list. Identify the updates to make as part of your testing and deployment process. Optionally, you can use the example pre-deployment and post-deployment task checklists to track the items to update and test.

Task: Review recommended practices and identify any additional changes
Details: Salesforce recommends several steps before and after you deploy a My Domain. Determine which recommendations to adopt, and include any relevant steps in your testing and go-live plans. Also factor those steps into your project timelines. For example, if you decide to set up a custom domain to serve your sites, include the time required for that project in your overall project timeline.

Task: Identify participants for the required updates
Details: Now that you know which of your features are impacted, determine who can make the required changes. For example, if your My Domain change requires an update to your domain allowlists, identify who can make that update.
Review your integrations and external applications, then determine the involvement and support required from each third party. For example, if your My Domain change requires updating authentication settings, connect with your identity provider (IdP).

Task: Identify testers
Details: Use the list of impacted features and your test plan to identify testers. If possible, include knowledgeable end users in your testing, especially for key features. Many tasks in Salesforce can be performed multiple ways. These users can uncover issues that automated tests can miss.

Task: Identify communication owners
Details: Using your communication plan, identify the owners for each communication in your project participant list.

Task: Identify go-live participants
Details: Use your go-live plan to determine participants for that event. In addition to people assigned specific tasks, identify anyone required to resolve potential issues discovered during testing. For example, if your custom domain serves your Experience Cloud site, arrange for coverage with the DNS provider and any external hosting providers.

Task: Collect contact information
Details: Collect contact information for all project participants. For anyone involved in updating production, collect phone numbers and backup contacts. If you plan to publish a contact sheet for the go-live in production, verify whether the go-live participants are comfortable sharing their contact information with the group.

Task: Identify any features that automated tests cover
Details: Review any automated tests that you plan to run as part of your verification. Identify features that are impacted by the My Domain change that are covered by these tests. This information can help you prioritize your testing.

Task: Create a test plan
Details: Regardless of whether you have a small or large team for testing, a test plan helps ensure that you cover the required areas of testing. For more recommendations on test plans, see Review Recommended Practices for a My Domain Change in Salesforce Help.

Task: Determine how to capture testing results
Details: Provide a standard method for reporting issues discovered during testing. As you resolve issues, note the changes that are made in the sandbox. You can use that list to update production.
Some items that you uncover can only be performed after the change is deployed and your new My Domain URLs are available. Include these items in a checklist for the tasks to perform after you deploy in production.

Task: Develop a communication plan
Details: A My Domain change can impact users who log in to your Salesforce org and external users, such as visitors to your Experience Cloud sites. As part of your planning, develop a communication plan, and identify the owners for each communication. For more information on recommended communications, see Notify Users and Customers About a My Domain Change in Salesforce Help.
After you identify the owners, confirm the lead time required for each communication method. As part of your plan, specify the conditions required before each communication is sent and methods for the owners to get updates on the status of the project.

Task: Create a go-live plan
Details: A go-live plan ensures that you complete the essential steps when you deploy the change in production. For more recommendations on a go-live plan, see Review Recommended Practices for a My Domain Change in Salesforce Help.

Task: Develop a rollback plan
Details: The best deployment plans include contingency planning. If you discover a high-impact issue that can’t be resolved quickly during your go live, you can restore your original My Domain state. Define a plan for rolling back to the previous state.
To roll back a deployed My Domain change, typically you provision and deploy a change with your previous My Domain details. In the rollback plan, include reversing the changes made after you deployed the My Domain change and testing again.
Note: Because reversing a deployed My Domain change involves deploying another My Domain change, it can impact existing redirections. For more information, see My Domain Redirections in Salesforce Help.

Task: Identify or create a sandbox for testing
Details: Decide the sandbox or sandboxes to use when you test the My Domain change. Confirm when the sandboxes are available, and identify any steps and lead time required to grant access to your testers.
For more information on sandboxes, see Sandboxes: Staging Environments for Customizing and Testing in Salesforce Help and the Set Up a Sandbox in Your Salesforce Org unit in Trailhead.
Note: You can’t test enabling partitioned domains in a sandbox. If you have multiple orgs of the same non-production type, you can test partitioned domains before enabling them in other orgs of the same type. For example, you can enable partitioned domains in a Developer Edition org that you use less often before you enable the feature in your primary Developer Edition org.

Task: Determine your target project dates and dependencies
Details: To determine your target dates, discuss the project with stakeholders. If your My Domain change requires the completion of another project, work closely with the owner of that project to align the dates. If other projects require the new My Domain URLs, discuss their targeted completion date, then align the project dates and expectations.
If your My Domain change includes enabling enhanced domains, that feature is enforced in Winter ’24, and Salesforce automatically deploys this feature in non-production orgs with Winter ’23 and in all orgs with Spring ’23 and Summer ’23. To verify when enhanced domains are deployed or required in your org, you can find that information on the My Domain Setup page. To find the specific date that you get a release, go to Trust Status, search for your My Domain name, and select your Salesforce instance. Then select the Maintenance tab. For more information, see Get Your Org Status and Upcoming Maintenance Dates with My Domain in Salesforce Help.

Task: Choose your testing and deployment windows
Details: Identify any other projects planned or in flight during your planned project timeline, which Salesforce sandboxes those projects plan to use, and any overlapping feature changes. Given that project information, plus your project scope and participants, coordinate with your participants to determine the timeline for deploying the My Domain change in a sandbox, testing, and capturing test results.
Estimate the amount of time required to resolve any issues that arise, and then schedule a target deployment window for production. To minimize the impact on your users and customers, we recommend that you deploy your new My Domain when your org receives minimal traffic, such as during the weekend.

Task: Finalize and share your schedule
Details: After collecting input from all participants, share and confirm the timeline and the primary points of contact for participants and stakeholders.
SEE ALSO:
My Domain
Plan for a My Domain Change
• If your My Domain login URL or site URL changes, inform users that they can re-register their built-in authenticator or security key
when they log in after the change. And recommend that users register or verify a back-up authentication method, such as Salesforce
Authenticator or a third-party authenticator before the change. For more information, see Preserve Login Access During a My Domain
Login URL Change in Salesforce Help.
• Instruct your end users to prepare to update their bookmarks for any changed URLs.
• Tell your users to update all bookmarks listed on their Chatter groups.
• Highlight any other company-specific steps to take after the change. For example, if you added Google to the My Domain login
page as an identity provider, provide instructions or guidance on how to use that authentication method.
• How to report any issues they encounter after go live.
Customers—If your My Domain change impacts public-facing sites, plan your communications early. If your brand is changing, incorporate
the new URLs into your marketing campaign for the new brand. Otherwise, let customers know about the change and encourage them
to update any bookmarks.
If your customers log in to your site as authenticated users, determine whether it impacts their login method, and provide these users
with post-deployment instructions. For example, notify them about a requirement to log in again after a certain date. To help customers
who contact your company with questions after the change, share these instructions with your support team.
Partners—When you determine the scope and participants for your My Domain change, you review all functionality, including integrations
and applications that require support from third parties. Let them know about the pending My Domain change as soon as possible, and
include them in planning. Identify the key contacts at each vendor or third party, then provide updates on the progress of the project
and testing. Clearly communicate the assistance that you require, and confirm key dates such as the go-live weekend and required
participation. Also let them know how to contact you with any issues that they uncover during testing or post-deployment.
SEE ALSO:
My Domain
Plan for a My Domain Change
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Note: To create your own version of these checklists, use the My Domain Change Checklist Templates in Quip (available in English and Japanese only).
Example My Domain Change Project Checklist
The items on this list help with planning, scheduling, and performing a My Domain change.
Example My Domain Change Pre-Deployment Checklist
The items on this checklist don’t require the new My Domain URLs to be accessible.
Example My Domain Change Post-Deployment Checklist
The items on this checklist require your new My Domain URLs, so you can only complete them after you deploy the new My Domain.
SEE ALSO:
My Domain
Plan for a My Domain Change
SEE ALSO:
Plan for a My Domain Change
Example My Domain Change Checklists
• Installed Packages from AppExchange—To get the latest fixes, potentially including fixes for enhanced domains, install the latest
version of each package. Note the package providers so that you can report any issues detected.
If the change to your My Domain updates your My Domain login URL, complete these tasks.
• Authentication options such as single sign-on (SSO), authentication providers, and named credentials—Plan to update authentication.
Document your existing settings for your rollback plan.
• Knowledge articles served on your *.my.salesforce.com URL—Search for hard-coded references to the knowledge article
URLs.
• Lightning Out (beta)—Identify the Visualforce pages, web pages, and other locations that call your Lightning Out app. Identify who
can update the markup that’s embedded in those pages. Determine whether authenticated users access Lightning Out and whether
the connected app for Lightning Out uses your My Domain login URL.
• Open Computer-Telephony Integrations (CTI), such as Salesforce Call Center and Click to Dial—Work with your telephony provider
to add your new URLs to their allowlists. Review your configuration for any hard-coded references to your Salesforce URLs. Whenever
possible, update these references to relative URLs instead, and note any exceptions.
• Preserve login access for your admins and end users.
• Service Cloud Voice with Partner Telephony—Work with your telephony provider to add your new URLs to their allowlist. Also
identify hard-coded connect API URLs and references to the Next generation Omni-Channel engagement URL that ends in
*.my.salesforce-scrt.com.
If the change to your My Domain updates your Visualforce URL, complete these tasks. If the change also updates your My Domain login
URL, these pre-deployment tasks are included in that section.
• Open Computer-Telephony Integrations (CTI), such as Salesforce Call Center and Click to Dial—Work with your telephony provider
to add your new Visualforce URL to their allowlists. Review your configuration for any hard-coded references to your Visualforce
URLs. Whenever possible, update these references to relative URLs instead, and note any exceptions.
• Service Cloud Voice with Partner Telephony—Work with your telephony provider to add your new Visualforce URL to their allowlist.
Also identify hard-coded references to your Visualforce URL in your configuration. Whenever possible, update these references to
relative URLs instead, and note any exceptions.
If the change to your My Domain changes your Experience Cloud sites or Salesforce Sites URL, complete these tasks.
• Authentication options such as single sign-on (SSO), authentication providers, and named credentials—Plan to update authentication.
Document your existing settings for your rollback plan.
• Embedded Service Deployment (Chat)—Identify the web pages that include chat and identify who can update the code snippet
embedded in those pages.
• Knowledge articles served on your Experience Cloud site URL—Search for hard-coded references to the knowledge article URLs.
• Lightning Out (beta)—Identify the connected apps for Lightning Out that use your Experience Cloud sites URL. Determine whether
authenticated users access Lightning Out.
• Identity providers on your site login page—Note any authentication options available to your users.
• A Mobile Publisher for Experience Cloud app that uses your Experience Cloud site login URL—Before you deploy enhanced domains
in production, upgrade to Mobile Publisher version 10.0 or later.
• Multi-factor authentication (MFA) for your site—Preserve login access for your admins and end users.
If you have Experience Cloud sites or Salesforce Sites and the My Domain change includes deploying enhanced domains, complete
these tasks.
• External integrations—Work with third parties that currently integrate with your *.force.com site URL to ensure that they
support Server Name Indication (SNI).
• IP restrictions are configured in Salesforce with only IPv4 addresses—Update your IP allowlists or restrictions to allow IPv6 source
addresses for authorized users. Review and update the login IP range restrictions for the relevant profiles, including the site’s guest
user profile.
• Network restrictions that use IP allowlists only—Allowlist your site’s domain, serve your site via a custom domain, or plan to disable
the Salesforce CDN for your *.my.site.com URL after you deploy the My Domain change.
• Trusted domains for inline frames—Review and update the list of trusted domains for clickjack protection. Ensure that
*.my.salesforce.com is trusted.
• Visualforce pages with embedded Lightning components—For each Experience Cloud site with Visualforce pages that include
embedded Lightning components, update the Security & Privacy settings, and add your Lightning Components URL to the Trusted
Sites for Scripts.
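Several of the tasks above ask you to search for hard-coded references to your Salesforce URLs. The following Python script is an added example, not Salesforce code, that reports such references in a folder of retrieved metadata. The suffixes and partition labels come from the hostnames on this page; the category labels, the constructed sample markup, and the assumption that the first hostname label is MyDomainName or MyDomainName--Suffix are this example's own.

```python
import re
import sys
from pathlib import Path
from typing import List, NamedTuple, Optional

# Hostname suffixes that appear on this page, most specific first.
# The category labels are this example's own shorthand.
SUFFIXES = [
    ("my.salesforce-scrt.com", "omni-channel engagement"),
    ("my.salesforce.com", "my domain login"),
    ("my.site.com", "site"),
    ("salesforce-experience.com", "experience builder or cms"),
    ("container.force.com", "lightning container"),
    ("lightning.force.com", "lightning"),
    ("force.com", "other force.com"),
]
# Partition labels shown in this page's hostname lists.
PARTITIONS = {"scratch", "trailblaze"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
# One or more DNS labels followed by a known suffix. The lookarounds keep
# wildcard patterns (*.my.salesforce.com) and look-alike hosts
# (acme.my.salesforce.com.example.net) out of the results.
_HOST_RE = re.compile(
    r"(?<![\w.-])((?:" + _LABEL + r"\.)+(?:"
    + "|".join(re.escape(suffix) for suffix, _ in SUFFIXES)
    + r"))(?!\.?[\w-])",
    re.IGNORECASE,
)

# Constructed sample standing in for a retrieved Visualforce page.
SAMPLE = """\
<apex:page>
  <a href="https://acme.my.salesforce.com/articles/FAQ/reset">Reset</a>
  <a href="/articles/FAQ/reset">Reset (relative URL, not reported)</a>
  <script src="https://acme--c.scratch.container.force.com/app.js"></script>
  <iframe src="https://acme.my.salesforce-scrt.com/chat"></iframe>
  <a href="https://partner.force.com/support">Partner site</a>
</apex:page>
"""

class Finding(NamedTuple):
    source: str
    line: int
    host: str
    kind: str
    partition: Optional[str]

def classify(host: str) -> str:
    """Return the category of the most specific matching suffix."""
    for suffix, kind in SUFFIXES:
        if host.endswith("." + suffix):
            return kind
    return "unknown"

def scan_text(text: str, source: str = "<text>",
              my_domain: Optional[str] = None) -> List[Finding]:
    """Find hard-coded hostnames in text, optionally for one My Domain name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _HOST_RE.finditer(line):
            host = match.group(1).lower()
            labels = host.split(".")
            # Assumption: the first label is MyDomainName or MyDomainName--Suffix.
            if my_domain and labels[0].split("--")[0] != my_domain.lower():
                continue
            partition = next((p for p in labels[1:] if p in PARTITIONS), None)
            findings.append(Finding(source, lineno, host, classify(host), partition))
    return findings

def scan_tree(root: str, my_domain: Optional[str] = None) -> List[Finding]:
    """Scan every text file under root, for example a retrieved metadata folder."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if b"\0" in data:  # skip binary files such as zipped static resources
            continue
        findings += scan_text(data.decode("utf-8", "replace"), str(path), my_domain)
    return findings

def main(argv: List[str]) -> int:
    if len(argv) < 2:
        findings = scan_text(SAMPLE, "SAMPLE")  # no folder given: run the demo
    else:
        findings = scan_tree(argv[1], argv[2] if len(argv) > 2 else None)
    for f in findings:
        part = f" partition={f.partition}" if f.partition else ""
        print(f"{f.source}:{f.line}: {f.host} [{f.kind}]{part}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass the metadata folder as the first argument and, optionally, your My Domain name as the second to ignore other orgs' hostnames. A non-zero exit status means at least one hard-coded reference was found.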
SEE ALSO:
Plan for a My Domain Change
Example My Domain Change Checklists
If the change to your My Domain updates your My Domain login URL, complete these tasks.
• API Integrations—Update API integrations into your org to use the server endpoint. Download your metadata, and use a command-line
interface such as Salesforce CLI.
• Branding—If your brand changed, update your login page branding.
• Desktop links—Update the desktop link with your new My Domain login URL.
• DevOps Center—Update the named credentials used to authenticate users that access your org through DevOps Center.
• Email templates—Update the login URL for your Salesforce org.
• Enablement Sites (myTrailhead)—If your enablement site’s login URL is your My Domain login URL, contact Salesforce Customer
Support to update your Sales Enablement authentication provider.
• Identity providers on your login page—Update your identity providers to use your new login URL.
• Knowledge articles served on your *.my.salesforce.com URL—Update hard-coded references to the knowledge article
URLs.
• Lightning Out (beta)—Update connected apps that use your My Domain login URL. Refresh the markup on Visualforce pages, web
pages, and other locations that call your Lightning Out app. Generate a new Session ID or authentication token for authenticated
connections.
• Messaging for In-App and Web—To update your Messaging for Web configuration with your new URLs, republish your Messaging
for Web deployment.
• Multi-factor authentication (MFA) for accessing Salesforce—Update authentication.
• Named credentials—Review the URL field for your named credentials. If a named credential uses your My Domain login URL, update
the URL field with your new My Domain login URL. If users access functionality that relies on an updated named credential, instruct
them to reauthenticate.
• Marketing Cloud Account Engagement (Pardot)—If your configuration uses the Pardot Connector User, update the login URL that
Account Engagement uses.
• Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial—Verify and optionally update your
telephony provider’s allowlist. Update any hard-coded references to your Salesforce URLs in your configuration.
• A personalized version of the Salesforce mobile app published on the Google Play or Apple App stores—If your personalized version
of the Salesforce app uses your My Domain login URL, update your app to use your new login URL.
• Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner Telephony from Amazon Connect—Optionally,
remove your old URL formats from the Amazon Connect allowlist.
• Service Cloud Voice with Partner Telephony—Update any hard-coded references to your Salesforce URLs in your configuration.
Optionally, remove your old Salesforce URLs from the telephony provider’s allowlist.
• Single sign-on for accessing your org—Update authentication.
• Streaming API—Update to use your new My Domain login URL.
• Third-party connected apps that access your org—Work with the app owners to update the login URLs in their app, including SSO
and other authentication methods.
• Zones for Experience Cloud sites (Ideas, Answers, Chatter Answers)—Update the email notification URL.
If the Visualforce URL changed, complete these tasks. If the change also updates your My Domain login URL, these post-deployment
tasks are covered in that section.
• Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial—Update any hard-coded references
to your Visualforce URLs in your configuration. Verify and optionally update your telephony provider’s allowlist.
• Service Cloud Voice with Partner Telephony—Verify and optionally update your telephony provider’s allowlist.
If the content URL changed, complete these tasks.
• Email and other document templates that use files hosted in Salesforce—Update the embedded content or images. Instruct users
to update their local templates. For example, an icon or image hosted in your org and used in email footer templates.
• Enablement Sites (myTrailhead)—Update your modules and trails with your new badge art URLs.
• Web content that uses files hosted in Salesforce—Update the content links. For example, an image used on your website or externally
published PDFs.
If your Experience Cloud sites or Salesforce Sites URL changed, complete these tasks.
• Authentication that uses your site URL—Verify your configuration. If your setup uses your site URL, update the configuration.
• Branding—If your brand changed, update the branding for your Experience Cloud site login page.
• Desktop links—Update the desktop links with your new site login URL.
• Email templates—Replace references to your old site URLs with your new site URLs.
• Embedded Service Deployment (Chat)—Regenerate the Embedded Service code snippet. Update the web pages that include chat
with the new snippet.
• Enablement Sites (myTrailhead)—If your enablement site’s login URL is your Experience Cloud sites URL, contact Salesforce Customer
Support to update your Sales Enablement authentication provider.
• External integrations—Update external integrations that reference your sites.
• External links to the site—Update all references to the new site URL.
• Hard-coded references to your site within your sites and custom pages—Update the references to your site URL. Where possible,
use relative links or dynamically created hostnames.
• Identity providers on your site login page—Update your identity providers to use your new site URL.
• Knowledge articles served on your Experience Cloud sites URL—Update hard-coded references to the knowledge article URLs.
• Lightning Out (beta)—Update connected apps that use your Experience Cloud login URL. Generate a new Session ID or authentication
token for authenticated connections.
• Messaging for In-App and Web—If you use Messaging for Web in an Experience Builder site, update your allowlisted URLs.
• A Mobile Publisher for Experience Cloud app—Update your app to use your new Experience Cloud sites URL.
• Multi-factor authentication for accessing your site—Update authentication.
• Named credentials—Review the URL field for your named credentials. If a named credential uses your site URL, update the URL field
with your new site URL. If users access functionality that relies on an updated named credential, instruct them to reauthenticate.
• Single sign-on for accessing your site—Update the configuration.
• Third-party connected apps that access your site—Work with the app owners to update the site URLs in their app, including SSO
and other authentication methods.
• Trusted domains for inline frames—Review and update the list of trusted domains for clickjack protection. In particular, ensure that
*.my.salesforce.com is trusted.
If you have Experience Cloud sites and the My Domain change included deploying enhanced domains, complete this task.
• Network restrictions that use IP allowlists only—If users on your network can't access your .my.site.com URL, allowlist that domain,
disable the Salesforce CDN for that URL, or serve your site via a custom domain.
If a custom domain such as https://www.example.com serves your Experience Cloud sites or Salesforce Sites and the sites URL
changed, complete these tasks.
• The custom domain uses the HTTPS Option: Use a third-party service or CDN to serve the domain—Update the target hostname
used when forwarding requests from your domain’s proxy or CDN.
Set Up and Maintain Your Salesforce Organization Change Your My Domain Details
• The custom domain serves the site via a non-Salesforce host or service—Review and update the domain configuration, such as CDN
settings and hard-coded references to Salesforce URLs.
SEE ALSO:
Plan for a My Domain Change
Example My Domain Change Checklists
Avoid entering personal information in your domain name. Instead, enter only public information.
In production and sandbox orgs, your name must contain at least 3 characters and no more than 34 characters. In Developer
Edition orgs, your name must contain at least 3 characters and no more than 27 characters. It can include letters, numbers, and
hyphens, but you can’t start the name with a hyphen.
b. If other suffixes are available for your org’s My Domain, a suffix dropdown list appears. To change your My Domain suffix, select
a new suffix.
Tip: Unsure of which suffix to pick? For most orgs, the Standard suffix is the best option.
Important: Enhanced domains change URL formats across your org. For more information, see My Domain URL Format
Changes When You Enable Enhanced Domains. Before you deploy your updated My Domain in production, test it in a sandbox.
5. Optional: Stabilize your Visualforce, Experience Builder, Site.com Studio, and content file URLs.
Note: If enhanced domains are enabled, these URLs are stabilized and these settings aren’t available. Several browsers and
operating systems updated their URL requirements after this option was first made available. Enhanced domains provide the
latest standard for stabilizing the URLs that Salesforce hosts for your org.
Unless you disabled enhanced domains in a prior step, these settings apply upon saving, without redeploying your My Domain.
a. Select Stabilize Visualforce, Experience Builder, Site.com Studio, and content file URLs.
Note: If you disabled Use enhanced domains, this option is enabled by default. To revert your URLs to their prior formats
before enhanced domains were deployed, if this My Domain setting was previously disabled, deselect Stabilize Visualforce,
Experience Builder, Site.com Studio, and content file URLs.
To determine whether this setting was disabled before enhanced domains were deployed, check the Setup Audit Trail
and find the audit trail action for the deployment of your My Domain with enhanced domains. If you see the action,
“Enabled the My Domain setting, Stabilize Visualforce, Experience Builder, Site.com Studio, and content file URLs”,
immediately before the deployment of enhanced domains, then this My Domain setting was disabled before enhanced
domains were deployed.
b. Optional: Select Include the instance name in Visualforce URLs when third-party cookies are blocked.
This option only applies to the Standard, Database.com, and Cloudforce suffixes when Visualforce URLs are stabilized without
enhanced domains.
Third-party cookie blocking can cause issues loading Visualforce pages with stabilized URLs.
Set Up and Maintain Your Salesforce Organization Update Your Org and Test My Domain Changes
The provisioning process usually finishes in a few minutes, but it can take up to 24 hours. You receive an email when your My Domain
is ready to be deployed and tested.
When you change your My Domain details, Salesforce redirects your previous My Domain URLs to your current My Domain. If you change
your My Domain more than one time, only the last set of My Domain URLs for your org are redirected. For more information, see My
Domain Redirections.
Next Steps
• Salesforce provisions your updated My Domain URLs. The provisioning process usually finishes in a few minutes, but it can take
up to 24 hours. You receive an email when your updated My Domain is ready to be deployed and tested.
• Review the changes to your org’s URLs in My Domain URL Formats.
• Deploy your new My Domain, update your org, and test the changes.
SEE ALSO:
My Domain Considerations
My Domain URL Formats
Enhanced Domains
Disable or Remove Your Previous My Domain
Note: A change to your My Domain login URL or site URL requires updates to your org beyond authentication methods and
settings. For details, see Update Your Org for My Domain Changes in Salesforce Help.
For more information on updating authentication after a My Domain change that affects your login URLs, see Update Authentication
After a My Domain Change in Salesforce Help. When you review this section before you deploy a My Domain change, you can gather
the list of updates to make before users and third parties access your updated org.
Important: Ensure that at least one admin registers Salesforce Authenticator or a third-party authenticator app as a backup
method before you deploy a change to your My Domain login URL. Otherwise the admin can’t log in and help reset authentication
settings or other users’ verification methods after the new My Domain is deployed.
If your admins previously registered Salesforce Authenticator or a third-party authenticator app as a backup method, instruct them to
verify that authentication method before you deploy the change.
Help Users Restore Built-In Authenticator and Security Key Verification Methods
When your My Domain login URL or site URL changes, two multi-factor authentication (MFA) verification methods stop working: built-in
authenticators and security keys. If any of your users only use these methods to authenticate when they log in to Salesforce, they can’t
log in after the login URL changes.
Tip: Not sure who in your org has registered built-in authenticators or security keys for MFA logins? Create a custom list view of
users or review the Identity Verification Methods report. For more information, see See How Your Users Are Verifying Their Identity
in Salesforce Help. To learn more about built-in authenticators or security keys, see Verification Methods for Multi-Factor
Authentication in Salesforce Help.
Make it easy for these users to restore their authentication methods after the My Domain change.
1. Before the scheduled deployment of your My Domain change, instruct affected users to register Salesforce Authenticator or a
third-party authenticator app as a backup verification method. These types of verification methods aren't affected by My Domain
changes.
This approach allows your users to restore their original verification methods at their convenience. It can reduce support tickets
related to logging in to Salesforce after the My Domain change. Also, if a user loses a device or security key, a backup verification
method can preserve their access.
For more information, see Connect Your Salesforce Account to Salesforce Authenticator or Verify Your Identity with a TOTP
Authenticator App in Salesforce Help.
2. As part of your communication for the My Domain change, let users know that they can re-register their built-in authenticator or
security key when they log in after the change.
3. When you make updates to your org after you deploy the My Domain change, disconnect the built-in authenticator and security
key verification methods for all users in Setup.
After you disconnect the methods, users can reconfigure the verification methods. If one of the affected users didn’t register a backup
method before the change, this step is required the first time that they log in to Salesforce with the new login URL.
For more information on that process, see Disconnect a User's Verification Method in Salesforce Help. You can also disconnect security
keys for all users through the UserManagement.deregisterVerificationMethod() Apex method.
SEE ALSO:
My Domain
Update Authentication After a My Domain Change
Multi-Factor Authentication
Apex Reference Guide: UserManagement.deregisterVerificationMethod()
The current domain and new domain fields show the My Domain login URL. However, Salesforce serves multiple domains for your
Salesforce org. For example, if you enabled enhanced domains, the My Domain login URL doesn’t change in production, but site,
Visualforce, content, and many other URLs change. For more information on the URLs that Salesforce serves for your org and the
potential impact, see My Domain URL Formats.
As part of the provisioning process for your new domain, Salesforce performs a cursory check to ensure that you have network access
to the new domains. If you don’t have the required access, the My Domain page lists the URLs you can’t access. Before you can
deploy your new domain, resolve these network access issues. The access issues can be temporary, such as connectivity issues
stemming from a stale DNS cache. Or they can require updates to your allowlists or network configuration. To deploy your My
Domain, revisit the My Domain Setup page after the access issues are resolved.
If the My Domain Setup page shows Step 2: Provisioning in Progress, Salesforce is still provisioning your new domain. The provisioning
process usually finishes in a few minutes, but it can take up to 24 hours. You receive an email when the process finishes. If you
continue to see the Provisioning in Progress page 24 hours after submitting your My Domain name, you can click Stop Provisioning
to stop the process. After you stop the process, wait 15 minutes, and then try registering your My Domain name again. Or you can
contact Salesforce Customer Support.
2. Optionally, if you renamed your My Domain, update your My Domain settings, such as adding authentication services. For more
information, see Configure My Domain Settings.
Note: My Domain settings apply to your org’s deployed and provisioned domains.
3. To roll out the new My Domain to your org, click Deploy New Domain, and click OK.
When you deploy your My Domain, it’s activated immediately. You can now set login policies. See Set My Domain Login and Redirect
Policies.
Before you test the deployed My Domain, update all URL references in your org.
Note: To avoid potential conflicts between follow-up processes such as CNAME and DNS updates, you can’t make a change that
requires provisioning for 15 minutes after you deploy or cancel a new My Domain. Changes that require provisioning include
changing your My Domain name or suffix, enabling enhanced domains, removing a previous My Domain name, and moving to
Salesforce Edge Network.
Each time that you deploy a change to your My Domain, Salesforce redirects requests from your previous My Domain URLs to your
current My Domain. If you don’t want those requests to be redirected, see Disable or Remove Your Previous My Domain.
Next Steps
• Review the changes to your org’s URLs in My Domain URL Formats.
• Update your org.
• Test the changes.
SEE ALSO:
My Domain
Configure My Domain Settings
Set My Domain Login and Redirect Policies
SEE ALSO:
Update Your Org and Test My Domain Changes
Note: A change to your My Domain login URL or site URL requires updates to your org beyond authentication methods and
settings. For details, see Update Your Org for My Domain Changes in Salesforce Help.
Named Credentials
To simplify the setup of authenticated callouts, you can use a named credential as the callout endpoint. The named credential specifies
the URL of a callout endpoint and its required authentication parameters.
When your My Domain login URL or site login URL changes, named credentials that use that URL stop working. To reestablish the
impacted authentication callouts, update the URL field for the affected named credentials. For more information, see Update Named
Credentials After a My Domain Change in Salesforce Help.
Salesforce acts as the service provider for single sign-on (SSO) via an Authentication Provider or OpenID Connect | Authentication is delegated to a third-party identity provider such as Google, Facebook, or a third party that operates over the OpenID Connect protocol. Or authentication is delegated to a custom authentication provider that supports OAuth 2.0. | From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers. Active Auth. Provider records exist that aren’t Salesforce Managed. As a reminder, Salesforce Managed Auth. Providers aren’t recommended.
For instructions on how to update your IdP in these cases, see Update Your SAML SSO IdP Configuration After a Login or Site URL Change
and Update Your Auth Provider or OpenID Connect IdP Configuration After a Login URL Change in Salesforce Help.
When Salesforce acts as the identity provider, users can log in to an external service provider or relying party with credentials from your
Salesforce org. With these methods, if your My Domain or site login URL changes, share the updated endpoints with the third-party
service providers to allow them to authenticate against the new URL. These changes can only be made after you deploy the change to
your My Domain.
A connected app uses Salesforce as an Identity Provider through OpenID Connect | A custom app is integrated as a connected app with OpenID Connect. Your users can log in to the custom app with their Salesforce or site credentials. | From Setup, in the Quick Find box, enter Apps, and select App Manager. View or edit each app. If Enable OAuth Settings is selected, then third parties can use Salesforce as an identity provider for that app.
For instructions on how to update your service provider in these cases, see Update Service Provider Endpoints After a Login or Site URL
Change in Salesforce Help.
Integrated Logins
Before you deploy the change to your My Domain, visit the corresponding login pages and note the available options.
If your users can authenticate with alternate identity providers or a SAML Single Sign-On (SSO) authentication method from your My
Domain login page or Experience Cloud site login page, those authentication methods stop working when the page's URL changes and
can be removed from the page. To restore these authentication methods:
• For each authentication method, update the corresponding authentication service.
– For alternate identity providers, such as Google, Facebook, or a third party that operates over the OpenID Connect protocol, see
Update Your Auth Provider or OpenID Connect IdP Configuration After a Login URL Change in Salesforce Help.
– For SAML Single Sign-On (SSO) authentication methods, including Okta, OneLogin, Azure, or another Salesforce org, see Update
Your SAML SSO IdP Configuration After a Login or Site URL Change in Salesforce Help.
• Verify the authentication method on the login page. If necessary, re-add authentication providers to your login page.
– For your org's My Domain login page: Add an Authentication Provider to Your Org’s Login Page in Salesforce Help.
– For your Experience Cloud site's login page: Add an Authentication Provider to Your Experience Cloud Site’s Login Page in
Salesforce Help.
DevOps Center
If you use DevOps Center, update the named credentials used to access the DevOps Center environment for your org. For more information,
see Update Named Credentials After a My Domain Change in Salesforce Help.
SEE ALSO:
Update Authentication After a My Domain Change
Monitor Login History
Use the Identity Provider Event Log
environmentRecordID_projectName_environmentName_sequentialNumber.
3. In the URL field, replace your old login URL with your new login URL.
For example, replace https://ExperienceCloudSitesSubdomainName.force.com/hr/jobpostings with
https://MyDomainName.my.site.com/hr/jobpostings.
b. When prompted, reauthenticate with your credentials for the affected org.
If your authentication fails, double-check the URL and update the named credential record if needed.
The first time a user accesses functionality that uses the updated named credential, the user is prompted to reauthenticate. Include this
detail in your communication plan for the My Domain change.
SEE ALSO:
My Domain
Configure My Domain Settings
Set My Domain Login and Redirect Policies
Update Your SAML SSO IdP Configuration After a Login or Site URL Change
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
After you deploy a My Domain change that updates your My Domain login URL or site URL, SAML Single Sign-On (SSO) authentication
stops working. To allow your users to use this SSO method again, work with your Identity Provider to update your configuration.
Important: Before you deploy a change that updates your login URL or you update your authentication settings, make sure that
you can access Salesforce after the change. Double-check that at least one admin can log in without authentication features
such as SSO, built-in authenticators, or security keys. For more information, see Preserve Login Access During a My Domain
Login URL Change.
After you deploy the change that updates your My Domain login URL, work with your Identity Provider (IdP) to update your IdP
configuration with the new authentication values.
These steps also apply after your Experience Cloud site URL or Salesforce Site URL changes, but only
if you use the system-managed site URL to authenticate. System-managed site URLs end in
*.my.site.com for Experience Cloud sites and *.my.salesforce-sites.com for Salesforce Sites. If you authenticate via
a custom domain, such as https://www.example.com, that serves your Experience Cloud site or Salesforce Site, then your SSO
configuration is unaffected.
1. In the Quick Find box, enter Single Sign-On, and then select Single Sign-On Settings.
2. View the details for each entry in the SAML Single Sign-On Settings table.
The updated values are shown in the Endpoints section.
4. After your Identity Provider updates the settings, verify your updated endpoints with the
/.well-known/auth-configuration URL path.
For example, if your login URL is https://mycompany.my.salesforce.com, visit
https://mycompany.my.salesforce.com/.well-known/auth-configuration.
5. If your configuration includes SAML Single Sign-On (SSO) that is initiated by the service provider, update your authentication
configuration settings on the My Domain page.
a. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
b. In the Authentication Configuration section, click Edit.
c. In the Authentication Service field, select the correct record and save your changes.
Note: If you don’t know whether the service provider initiates SAML SSO, before you deploy your My Domain change, view
the authentication configuration settings on the My Domain page.
6. Verify the authentication method from your login page. If necessary, add authentication providers to your login page again.
a. For your org's My Domain login page, see Add an Authentication Provider to Your Org’s Login Page in Salesforce Help.
b. For your Experience Cloud site's login page, see Add an Authentication Provider to Your Experience Cloud Site’s Login Page in
Salesforce Help.
SEE ALSO:
Update Authentication After a My Domain Change
SAML SSO with Salesforce as the Service Provider
Configure Your Experience Cloud Site as a Service Provider or Relying Party
Update Your Auth Provider or OpenID Connect IdP Configuration After a Login URL Change
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
After you deploy a My Domain change that updates your My Domain or site login URL, OpenID Connect single sign-on (SSO)
authentication stops working. OpenID Connect SSO options include Authentication Providers. To allow your users to use this SSO
method again, work with your identity provider (IdP) to update your configuration.
Important: Before you deploy a change that updates your login URL or you update your authentication settings, make sure that
you can access Salesforce after the change. Double-check that at least one admin can log in without authentication features
such as SSO, built-in authenticators, or security keys. For more information, see Preserve Login Access During a My Domain
Login URL Change.
After you deploy the change that updates your My Domain login URL, work with your identity provider to update your IdP
configuration with the new authentication values.
These steps also apply after your Experience Cloud site URL or Salesforce Site URL changes, but only
if you use the system-managed site URL to authenticate. System-managed site URLs end in *.my.site.com for Experience Cloud
sites and *.my.salesforce-sites.com for Salesforce Sites. If you authenticate via a custom domain, such as
https://www.example.com, that serves your Experience Cloud site or Salesforce Site, then your SSO configuration isn’t affected.
1. In the Quick Find box, enter Auth. Providers, and then select Auth. Providers.
2. View the details for each Auth. Provider record.
The updated values are shown in the Salesforce Configuration section.
4. After your identity provider updates the settings, verify your updated endpoints with the
/.well-known/auth-configuration URL path.
For example, if your login URL is https://mycompany.my.salesforce.com, visit
https://mycompany.my.salesforce.com/.well-known/auth-configuration.
Note: If your identity provider updated the values but the changes aren’t reflected in Salesforce, disable the authentication
provider in the Authentication Configuration section of the My Domain screen, then enable it again. For more information,
see Add Identity Providers to the My Domain Login Page in Salesforce Help.
5. Before you test your new authentication configuration, verify that the value in the Authentication Service field on the My Domain
Setup page matches the authentication service record.
If needed, edit your Authentication Configuration settings on the My Domain Setup page. Then in the Authentication Service
field, select the correct record and save your changes.
6. Verify the authentication method from your login page. If necessary, add authentication providers to your login page again.
a. For your org's My Domain login page, see Add an Authentication Provider to Your Org’s Login Page in Salesforce Help.
b. For your Experience Cloud site's login page, see Add an Authentication Provider to Your Experience Cloud Site’s Login Page in
Salesforce Help.
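The endpoint check in step 4 of this procedure, and of the SAML procedure before it, can be scripted. This added example (not Salesforce code) walks a saved /.well-known/auth-configuration response and flags every URL, including one carried inside a query parameter, that still points at a previous hostname. The sample JSON, its field names, and the oldcompany hostname are constructed assumptions.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample response. The field names and values are assumptions for
# illustration, not output captured from a real org.
SAMPLE_AUTH_CONFIGURATION = """
{
  "OrgId": "<org-id-placeholder>",
  "Url": "https://mycompany.my.salesforce.com",
  "LoginPage": {
    "LoginPageUrl": "https://mycompany.my.salesforce.com/?locale=us",
    "LogoUrl": "https://oldcompany.my.salesforce.com/img/logo.png"
  },
  "SamlProviders": [
    {"name": "Corp IdP",
     "SsoUrl": "https://idp.example.com/sso?RelayState=https%3A%2F%2Foldcompany.my.salesforce.com%2Fhome"}
  ],
  "AuthProviders": [
    {"name": "Google",
     "SsoUrl": "https://mycompany.my.salesforce.com/services/auth/sso/Google"}
  ]
}
"""


def _is_url(value):
    return value.lower().startswith(("http://", "https://"))


def iter_urls(node, path="$"):
    """Yield (json_path, url) for every http(s) string in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str) and _is_url(node):
        yield path, node


def hosts_in(url):
    """Return the URL's own host plus the hosts of URLs carried in its query string."""
    parts = urlsplit(url)
    hosts = [(parts.hostname or "").lower()]
    for _name, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
        if _is_url(value):
            hosts.extend(hosts_in(value))
    return hosts


def audit_auth_configuration(document, new_host, old_hosts):
    """Sort every URL in the document into stale, current, or other."""
    old = {host.lower() for host in old_hosts}
    findings = {"stale": [], "current": [], "other": []}
    for path, url in iter_urls(json.loads(document)):
        hosts = hosts_in(url)
        if any(host in old for host in hosts):
            findings["stale"].append((path, url))      # still references a previous hostname
        elif new_host.lower() in hosts:
            findings["current"].append((path, url))
        else:
            findings["other"].append((path, url))      # third-party host, review manually
    return findings


if __name__ == "__main__":
    result = audit_auth_configuration(
        SAMPLE_AUTH_CONFIGURATION,
        new_host="mycompany.my.salesforce.com",
        old_hosts=["oldcompany.my.salesforce.com"],
    )
    for status, entries in result.items():
        for path, url in entries:
            print(f"{status:8} {path}  {url}")
```

A stale entry means that endpoint still has to be updated; entries under other belong to third-party hosts and need a manual look.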
SEE ALSO:
Update Authentication After a My Domain Change
Authentication Provider SSO with Salesforce as the Relying Party
Configure Your Experience Cloud Site as a Service Provider or Relying Party
Tip: Some service providers and relying parties can use this URL to import the required settings.
2. For each service provider that relies on Salesforce as an Identity Provider, determine whether the connected app uses SAML, OpenID
Connect, or OAuth.
3. If the connected app is integrated with SAML, work with the relying party to update these fields.
• Issuer URL
• Well-known metadata endpoints
4. If the connected app is integrated with OpenID Connect or OAuth, work with the service provider or relying party to update these
fields.
• OAuth endpoints
• Audience for JWT Bearer flow
5. After the service provider or relying party updates the required fields, verify the authentication method by accessing the app with
the corresponding Salesforce credentials.
SEE ALSO:
Update Authentication After a My Domain Change
Salesforce as an Identity Provider
Configure Your Experience Cloud Site as an Identity Provider or OpenID Provider
Allowlists | Review your allowlists, and ensure that they include the required Salesforce domains.
Custom Visualforce pages or custom apps | Replace references to the org’s instance URL with relative URLs and dynamically generated hostnames. Note any URLs that require a hard-coded reference. For more information, see Update References to Hard-Coded URLs for Lightning Experience in Salesforce Help and the knowledge article, Updating Hard-Coded References. To search your Salesforce code, download the metadata. Then use a command-line interface such as Salesforce CLI.
Einstein Bots | Identify the web pages and sites that use your chatbots so that you can update them after you deploy the change. For each bot, review the Permitted Domains field in the chat deployment settings. Optionally, you can update the permitted domains and update your deployment code before you deploy the My Domain change. For more information, see Create Chat Deployments in Salesforce Help.
External software that accesses your Salesforce org | After you deploy a My Domain change, Salesforce redirects your previous My Domain URLs. In some cases, external software calls can’t process the redirection, and the call to the Salesforce URL fails. Before you deploy your My Domain change, verify that the external software that uses your Salesforce URLs, including site URLs, can process redirections. If the software can’t process those redirects, work with the software owner to get that redirection functionality in place or plan to update your use of the software with your new URLs after you deploy the change.
Firewalls and proxy servers that filter by hostname | Update trust settings to include all applicable URL formats for your new configuration, as described in My Domain URL Formats.
Identity providers on your My Domain login page | Note the authentication options available to your users. For example, the ability to log in to Salesforce with Google credentials. For more information, see Update Authentication After a My Domain Change.
Installed packages from AppExchange | To get the latest fixes, including potential fixes for enhanced domains, install the latest version of each package. Note the package providers so that you can report any issues detected during testing. For more information, see Manage Installed Packages in Salesforce Help, and visit AppExchange.
My Domain settings | Document your configuration on the My Domain Setup page for reference after you deploy the My Domain change. To capture all settings, view or edit each section on the Setup page.
If the change to your My Domain updates your My Domain login URL, complete these tasks before you deploy the My Domain change.
Your My Domain login URL changes when you change your My Domain name or suffix, deploy enhanced domains in a sandbox, or
deploy partitioned domains in a non-production org.
Authentication options such as single sign-on (SSO), authentication providers, and named credentials: If any
authentication methods use your login URL, plan to update authentication after you deploy the My Domain change.
We recommend that you document your existing settings before you deploy your My Domain change. This snapshot of
your earlier configuration is a valuable reference for your rollback plan.
For more information about the settings to capture, see Determine the Required Authentication
Updates After a My Domain Change.
Knowledge articles served on your *.my.salesforce.com URL: Search for hard-coded references to the knowledge
article URLs.
Lightning Out (beta): Identify the Visualforce pages, web pages, and other locations that call your Lightning Out
app. Identify who can update the markup embedded in those pages.
Determine whether authenticated users can access Lightning Out and whether the connected app
for Lightning Out uses your My Domain login URL.
Multi-factor authentication (MFA) for logging in to Salesforce: Preserve login access for your admins and end users.
Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial:
• Work with your telephony provider to add your new URLs to the telephony provider’s allowlists.
• Review your configuration for any hard-coded references to your URLs. Whenever possible,
update these references to relative URLs instead. For examples, see the Knowledge Article,
Enhanced Domains and Open CTI with Visualforce (Spring ’23). If you find any hard-coded
references that you can’t convert to a relative URL, note them and prepare to update them after
you deploy your new My Domain.
Service Cloud Voice: When you enable Service Cloud Voice, Salesforce uses your My Domain URLs to configure single
sign-on (SSO) to your telephony provider. The required action depends upon your configuration.
• If you use Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner
Telephony from Amazon Connect, Salesforce updates your configuration, including the Amazon
Connect allowlist, when you deploy your new My Domain. No action is required before you
deploy the new My Domain.
• If you use Service Cloud Voice with Partner Telephony, work with your telephony provider to
add your new URLs to their allowlist. Also identify hard-coded connect API URLs, allowlists, and
references to the Next generation Omni-Channel engagement URL that ends in
*.my.salesforce-scrt.com. With your telephony provider, prepare to update those
hard-coded references after you deploy your new My Domain.
If the change to your My Domain updates your Visualforce URL, complete these tasks before you deploy the My Domain change. Your
Visualforce URL changes when you deploy enhanced domains or change your My Domain name.
Note: If the change to your My Domain also updated your My Domain login URL, these steps are covered in the
corresponding list of pre-deployment tasks in this Help topic.
Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial:
• Work with your telephony provider to add your new Visualforce URL to the telephony provider’s
allowlists.
• Review your configuration for any hard-coded references to your Visualforce URL. Whenever
possible, update these references to relative URLs instead. For examples, see the Knowledge
Article, Enhanced Domains and Open CTI with Visualforce (Spring ’23). If you find any hard-coded
references that you can’t convert to a relative URL, note them and prepare to update them after
you deploy your new My Domain.
Service Cloud Voice: If you use Service Cloud Voice with Partner Telephony, work with your telephony provider to add
your new Visualforce URL to their allowlist. Also identify hard-coded references to your Visualforce
URL in your configuration. With your telephony provider, prepare to update those hard-coded
references after you deploy your new My Domain.
If you use Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner Telephony
from Amazon Connect, no action is required. Salesforce updates your configuration when you deploy
your new My Domain.
If your Experience Cloud sites or Salesforce Sites URL change with your My Domain change, complete these tasks before you deploy
your My Domain change. Site URLs change when you deploy enhanced domains, change your My Domain name in an org with enhanced
domains, or deploy partitioned domains in a non-production org.
Authentication options such as single sign-on, authentication providers, and named credentials: If any
authentication methods use your site URL, plan to update authentication after you deploy the My Domain change.
We recommend that you document your existing settings before you deploy your My Domain change. This snapshot of
your earlier configuration is a valuable reference for your rollback plan.
For more information about the settings to capture, see Determine the Required Authentication
Updates After a My Domain Change.
Embedded Service Deployment (Chat): Identify the web pages that include chat and identify who can update the code
snippet embedded in those pages.
Identity providers on your site login page: Note the authentication options available to your users. For example,
the ability to log in to your site with their Salesforce or Google credentials. For more information, see Update
Authentication After a My Domain Change.
Knowledge articles served on your Experience Cloud site URL: Search for hard-coded references to the knowledge
article URLs.
A Mobile Publisher for Experience Cloud app: To support redirections of your current My Domain URLs after you deploy
the My Domain change, check your Mobile Publisher for Experience Cloud Apps version. If you’re running a version
lower than 10.0, follow the instructions in the knowledge article, Mobile Publisher for Experience Cloud
Apps and Enhanced Domains, to upgrade to the latest version before you deploy your My Domain
change.
If you use a custom domain such as https://www.example.com to host your Experience
Cloud site and use that custom domain for your Mobile Publisher app, this task doesn’t apply. Also,
this task doesn’t apply to Mobile Publisher for Lightning apps.
Lightning Out (beta): Identify the connected apps for Lightning Out that use your Experience Cloud sites URL.
Determine whether authenticated users access Lightning Out.
Multi-factor authentication for logging in to your site: Preserve login access for your admins and end users.
If you have Experience Cloud sites or Salesforce Sites and the My Domain change includes enabling enhanced domains, complete these
tasks before you deploy the new My Domain.
External integrations: Salesforce uses the Server Name Indication (SNI) protocol to serve the *.my.site.com and
*.my.salesforce-sites.com domains. If an integration doesn’t support that protocol,
the integration can fail. Work with third parties that currently integrate with your *.force.com
site URL to ensure that they support SNI.
IP restrictions are configured in Salesforce with only IPv4 addresses: After you deploy enhanced domains, users can
see an error when they access your site that ends in *.my.site.com via IPv6. To prevent that error, update your IP
allowlists or restrictions to allow IPv6 source addresses for authorized users. In particular, review and update
the login IP range restrictions for the relevant profiles, including the site’s guest user profile. For more
information on setting IP restrictions in Salesforce, see the knowledge article, Network Access, Session Settings,
and Profile-based IP restrictions.
These three IP ranges cover the entire IPv4 and IPv6 internets.
:: to ::fffe:ffff:ffff
0.0.0.0 to 255.255.255.255
::1:0:0:0 to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Network restrictions that use IP allowlists only: When you deploy enhanced domains, your new system-managed
Experience Cloud site *.my.site.com domain includes the Experience Cloud Content Delivery Network (CDN), which uses
the Salesforce CDN Partner. The IP addresses used by the Salesforce CDN partner, Akamai, aren’t published. Therefore,
if your network settings include IP allowlisting, users can lose access to your site that uses the
Salesforce CDN. For example, if your users log in via a VPN that exclusively uses IP allowlisting, the
users on that VPN can’t access your site, because it uses an Akamai IP address.
To ensure that your users can access your Experience Cloud site on the Salesforce CDN, allowlist your
site’s domain, or serve your site via a custom domain. For more information, see the Knowledge
Article, Access Experience Sites via an IP-Restricted VPN After Enhanced Domains Deployment.
If you can’t allowlist your domain at the network level or configure a custom domain to serve your
site, plan to contact Salesforce Customer Support to disable the Salesforce CDN for your
*.my.site.com site URL after you deploy enhanced domains.
Trusted domains for inline frames: If the Clickjack protection level for your site is Allow framing of site pages
on external domains (Good protection), review and update the list of trusted domains. In particular, ensure that
*.my.salesforce.com is trusted.
For more information, see Enable Clickjack Protection in Experience Cloud Sites and Enable Clickjack
Protection in Site.com in Salesforce Help.
Visualforce pages with embedded Lightning components: If the Visualforce page is published through an Experience
Cloud site, trust your Lightning components URL for scripts on your site. For each site with Visualforce pages that
include embedded Lightning components, edit the Security & Privacy settings in Experience Builder and add your
Lightning Components URL to the Trusted Sites for Scripts. For example, add
https://*.container.force.com or https://*.force.com. For more information,
see Where to Allowlist Third-Party Hosts for Experience Builder Sites in Salesforce Help.
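Added example (not from the Salesforce documentation): a Python check of the login IP range guidance in the IP restrictions task above. It places IPv4 ranges in the IPv4-mapped IPv6 space (::ffff:0:0 to ::ffff:ffff:ffff), confirms that the three listed ranges leave no gap, and shows that an IPv4-only allowlist rejects a client that connects over IPv6. The function names and the 203.0.113.0/24 and 2001:db8::/32 sample ranges are constructed for illustration.

```python
import ipaddress

V4_MAPPED_BASE = 0xFFFF << 32      # ::ffff:0:0, where IPv4 0.0.0.0 lands
MAX_ADDR = (1 << 128) - 1          # ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

# The three ranges listed in the task above.
PAGE_RANGES = [
    ("::", "::fffe:ffff:ffff"),
    ("0.0.0.0", "255.255.255.255"),
    ("::1:0:0:0", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"),
]

# Constructed sample: a profile restricted to one IPv4 office range.
IPV4_ONLY = [("203.0.113.0", "203.0.113.255")]
# Constructed sample: the same profile after adding the office IPv6 range.
DUAL_STACK = IPV4_ONLY + [("2001:db8::", "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff")]


def to_int(addr):
    """Place an address on one 128-bit number line (IPv4 becomes IPv4-mapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return V4_MAPPED_BASE + int(ip)
    return int(ip)


def merge(ranges):
    """Return sorted, non-overlapping (lo, hi) integer intervals."""
    merged = []
    for lo, hi in sorted((to_int(a), to_int(b)) for a, b in ranges):
        if lo > hi:
            raise ValueError("range start is above range end")
        if merged and lo <= merged[-1][1] + 1:
            # Overlapping or directly adjacent: extend the previous interval.
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def gaps(ranges):
    """Parts of the 128-bit space that no range covers, as (start, end) strings."""
    missing, cursor = [], 0
    for lo, hi in merge(ranges):
        if lo > cursor:
            missing.append((cursor, lo - 1))
        cursor = hi + 1
    if cursor <= MAX_ADDR:
        missing.append((cursor, MAX_ADDR))
    return [(str(ipaddress.IPv6Address(a)), str(ipaddress.IPv6Address(b)))
            for a, b in missing]


def allows(ranges, addr):
    """True if the source address falls inside any configured range."""
    value = to_int(addr)
    return any(lo <= value <= hi for lo, hi in merge(ranges))


def has_native_ipv6(ranges):
    """True if any range reaches outside the IPv4-mapped block."""
    v4_lo, v4_hi = V4_MAPPED_BASE, V4_MAPPED_BASE + 0xFFFFFFFF
    return any(lo < v4_lo or hi > v4_hi for lo, hi in merge(ranges))


if __name__ == "__main__":
    print("gaps left by the three listed ranges:", gaps(PAGE_RANGES))
    print("IPv4-only profile has IPv6 coverage:", has_native_ipv6(IPV4_ONLY))
    for client in ("203.0.113.7", "2001:db8::10"):
        print(client, "IPv4-only:", allows(IPV4_ONLY, client),
              "dual-stack:", allows(DUAL_STACK, client))
```

An empty result from `gaps()` means the configured ranges admit every source address, so the output for `DUAL_STACK` shows how much of the address space stays blocked when only the authorized users' IPv6 range is added.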
Post-Deployment Tasks
Complete these tasks after you deploy a My Domain change. Post-deployment tasks require your new My Domain URLs.
Incomplete pre-deployment tasks: Review the pre-deployment tasks, and complete any incomplete items.
Allowlists: If you deployed enhanced domains, you can remove the domains that only apply to orgs without
enhanced domains from your allowlist. However, we recommend that you keep those domains in
your allowlist for redirection until all users and integrations are using your new domains successfully.
For the list of required domains and their purposes, see Allow the Required Domains in Salesforce
Help.
Chatter: Review and update bookmarks and links on Chatter groups that you own.
Custom Visualforce pages or custom apps: Replace hard-coded references to the org’s instanced URL, such as
https://na170.salesforce.com, or your My Domain login URL with your new My Domain
login URL.
For more information, see Update References to Hard-Coded URLs for Lightning Experience in
Salesforce Help and the knowledge article, Updating Hard-Coded References.
To search your Salesforce code, download the metadata. Then use a command-line interface such
as Salesforce CLI.
Einstein Bots: For each bot, regenerate the deployment code and update it on each web page that uses the bot.
As part of the process, review and update the Permitted Domains field in the chat deployment
settings. For more information, see Create Chat Deployments in Salesforce Help.
External software that accesses your Salesforce org: Update the references to your Salesforce URLs within the
external software, then log in to Salesforce again via the software.
Hard-coded references to URLs: Update these references to your current My Domain URLs. Ideally, generate the
hostnames via a dynamic method, such as the DomainCreator Class in Apex.
If you deployed enhanced domains, review the hostname redirections that stop in Winter ’25. If you
find any of those hostname formats in your org, update them to the enhanced domain format.
For more information about updating hard-coded references, see Update References to Hard-Coded
URLs for Lightning Experience in Salesforce Help and the knowledge article, Updating Hard-Coded
References.
To search your Salesforce code, download the metadata. Then use a command-line interface such
as Salesforce CLI.
Installed packages from AppExchange: Verify the package functionality. If necessary, log in to Salesforce again to
access the package features. Note the features that require users to reconnect, and include those features in your
end-user notifications. For more information, see Notify Users and Customers About a My Domain Change.
Firewalls and proxy servers that filter by hostname: Optionally, you can remove the hostnames that no longer apply
to your org from your trust settings. However, we recommend that you allow those hostnames for redirection until
all users and integrations are using your new domains successfully.
Pinned certificates: We don’t recommend certificate pinning. Consider updating your policies to exclude pinned
certificates. Otherwise, if you changed your My Domain suffix or deployed enhanced domains, review
your pinned certificates against your new My Domain URLs, and update them as needed. If your
software or policies require pinning, we recommend that you pin the intermediate certificate and
not the leaf certificate.
Complete these tasks if your My Domain login URL changed. Your My Domain login URL changes when you change your My Domain
name or suffix, deploy enhanced domains in a sandbox, or deploy partitioned domains in a non-production org.
Important: When your My Domain login URL or site URL changes, authentication methods such as SSO and MFA can stop working.
Before you deploy a change to your My Domain, preserve login access for your admins and users.
API integrations into your org: Check whether the API client references the server endpoint. For the API client,
use the metadataServerUrl or serverURL value returned by a login request. Don’t use a
hard-coded server URL.
After you deploy a My Domain change that affects your login URL, Salesforce returns the server URL
containing your new My Domain name or suffix. If your org has been moved to another instance or
you require SOAP API logins to use your My Domain in My Domain policies, old calls to instanced
URLs fail. Otherwise, old calls to instance URLs continue to work. In either case, to avoid disruption,
use the value returned by Salesforce.
To search your Salesforce code, download the metadata. Then use a command-line interface such
as Salesforce CLI.
Branding: If your brand changed, update your login page branding. For more information, see Customize Your
My Domain Login Page with Your Brand.
Desktop links: Update the desktop links with your new My Domain login URL.
DevOps Center: Update the named credentials used to authenticate users that access your org through DevOps
Center. For more information, see Update Named Credentials After a My Domain Change.
Email templates: Replace references to the old URL with your new My Domain login URL. If the template uses a
hard-coded URL, which is more common in email templates created in Salesforce Classic, we
recommend that you update the template to use a dynamically generated URL.
Enablement sites (myTrailhead): If your enablement site’s login URL is your My Domain login URL in the format
https://MyDomainName.my.salesforce.com, contact Salesforce Customer Support
to update your authentication provider. For more information, see Configure Your Enablement Site
in Salesforce Help.
Identity providers on your login page: Update your identity providers with your new My Domain login URL or new site
login URL. For more information, see Update Authentication After a My Domain Change.
Knowledge articles served on your *.my.salesforce.com URL: Update any hard-coded references to the knowledge
article URLs.
Messaging for In-App and Web: To update your Messaging for Web configuration with your My Domain login URL,
republish your Messaging for Web deployment. For more information, see Update Your Messaging for Web
Deployment After Upgrading to Enhanced Domains in Salesforce Help.
Lightning Out (beta): Update connected apps that use your My Domain login URL.
Refresh the Lightning Out markup on Visualforce pages, web pages, and other locations that call
your Lightning Out app.
If authenticated users access Lightning Out, generate a new Session ID or authentication token for
those connections.
Multi-factor authentication for accessing Salesforce: Update your authentication configuration. For more
information, see Update Authentication After a My Domain Change.
Named credentials: Review the URL field for your named credentials. If a named credential uses your My Domain login
URL, update the URL field with your new My Domain login URL. For more information, see Update
Named Credentials After a My Domain Change.
If users access functionality that relies on an updated named credential, instruct them to
reauthenticate.
Marketing Cloud Account Engagement (Pardot): If your Account Engagement configuration uses the Pardot Connector
User, update the login URL that Account Engagement uses. In Account Engagement, update the Pardot Connector User.
To use the same user, save the user again in Account Engagement. Then log out and back in to your org to
complete the process.
If you’re using the Account Engagement Integration User, no changes are needed.
When you deploy enhanced domains, no change to the Account Engagement tracker domain
configuration is required.
Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial:
• Verify with your telephony provider that your new URLs are included in the telephony provider’s
allowlists. Optionally, work with the provider to remove your previous URLs from their allowlists.
• Update any hard-coded references to your previous URLs. Whenever possible, update these
references to relative URLs instead. For examples, see the Knowledge Article, Enhanced Domains
and Open CTI with Visualforce (Spring ’23).
A personalized version of the Salesforce mobile app published on the Google Play or Apple App stores: If your
personalized version of the Salesforce app uses your My Domain login URL, update your app
to use your new My Domain login URL.
Service Cloud Voice: When you enable Service Cloud Voice, Salesforce uses your My Domain URLs to configure single
sign-on (SSO) to your telephony provider. The required action depends upon your configuration.
• If you use Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner
Telephony from Amazon Connect, no action is required. Salesforce updates your configuration,
including the Amazon Connect allowlist, when you deploy your new My Domain. Optionally,
remove your old URL formats from the Amazon Connect allowlist.
• If you use Service Cloud Voice with Partner Telephony, work with your telephony provider to
update your configuration with your new URLs after you deploy the new My Domain. In particular,
update hard-coded connect API URLs, allowlists, and references to the Next generation
Omni-Channel engagement URL that ends in *.my.salesforce-scrt.com. Optionally,
work with your telephony provider to remove your previous URL formats from their allowlist.
Single sign-on for accessing Salesforce: Update your authentication configuration. For more information, see
Update Authentication After a My Domain Change.
Streaming API: To ensure continuity during instance refreshes and org migrations, we recommend using My Domain
URLs with Streaming API. If you follow this recommendation, replace your previous My Domain login
URL with your new login URL.
If you don’t follow this recommendation yet, use your My Domain login URL with Streaming API. For
example, replace https://login.salesforce.com and
https://InstanceName.salesforce.com/ with
https://MyDomainName.my.salesforce.com/.
For more information on logging in to Salesforce with your My Domain URL, see Log In to Salesforce
with Code.
Third-party connected apps: Work with the third party to update the URLs in the app, including SSO and other
authentication configuration settings. For more information, see Update Authentication After a My Domain Change.
Zones for Experience Cloud sites (Ideas, Answers, Chatter Answers): Update the email notification URL. From Setup,
in the Quick Find box, enter Zones, and then select Zones under Answers, Ideas Zones or Chatter Answers Zones.
Then, next to the zone that you want to change, click Edit. To update the Email Notification URL, clear the
existing URL so that the field is blank. Save the page, and the system populates the field with the new
My Domain URL.
If the URL for your Visualforce pages changed, complete these tasks. Your Visualforce URL changes when you deploy enhanced domains
or change your My Domain name.
Note: If your My Domain login URL changed, these steps are covered in the corresponding list of post-deployment tasks in this
Help topic.
Open Computer-Telephony Integrations (CTIs), such as Salesforce Call Center and Click to Dial:
• Verify that your new Visualforce URL is included in the telephony provider’s allowlists. Optionally,
work with the provider to remove your previous Visualforce URL from their allowlists.
• Update any hard-coded references to your previous Visualforce URL. Whenever possible, update
these references to relative URLs instead. For examples, see the Knowledge Article, Enhanced
Domains and Open CTI with Visualforce (Spring ’23).
Service Cloud Voice: If you use Service Cloud Voice with Partner Telephony, work with your telephony provider to
update your configuration, including allowlists, with your new Visualforce URL. Optionally, work with your
telephony provider to remove your previous Visualforce URL from their allowlist.
If you use Service Cloud Voice with Amazon Connect or Service Cloud Voice with Partner Telephony
from Amazon Connect, no action is required. Salesforce updates your configuration when you deploy
your new My Domain. Optionally, you can update your Amazon Connect allowlist to remove your
old Visualforce URL format.
Complete these tasks if your content URL changed. That URL changes when you change your My Domain name or suffix, deploy enhanced
domains in any org, or deploy partitioned domains in a non-production org.
Email and other document templates that use files hosted in Salesforce: Update the embedded content or images. For
example, an icon or image that is hosted in your org and used in email footer templates. Instruct users to update
their local templates.
Enablement sites (myTrailhead): URLs for badge art stored in your Salesforce org changed. Update your modules and
trails with the new badge art URLs. For more information, see Configure Your Enablement Site in Salesforce Help.
Web content that uses files hosted in Salesforce: Update the content links. For example, an image used on your
website or externally published PDFs.
Complete these tasks if your Experience Cloud sites or Salesforce Sites URL changed. Site URLs change when you deploy enhanced
domains, change your My Domain name in an org with enhanced domains, or deploy partitioned domains in a non-production org.
Important: When your My Domain login URL or site URL changes, authentication methods such as SSO and MFA can stop working.
Before you deploy a change to your My Domain, preserve login access for your admins and users.
Authentication that uses your site URL: If you configured a Salesforce authentication provider so that your users
can log in to your custom external web app using their Salesforce credentials, verify your configuration. If your
setup uses your site URL, update the configuration. For more information, see Update Authentication After a My
Domain Change.
Branding: If your brand changed, update the branding for your Experience Cloud site login page. For more
information, see Brand Your Pages from the Administration Workspace in Salesforce Help.
Desktop links: Update the desktop links with your new site login URL.
Email templates: Replace references to your old site URLs with the new site login URLs. Hard-coded URLs are more
common in email templates created in Salesforce Classic.
Embedded Service Deployment (Chat): Regenerate the Embedded Service code snippet with your new site URL. Update the
web pages that include chat with the new snippet. See Add Your Embedded Chat to a Website.
Enablement sites (myTrailhead): If your enablement site’s login URL is your site URL, contact Salesforce Customer
Support to update your authentication provider. For more information, see Configure Your Enablement Site in
Salesforce Help.
External links to the site: Update external-facing links such as publicly available Experience Cloud sites and
Salesforce Sites. For example, a site URL can be used on your website, social media pages, marketing materials, and
templates such as email signatures and automated responses.
Hard-coded references to your site within your sites and custom pages: Update any hard-coded links to Experience
Cloud sites and Salesforce Sites in your sites and custom pages. For example, if you host knowledge articles on an
Experience Cloud site, update the URLs that include your old site URL. These links are redirected to the equivalent
current site URL until Winter ’25 or until you disable the redirections. However, it’s best to avoid hard-coded
links. Use relative paths and dynamically generated hostnames whenever you can. If your site URL changes
again in the future, relative paths and dynamically generated hostnames continue to work.
Identity providers on your site login page: Update your identity providers with your new site URL. For more
information, see Update Authentication After a My Domain Change.
Knowledge articles served on your Experience Cloud site URL: Update any hard-coded references to the knowledge
article URLs.
Lightning Out (beta): Update connected apps that use your Experience Cloud URL.
If authenticated users access Lightning Out, generate a new Session ID or authentication token for
those connections.
Messaging for Web: If you use Messaging for Web in an Experience Builder site, update your allowlisted URLs. For more
information, see Update Your Messaging for Web Deployment After Upgrading to Enhanced Domains
in Salesforce Help.
A Mobile Publisher for Experience Cloud app: Update your app to use your new Experience Cloud sites URL before the
redirection for your old site URL stops in Winter ’25. For more information, see Mobile Publisher for Experience
Cloud.
If you use a custom domain such as https://www.example.com to host your Experience
Cloud site and use that custom domain for your Mobile Publisher app, this task doesn’t apply. Also,
this task doesn’t apply to Mobile Publisher for Lightning apps.
Multi-factor authentication for accessing your site: Update your authentication configuration. For more
information, see Update Authentication After a My Domain Change.
Named credentials: Update named credentials that use your site login URL. For more information, see Update Named
Credentials After a My Domain Change.
Single sign-on for accessing your site: If you configured SSO for your Experience Cloud sites, update the
configuration. SSO options for sites include users logging in to your site with their Salesforce credentials or
with an external provider’s credentials. For more information, see Update Authentication After a My Domain Change.
If you have Experience Cloud sites and the My Domain change included enabling enhanced domains, complete this task.
Network restrictions that use IP allowlists only: When you deploy enhanced domains, your new system-managed
Experience Cloud site *.my.site.com domain includes the Experience Cloud Content Delivery Network (CDN), which
uses the Salesforce CDN Partner. The IP addresses used by the Salesforce CDN partner, Akamai, aren’t
published. Therefore, if your network settings include IP allowlisting, users can lose access to your
site that uses the Salesforce CDN. For example, if your users log in via a VPN that exclusively uses IP
allowlisting, the users on that VPN can’t access your site, because it uses an Akamai IP address.
To ensure that your users can access your Experience Cloud site on the Salesforce CDN, allowlist your
site’s domain, or serve your site via a custom domain. For more information, see the Knowledge
Article, Access Experience Sites via an IP-Restricted VPN After Enhanced Domains Deployment.
If you can’t allowlist your domain at the network level or configure a custom domain to serve your
site, contact Salesforce Customer Support to disable the Salesforce CDN for your *.my.site.com
site URL.
Complete these steps if the Experience Cloud sites or Salesforce Sites URL that Salesforce hosts changed and a custom domain such as
https://www.example.com serves the site. Site URLs that Salesforce hosts change when you deploy enhanced domains, change
your My Domain name in an org with enhanced domains, or deploy partitioned domains in a non-production org.
Note: Enabling or disabling enhanced domains doesn’t change the Salesforce internal *.live.siteforce.com CNAME
for your custom domain.
Your custom domain uses the External HTTPS option “Use a third-party service or CDN to serve this domain”: Update
the target hostname used when forwarding requests from your domain’s proxy or CDN. For
more information, see Prerequisites for a Custom Domain That Uses a Third-Party Service or CDN.
The custom domain serves the site via a non-Salesforce host or service: Review and update the domain configuration,
such as CDN settings and hard-coded references to Salesforce URLs.
SEE ALSO:
My Domain
My Domain URL Formats
My Domain Considerations
Note: My Domain settings apply to all deployed and provisioned domains in the org.
For more information, see Set My Domain Login and Redirect Policies.
Tip: The My Domain Setup page shows your org’s current My Domain login URL and the login URL for any My Domain change
in progress. For the formats of the other URLs in your org, such as Visualforce pages, Salesforce Sites, and Experience Cloud sites,
see My Domain URL Formats.
If you enabled enhanced domains, or if you renamed your My Domain in an org with enhanced domains enabled, the URLs for Experience
Cloud sites and Salesforce Sites change. Include verification of these external-facing URLs from all access points in your test plans. For
example, a site URL can be used on your website, social media pages, marketing materials, and templates such as email signatures and
automated responses.
To supplement your test plans, consider including users and partners in your testing. End-user testing can help validate the most
commonly used workflows. And partners can help identify and remediate access issues efficiently.
• If you customized your org, for example, with buttons or Visualforce pages, make sure that you test your changes thoroughly. Look
for broken links due to hard-coded references. For example, look for instance-based URLs such as
https://na139.salesforce.com.
Tip: To search your Salesforce code, download the metadata. Then use a command-line interface such as Salesforce CLI.
• Content stored in Salesforce, such as images and files. Multiple places can reference this content, including Visualforce pages,
Experience Cloud sites, Salesforce Sites, and enablement sites (myTrailhead).
• Links to your Salesforce org from your sites, such as links to content, reports, files, and other sites.
Note: In most cases, you can’t edit package-delivered components. If you find that you can edit a package-delivered component,
don’t edit the component directly. Otherwise, the next package update can overwrite your changes.
We recommend that package developers use generated hostnames and relative paths to build any links. If they follow that approach,
updated links work after a My Domain change, such as enabling enhanced domains. If you find an issue with components or functionality
delivered by a package from AppExchange, contact the package developer. Make them aware of the issue so that they can publish a
new version of their package that remediates the issue.
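The search described in the tip above, as an added example that is not part of the Salesforce documentation: a Python script that walks a directory of downloaded metadata and flags URLs whose hostnames contain an instance name or end in one of the non-enhanced suffixes listed on this page. The instance-name pattern, the file names, and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A subset of the hostname suffixes that this page lists as non-enhanced.
NON_ENHANCED_SUFFIXES = (
    ".visualforce.com",
    ".documentforce.com",
    ".salesforce-communities.com",
    ".forceusercontent.com",
    ".container.lightning.com",
)

# Assumption: an instance name is a few letters followed by digits,
# as in the page's examples na139 and na87. A short My Domain name of
# the same shape is flagged too, so treat findings as review candidates.
INSTANCE_LABEL = re.compile(r"[a-z]{2,4}\d{1,4}")

# Captures the hostname of any http(s) URL in a line of text.
HOST_RE = re.compile(r"https?://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", re.I)


def classify(host):
    """Return 'non-enhanced', 'instanced', or None for a hostname."""
    host = host.lower()
    if host.endswith(NON_ENHANCED_SUFFIXES):
        return "non-enhanced"
    if host.endswith((".salesforce.com", ".force.com")):
        labels = host.split(".")[:-2]  # drop the registered domain
        if any(INSTANCE_LABEL.fullmatch(label) for label in labels):
            return "instanced"
    return None


def scan(root):
    """Return (relative path, line number, hostname, kind) for each hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in HOST_RE.finditer(line):
                kind = classify(match.group(1))
                if kind:
                    findings.append((path.relative_to(root).as_posix(),
                                     lineno, match.group(1).lower(), kind))
    return findings


def demo():
    """Scan a small, constructed metadata tree (not real org data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "classes").mkdir()
        (root / "pages").mkdir()
        (root / "classes" / "Links.cls").write_text(
            "String ok = 'https://example3.my.salesforce.com/home';\n"
            "String old = 'https://na139.salesforce.com/001';\n",
            encoding="utf-8")
        (root / "pages" / "Home.page").write_text(
            "<apex:page>\n"
            '<a href="https://example3--c.visualforce.com/apex/Home">A</a>\n'
            '<a href="https://example3--c.vf.force.com/apex/Home">B</a>\n'
            '<img src="https://example3--c.na87.content.force.com/logo"/>\n'
            "</apex:page>\n",
            encoding="utf-8")
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

To run it against your own org, call scan() with the directory that holds the retrieved metadata.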
Next Steps
After you complete testing, help your users get started using your new My Domain by providing links to pages that they use frequently,
such as your login page. Let your users know if you changed the login policy, and encourage them to update their bookmarks the first
time that they’re redirected.
If you enabled enhanced domains, update external-facing links such as publicly available Experience Cloud sites and Salesforce Sites.
For example, a site URL can be used on your website, social media pages, marketing materials, and templates such as email signatures
and automated responses. Create a plan to update each location, and announce the change to your users and customers.
SEE ALSO:
My Domain
Knowledge Article: Updating Hard-Coded References
Update References to Hard-Coded URLs for Lightning Experience
My Domain Redirections
When you deploy a change to your My Domain, Salesforce redirects multiple hostnames automatically. Learn about the types of
redirections, how to log redirections for the hostnames that Salesforce hosts for your org, and how you can control these redirections.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Understand Redirections for Previous My Domain Hostnames
After you deploy a change to your My Domain, Salesforce redirects your previous My Domain hostnames. If you enabled and deployed
enhanced domains, some of those redirections are temporary. And if your org was created before Summer ’20, hostnames that contain
your Salesforce instance can be redirected. Learn more about these redirections and how you can control them.
Prepare for the End of Redirections for Non-Enhanced Domains
After you enable and deploy enhanced domains, your previous non-enhanced hostnames are redirected. Those redirections stop in
Winter ’25. Review the affected hostnames and how you can disable the redirections to test before Salesforce disables them.
Set My Domain Login and Redirect Policies
Manage how users and API calls access your Salesforce org. Specify whether logins to your org require your My Domain. And choose
what users see when they access a bookmark or link that contains your instance-specific domain.
Disable or Remove Your Previous My Domain
Each time that you deploy a change to your My Domain, Salesforce redirects requests from your previous My Domain URLs to your
current My Domain. If you don’t want these requests to be redirected, you can disable redirections from your previous My Domain.
We recommend that you use this option when you test a My Domain change. Or, to use your previous My Domain in a different
Salesforce org, remove your previous My Domain.
Disable Redirects for Your Previous Force.com Site URLs
When you enable enhanced domains, the URL formats change for your Experience Cloud sites and Salesforce Sites. To minimize
potential disruption, the *.force.com site URLs that Salesforce hosted for your sites are redirected to your current My Domain
site URLs. If you prefer, you can disable these redirections.
Log My Domain Hostname Redirections
To reduce disruption, Salesforce redirects multiple hostnames automatically when you deploy a change to your My Domain. To
better understand which previous My Domain hostnames are being redirected, enable event logging for these redirections.
SEE ALSO:
My Domain
Change Your My Domain Details
Redirection Rules
Redirections for your org’s previous hostnames follow different rules.
• For previous My Domain hostnames, Salesforce redirects your previous My Domain hostnames until you deploy another My Domain
change or until you disable or remove your previous My Domain.
• After you enable and deploy enhanced domains, your previous *.force.com site hostnames are redirected. Those redirections
remain in place until you disable them or until Salesforce disables those redirections in Winter ’25.
• After you enable and deploy enhanced domains, other previous non-enhanced hostnames are redirected. These redirections remain
in place until you disable them or until Salesforce disables those redirections in Winter ’25. Also, if you deploy another change to
your My Domain, these redirections stop.
• If your org was created before Winter ’20, old bookmarks and links to your org can contain your Salesforce instance. For more
information on these categories of hostnames and the purpose of each hostname, see My Domain Hostnames. For information
about restricting the hostnames that your users can use to access your org, see Set My Domain Login and Redirect Policies in Salesforce
Help.
For all redirections, parameters passed via a URL follow these rules.
• The redirection includes query-string parameters up to the first hash (#), if present.
• The redirection doesn’t include any hash fragments. A hash fragment is the part of the URL that includes a hash (#) and the text that
follows it.
• For entity-containing requests, such as POST, the redirect includes a Temporary Redirect (307) HTTP response status code. That status
code instructs the browser to retry the request at the new location via the original request method.
Warning: Before you deploy a My Domain change, consider the impact on any existing My Domain redirections. Salesforce only
redirects your last set of previous My Domain URLs. If you previously changed your My Domain, your previous My Domain hostnames
redirect to your current My Domain URLs unless you disable those redirects. When you deploy another My Domain change, existing
redirections stop, and Salesforce redirects the My Domains in place before the latest deployment instead.
Let’s look at some examples of how redirections are handled when you deploy a change to your My Domain and redirects are in place
for previous My Domain hostnames.
In our first example, your old My Domain name is example1, and your current My Domain name is example2. You change your
My Domain name a second time to example3. After you deploy this change, requests to example2.my.salesforce.com
domain are redirected to example3.my.salesforce.com. Requests to example1.my.salesforce.com are no longer
redirected, and other customers can use example1 as their My Domain name.
This rule applies to any My Domain change that requires My Domain provisioning and deployment, such as enabling enhanced domains
or enabling partitioned domains.
In our second example, after you change your My Domain name to example3 and deploy the change, you enable enhanced domains.
After you deploy the My Domain with enhanced domains, the non-enhanced hostnames for My Domain example3 are redirected.
For example, requests to example3--c.visualforce.com are redirected to example3--c.vf.force.com. However,
requests to example2.my.salesforce.com are no longer redirected, and other customers can use example2 as their My
Domain name.
To stop redirections of your old My Domain hostnames, disable redirections for your previous My Domain. If your previous and current
My Domain names are different, you can make that My Domain name available for use in other orgs by removing your previous My
Domain. For more information, see Disable or Remove Your Previous My Domain.
New MyDomainName.my.site.com
New MyDomainName--PackageName.vf.force.com
For a full list of the hostnames that change, see My Domain URL Format Changes When You Enable Enhanced Domains in Salesforce
Help. To better understand the purpose of each hostname type and whether it applies to you, see My Domain Hostnames in Salesforce
Help.
Instanced Hostnames
Salesforce orgs created before Winter ’20 didn’t have a My Domain name by default. In this case, some users accessed Salesforce via
hostnames that contain your Salesforce instance, such as na87.lightning.force.com in the URL
https://na87.lightning.force.com/lightning/page/home. We don’t recommend using hostnames that contain
an instance name, because your Salesforce instance can change with an org migration or refresh.
The My Domain redirect policy determines what users see when they access a bookmark or link that contains your Salesforce instance.
For example, when a user visits https://InstanceName.lightning.force.com/lightning/page/home, the
redirect policy determines whether they’re redirected to
https://MyDomainName.lightning.force.com/lightning/page/home. It also controls redirections for other
instanced URLs without your My Domain or site URL, such as Visualforce pages in the format
https://PackageName.InstanceName.visual.force.com. You can choose to redirect the user to the same page
within the domain, with or without a warning, or to prevent redirects. For more information, see Set My Domain Login and Redirect
Policies in Salesforce Help.
SEE ALSO:
My Domain
Enhanced Domains
My Domain Redirections
Note: My Domain URL redirections help prevent disruption, but they’re not intended as a permanent solution. Not all services
work well with redirections, and a redirection adds a step to the process of loading the final web page. When you deploy enhanced
domains, we highly recommend that you disable redirections during testing and update all references to your old URLs.
Note: If you deploy another My Domain change after you enable and deploy enhanced domains, these hostnames are no longer
redirected. For more information, see Understand Redirections for Previous My Domain Hostnames in Salesforce Help.
To disable the redirections of these non-enhanced My Domain hostnames for testing purposes, you can temporarily disable your previous
My Domain. For more information, see Disable or Remove Your Previous My Domain in Salesforce Help.
Here are the non-enhanced hostnames for a production org that are temporarily redirected after you enable and deploy enhanced
domains.
• MyDomainName--PackageName.container.lightning.com¹
• MyDomainName--c.documentforce.com
• MyDomainName.builder.salesforce-communities.com
• MyDomainName.livepreview.salesforce-communities.com
• MyDomainName.preview.salesforce-communities.com
• MyDomainName--UniqueID.a.forceusercontent.com
• MyDomainName--UniqueID.c.my.force-user-content.com
• MyDomainName--PackageName.visualforce.com¹
• MyDomainName--c.InstanceName.content.force.com
• MyDomainName--sitestudio.InstanceName.force.com
• MyDomainName--livepreview.InstanceName.force.com
• MyDomainName--sitepreview.InstanceName.force.com
• MyDomainName--PackageName.InstanceName.visual.force.com¹
• MyDomainName--sitestudio.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--livepreview.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--sitepreview.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--c.InstanceName.content.sfdc-HyperforceInstanceName.force.com
• MyDomainName--PackageName.InstanceName.visual.sfdc-HyperforceInstanceName.force.com¹
Here are the non-enhanced hostnames for a sandbox that are temporarily redirected after you enable and deploy enhanced domains.
• MyDomainName--SandboxName.my.salesforce.com
• MyDomainName--SandboxName.lightning.force.com
• MyDomainName--SandboxName--PackageName.container.lightning.com¹
• MyDomainName--SandboxName--UniqueID.b.forceusercontent.com
• MyDomainName--SandboxName--UniqueID.c.forceusercontent.com
• MyDomainName--SandboxName--c.documentforce.com
• MyDomainName--SandboxName.builder.salesforce-communities.com
• MyDomainName--SandboxName.livepreview.salesforce-communities.com
• MyDomainName--SandboxName.preview.salesforce-communities.com
• MyDomainName--SandboxName.InstanceName.my.salesforce.com
• MyDomainName--SandboxName--PackageName.visualforce.com¹
• MyDomainName--SandboxName--c.InstanceName.content.force.com
• MyDomainName--SandboxName--sitestudio.InstanceName.force.com
• MyDomainName--SandboxName--livepreview.InstanceName.force.com
• MyDomainName--SandboxName--sitepreview.InstanceName.force.com
• MyDomainName--SandboxName--PackageName.InstanceName.visual.force.com¹
• MyDomainName--SandboxName--c.InstanceName.content.sfdc-HyperforceInstanceName.force.com
• MyDomainName--SandboxName--sitestudio.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--SandboxName--livepreview.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--SandboxName--sitepreview.InstanceName.sfdc-HyperforceInstanceName.force.com
• MyDomainName--SandboxName--PackageName.InstanceName.visual.sfdc-HyperforceInstanceName.force.com¹
¹ If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain Redirections
Enhanced Domains
Update Your Org for My Domain Changes
Test My Domain Changes
Note: This setting has no effect on what happens when your users visit URLs associated with your previous My Domain after
a My Domain change. For example,
https://PreviousMyDomainName.lightning.force.com/lightning/page/home. For more information
on disabling or removing your previous My Domain URLs, see Disable or Remove Your Previous My Domain.
a. To allow users to continue using URLs that don’t include your My Domain name, select Redirect to the same page within the
domain.
Note: Bookmarks don’t work when Redirect to the same page within the domain is selected for partner portals.
Change the existing bookmarks manually to point to the new My Domain URL by replacing the Salesforce instanced URL
b. To remind users to use your My Domain URLs, select Redirect with a warning to the same page within the domain. Users
briefly see a warning message, then they’re redirected to the page. You can’t customize the warning message.
Select this option for a few days or weeks to help users transition to your new My Domain. The warning gives users a chance to
change their bookmarks and get used to using the new URLs.
c. To require users to use your My Domain URLs when viewing your pages, select Don’t redirect (recommended).
SEE ALSO:
My Domain Redirections
My Domain Considerations
My Domain URL Formats
3. To disable redirections from your previous My Domain, deselect Redirect previous My Domain URLs to your current My Domain
and save your changes. Or, to enable redirections from your previous My Domain, select this option.
This option determines what happens when users visit bookmarks or links that contain your previous My Domain name. For example,
when a user visits https://PreviousMyDomainName.lightning.force.com/lightning/page/home, this
option determines whether they’re redirected to
https://CurrentMyDomainName.lightning.force.com/lightning/page/home.
When you disable this option, you enforce your My Domain change. Salesforce recommends that you temporarily disable redirections
from your previous My Domain to test a My Domain change or to test the effect of removing your previous My Domain.
Note: This setting only controls redirections from URLs associated with the My Domain in the Previous My Domain URL
section.
• This setting has no effect on what happens when users visit a URL that contains your Salesforce instance. For example,
https://InstanceName.lightning.force.com/lightning/page/home. For more information on
the redirect policy for instance-specific URLs, see Set My Domain Login and Redirect Policies.
• To redirect the last *.force.com URLs that Salesforce hosted for your Experience Cloud sites and Salesforce Sites
before you enabled and deployed enhanced domains, see Disable Redirects for Your Previous Force.com Site URLs in
Salesforce Help.
4. To permanently remove your previous My Domain, click Remove Previous My Domain, and confirm your decision.
Note: To avoid user disruption, we recommend that you test before you remove your previous My Domain. To test the effect
of disabling redirections, deselect Redirect previous My Domain URLs to your current My Domain, and save your changes.
After you complete your testing, use the Remove Previous My Domain option to remove your previous My Domain.
After you remove your previous My Domain, requests to your previous My Domain’s URLs are no longer redirected. If your previous
and current My Domain names are different, your previous My Domain name is now available for use in other orgs.
To avoid potential conflicts between follow-up processes such as CNAME and DNS updates, you can’t make a change that requires
provisioning for 15 minutes after you remove your previous My Domain. Changes that require provisioning include changing your
My Domain name or suffix, enabling enhanced domains, and moving to Salesforce Edge Network.
SEE ALSO:
My Domain Redirections
My Domain Considerations
My Domain URL Formats
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
Any URLs that end in force.com that Salesforce previously served for your Experience Cloud sites or Salesforce Sites are listed
under Routing.
2. Under Routing, click Edit.
The option to redirect your old *.force.com site URLs is enabled by default and lists the specific site URLs to be redirected (1).
To get a specific example, hover over the information icon (2).
Note: This option has no effect on the redirection of your previous *.my.site.com and
*.my.salesforce-sites.com site URLs after a My Domain change. To learn about controlling those redirections,
see Disable or Remove Your Previous My Domain in Salesforce Help.
3. To disable redirects for the displayed *.force.com URLs, deselect this option and save your changes.
When you disable this option, users that visit those *.force.com URLs see a File Not Found error. This error also displays when users
visit any custom domains such as https://www.example.com that serve those *.force.com URLs.
To enable the redirections again, select the same option and save your changes.
SEE ALSO:
My Domain Redirections
Configure My Domain Settings
Note: This option and the Redirections section are available only after you deploy a My Domain change.
After you save your changes, Salesforce produces a log for the Hostname Redirects event type in the next daily run. Salesforce uploads
event log files after they’re generated. Most dataset uploads finish around the same time each day. Exact finish times vary depending
on dataset size and content.
You can also download the latest incremental daily Hostname Redirects log by clicking Download Redirections Log from the My
Domain Setup page.
The log file includes a summary of hostname redirection activity for the last 24 hours at the time that the background process generates
the file. After you enable this feature, the next log file includes only the redirections that occurred after you enabled redirection logging.
If your last My Domain change included enabling and deploying enhanced domains, the log includes redirections for the old hostnames
listed on My Domain URL Format Changes When You Enable Enhanced Domains. The log doesn’t include redirections for generic
instanced hostnames, such as na87.salesforce.com.
Only one hostname redirection log file is available at a time. When the daily incremental event log file is generated during the daily
background process, the new file replaces the existing file. When you download the redirections log from the My Domain Setup page,
you get the latest daily log file in CSV format.
If the log file doesn’t exist, either the log generation process hasn’t run yet or there’s no redirection data to report for that 24-hour
window. The log file is generated only when at least one redirection occurred for the day.
Note: To keep the size of the log file manageable, the log includes one entry for each redirected hostname and path combination
within an hour. As a result, the log includes all redirected hostnames and path combinations, but only includes the first redirection
within each hour.
For example, if https://MyCompany.my.site.com/shop is redirected at 02:01 PM and
https://MyCompany.my.site.com/shop?q=sneakers is redirected for another user at 02:02 PM, only the
redirection that occurred at 02:01 PM is captured for MyCompany.my.site.com/shop for that hour. But if
https://MyCompany.my.site.com/help is redirected at 2:05 PM, that redirection is captured on a new line because
the MyCompany.my.site.com/help hostname and path combination differs from MyCompany.my.site.com/shop.
Similarly, if the redirection of https://MyCompany.my.site.com/contactUs is blocked at 07:02 AM and
https://MyCompany.my.site.com/contactUs is redirected at 07:11 AM, only the blocked redirection for
MyCompany.my.site.com/contactUs is captured in the log for that hour.
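The sampling rule in the note above, as an added example that is not part of the Salesforce documentation: a Python function that applies the one-entry-per-hostname-and-path-per-hour rule to a list of requests and reports what each logged entry hides. The event tuples, the date, the outcome labels, and the reading of "within an hour" as the same clock hour are assumptions constructed for illustration; they are not the fields of the real log file.

```python
from datetime import datetime
from urllib.parse import urlsplit


def collapse(events):
    """Apply the one-entry-per-hostname-and-path-per-hour rule.

    events: iterable of (datetime, url, outcome) tuples.
    Assumption: "within an hour" means the same clock hour.
    """
    entries = {}
    for when, url, outcome in sorted(events):
        parts = urlsplit(url)
        # Only hostname and path identify an entry; the query string is ignored.
        target = (parts.hostname or "") + parts.path
        hour = when.replace(minute=0, second=0, microsecond=0)
        entry = entries.get((target, hour))
        if entry is None:
            # First request in this hour: this is the line that gets logged.
            entries[(target, hour)] = {
                "target": target,
                "first_seen": when,
                "outcome": outcome,
                "suppressed": 0,
                "masked_outcomes": [],
            }
        else:
            # Later requests in the same hour never reach the log.
            entry["suppressed"] += 1
            if outcome != entry["outcome"] and outcome not in entry["masked_outcomes"]:
                entry["masked_outcomes"].append(outcome)
    return list(entries.values())


# Constructed sample that mirrors the URLs and times used in the note.
SAMPLE = [
    (datetime(2023, 8, 17, 14, 1), "https://MyCompany.my.site.com/shop", "redirected"),
    (datetime(2023, 8, 17, 14, 2), "https://MyCompany.my.site.com/shop?q=sneakers", "redirected"),
    (datetime(2023, 8, 17, 14, 5), "https://MyCompany.my.site.com/help", "redirected"),
    (datetime(2023, 8, 17, 7, 2), "https://MyCompany.my.site.com/contactUs", "blocked"),
    (datetime(2023, 8, 17, 7, 11), "https://MyCompany.my.site.com/contactUs", "redirected"),
]


def demo_log():
    return collapse(SAMPLE)


if __name__ == "__main__":
    for entry in demo_log():
        print(entry["first_seen"].strftime("%H:%M"), entry["target"], entry["outcome"],
              "suppressed:", entry["suppressed"], "masked:", entry["masked_outcomes"])
```

Five requests produce three log lines, and the contactUs line shows only the blocked outcome, so a line in the log is evidence that a hostname and path is still in use, not a count of how often or with what result.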
To help you identify the locations where your URL is used, the log includes the referrer and origin sent in the corresponding HTTP headers
with each request that Salesforce redirects. The requester controls the values passed in these HTTP Headers, so fields can contain a null
value. For details about this behavior and about other fields within the log file, see Hostname Redirects in the Object Reference for the
Salesforce Platform.
To get a more complete view of the hostnames being redirected for your org, schedule a daily query of the Hostname Redirects event
type via REST API. For example, you can configure a cron job in Unix or a scheduled task in Windows to run the query.
SEE ALSO:
My Domain Redirections
Object Reference for the Salesforce Platform: Hostname Redirects Event Type
Trailhead: Event Monitoring
REST API Developer Guide: Using Event Monitoring
Set Up and Maintain Your Salesforce Organization Configure My Domain Settings
SEE ALSO:
My Domain
SEE ALSO:
Configure My Domain Settings
Add Identity Providers to the My Domain Login Page
Note: Authentication configuration settings apply to your org’s deployed and provisioned My Domains.
1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
2. Under Authentication Configuration, click Edit.
3. For Login Page Type, select Discovery.
4. Optionally, for Login Prompt, enter the text or custom label.
For example, you can use a custom label to localize the text, such as $Login.loginPrompt.
5. Locate the Login Discovery Handler that you created by implementing the MyDomainLoginDiscoveryHandler interface.
From Setup, in the Quick Find box, enter Apex Classes, and then select Apex Classes. Select the handler from the list.
6. Optionally, for Execute Login As, choose a Salesforce admin with Manage Users permission.
By default, the handler runs in system mode.
Tip: If you can’t log in after setting up Login Discovery, modify the URL to return to the standard login page, which prompts for
a username and password. You can add login as a URL query string parameter, for example,
https://MyDomainName.my.salesforce.com/?login. Or you can add login=true to the URL, for example,
https://MyDomainName.my.salesforce.com/?login=true.
SEE ALSO:
Configure My Domain Settings
Verify Email Addresses with Async Email
SEE ALSO:
Configure My Domain Settings
Customize Your My Domain Login Page with Your Brand
Set Up and Maintain Your Salesforce Organization Salesforce Edge Network
Note: Authentication configuration settings apply to your org’s deployed and provisioned My Domains.
1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
2. Under Authentication Configuration, click Edit.
3. Select Use the native browser for user authentication on iOS or Use the native browser for user authentication on Android.
With these settings selected, mobile users are directed to Safari if using iOS, and to Chrome if using Android.
SEE ALSO:
Configure My Domain Settings
Mobile SDK Development Guide: Configuring Advanced Authentication in iOS Apps
Mobile SDK Development Guide: Upgrading Android Single Sign-On Apps to Google Login Requirements
SEE ALSO:
My Domain
SEE ALSO:
My Domain
Considerations for Salesforce Edge Network
Route My Domain Through Salesforce Edge Network
Knowledge Article: Enable Salesforce Edge Network for your Domain
Note: Keep these things in mind if you’re considering enabling Salesforce Edge Network.
• Government Cloud is currently excluded from Salesforce Edge Network.
• Hyperforce customers using apex:page Visualforce page enable global caching with Salesforce Edge.
• Salesforce Edge Network can be disabled by Salesforce Customer Support.
URL Routing
To maximize the number of URLs that are routed through Salesforce Edge Network, enable enhanced domains after your org is on
Salesforce Edge Network. With enhanced domains, all URLs across your org include your company-specific My Domain name, and
instance names are removed from your org’s URLs.
When you enable Salesforce Edge Network, most of your My Domain URLs are routed through it. However, note these exceptions.
• URLs that contain your Salesforce instance name. See which My Domain URLs contain your instance name in My Domain URL Formats.
• URLs associated with custom domains, such as https://www.example.com, that serve your org's Salesforce Sites or Experience
Cloud sites and don't use the HTTPS option: Serve the domain with your HTTPS certificate on Salesforce servers.
• Salesforce Sites and Experience Cloud sites with domains ending in .force.com
• URLs associated with Customer 360 Data Manager that end with .admin.salesforce-hub.com and
.my.salesforce-hub.com
• URLs associated with Live Agent Chat that end with .my.salesforcescrt.com or .my.salesforce-scrt.com
• URLs associated with untrusted content domains
• URLs associated with orgs in Government Isolated Architecture (GIA) data centers
We’re in the process of migrating custom domains, such as https://www.example.com, that serve your Experience Cloud sites
to Salesforce Edge Network. This change only applies to custom domains that use the HTTPS option: Serve the domain with your HTTPS
certificate on Salesforce servers. To determine whether your qualifying custom domain uses Salesforce Edge Network, look for references
to edge when you view your custom domain’s HTTP headers, or resolve the domain name. For more information, see the Knowledge
Article, What is Salesforce Edge Network?
SEE ALSO:
My Domain Provisioning and Deployment
Route My Domain Through Salesforce Edge Network
My Domain URL Formats
Enhanced Domains
Knowledge Article: Salesforce IP Addresses and Domains to Allow
Knowledge Article: What is Salesforce Edge Network?
Knowledge Article: Enable Salesforce Edge Network for your Domain
Note: Salesforce Edge Network is available on a rolling basis starting in Summer ’23. If you’re not already on Salesforce Edge
Network, prepare for the move by reviewing this Enable Salesforce Edge Network for your Domain knowledge article.
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To edit My Domain settings:
• Customize Application
Prepare your org before activating Salesforce Edge Network. If you allowlist Salesforce IP addresses by region, Salesforce recommends
that you include our current IP address ranges for regions where you have end users. If you use client-side certificate pinning to
validate the server’s certificate, Salesforce doesn’t recommend pinning leaf certificates. Because Salesforce Edge Network uses data
center specific certificates, Salesforce recommends that you pin the intermediate certificate instead for a better experience.
1. From Setup, in the Quick Find box, enter My Domain, and then select My Domain.
2. Under Routing, select Edit.
3. Select Use Salesforce Edge Network, and save your changes.
To avoid potential conflicts between follow-up processes such as CNAME and DNS updates, you can’t make a change that requires
provisioning for 15 minutes after you move to Salesforce Edge Network. Changes that require provisioning include changing your
My Domain name or suffix, enabling enhanced domains, and removing a previous My Domain name.
Routing applies to most provisioned and deployed domains for this org. For details, see Considerations for Salesforce Edge Network. To
maximize the number of URLs that are routed through Salesforce Edge Network, enable enhanced domains.
SEE ALSO:
My Domain
Knowledge Article: Salesforce IP Addresses and Domains to Allow
Considerations for Salesforce Edge Network
Enhanced Domains
Get Your Org Status and Upcoming Maintenance Dates with My Domain
Get information about system performance and availability from trust.salesforce.com.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
This trust page reports status information based on your Salesforce instance. If you don’t know your instance, use your My Domain name to look it up.
1. Go to Trust Status.
The Status page shows any current incidents and provides quick access to recently viewed instances.
2. To view information for your instance, enter your My Domain name in the search bar.
Don’t enter your complete login URL. You can get your My Domain name from the My Domain Setup page or via the subdomain for your My Domain login URL. For example, if your org’s My Domain login URL is https://example.my.salesforce.com, enter example.
Tip: If you don’t want to use your My Domain name, you can find your instance on the
Company Information Setup page. From Setup, in the Quick Find box, enter Company
Information, and then select Company Information. The Instance field contains
your Salesforce instance.
The Current Status (1) displays by default. In the Instance Details section (2), you can find your current version, region, and maintenance
window. To subscribe to updates, click Subscribe (3). For more information on subscriptions, see the Trust Status Notification Guide.
Here are the possible color indicators for your status.
• Green (Available): This instance is available and fully functional.
• Blue (Informational): Used to display information about the instance that’s unrelated to a performance issue or service disruption.
• Purple (Maintenance): This instance is in maintenance. An informational message indicates your ability to access the instance
during the maintenance.
• Yellow (Service Degradation): The instance is accessible, but some functionality is unavailable or the service is running with
significant latency. To get more information, click the incident number.
• Red (Service Disruption): The instance is inaccessible to customers. To get more information, click the incident number.
Optionally, you can select a range and enter a date around which to center the range. For example, to view your history from August
29, 2022 to September 4, 2022, select 7Days, and then select September 1, 2022 as the date.
After you click Maintenance (1), you can view 12 months of future maintenance events. If maintenance events occurred within the
past 33 days, a link with a count is available at the top of the list (2). To display those events in the table, click PAST 33 DAYS (#). In
this example, AP17 is scheduled to get the Winter ’23 Major Release on October 15 (3). For more details on a maintenance event,
click the ID number.
Note: The Instance Details section includes your standard maintenance window in the UTC time zone. The date and time for
maintenance events are in the user’s time zone, as detected by the browser.
SEE ALSO:
My Domain
If you find a hard-coded URL, we recommend that you replace it with a relative URL whenever possible. For example, to create a link
from one Visualforce page to another, use the path without the *.com hostname. If your package functionality requires a full hostname,
use the Apex System.DomainCreator class to get the corresponding hostnames. With this method, your package works in all
orgs, regardless of the org type, My Domain settings, and whether enhanced domains are enabled. For more information, see Call
Salesforce URLs Within a Package in the ISVforce Guide.
If you find code in your package that parses a known URL or domain to get a value, we recommend that you update that code to use
the System.DomainParser and System.Domain Apex classes. For more information, see Call Salesforce URLs Within a
Package in the ISVforce Guide.
SEE ALSO:
My Domain
Enhanced Domains
Partitioned Domains
Tip: To search your Salesforce code, download the metadata. Then use a command-line interface, such as Salesforce CLI.
SEE ALSO:
My Domain
Apex Reference Guide: DomainCreator Class
A My Domain uses Salesforce domain suffixes such as my.salesforce.com for your org’s URLs. In an org without enhanced domains, your My Domain name isn’t used in Salesforce Sites and Experience Cloud sites URLs. To use a custom domain such as https://www.example.com to serve your org’s Salesforce sites and Experience Cloud sites, see Custom Domains.
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
SEE ALSO:
My Domain
Change Your My Domain Details
Update Your Org and Test My Domain Changes
Enhanced Domains
Enhanced domains are the current version of My Domain that meets the latest browser requirements. Orgs created in Summer ’22 or
later get enhanced domains by default, and orgs created in Summer ’23 or later can’t disable the feature. If your org was created in Spring
’22 or earlier and you’re unsure whether enhanced domains are deployed, see Determine Whether Enhanced Domains Are Enabled.
With enhanced domains, all URLs across your org contain your company-specific My Domain name, including URLs for your Experience
Cloud sites, Salesforce Sites, Visualforce pages, and content files. They also comply with the latest browser requirements, allowing your
users to access Salesforce using browsers that block third-party cookies.
When you enable and deploy enhanced domains, all application URLs start with the org’s My Domain name and instance names are
removed. The domain suffix—the part after the My Domain name—changes for Experience Cloud sites, Salesforce Sites, content files,
Site.com Studio, Experience Builder, and Visualforce URLs. And sandbox org URLs include the word “sandbox,” making it easy to identify
a sandbox org from its URL. With no instance names, enhanced My Domain URLs are easier for users to remember and remain stabilized
when your org is moved to another Salesforce instance.
Here are some example URL formats for orgs that have a deployed My Domain with enhanced domains. The login URL is the same as
without enhanced domains, but the rest of the URLs change.
For a full list of URL formats when deploying a My Domain with enhanced domains, see My Domain URL Format Changes When You
Enable Enhanced Domains.
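Because enhanced-domain URLs always start with the My Domain name, carry no instance name, and mark sandboxes with the word "sandbox", a hostname can be validated strictly when you check redirect targets, allowlist entries, or hard-coded URLs outside Apex. The following Python parser is an added example, not Salesforce code: it covers only the enhanced-domain suffixes listed on this page, and the type labels, function names, and the assumption that "--" appears only as a separator are this example's own.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import re

# Suffix -> hostname type. The suffixes are the ones this page lists; the type
# labels are this example's own names, not Salesforce identifiers.
SUFFIXES = {
    "my.salesforce.com": "login",
    "lightning.force.com": "lightning",
    "container.force.com": "lightning_container",
    "my.site.com": "experience_cloud_site",
    "my.salesforce-sites.com": "salesforce_site",
    "my.force-user-content.com": "user_content",
    "file.force.com": "content_file",
    "builder.salesforce-experience.com": "experience_builder",
    "cdn.salesforce-experience.com": "cms_public_channel",
}
# Types whose first label carries one extra "--" part (package name or unique ID).
EXTRA_PART = {"lightning_container", "user_content"}
# Assumption: each "--"-separated part holds letters, digits and single hyphens.
PART = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


@dataclass(frozen=True)
class OrgHost:
    my_domain: str
    kind: str
    sandbox: Optional[str] = None
    extra: Optional[str] = None  # package name or unique ID, when the type has one


def parse_hostname(host: str) -> Optional[OrgHost]:
    """Return the parsed hostname, or None if it matches no listed format."""
    host = host.strip().rstrip(".").lower()
    for suffix, kind in SUFFIXES.items():
        # Try the sandbox form first: it also ends with the production suffix.
        for is_sandbox, tail in ((True, ".sandbox." + suffix), (False, "." + suffix)):
            if not host.endswith(tail):
                continue
            parts = host[: -len(tail)].split("--")
            expected = 1 + int(is_sandbox) + int(kind in EXTRA_PART)
            if len(parts) != expected or not all(PART.fullmatch(p) for p in parts):
                continue  # extra labels, empty parts or stray hyphens: reject
            sandbox = parts[1] if is_sandbox else None
            extra = parts[-1] if kind in EXTRA_PART else None
            return OrgHost(parts[0], kind, sandbox, extra)
    return None


def is_org_url(url: str, my_domain: str, allow_sandbox: bool = False) -> bool:
    """True only for an https URL whose host is one of this org's hostnames."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    # Userinfo ("user@host") is a common way to disguise the real host.
    if parts.scheme != "https" or not host or parts.username or parts.password:
        return False
    parsed = parse_hostname(host)
    if parsed is None or parsed.my_domain != my_domain.lower():
        return False
    return allow_sandbox or parsed.sandbox is None


if __name__ == "__main__":
    # Constructed sample URLs for an org whose My Domain name is "example".
    samples = [
        "https://example.my.salesforce.com/",
        "https://example--uat.sandbox.lightning.force.com/",
        "https://example--uat--c.sandbox.container.force.com/",
        "https://example.my.salesforce.com.lookalike.test/",
        "https://example.my.salesforce.com@lookalike.test/",
        "https://example--uat.lightning.force.com/",  # sandbox format without enhanced domains
    ]
    for url in samples:
        print(url, parse_hostname(urlsplit(url).hostname or ""), is_org_url(url, "example"))
```

The sandbox hostname format used without enhanced domains is rejected on purpose, so the same check also surfaces URLs that still use the older format.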
When you enable the setting, your Salesforce instance name is removed from the URL and the suffixes change.
For more information about enabling this setting, see My Domain Considerations.
For a full list of URL formats for an org without enhanced domains, see My Domain Login and Application URL Formats Without Enhanced
Domains in Salesforce Help.
SEE ALSO:
My Domain
My Domain Login and Application URL Formats with Enhanced Domains
My Domain Login and Application URL Formats Without Enhanced Domains
Custom Domains in Salesforce
My Domain Hostnames
Understand the purpose of each hostname that Salesforce serves for your org.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
For the format of these hostnames, see My Domain URL Formats in Salesforce Help.
Hostname Type | Use
Login | Salesforce login authentication. For example, sales reps, support agents, and admins log in to MyDomainName.my.salesforce.com. API calls and third-party integrations can also use this hostname for authentication.
Application Page or Tab | The URL for a Salesforce Classic page or tab served by Salesforce to authenticated users. This URL uses the login hostname plus an identifier in the format MyDomainName.my.salesforce.com/PageID.
Content (files) | Files stored in Salesforce. For example, images or files served outside of an Experience Cloud site or Salesforce Site.
Content Management System (CMS) public channels | Public-facing channels that let you share the content in your CMS Workspaces with one or more endpoints, or channels. For example, you can share your content in marketing emails, websites, or custom apps. For more information, see Salesforce CMS in Salesforce Help.
Email tracking | The sfdcopens.com domain is reserved for future use with email tracking.
Experience Cloud sites | When Digital Experiences are enabled and configured, this hostname serves your public-facing Experience Cloud sites. For more information, see Experience Cloud in Salesforce Help.
Experience Builder | When Digital Experiences are enabled, admins use Experience Builder to customize Experience Cloud sites. For example, they can add company branding, share Salesforce records with site members, and work with them in a collaborative space that meets your needs. For more information, see Build and Customize Your Experience Cloud Site in Salesforce Help.
Experience Builder Preview | When Digital Experiences are enabled, admins use Experience Builder to customize Experience Cloud sites. If the site or its changes aren’t published, users can preview the site from Experience Builder as an authenticated user or guest user. This hostname serves the preview in the new tab. Within Experience Builder in Preview mode, certain features aren’t available in their entirety. For more information, see Build and Customize Your Experience Cloud Site in Salesforce Help.
Experience Builder Live Preview | When Digital Experiences are enabled, admins use Experience Builder to customize Experience Cloud sites. When a user previews a site within Experience Builder, this hostname serves the preview. For more information, see Build and Customize Your Experience Cloud Site in Salesforce Help.
Lightning Container Component | In Aura, the lightning:container component hosts content in an iframe. This hostname serves that content. For more information, see Lightning Container in the Lightning Aura Components Developer Guide.
Salesforce Sites | Salesforce Sites are public websites and applications that are directly integrated with your Salesforce org—without requiring users to log in with a username and password. For more information, see Salesforce Sites in Salesforce Help.
Next generation Omni-Channel engagement (examples: voice and messaging) | The hostname that serves content through Service Cloud Voice and Service Cloud Messaging. For more information, see Service Cloud Voice and Messaging in Salesforce Help.
User Content and Images | Content from a third party displayed in Salesforce via an inline frame (iframe). For example, Google Maps displayed within an iframe next to an address field.
User Content on a Government Cloud org | Within a Government Cloud org, content from a third party displayed in Salesforce via an inline frame (iframe). User content stored in a Salesforce Government Cloud org. For example, Google Maps displayed within an iframe next to an address field.
Visualforce | Visualforce pages, the top-level container for custom apps built with Visualforce. For more information, see the Visualforce Developer Guide.
SEE ALSO:
My Domain URL Formats
If enhanced domains aren’t enabled, this page lists the final URL formats after you deploy a My Domain with enhanced domains. To understand the impact to your org when you enable and deploy enhanced domains, see My Domain URL Format Changes When You Enable Enhanced Domains.
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
To better understand the purpose of each type and whether it applies to you, see My Domain Hostnames in Salesforce Help.
Lightning | MyDomainName.lightning.force.com
Lightning Container Component [1] | MyDomainName--PackageName.container.force.com
[1] If your installed package is unmanaged, the package name is c.
Content Management System (CMS) public channels | MyDomainName--SandboxName.sandbox.cdn.salesforce-experience.com
Lightning | MyDomainName--SandboxName.sandbox.lightning.force.com
[1] If your installed package is unmanaged, the package name is c.
SEE ALSO:
What Determines Your URL Formats
Update Your Org for My Domain Changes
Custom Domains in Salesforce
Note: Enhanced domains are the current version of My Domain that meets the latest browser requirements. Orgs created in Summer ’22 or later get enhanced domains by default, and orgs created in Summer ’23 or later can’t disable the feature. If your org was created in Spring ’22 or earlier and you’re unsure whether enhanced domains are deployed, see Determine Whether Enhanced Domains Are Enabled.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions
In an org without enhanced domains, your My Domain name isn’t used in Salesforce Sites and Experience Cloud sites URLs. The default URL formats for Salesforce Sites and Experience Cloud sites are listed in these tables for reference. To use a custom domain such as https://www.example.com to serve your org’s Salesforce sites and Experience Cloud sites, see Custom Domains in Salesforce Help.
To better understand the purpose of each My Domain type and whether it applies to you, see My Domain Hostnames in Salesforce Help.
Lightning | MyDomainName.lightning.force.com
Lightning Container Component [1] | MyDomainName--PackageName.container.lightning.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting is enabled, these URL formats apply to
your org.
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting isn’t enabled, these URL formats apply
to your org.
[1] If your installed package is unmanaged, the package name is c.
Lightning | MyDomainName--SandboxName.lightning.force.com
Lightning Container Component [1] | MyDomainName--SandboxName--PackageName.container.lightning.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting is enabled, these URL formats apply to
your org.
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting isn’t enabled, these URL formats apply
to your org.
[1] If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
What Determines Your URL Formats
Update Your Org for My Domain Changes
Custom Domains in Salesforce
To better understand the purpose of each hostname type and whether it applies to you, see My
Domain Hostnames in Salesforce Help.
Note: If you deploy a My Domain in a Developer Edition org, the My Domain name ends in -dev-ed. For example:
https://example-dev-ed.my.salesforce.com.
New This URL doesn’t change when you enable and deploy enhanced domains unless you also
change your My Domain name or suffix.
New This URL doesn’t change when you enable and deploy enhanced domains unless you also
change your My Domain name or suffix.
New This URL doesn’t change when you enable and deploy enhanced domains unless you also
change your My Domain name or suffix.
New MyDomainName.my.site.com
New MyDomainName.my.salesforce-sites.com
New This URL doesn’t change when you enable and deploy enhanced domains.
New MyDomainName--UniqueID.my.force-user-content.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting is enabled before you enable
and deploy enhanced domains, these production formats change.
New MyDomainName.file.force.com
New MyDomainName.builder.salesforce-experience.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting isn’t enabled before you enable
and deploy enhanced domains, these production URL formats change.
[1] If your installed package is unmanaged, the package name is c.
New MyDomainName--SandboxName.sandbox.my.salesforce.com
New MyDomainName--SandboxName.sandbox.my.salesforce.com/PageID
New MyDomainName--SandboxName.sandbox.my.site.com
New MyDomainName--SandboxName.sandbox.lightning.force.com
Lightning Container Component [1]
Old MyDomainName--SandboxName--PackageName.container.lightning.com
New MyDomainName--SandboxName--PackageName.sandbox.container.force.com
New MyDomainName--SandboxName.sandbox.my.salesforce-sites.com
New This URL doesn’t change when you enable and deploy enhanced domains.
New MyDomainName--SandboxName--UniqueID.sandbox.my.force-user-content.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting is enabled before you enable and deploy
enhanced domains, these sandbox URL formats change.
New MyDomainName--SandboxName.sandbox.file.force.com
New MyDomainName--SandboxName.sandbox.builder.salesforce-experience.com
If the Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and content files setting isn’t enabled before you enable and
deploy enhanced domains, these sandbox URL formats change.
[1] If your installed package is unmanaged, the package name is c.
SEE ALSO:
My Domain
What Determines Your URL Formats
Update Your Org for My Domain Changes
Custom Domains in Salesforce
SEE ALSO:
Security Implementation Guide
• Proactively sharing security best practices with customers and partners through trust.salesforce.com/security and
other ongoing activities.
If you receive a phishing email or Email-to-Case, delete it and notify your internal IT team. We appreciate your trust in us as we continue
to make your success our top priority.
Note: The Always option isn’t recommended. It allows redirections to untrusted external URLs without a warning.
Security Infrastructure
Salesforce utilizes some of the most advanced technology for Internet security available today. When you access the application using
a Salesforce-supported browser, Transport Layer Security (TLS) technology protects your information using both server authentication
and Classic Encryption, ensuring that your data is safe, secure, and available only to registered users in your organization.
One of the core features of a multi-tenant platform is the use of a single pool of computing resources to service the needs of many
different customers. Salesforce protects your organization's data from all other customer organizations by using a unique organization
identifier, which is associated with each user's session. Once you log in to your organization, your subsequent requests are associated
with your organization, using this identifier.
In addition, Salesforce is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference
or access from outside intruders.
Salesforce requires that cipher suites used for outbound calls meet security standards. Check your servers’ cipher suite lists and ensure
that they support the advanced encryption standard (AES) with 128-bit (AES128) or 256-bit (AES256) stream keys. Otherwise, custom
code that relies on outbound calls to the HTTPS server fails.
SEE ALSO:
Knowledge Article: Salesforce Services and Marketing Cloud supported Cipher Suites for outbound calls
In the baseline dropdown (1), choose the Salesforce Baseline Standard or a custom baseline. The baseline consists of recommended
values for High-Risk, Medium-Risk, Low-Risk, and Informational Security Settings (2). If you change settings to be less restrictive than in
the baseline, your health check score (3) and grade (4) decrease.
Your settings are shown with information about how they compare against baseline values (5). To remediate a risk, edit the setting (6)
or use Fix Risks (7) to quickly change settings to your selected baseline’s recommended values without leaving the Health Check page.
You can import, export, edit, or delete a custom baseline with the baseline control menu (8).
Note: New settings to Security Health Check are added to the Salesforce Baseline Standard with default values. If you have a
custom baseline, you’re prompted to add the new settings when you open it.
Example: Suppose that you changed your password minimum length from 8 (the default value) to 5, and changed other Password
Policies settings to be less restrictive. These changes make your users’ passwords more vulnerable to guessing and other brute
force attacks. As a result, your overall score decreases and the settings are listed as risks.
SEE ALSO:
How Is the Health Check Score Calculated?
Review Health Check Data
Security Implementation Guide
Note: Here are important considerations about your Health Check score.
• You can see your score on the Health Check page but not through the API.
• Your score can change if Salesforce adds or removes options that are used in the score calculation.
34%–66% Remediate high risks in the short term and medium risks in the long term
Note: New Salesforce orgs have an initial score less than 100%. Use Health Check to quickly improve your score by eliminating
high risks in your Password Policies and other setting groups.
These are the Salesforce baseline standard settings, risk levels, and values from the default Salesforce Baseline Standard. If you’re using a
custom baseline, your information differs.
Enable the SMS method of device activation | Checkbox selected | N/A | Checkbox deselected
Enable clickjack protection for Setup pages | Checkbox selected | N/A | Checkbox deselected
Enable clickjack protection for non-Setup for Salesforce pages | Checkbox selected | N/A | Checkbox deselected
Enable clickjack protection for customer VisualForce pages with standard headers | Checkbox selected | N/A | Checkbox deselected
Enable clickjack protection for customer VisualForce pages with headers disabled | Checkbox selected | N/A | Checkbox deselected
Enable CSRF protection on GET requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected
Enable CSRF protection on POST requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected
Number of security risk file types with hybrid behavior | No security risk file types have hybrid behavior enabled | One or more security risk file types has hybrid behavior enabled | N/A
Enforce login IP ranges on every request | Checkbox selected | Checkbox deselected | N/A
Enable Content Security Policy protection for email templates | Checkbox selected | N/A | Checkbox deselected
Administrators Can Log In As Any User | Checkbox deselected | Checkbox selected | N/A
User passwords expire in | 90 days or less | 180 days | One year or Never expires
Password complexity requirement | Must mix alpha, numeric, and special characters, or more complex | Must mix alpha and numeric characters | No restriction
Require identity verification during multi-factor authentication (MFA) registration | Checkbox selected | N/A | Checkbox deselected
Require identity verification for change of email address | Checkbox selected | N/A | Checkbox deselected
Remote Site | No remote sites with the Disable Protocol Security option selected | At least one remote site created with the Disable Protocol Security option selected. | N/A
Require permission to view record names in lookup fields | Setting is enabled | N/A | Setting is disabled
SEE ALSO:
Security Health Check
3. To import a file, from the Baselines Controls menu, select Import Baseline.
a. Name your custom baseline. Spaces and some special characters are allowed. If the name is SFDC recommended or Salesforce
Baseline Standard, the file fails to import.
b. Give your custom baseline a unique API name. You can use letters and numbers, but the name must begin with a letter. It can’t
contain spaces or special characters.
c. Optionally, make your custom baseline the default baseline in Security Health Check.
Unexpected information in the baseline file or a new custom baseline upload without all Health Check settings results in an import
failure. If your import fails, you receive a message to help resolve the problem. See Custom Baseline File Requirements in Salesforce
Help for troubleshooting assistance. You can change the baseline name, API name, and default baseline using the Edit feature in
the Baseline Controls menu.
4. To confirm that your file uploaded, click the baseline dropdown and select your baseline. If you set your custom baseline as the
default, it appears after import.
SEE ALSO:
Custom Baseline File Requirements
How Is the Health Check Score Calculated?
Security Health Check
Important: You can't change boolean compliant values in Health Check, but you can change noncompliant values.
• “warning” or “critical”—noncompliant
PasswordPolicies.obscureSecretAnswer • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.clickjackNonSetup • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.clickjackSetup • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.clickjackVisualForceHeaders • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.clickjackVisualForceNoHeaders • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.contentSniffingProtection • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.cspOnEmail • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.csrfGet • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.csrfPost • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.enableSmsIdentity • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.enforceLoginIp • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.forceLogoutOnTimeout • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.icOn2faRegistration • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.icOnEmailChange • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.lockSessionsToDomain • “true”—compliant
• “warning” or “critical”—noncompliant
SessionSettings.redirectionAllowUntrusted • “true”—noncompliant
• “warning” or “critical”—compliant
CertificateAndKeyManagement.expiredCert | Any integer “0.0” or greater | Any integer greater than the compliant value. Any value greater than the warning value shows as critical.
PasswordPolicies.history | Any integer between “0.0” and “24.0” | Any integer between “0.0” and “24.0” that is less than the compliant value. Any value less than the warning value shows as critical.
PasswordPolicies.minPasswordLength | Any integer between “5.0” and “50.0” | Any integer between “5.0” and “50.0” that is less than the compliant value. Any value less than the warning value shows as critical.
SharingSettings.orgWideDefaults | Any integer between "0.0" and "1.0" | Any integer between "0.0" and "1.0" that is greater than the compliant value.
Important: Use every accepted value in each setting. If a value is missing, the file doesn’t import.
PasswordPolicies.expiration • “ThirtyDays”
• “SixtyDays”
• “NinetyDays”
• “SixMonths”
• “OneYear”
• “Never” (highest risk)
• “SixtyMinutes”
• “ThirtyMinutes”
• “FifteenMinutes” (highest risk)
PasswordPolicies.maxLoginAttempts • “ThreeAttempts”
• “FiveAttempts”
• “TenAttempts”
• “NoLimit” (highest risk)
PasswordPolicies.questionRestriction • “DoesNotContainPassword”
• “None” (highest risk)
SessionSettings.timeout • “FifteenMinutes”
• “ThirtyMinutes”
• “SixtyMinutes”
• “TwoHours”
• “FourHours”
• “EightHours”
• “TwelveHours”
• “TwentyFourHours” (highest risk)
Example:
SEE ALSO:
Create a Custom Baseline for Health Check
Auditing
Auditing provides information about use of the system, which can be critical in diagnosing potential or real security issues. Salesforce
auditing features don't secure your organization by themselves. Have someone in your organization perform regular audits to detect
potential abuse.
To verify that your system is secure, monitor for unexpected changes or usage trends.
Record Modification Fields
All objects include fields to store the name of the user who created the record and who last modified the record. These fields provide
basic auditing information.
Login History
You can review a list of successful and failed login attempts to your organization for the past 6 months.
Field History Tracking
You can enable auditing for individual fields, which automatically track any changes in the values of selected fields. Although auditing
is available for all custom objects, only some standard objects allow field-level auditing.
Setup Audit Trail
Administrators can view a Setup Audit Trail, which logs when modifications are made to your organization's configuration.
Salesforce Shield
Salesforce Shield is a trio of security tools that helps you build extra levels of trust, compliance, and governance right into your
business-critical apps. It includes Shield Platform Encryption, Event Monitoring, and Field Audit Trail. Ask your Salesforce administrator
if Salesforce Shield is available in your org.
Set Up and Maintain Your Salesforce Organization Take Charge of Your Security Goals with Security Center
And if you want to ask questions or find the latest information about Shield improvements, the map has you covered. The button bar
at the bottom of the map offers links to Shield-specific Trailblazer Community groups, discussion forums, on-demand webinars, and
release notes.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires the Security Center add-on subscription.
Tenant
A virtual space provided to an individual customer of Salesforce.
Parent Tenant
A tenant used to view aggregated security data from multiple Salesforce tenants.
Child Tenant
A tenant that supplies data to a parent tenant.
Connected Tenants
Clusters of parent and child tenants.
Note: If any of the tabs in the Security Center App aren’t available, review the Tab Settings section within your profile in Setup.
Ensure that those tabs aren’t set to Tab Hidden. Possible tabs include Dashboard, Connected Tenants, Alert Settings, Security Policies.
Available in: Lightning Experience
USER PERMISSIONS
To view Security Center pages:
• View Security Center
To create and edit security policies:
• Manage Security Center
1. From Setup, click any Profile or Permission Set.
2. Under System Permissions, look for Manage Security Center and View Security Center pages.
If a permission doesn’t appear, contact your account representative to enable the Security Center license.
3. Click Edit.
4. Select Manage Security Center and View Security Center pages.
5. Save your changes.
6. To assign Permission Sets to users, add an assignment from Manage Assignments.
7. To ensure that you can connect a child tenant to the parent tenant, update the permissions to both the parent and child orgs.
8. If Security Center is enabled for production but you want it in a sandbox, see Push Updated Licenses to Sandbox Orgs.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires the Security Center add-on subscription.
To complete the parent tenant and child tenant connection process: API Enabled AND View Setup and Configuration AND View Roles and Role Hierarchy
Security Center is an application built on the Lightning Platform infrastructure. You can configure Security Center to copy customer data
from a child tenant in one data center and then store the copied data in the parent tenant data center. You can connect child tenants
in sandbox and production to a parent tenant in production. If a parent tenant is set up in a sandbox, you can only connect child tenants
in sandboxes. Ensure that the Security Center license is enabled in parent and child tenants. Contact your account team for assistance.
Because Security Center surfaces sensitive information, we recommend that you enable multi-factor authentication for all Security Center
users.
Important: This feature isn’t supported in Government Cloud or Government Cloud Plus.
1. From the App Launcher in the tenant where you want to view aggregated security data, select Security Center.
2. On the Connected Tenants tab, if the parent tenant is in production, click Connect Production Environment or Connect Sandbox
Environment. If the parent tenant is in a sandbox, click Connect Tenant.
3. On the login screen, enter the credentials for the child tenant that you want to connect. Child tenant credentials must be for a user
who has these permissions: Manage Security Center, API Enabled, View Setup and Configuration, plus View Roles and Role Hierarchy.
4. Click Log In.
5. Salesforce asks you to confirm your authenticated connection. Click Allow.
The parent tenant is created and the Connected Tenant page shows the details of the child tenant that you added.
The Security Center app updates data elsewhere in the app only one time per day. Expect to see data from parent and child tenants
in the app after the next app update.
Tip: To ensure that Security Center displays accurate data for all connected tenants, reconnect each sandbox after you refresh
it.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires the Security Center add-on subscription.
Summary View
From the App Launcher, the default Summary view shows the aggregate data for all measured metrics. The three most sensitive metrics
in each category appear. For more information, select a category.
Note: Review access to Security Center tabs if certain tabs aren't available including Dashboard, Connected Tenants, Alert Settings,
and Security Policies.
Category Dashboard
Each metric category dashboard shows the most recent information. Metric cards show the most recent data for all connected tenants.
Each card shows changes for the last 7 days and at the time of the last update via a line graph.
For more information, such as for an unexpected jump or drop in the chart, open the detail view for that metric and select the metric
card name.
• The trend graph offers an easy overview of the total metric count (1).
• The daily change graph isolates the changes made to a metric on a specific day (2).
The All Data view shows metric data by tenant (3). Detail pages also include a date range picker and detail record table (4). The detail
record table is sortable, helping you organize by date, user, or the context around a particular change. You can also add custom filters
to find data for specific tenants and users.
To download your data, click the Download icon (5).
Example: Suppose you open the preceding detail view and see a jump in the number of users assigned the Customize Application
permission. Because this permission is powerful, it’s worth looking into. From the Changes By Date fields, select the days of the
increase, and review the detail table. You can also click All Data to review how many users have the permission in each connected
tenant. Several changes were made to permission sets on December 15, and some individuals were assigned the permission by
the system admin. Use this data to inform your analysis of your security policies and practices. In this case, talk with the admin for
the applicable tenants for a better understanding of how they apply your data access policies.
• Disconnecting or connecting tenants during the update period can cause partial data to load.
• Disruptions in the connection between Security Center and a tenant can lead to partial, incomplete, or missing detail record tables.
If the Changes graph shows a change and you don’t see a detail table, the app had a connection disruption during the update
process. Graphs and detail record tables update during the next app update.
SEE ALSO:
Create Alerts for Security Changes
Use Cases for Alerts
1. On the Summary page in the Security Center app, select the Configuration Metrics tile or Configuration in the navigation bar.
The Configuration Metrics dashboard opens.
2. Click Average Health Check Score.
The Security Health Check detail page opens. The time series chart shows the average Health Check score for all connected tenants
for the last 30 days.
3. To see the Health Check scores that contributed to a day’s average, enter a date in the Changes by Date field.
A list view shows all Health Check scores for all connected tenants on that day. View risk scores by category, informational security
setting counts, and per-tenant Health Check scores for all connected tenants. The Score Change Since Last Synced column shows
whether a tenant’s Health Check score rose, fell, or remained the same since the last app update.
4. To see what settings contributed to a specific tenant’s Health Check score, select the value in that tenant’s Health Check Score
column.
A window opens showing all of that tenant’s High-Risk, Medium-Risk, Low-Risk, and Informational Security Settings for that day.
Example: Your organization has four tenants, and you want to see how your latest round of policy changes affects each tenant’s
Health Check score. Instead of signing in to each tenant, you log in to your Security Center parent tenant and scan the Health
Check page. You see that a few of your tenants’ Health Check scores fell by more than 10% since yesterday. It's possible that recent
user or data access settings changes reduced those tenants’ security postures. In this situation, you click those tenants’ Health
Check Score values and review their settings. Now that you know which settings contribute to lower scores, you take this information
to your security team and discuss adjusting your new policies.
Security Center takes a scheduled snapshot of data one time per day. The process can take a few hours to complete.
Note: For Developer Edition orgs, assign at least one user with the Manage Security Center permission to collect metrics.
CS 8 am GMT
AP 4 pm GMT
EU 11 pm GMT
UM 11 pm GMT
Note: You can also update individual metrics on-demand one time per hour.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires the Security
Center and Event Monitoring add-on subscriptions.
The Threat Detection app monitors your org for Credential Stuffing, API Anomaly, Session Hijacking, and Report Anomaly threat events.
You can create an alert for any increases to the Threat Detection event count. For more information, see Create Alerts for Security Changes.
For more information on threat events, see Threat Detection.
Note: A delay of up to 1 day can occur between the time a threat event is observed by the Threat Detection app and the actual
time of the threat event.
To review Threat Detection events, first enable streaming for these Threat Detection events from Event Manager in Setup.
• API Anomaly Event
Example: You have multiple tenants and want to see if they’ve been targeted by malicious activity. Instead of signing in to each
tenant, you log in to your Security Center parent tenant and scan the Threat Detection page. You see that a few Credential Stuffing
events occurred on a certain day. It’s possible that a user’s login credentials were stolen and used to gain unauthorized access. In
this situation, you click the Event Identifier values and review the event information. Use this information to educate your users
on how they can create and manage strong passwords.
SEE ALSO:
Create Alerts for Security Changes
Use Cases for Alerts
Example: You track multiple connected tenants. Monitoring how many users have the Modify All Data permission is more difficult
as your org grows. Instead of periodically checking the assigned permissions for each tenant, you can create an alert. Then you
receive an email and an in-app notification so that you know when the total users with the Modify All Data permission exceeds
your specified threshold or increases. With this information, you can reevaluate your tenant’s security posture. You can also trigger
a flow on the TenantSecurityNotification object for this alert to incorporate a custom business process. For more examples, see
Use Cases for Alerts.
From the Alert Settings page, use the dropdown menu to activate, deactivate, or edit each alert. Click the name of an alert to see a history
of when it was triggered.
Available in: Security Center is available in Enterprise, Performance, Unlimited, and Developer Editions as an add-on subscription.
Example: More than one Threat Detection event can be a security risk. Create an alert for any increases to the Threat Detection
event count so that you receive a notification whenever a Threat Detection event occurs. Trigger a flow on the
TenantSecurityNotification object for this alert to create a Case record for the appropriate team to investigate. For more information,
see Threat Detection.
Example: Create an alert for managed package count increases to monitor who installs packages and when new packages are
installed to determine a compliance or security threat. Trigger a flow on the TenantSecurityNotification object for this alert to
create a record that’s submitted to the appropriate approval process that all packages undergo.
Example: You want your Health Check score to consistently remain at 90% or above. Create a custom alert for Health Check
Score decreases to ensure that you receive a notification whenever your score decreases. Then you can assess security threats and
act to secure your tenant.
Example: Create an alert for increases to the inactive users count to ensure that former employees don’t have access to the
tenant.
Permissions Alert
Instead of periodically checking the assigned permissions for each tenant, create an alert. With this information you can reevaluate your
tenant’s security posture.
Example: Monitoring how many users have the Modify All Data permission is more difficult as your tenant grows. Create an alert
for this permission to receive a notification so that you know when the total users with the Modify All Data permission exceeds
your specified threshold or increases. Trigger a flow on the TenantSecurityNotification object for this alert to integrate with an
external security incident management system.
Note: Deployed Security Policy settings overwrite existing settings in the target tenants.
Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires the Security Center and Event Monitoring add-on subscriptions.
Available in: Lightning Experience
To create a Security Policy:
1. On the Security Center dashboard, click the Security Policies tab, and then click New Security Policy.
2. Follow the prompts to define your policy, and then select the tenants that you want the policy to apply to.
3. Save the Security Policy as a draft, or save and activate it.
4. To view a policy’s details, on the Security Policies tab, click the name of the policy.
USER PERMISSIONS
Note: The only tenants displayed for the mobile app security policy type are the connected tenants that are licensed for
mobile app security.
Example: Your business handles highly sensitive customer data, so you want to establish a Health Check Baseline with a higher
risk setting than the Salesforce Baseline Standard. Create and upload a baseline to the Security Center, and deploy it to the relevant
tenants.
You then decide that the baseline setting is too strict, so you make a new version of the policy. The updated Health Check Baseline
is then applied to the same tenants as the original baseline.
On the Security Policies page, use the dropdown menu to activate, deactivate, or edit a policy. When you edit a policy, it saves as a new
version. You can still change the settings in a specific tenant after a Security Policy is deployed to it.
Disconnecting a child tenant from a parent tenant affects your ability to view metric data.
• When you disconnect all child tenants from a parent tenant, the aggregate data in that parent tenant’s dashboards and collected
data is no longer visible.
• To view data from a disconnected child tenant, reconnect it to any parent tenant. For example, a child tenant called Human Resources
is disconnected from one parent tenant and connected to another parent tenant. The data for the Human Resources child tenant
appears in the second parent tenant.
1. In a parent tenant, click the Connected Tenants tab.
2. Find the child tenant you want to disconnect, and click Disconnect.
The Connected Tenants page updates and lists only the remaining child tenants. Security Center retains existing data from the
disconnected child tenant in the background, but that data is no longer visible in the parent tenant.
Authentication Metrics
• External
• MFA & External
• MFA & OAuth
• MFA & Passwordless
• MFA & SSO
Configuration Metrics
• Connected Apps
• Encryption Policies
• Managed Packages
• Mobile Security Policies
• Security Health Check
• Security Health Check Baselines
• Transaction Security Policy
• Trusted IP Ranges
• Unmanaged Packages
Permission Metrics
• Assign Permission Sets
• Author Apex
• Customize Application
• Download AppExchange Packages
• Edit Read Only Fields
• Enforce Enhanced Mobile App Security
• List Email Send
• Manage All Private Reports and Dashboards
• Manage Auth. Providers
• Manage Certificates
• Manage Connected Apps
• Manage Custom Permissions
• Manage Customer Users
• Manage Encryption Keys
• Manage Flow
• Manage Health Check
• Manage IP Addresses
• Manage Internal Users
• Manage Login Access Policies
• Manage Password Policies
• Manage Profiles and Permission Sets
• Manage Roles
Monitoring Metrics
• Threat Detection
Set Up and Maintain Your Salesforce Organization Einstein Data Detect
• Salesforce Industries
• Salesforce Platform
• Service Cloud
• Work.com
Note: To configure session security for government cloud organizations, make sure to deselect Lock sessions to the IP address from which they originated in Session Settings.
For more information on configuring Session Security Settings, visit Salesforce Help.
Available in: Enterprise, Performance, Unlimited, and Developer editions. Requires the Salesforce Shield add-on subscription.
1. Go to the installation URL for Einstein Data Detect: https://sfdc.co/install-datadetect.
SEE ALSO:
Salesforce Help: My Domain
Salesforce Help: Install a Package
USER PERMISSIONS
9. Click Save.
10. Repeat steps 5–9 on other objects that you want to include in your policy.
Your objects settings are added to your policy.
USER PERMISSIONS
6. To view the record detail page for records, click the record ID.
A new tab opens, displaying information you can use to act on the sensitive data.
Set Up and Maintain Your Salesforce Organization Strengthen Your Data's Security with Shield Platform
Encryption
Example: Warren is an IT Systems Specialist for Northern Trail Outfitters, an outdoor apparel company. He must track the encryption
policy status across the company’s entire Salesforce rollout. He can simplify this process through the Security Center app, which
can capture selected security metrics like encryption policies across the rollout. For more information, see Take Charge of Your
Security Goals with Security Center.
SEE ALSO:
Learning Map: Shield Learning Map
Take Charge of Your Security Goals with Security Center
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
Classify Sensitive Data to Support Data Management Policies
Activity
• Description (encrypts Event—Description and Task—Comment)
• Subject (encrypts Event—Subject and Task—Subject)
Selecting an Activity field encrypts that field on standalone events, event series (Lightning Experience), and recurring events (Salesforce Classic).
Cases
• Description
• Subject
Contacts
• Assistant
Email Messages
• From Name
• To Address
• CC Address
If you use Email-to-Case, these fields are also encrypted on the customer emails that generate cases.
Recommendations
• Description
Regulatory Code Violation
• Corrective Action Description
• Description
Emergency Response Management for Public Sector standard objects and fields are available to users who have the Emergency Response for Public Sector permission set license.
Social Post
• Attachment URL
• Headline
• Message
• Post URL
• Social Handle
Before you can apply encryption to Social Post fields, make sure that Social Customer Service is enabled and connected to a Marketing Cloud Social service.
User
• Email
Note: Deterministic encryption is unavailable for long text fields and fields that have Notes in the name.
Object Fields
Care Plan Template Problem Name
Object Fields
Care Plan Template Problem Name
Object Fields
Care Plan Template Problem Name
Issuer Number
Member Number
Name
Primary Care Physician
Source System Identifier
Object Fields
Financial Deal Description
Financial Deal Code
Name
Interaction Comment
Name
Object Fields
Interaction Related Account Comment
Object Fields
Business Milestone Milestone Description
Milestone Name
Object Fields
Lookup Data Lookup Data
SEE ALSO:
Classify Sensitive Data to Support Data Management Policies
Important: When you encrypt the Name field, enhanced lookups are automatically enabled. Enhanced lookups improve the
user’s experience by searching only through records that have been looked up recently, and not all existing records. Switching to
enhanced lookups is a one-way change. You can’t go back to standard lookups, even if you disable encryption.
You can’t use Schema Builder to create an encrypted custom field.
To encrypt custom fields that have the Unique or External ID attribute, you can only use deterministic encryption.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Classify Sensitive Data to Support Data Management Policies
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Note: Enabling Encryption for Chatter encrypts all eligible Chatter fields. You can’t choose to encrypt only some Chatter fields.
CRM Analytics
Encrypts new CRM Analytics datasets.
Note: Data that was in CRM Analytics before encryption was enabled isn’t encrypted. If existing data is imported from Salesforce
objects through the dataflow, the data becomes encrypted on the next dataflow run. Other existing data (such as CSV data)
must be reimported to become encrypted. Although existing data isn’t encrypted, it’s still accessible and fully functional in its
unencrypted state when encryption is enabled.
SEE ALSO:
Classify Sensitive Data to Support Data Management Policies
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
Important: Where possible, we changed noninclusive terms to align with our company value of Equality. We maintained certain terms
to avoid any effect on customer implementations.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield.
Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
Data Encryption
The process of applying a cryptographic function to data that results in ciphertext. The Shield Platform Encryption process uses
symmetric key encryption, a 256-bit Advanced Encryption Standard (AES) algorithm using CBC mode, and a randomized 128-bit
initialization vector to encrypt data stored on the Salesforce Platform. Both data encryption and decryption occur on the
application servers.
Data Encryption Keys
Shield Platform Encryption uses data encryption keys to encrypt and decrypt data. Data encryption keys are derived on the Shield
Key Management Service (KMS) using keying material split between a per-release master secret and an org-specific tenant secret
stored encrypted in the database. The 256-bit derived keys exist in memory until evicted from the cache.
Encrypted Data at Rest
Data that is encrypted when persisted on disk. Salesforce supports encryption for fields stored in the database; documents stored
in files, content, libraries, and attachments; search index files; CRM Analytics datasets; and archived data.
What’s the Difference Between Classic Encryption and Shield Platform Encryption?
With Shield Platform Encryption, you can encrypt a variety of widely used standard fields, along with some custom fields and many
kinds of files. Shield Platform Encryption also supports person accounts, cases, search, approval processes, and other key
Salesforce features. Classic encryption lets you protect only a special type of custom text field, which you create for that purpose.
EDITIONS
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield.
Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
Feature | Classic Encryption | Platform Encryption
Pricing | Included in base user license | Additional fee applies
Encryption at Rest
Native Solution (No Hardware or Software Required)
Encryption Algorithm | 128-bit Advanced Encryption Standard (AES) | 256-bit Advanced Encryption Standard (AES)
PCI-DSS L1 Compliance
Masking
API Access
1. When a Salesforce user saves encrypted data, the runtime engine determines from metadata whether to encrypt the field, file, or
attachment before storing it in the database.
2. If so, the encryption service checks for the matching data encryption key in cached memory.
3. The encryption service determines whether the key exists.
a. If so, the encryption service retrieves the key.
b. If not, the service sends a derivation request to a key derivation server and returns it to the encryption service running on the
Salesforce Platform.
4. After retrieving or deriving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using
256-bit AES encryption.
5. The ciphertext is saved in the database or file storage. The IV and corresponding ID of the tenant secret used to derive the data
encryption key are saved in the database.
Salesforce generates a new master secret at the start of each release.
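The save-time flow in steps 1 through 5 above, as an added Node.js sketch that is not Salesforce code: the PBKDF2 derivation, the in-memory stores, and every function and ID name are assumptions made for illustration, and the field value is constructed. It shows the cache lookup, derivation on a miss, a fresh IV per value, and a stored record that carries only the IV and tenant secret ID beside the ciphertext.

```javascript
// Added illustration, not Salesforce code. The KDF choice (PBKDF2-HMAC-SHA256),
// the in-memory stores, and every function and ID name here are assumptions.
const crypto = require('node:crypto');

function createEncryptionService() {
  const masterSecret = crypto.randomBytes(32); // stand-in per-release master secret
  const tenantSecrets = new Map();             // tenantSecretId -> org-specific secret
  const keyCache = new Map();                  // tenantSecretId -> derived 256-bit key
  let derivations = 0;                         // requests that reached the derivation step

  // Stand-in for the key derivation server: both halves of the keying
  // material are needed to reproduce a data encryption key.
  function deriveKey(tenantSecretId) {
    const tenantSecret = tenantSecrets.get(tenantSecretId);
    if (!tenantSecret) throw new Error(`tenant secret ${tenantSecretId} unavailable`);
    derivations += 1;
    return crypto.pbkdf2Sync(masterSecret, tenantSecret, 10000, 32, 'sha256');
  }

  // Steps 2 and 3: use the cached key if present, otherwise derive and cache it.
  function getKey(tenantSecretId) {
    if (!keyCache.has(tenantSecretId)) {
      keyCache.set(tenantSecretId, deriveKey(tenantSecretId));
    }
    return keyCache.get(tenantSecretId);
  }

  return {
    addTenantSecret(id) { tenantSecrets.set(id, crypto.randomBytes(32)); },
    destroyTenantSecret(id) { tenantSecrets.delete(id); keyCache.delete(id); },
    derivationCount() { return derivations; },

    // Step 4: random 128-bit IV for every value, AES-256 in CBC mode.
    // Step 5: the stored record holds ciphertext, IV and tenant secret ID, never the key.
    encryptField(plaintext, tenantSecretId) {
      const iv = crypto.randomBytes(16);
      const cipher = crypto.createCipheriv('aes-256-cbc', getKey(tenantSecretId), iv);
      const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
      return { tenantSecretId, iv: iv.toString('hex'), ciphertext: ciphertext.toString('hex') };
    },

    // Decryption reads the tenant secret ID and IV back from the record.
    decryptField(record) {
      const key = getKey(record.tenantSecretId);
      const decipher = crypto.createDecipheriv('aes-256-cbc', key, Buffer.from(record.iv, 'hex'));
      return Buffer.concat([
        decipher.update(Buffer.from(record.ciphertext, 'hex')),
        decipher.final(),
      ]).toString('utf8');
    },
  };
}

function walkThrough() {
  const svc = createEncryptionService();
  const value = 'constructed-account-number-0001'; // constructed sample field value
  svc.addTenantSecret('ts-1');
  const first = svc.encryptField(value, 'ts-1');   // cache miss: key is derived
  const second = svc.encryptField(value, 'ts-1');  // cache hit: no new derivation
  svc.addTenantSecret('ts-2');                     // a second tenant secret
  const third = svc.encryptField(value, 'ts-2');   // new secret, new derived key
  const oldRecord = svc.decryptField(first);       // stored ID selects the right key
  const derivations = svc.derivationCount();
  svc.destroyTenantSecret('ts-1');                 // secret gone, cached key evicted
  let afterDestroy;
  try {
    afterDestroy = svc.decryptField(first);
  } catch (err) {
    afterDestroy = 'key unavailable';
  }
  return {
    ivBytes: first.iv.length / 2,
    sameCiphertext: first.ciphertext === second.ciphertext,
    thirdSecretId: third.tenantSecretId,
    derivations,
    oldRecord,
    afterDestroy,
  };
}

console.log(walkThrough());
```

Because the record stores only the tenant secret ID and IV, data written under a tenant secret stays readable only while that secret can still be used to derive its key.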
4. After retrieving the key, the encryption service generates a random initialization vector (IV) and encrypts the data using NSS or JCE’s
AES-256 implementation.
5. The key ID (identifier of the key being used to encrypt the index segment) and IV are saved in the search index.
The process is similar when a user searches for encrypted data:
1. When a user searches for a term, the term is passed to the search index, along with which Salesforce objects to search.
2. When the search index executes the search, the encryption service opens the relevant segment of the search index in memory and
reads the key ID and IV.
3. Steps 3 through 5 of the process when a user creates or edits records are repeated.
4. The search index processes the search and returns the results to the user seamlessly.
If Salesforce admins disable encryption on a field, all index segments that were encrypted are unencrypted and the key ID is set to null.
This process can take up to seven days.
• Generate and store your key material outside of Salesforce using a key service of your choice, and use the Salesforce Cache-Only Key
Service to fetch your key material on demand. Your key service transmits your key material over a secure channel that you configure.
It’s then encrypted and stored in the cache for immediate encrypt and decrypt operations.
!!!!! | This service is unavailable right now. For help accessing this service, contact Salesforce.
Custom Date | 08/08/1888 | This field is encrypted, and the encryption key has been destroyed.
01/01/1777 | This service is unavailable right now. For help accessing this service, contact Salesforce.
01/01/1777 12:00 PM | This service is unavailable right now. For help accessing this service, contact Salesforce.
You can’t enter these masking characters into an encrypted field. For example, if a Date field is encrypted and you enter 07/07/1777,
you must enter a different value before it can be saved.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Shield Platform Encryption enabled | Shield Platform Encryption not enabled | The Encrypted field attribute is ignored.
Shield Platform Encryption not enabled | Shield Platform Encryption enabled | The target Encrypted field attribute indicates enablement.
Available in both Salesforce Classic and Lightning Experience.
SEE ALSO:
Change Sets
Fix Compatibility Problems
How Does Shield Platform Encryption Work in a Sandbox?
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
The Customize Application and Manage Certificates permissions are automatically enabled for users with the System Administrator
profile.
This restriction applies to actions taken through the API or from Setup pages, such as the Encryption Policy page or the Object Manager.
SEE ALSO:
User Permissions
Metadata API Developer Guide: EncryptionKeySettings
Metadata API Developer Guide: PlatformEncryptionSettings
If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before destroying a key, synchronize the data it encrypts with an active key.
To manage tenant secrets:
• Manage Encryption Keys
SEE ALSO:
API Guide: TenantSecret
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. In the Choose Tenant Secret Type dropdown list, choose a data type.
The Key Management page displays all tenant secrets of each data type. If you generate or upload a tenant secret while viewing
tenant secrets of a particular type, it becomes the active tenant secret for that data.
SEE ALSO:
API Guide: TenantSecret
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
USER PERMISSIONS
To view setup:
• View Setup and Configuration
To encrypt fields:
• Customize Application
Depending on the size of your org, enabling a standard field for encryption can take a few minutes.
1. Make sure that your org has an active encryption key. If you’re not sure, check with your administrator.
2. From Setup, in the Quick Find box, enter Platform Encryption, and then select Encryption Policy.
3. Click Encrypt Fields.
4. Click Edit.
5. Select the fields you want to encrypt.
All new data entered in this field is encrypted. By default, data is encrypted using a probabilistic encryption scheme. To apply deterministic encryption to your data, select Deterministic from the Encryption Scheme list. For more information, see “How Deterministic Encryption Supports Filtering” in Salesforce Help.
6. Save your work.
The automatic Platform Encryption validation service checks for settings in your org that can block encryption. You receive an email with suggestions for fixing incompatible settings.
Field values are automatically encrypted only in records created or updated after you’ve enabled encryption. Synchronize existing data with your active key material on the Encryption Statistics and Data Sync page.
Note: To encrypt standard fields on custom objects, such as Custom Object Name, see Encrypt Fields on Custom Objects and
Custom Fields.
Note: If Salesforce enabled this feature for you before Spring ’19, opt in again on the Advanced Settings page. If you don’t
opt in, you can’t enable or disable encryption on those fields. However, your encrypted custom fields in installed managed
packages remain encrypted.
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield. Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
Available in both Salesforce Classic and Lightning Experience.
USER PERMISSIONS
To view setup:
• View Setup and Configuration
To encrypt files:
• Customize Application
Note: Before you begin, make sure that your org has an active encryption key. If you’re not sure, check with your Salesforce admin.
1. From Setup, in the Quick Find box, enter Encryption Policy, and then select Encryption Policy.
2. Select Encrypt Files and Attachments.
3. Save your work.
Important: Users with access to the file can work normally with it regardless of their encryption-specific permissions. Users who are logged in to your org and have read access can search and view the body content.
Users can continue to upload files and attachments per the usual file size limits. Expansion of file sizes caused by encryption doesn’t count against these limits.
Turning on file and attachment encryption affects new files and attachments. It doesn’t automatically encrypt files and attachments that were already in Salesforce. Synchronize existing data with your active key material on the Encryption Statistics and Data Sync page.
To check whether a file or attachment is encrypted, look for the encryption indicator on the detail page of the file or attachment. You can also query the isEncrypted field on the ContentVersion object (for files) or on the Attachment object (for attachments).
SEE ALSO:
CRM Analytics Encryption
Generate a Tenant Secret with Salesforce
Note: By default, your results only list the first 250 errors per element. You can increase the number of errors listed in your
results to 5000. Contact Salesforce for help.
SEE ALSO:
Set Up Your Encryption Policy
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
The Salesforce Shield approach is to expose just enough determinism to let bona fide users filter on encrypted data while limiting it
enough to ensure that a given plaintext value doesn’t universally result in the same ciphertext value across all fields, objects, or orgs.
Even if an attacker successfully matched cleartext to encrypted values for one field, the attacker would have to do it all over again for
another field, and again for the same field in another object.
In this way, deterministic encryption reduces encryption strength only as much as is necessary to allow filtering.
Deterministic encryption comes in two types: case-sensitive and case-insensitive. With case-sensitive encryption, a SOQL query against
the Contact object, where LastName = Jones, returns only Jones, not jones or JONES. Similarly, when the case-sensitive deterministic
scheme tests for unicity (uniqueness), each version of “Jones” is unique.
For case-insensitive, a SOQL query against the Lead object, where Company = Acme, returns Acme, acme, or ACME. When the
case-insensitive scheme tests for unicity (uniqueness), each version of Acme is considered identical.
Important: Probabilistic encryption is not supported on the email address field for the Contact object. To avoid creating duplicate
accounts during self-registration, use deterministic encryption.
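The trade-off described above, as an added sketch that is not Salesforce code: a random IV per value (probabilistic) defeats equality filters, while a plaintext-derived IV under a field-scoped key (deterministic) permits them only inside one org, object and field. AES-256 is swapped for an HMAC-SHA-256 keystream so the sketch runs on the standard library alone; the key derivation, scheme labels, org names, secrets and rows are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed secrets for the example only.
MASTER_SECRET = bytes(range(32))
TENANT_SECRET = bytes(range(32, 64))


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed parts, so part boundaries are unambiguous."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def derive_field_key(org: str, obj: str, field: str) -> bytes:
    """Assumed derivation: one key per (org, object, field), rooted in both secrets."""
    org_key = _prf(MASTER_SECRET, b"org", TENANT_SECRET, org.encode())
    return _prf(org_key, b"field", obj.encode(), field.encode())


def _stream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: XOR the data with an HMAC-derived keystream."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_prf(key, b"ks", iv, i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, value: str, scheme: str) -> bytes:
    """scheme is 'probabilistic', 'deterministic-cs' or 'deterministic-ci'."""
    if scheme not in ("probabilistic", "deterministic-cs", "deterministic-ci"):
        raise ValueError(f"unknown scheme: {scheme}")
    if scheme == "deterministic-ci":
        value = value.casefold()  # modelling choice: normalise case before encrypting
    data = value.encode("utf-8")
    if scheme == "probabilistic":
        iv = os.urandom(16)                # fresh random IV for every value
    else:
        iv = _prf(key, b"siv", data)[:16]  # IV is a keyed function of the plaintext
    return iv + _stream_xor(key, iv, data)


def decrypt(key: bytes, blob: bytes) -> str:
    """The IV travels with the ciphertext, so decryption is the same for every scheme."""
    return _stream_xor(key, blob[:16], blob[16:]).decode("utf-8")


def filter_equals(rows, key: bytes, term: str, scheme: str) -> list:
    """Equality filter on ciphertext only: encrypt the term, compare, decrypt nothing."""
    needle = encrypt(key, term, scheme)
    return [row_id for row_id, blob in rows if hmac.compare_digest(blob, needle)]


def demo() -> dict:
    last_name = derive_field_key("orgA", "Contact", "LastName")
    company = derive_field_key("orgA", "Lead", "Company")

    def store(key, values, scheme):
        return [(i, encrypt(key, v, scheme)) for i, v in enumerate(values)]

    names = ["Jones", "jones", "JONES", "Smith"]   # constructed Contact rows
    firms = ["Acme", "acme", "ACME", "Globex"]     # constructed Lead rows
    jones = encrypt(last_name, "Jones", "deterministic-cs")
    elsewhere = [("orgA", "Contact", "FirstName"),  # another field
                 ("orgA", "Lead", "LastName"),      # same field name, another object
                 ("orgB", "Contact", "LastName")]   # same field, another org
    return {
        "case_sensitive": filter_equals(
            store(last_name, names, "deterministic-cs"), last_name, "Jones", "deterministic-cs"),
        "case_insensitive": filter_equals(
            store(company, firms, "deterministic-ci"), company, "Acme", "deterministic-ci"),
        "probabilistic": filter_equals(
            store(last_name, names, "probabilistic"), last_name, "Jones", "probabilistic"),
        "reused_elsewhere": [
            encrypt(derive_field_key(*scope), "Jones", "deterministic-cs") == jones
            for scope in elsewhere],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this sketch the case-insensitive scheme stores the case-folded value, so decrypting it does not recover the original capitalization.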
4. From Setup, in the Quick Find box, enter Platform Encryption, and then select
Advanced Settings.
5. Enable Deterministic Encryption.
You can also enable deterministic encryption programmatically. For more information, see PlatformEncryptionSettings in the Metadata
API Developer Guide.
9. Enable encryption for each field, and choose a deterministic encryption scheme. How you do that depends on whether it’s a standard
field or a custom field.
• For standard fields, from Setup, select Encryption Policy, and then select Encrypt Fields. For each field you want to encrypt,
select the field name, and then choose either Deterministic—Case Sensitive or Deterministic—Case Insensitive from the
Encryption Scheme list.
• For custom fields, open the Object Manager and edit the field you want to encrypt. Select Encrypt the contents of this field,
and select an encryption scheme.
You receive an email notifying you when the enablement process finishes.
Note: Expect the enablement process to take longer when you apply deterministic encryption to a field with a large number
of records. To support filtering, the enablement process also rebuilds field indexes.
10. When you apply or remove deterministic encryption to a field, existing data in that field might not appear in queries or filters. To
apply full deterministic functionality to existing data, synchronize all of your data with your active key material from the Encryption
Statistics and Data Sync page. For more information, see Synchronize Your Data Encryption with the Background Encryption Service.
SEE ALSO:
Metadata API Developer Guide: PlatformEncryptionSettings
Work with Key Material
Shield Platform Encryption lets you generate a unique tenant secret for your org, or generate a tenant secret or key material using your own external resources. In either case, you manage your own key material: You can rotate it, archive it, and designate other users to share responsibility for it.
USER PERMISSIONS
To manage key material:
• Manage Encryption Keys
Rotate Your Encryption Tenant Secrets
You control the lifecycle of your data encryption keys by controlling the lifecycle of your tenant secrets. Salesforce recommends that
you regularly generate or upload new Shield Platform Encryption key material. When you rotate a tenant secret, you replace it with
either a Salesforce-generated tenant secret or customer-supplied key material.
Back Up Your Tenant Secrets
Your Shield Platform Encryption tenant secret is unique to your org and to the specific data to which it applies. Salesforce recommends
that you export your tenant secret to ensure continued access to the related data.
Get Statistics About Your Encryption Coverage
The Encryption Statistics page provides an overview of all data encrypted with Shield Platform Encryption. This information helps
you to stay on top of your key rotation and management tasks. You can also use encryption statistics to identify which objects and
fields you may want to update after you rotate your key material.
Synchronize Your Data Encryption with the Background Encryption Service
Periodically, you change your encryption policy. Or you rotate your keys. To get the most protection out of your encryption strategy
with Shield Platform Encryption, synchronize new and existing encrypted data under your most recent encryption policy and keys.
You can do this yourself or ask Salesforce for help.
Destroy Key Material
Only destroy Shield Platform Encryption tenant secrets and key material in extreme cases where access to related data is no longer
needed. Your key material is unique to your org and to the specific data to which it applies. Once you destroy key material, related
data is not accessible unless you import previously exported key material.
Require Multi-Factor Authentication for Key Management
Multi-factor authentication (MFA) is a powerful tool for securing access to data and resources. Salesforce requires the use of MFA
for all logins to your org's user interface. In addition, you can add extra security by also requiring MFA for Shield Platform Encryption
key management tasks like generating, rotating, or uploading key material and certificates.
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
The key derivation function uses a master secret, which is rotated with each major Salesforce release. Master secret rotation doesn’t
impact your encryption keys or your encrypted data until you rotate your tenant secret.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
2. From the Choose Tenant Secret Type dropdown, choose a data type.
3. Check the status of the data type’s tenant secrets. Existing tenant secrets are listed as active, archived, or destroyed.
Active
Can be used to encrypt and decrypt new or existing data.
Archived
Can’t encrypt new data. Can be used to decrypt data previously encrypted with this key when it was active.
Destroyed
Can’t encrypt or decrypt data. Data encrypted with this key when it was active can no longer be decrypted. Files and attachments
encrypted with this key can no longer be downloaded.
4. Click Generate New Tenant Secret or Bring Your Own Key. If uploading a customer-supplied tenant secret, upload your encrypted
tenant secret and tenant secret hash.
Note: You can have up to 50 active and archived tenant secrets of each type. For example, you can have one active and 49
archived Data in Salesforce tenant secrets, and the same number of Analytics tenant secrets. This limit includes
Salesforce-generated and customer-supplied key material.
If you run into this limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before
destroying a key, synchronize the data it encrypts with an active key.
5. If you want to re-encrypt field values with your active key material, synchronize new and existing encrypted data under your most
recent encryption policy and keys. You can sync data from the Encryption Statistics and Data Sync page in Setup.
SEE ALSO:
API Guide: TenantSecret
Synchronize Your Data Encryption with the Background Encryption Service
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield.
Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
The gathering process time varies depending on how much data you have in your object. You’re notified by email when the gathering
process is finished. When your statistics are gathered, the page shows updated information about data for each object. If encryption
for field history and feed tracking is turned on, you also see stats about encrypted field history and feed tracking changes.
Note:
• You can gather statistics once every 24 hours, either by clicking Gather Statistics or running the self-service background
encryption service.
• Feed Item doesn’t display statistics because it’s derived from Feed Post. Gathering statistics for Feed Post is sufficient to confirm
the encryption status of both Feed Post and Feed Item.
SEE ALSO:
Sync Data with Self-Service Background Encryption
Available as an add-on subscription in: Enterprise, Performance, and Unlimited Editions. Requires purchasing Salesforce Shield.
Available in Developer Edition at no charge for orgs created in Summer ’15 and later.
The page offers two views of your encrypted data: a summary view and a detail view.
• Object—Lists your standard and custom objects. Data about standard objects are aggregated for all standard objects of a given
type. Data about custom objects are listed for each custom object.
• Data Encrypted—The total percentage of data in an object that’s encrypted. In the example above, 50% of all data in Account objects
is encrypted.
• Uses Active Key—The percentage of your encrypted data in that object or object type that is encrypted with your active key material.
• Sync Needed—Recommends whether to synchronize your data with the background encryption service. This column displays Yes
when you’ve added or disabled encryption on fields, changed a field’s encryption scheme, or rotated key material.
When the numbers in both Data Encrypted and Uses Active Key columns are the same, and Sync Needed column reads No, all your
encrypted data is synchronized. In the example above, the Case object is synchronized.
Sometimes the Sync Needed column reads Yes for an object when the Data Encrypted and Uses Active Key columns have the same
values. This combination of values happens when encryption policy settings or keys have changed since the last time you gathered
statistics or synchronized your data. This combination also happens when statistics have been gathered for newly encrypted data, but
the object has never been synchronized. In the example above, the Account, Contact, Lead, and Opportunity objects meet one or more
of these conditions.
A double dash (--) means that statistics haven’t been gathered for that object or object type yet. In the example, statistics haven’t been
gathered for the Opportunity and Attachment objects.
Note: Not all field data is stored in the same field that displays data in the UI. For example, some Person Account field
data is stored in the corresponding Contact fields. If you have Person Accounts enabled but don’t see encrypted fields
under the Account detail view, gather statistics for the Contact object and check there.
Similarly, Chatter data is stored in the Feed Attachment, Feed Comment, Feed Poll Choice, Feed Post, and Feed Revision
objects. The Encryption Statistics page lists these objects and all fields that hold encrypted Chatter data in the database.
Some fields listed on the Encryption Statistics page aren’t visible in the UI by the same name, but they store all encrypted
data that’s visible in the UI. See Which Standard Fields Can I Encrypt? in Salesforce Help for a list of the encrypted Chatter
fields.
History
The History tab shows data about field history and feed tracking changes.
• Field—All encryptable standard and custom fields in the object that contain data.
• API Name—The API name for fields that contain data.
• Encrypted Field History—The number of encrypted field history values for a field type across all objects of a given type. For
example, you select the Account object and see “2” in the Encrypted Field History column for Account Name, which means that
Account Name has two encrypted field history values.
• Unencrypted Field History—The number of plaintext field history values stored for a field.
• Encrypted Feed Tracking—The number of encrypted feed tracking values stored for a field.
• Unencrypted Feed Tracking—The number of plaintext feed tracking values stored for a field.
SEE ALSO:
Synchronize Your Data Encryption with the Background Encryption Service
Note: Synchronizing your data encryption doesn't modify the record LastModifiedDate or LastModifiedById timestamps.
It doesn't execute triggers, validation rules, workflow rules, or any other automated service. However, it does modify the
SystemModStamp.
Tip: Also check that your field values aren’t too long for encryption.
Tip: If you’re not sure which data is already encrypted, visit the Encryption Statistics page, which keeps a record of all fields that
you have encrypted.
• Delete all the data that was encrypted with the destroyed key, then ask Salesforce Customer Support to synchronize your data.
• Ask Salesforce Customer Support to mass overwrite the data that was encrypted with the destroyed key with "?????".
Note: Keep these points in mind when disabling encryption on data encrypted with destroyed material.
• When you disable encryption for files that were encrypted with a key that’s been destroyed, the files don’t automatically go
away. You can ask Salesforce support to delete the files.
• The automatic decryption process takes longer when you disable encryption on fields encrypted with a key that’s been
destroyed. Salesforce notifies you by email when the process finishes.
SEE ALSO:
General Shield Platform Encryption Considerations
Field Limits with Shield Platform Encryption
Disable Encryption on Fields
Note: The sync process time varies depending on how much data you have in your object. You’re notified by email when the
sync process is finished. You can sync your data from the Encryption Statistics and Data Sync page once every 7 days.
If you have lots of data in Attachment—Content Body fields, the sync process breaks your request into batches and syncs them
in sequence. However, sometimes we can’t encrypt all these batches at once. This is a service protection that helps Salesforce
maintain functional network loads. If the sync process finishes but the encryption statistics status is less than 100% complete, click
Sync again. The background encryption service picks up where it left off.
2. Select Raise session to high-assurance from the Manage Encryption Keys dropdown.
All admins with the Manage Encryption Keys permission must use an additional verification method to complete key management
tasks through Setup and the API.
SEE ALSO:
Enable MFA with Session Security Levels
SEE ALSO:
Key Management and Rotation
SEE ALSO:
Certificates and Keys
Generate a Certificate Signed by a Certificate Authority
Note: You can have up to 50 active and archived tenant secrets of each type. For example, you can have one active and 49
archived Data in Salesforce tenant secrets, and the same number of Analytics tenant secrets. This limit includes
Salesforce-generated and customer-supplied key material.
If you reach the limit, destroy an existing key before reactivating, rearchiving, or creating a callout to another one. Before
destroying a key, synchronize the data that it encrypts with an active key.
4. Export your tenant secret, and back it up as prescribed in your organization’s security policy.
To restore a destroyed tenant secret, reimport it. The exported tenant secret is different from the tenant secret you uploaded. It’s
encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in Salesforce Help.
7. In the Upload Tenant Secret section, attach both your encrypted data encryption key and your hashed plaintext data encryption
key.
8. Click Upload.
This data encryption key automatically becomes the active key.
From now on, the Shield Key Management Service (KMS) skips the derivation process and uses your data encryption key to directly
encrypt and decrypt your data. You can review the derivation status of all key material on the Key Management page.
9. Export your data encryption key and back it up as prescribed in your organization’s security policy.
To restore your data encryption key, reimport it. The exported data encryption key is different from the data encryption key you
uploaded. It is encrypted with a different key and has additional metadata embedded in it. See Back Up Your Tenant Secret in
Salesforce Help.
Your certificate is not active, or is not a valid Bring Your Own Key certificate. | Ensure that your certificate settings are compatible with the Bring Your Own Key feature. Under the Certificate and Key Edit section of the Certificates page, select a 4096-bit certificate size, disable Exportable Private Key, and enable Platform Encryption.
You haven’t attached both the encrypted tenant secret and the hashed tenant secret. | Make sure that you attach both the encrypted tenant secret and hashed tenant secret. Both of these files should have a .b64 suffix.
Your tenant secret or hashed tenant secret wasn’t generated properly. | Several problems can cause this error. Usually, the tenant secret or hashed tenant secret wasn't generated using the correct SSL parameters. If you are using OpenSSL, you can refer to the script for an example of the correct parameters you should use to generate and hash your tenant secret. If you are using a library other than OpenSSL, check that library's support page for help with finding the correct parameters to both generate and hash your tenant secret. Still stuck? Contact your Salesforce account executive. They'll put you in touch with someone at Salesforce who can help.
I’m still having problems with my key. Who should I talk to?
If you still have questions, contact your account executive. They’ll put you in touch with a support team specific to this feature.
SEE ALSO:
Key Management and Rotation
SEE ALSO:
Key Management and Rotation
Prerequisites
• Prepare your Salesforce org. Make sure that your org has at least one active Data in Salesforce key, either Salesforce-generated or
customer-supplied. You can create a tenant secret by clicking Generate Tenant Secret on the Key Management page in Setup.
• Generate and Host Key Material. The cache-only key exchange protocol and format requires that keys are wrapped in an opinionated
JSON Web Encryption (JWE). This format uses RSAES-OAEP for key encryption and AES GCM for content encryption.
Use a secure, trusted service to generate, store, and back up your key material.
• Use and maintain a reliable high-availability key service. Choose a high-availability key service with an acceptable service level
agreement (SLA), predefined maintenance procedures, and processes to mitigate any potential impact to business continuity.
When the connection between Salesforce and your key service is broken, the Cache-Only Key Service can encrypt and decrypt data
as long as your key material is in the cache. However, keys don’t stay in the cache for long. The cache is regularly flushed every 72
hours, but some Salesforce operations flush the cache about every 24 hours.
If your key material isn’t in the cache, and the connection to your key service is broken, users can’t encrypt or decrypt records. Make
sure that you use a key service that Salesforce can connect to at any time. This is especially important during busy times like the end
of year or end of quarter.
• Maintain a secure callout endpoint. The cache-only key exchange protocol requires that keys are wrapped in an opinionated JSON
format. Host your wrapped key inside the key response at a location Salesforce can request.
The Cache-Only Key Service uses named credentials to establish a secure, authenticated connection to allowed IP addresses and
domains. You can configure your named credentials to use popular authentication formats, such as Mutual TLS and OAuth. You can
change these authentication protocols at any time.
• Actively monitor your key service logs for errors. While Salesforce is here to help you with the Shield Platform Encryption service,
you are responsible for maintaining the high-availability key service that you use to host your key material. You can use the
RemoteKeyCalloutEvent object to review or track cache-only key events.
Warning: Because you’re in control of your keys, you’re responsible for securing and backing up your key material. Salesforce
can’t retrieve lost key material stored outside of our encrypted key cache.
Set Up and Maintain Your Salesforce Organization Strengthen Your Data's Security with Shield Platform
Encryption
• Know how to format and assemble your key material. Format key material hosted outside of Salesforce in a way that’s compatible
with the Cache-Only Key Service. Make sure that you can generate the following components in the required formats.
BYOK-compatible certificate: A 4096-bit RSA certificate whose private key is encrypted with a derived, org-specific tenant secret key
Unique key identifier: Allows numbers, uppercase and lowercase letters, periods, hyphens, and underscores
JSON web token ID (JTI): A 128-bit hex encoded, randomly generated identifier
Read more about assembling your key material in the Generate and Assemble Cache-Compatible Keys section. You can also look at our
Cache-Only Key Wrapper in GitHub for examples and a sample utility.
Terminology
Here are some terms that are specific to the Cache-Only Key Service.
Content Encryption Key
For each key request, your key service endpoint generates a unique content encryption key. The content encryption key wraps the
data encryption key, which is in turn encrypted by the key encrypting key and placed in the JWE header of the key response.
JSON Web Encryption
The JSON-based structure that the Shield Platform Encryption service uses to encrypt content. JSON Web Encryption, or JWE, uses
RSAES-OAEP for key encryption and AES GCM for content encryption.
JSON Web Token ID
A unique identifier for the JSON web token, which enables identity and security information to be shared across security domains.
Key Identifier
The Key ID, or KID, is the unique identifier for your key. The KID is used as the suffix in the named credential and for validation of the
KID in the response. In Setup, enter this identifier in the Unique Key Identifier field.
Available in both Salesforce Classic and Lightning Experience.
4. Create the JWE protected header. The JWE protected header is a JSON object with 3 claims: the algorithm used to encrypt the
content encryption key, the algorithm used to encrypt the data encryption key, and the unique ID of the cache-only key. Here’s an
example header to get us started.
{"alg":"RSA-OAEP","enc":"A256GCM","kid":"982c375b-f46b-4423-8c2d-4d1a69152a0b"}
6. Encrypt the content encryption key with the public key from the BYOK certificate using the RSAES-OAEP algorithm. Then encode
this encrypted content encryption key as BASE64URL(Encrypted CEK).
7. Generate an initialization vector for use as input to the data encryption key’s AES wrapping. Then encode it in base64url.
N2WVMbpAxipAtG9O
8. Wrap your data encryption key with your content encryption key.
a. Encode the JWE header as ASCII(BASE64URL(UTF8(JWE Protected Header))).
b. Perform authenticated encryption on the data encryption key with the AES GCM algorithm. Use the content encryption key as
the encryption key, the initialization vector (the bytes, not the base64URL encoded version), and the Additional Authenticated
Data value, requesting a 128-bit Authentication Tag output.
c. Encode the resulting ciphertext as BASE64URL(Ciphertext).
d. Encode the Authentication Tag as BASE64URL(Authentication Tag).
63wRVVKX0ZOxu8cKqN1kqN-7EDa_mnmk32DinS_zFo4
and
HC7Ev5lmsbTgwyGpeGH5Rw
9. Assemble your JWE as a compact serialization of all the preceding values. Concatenate values separated by a period.
For more detailed examples of this process, check out the sample Cache-Only Key Wrapper in GitHub. You can use either the utility in
this repository or another service of your choosing.
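The wrapping steps above as one runnable Node.js example (added here; it is not Salesforce's Cache-Only Key Wrapper utility), together with the matching unwrap that the holder of the private key performs, so you can test a wrapper against a key pair you control. The function names and the throwaway RSA key pair, which stands in for the BYOK-compatible certificate's key pair, are assumptions; the kid and jti are the sample values shown on this page.

```javascript
const crypto = require('crypto');

// base64url without padding, as the compact JWE serialization uses.
const b64url = (buf) =>
  Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (str) => Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// JWE "RSA-OAEP" is RSAES-OAEP with its default parameters (SHA-1, MGF1 with SHA-1).
const oaep = (key) => ({ key, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha1' });

// Wrap one 32-byte data encryption key (DEK) for a single key request.
// publicKey: public key of the BYOK-compatible certificate (assumed input).
// kid: the Unique Key Identifier; jti: optional 128-bit hex value for replay detection.
function wrapDek({ publicKey, dek, kid, jti }) {
  if (!Buffer.isBuffer(dek) || dek.length !== 32) {
    throw new Error('data encryption key must be 32 bytes');
  }
  if (!/^[A-Za-z0-9._-]+$/.test(kid)) {
    throw new Error('kid may contain only letters, numbers, periods, hyphens, underscores');
  }
  if (jti !== undefined && !/^[0-9a-fA-F]{32}$/.test(jti)) {
    throw new Error('jti must be a 128-bit hex-encoded value');
  }
  // Step 4: protected header. Step 8a: its base64url form doubles as the AAD.
  const header = jti === undefined
    ? { alg: 'RSA-OAEP', enc: 'A256GCM', kid }
    : { alg: 'RSA-OAEP', enc: 'A256GCM', kid, jti };
  const protectedB64 = b64url(JSON.stringify(header));
  // A fresh 256-bit content encryption key (CEK) for every key request.
  const cek = crypto.randomBytes(32);
  // Step 6: encrypt the CEK to the certificate's public key with RSAES-OAEP.
  const encryptedCek = crypto.publicEncrypt(oaep(publicKey), cek);
  // Step 7: random 96-bit IV (the page's sample IV also decodes to 12 bytes).
  const iv = crypto.randomBytes(12);
  // Steps 8b-8d: AES-256-GCM over the DEK, raw IV bytes, AAD, 128-bit tag.
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(protectedB64, 'ascii'));
  const ciphertext = Buffer.concat([cipher.update(dek), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Step 9: compact serialization, five segments joined by periods.
  return [protectedB64, b64url(encryptedCek), b64url(iv), b64url(ciphertext), b64url(tag)].join('.');
}

// The receiving side: recover the DEK and reject anything that fails authentication.
function unwrapDek(jwe, privateKey) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('compact JWE must have 5 segments');
  const [protectedB64, cekB64, ivB64, ctB64, tagB64] = parts;
  const header = JSON.parse(unb64url(protectedB64).toString('utf8'));
  if (header.alg !== 'RSA-OAEP' || header.enc !== 'A256GCM') {
    throw new Error('unsupported alg or enc in JWE header');
  }
  const cek = crypto.privateDecrypt(oaep(privateKey), unb64url(cekB64));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, unb64url(ivB64), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(protectedB64, 'ascii'));
  decipher.setAuthTag(unb64url(tagB64));
  // final() throws if the header, ciphertext, IV or tag was altered.
  const dek = Buffer.concat([decipher.update(unb64url(ctB64)), decipher.final()]);
  if (dek.length !== 32) throw new Error('data encryption key must be 32 bytes');
  return { header, dek };
}

// Constructed demo input: a throwaway 4096-bit RSA key pair and a random DEK.
function runDemo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 4096 });
  const dek = crypto.randomBytes(32);
  const kid = '982c375b-f46b-4423-8c2d-4d1a69152a0b'; // sample kid from this page
  const jti = 'e5ab58fd2ced013f2a46d5c8144dd439';     // sample jti from this page
  const jwe = wrapDek({ publicKey, dek, kid, jti });
  return { privateKey, dek, kid, jti, jwe, opened: unwrapDek(jwe, privateKey) };
}

const demo = runDemo();
console.log('segment sizes in bytes:', demo.jwe.split('.').map((s) => unb64url(s).length));
console.log('round trip ok:', demo.opened.dek.equals(demo.dek));
```

Because the protected header is the Additional Authenticated Data, changing the kid or jti after wrapping makes the unwrap fail rather than yield a key.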
Salesforce checks the connection to the endpoint specified by the named credential. If Salesforce can reach the endpoint, the key
specified for the Unique Key Identifier becomes the active key. All data marked for encryption by your encryption policy is encrypted
with your cache-only key.
If Salesforce can’t reach the specified endpoint, an error displays to help you troubleshoot the connection.
Cache-only key status is recorded as Fetched on the Key Management page. In Enterprise API, the TenantSecret Source value is listed
as Remote.
Tip: You can monitor key configuration callouts in the Setup Audit Trail. When a callout to an active or archived cache-only key
is successful, the Setup Audit Trail logs an Activated status. Individual callouts aren’t monitored in Setup Audit Trail.
SEE ALSO:
Object Reference for Salesforce and Lightning Platform: RemoteKeyCalloutEvent
{"alg":"RSA-OAEP","enc":"A256GCM","kid":"982c375b-f46b-4423-8c2d-4d1a69152a0b","jti":"e5ab58fd2ced013f2a46d5c8144dd439"}
3. From Setup, enter Platform Encryption in the Quick find box, and click Advanced Settings.
4. Select Enable Replay Detection for Cache-Only Keys.
You can also enable replay detection programmatically. For more information, see EncryptionKeySettings in the Metadata API
Developer Guide.
From now on, every callout to an external key service includes a unique RequestIdentifier.
Warning: If you enable replay detection but don’t return the nonce with your cache-only key material, Salesforce aborts the
callout connection and displays a POTENTIAL_REPLAY_ATTACK_DETECTED error.
SEE ALSO:
Object Reference for Salesforce and Lightning Platform: RemoteKeyCalloutEvent
5. Review the details about your callout connection. If your callout connection was unsuccessful, you see a descriptive error message
at the bottom of the results pane. Use this message to make the appropriate adjustments to your key service.
SEE ALSO:
Object Reference for Salesforce and Lightning Platform: RemoteKeyCalloutEvent
Note: Your cache-only key is unique to your org and to the specific data to which it applies. When you destroy a cache-only key,
related data isn’t accessible unless you reactivate it and make sure that Salesforce can fetch it.
Available in both Salesforce Classic and Lightning Experience.
The Shield Key Management Service fetches the reactivated cache-only key from your key service, and uses it to access data that
was previously encrypted with it.
Note: You can sync your data to your active cache-only key just like you can with any other key material.
SEE ALSO:
Object Reference for Salesforce and Lightning Platform: TenantSecret
CRM Analytics
Backups of CRM Analytics data are encrypted with your Shield Platform Encryption keys. If you encrypt data in CRM Analytics datasets
with a cache-only key, make sure that the Analytics cache-only key is in the same state as your Data in Salesforce-type cache-only key.
Service Protections
To protect against Shield KMS interruptions and ensure smooth encryption and decryption processes, you can have up to 10 active and
archived cache-only keys of each type.
If you reach your key limit, destroy an existing key so that you can create, upload, reactivate, rearchive, or create a callout to another one.
Remember to synchronize your data with an active key before destroying key material.
MALFORMED_CONTENT_ENCRYPTION_KEY | The remote key service returned a content encryption | Check that you set up your named credential properly
MALFORMED_DATA_ENCRYPTION_KEY | The content encryption key couldn’t decrypt the data encryption key that was returned in the remote key service’s JWE. The data encryption key is either malformed, or encrypted with a different content encryption key. | Check that you set up your named credential properly and are using the correct BYOK-compatible certificate. Named credentials must call out to an HTTPS endpoint.
MALFORMED_JSON_RESPONSE | We can’t parse the JSON returned by your remote key service. Contact your remote key service for help. | Contact your remote key service.
MALFORMED_JWE_RESPONSE | The remote key service returned a malformed JWE token that can’t be decoded. Contact your remote key service for help. | Contact your remote key service.
EMPTY_RESPONSE | The remote key service callout returned an empty response. Contact your remote key service for help. | Contact your remote key service.
RESPONSE_TIMEOUT | The remote key service callout took too long and timed out. Try again. | If your key service is unavailable after multiple callout attempts, contact your remote key service.
UNKNOWN_ERROR | The remote key service callout failed and returned an error: {000}. | Contact your remote key service.
INCORRECT_KEYID_IN_JSON | The remote key service returned JSON with an incorrect key ID. Expected: {valid keyID}. Actual: {invalid keyID}. | Check that you set up your named credential properly and are using the correct BYOK-compatible certificate.
INCORRECT_KEYID_IN_JWE_HEADER | The remote key service returned a JWE header with an incorrect key ID. Expected: {valid keyID}. Actual: {invalid keyID}. | Check that you set up your named credential properly and are using the correct BYOK-compatible certificate.
INCORRECT_ALGORITHM_IN_JWE_HEADER | The remote key service returned a JWE header that specified an unsupported algorithm (alg): {algorithm}. | The algorithm for encrypting the content encryption key in your JWE header must be in RSA-OAEP format.
INCORRECT_ENCRYPTION_ALGORITHM_IN_JWE_HEADER | The remote key service returned a JWE header that specified an unsupported encryption algorithm (enc): {your enc}. | The algorithm for encrypting the data encryption key in your JWE header must be in A256GCM format.
INCORRECT_DATA_ENCRYPTION_KEY_SIZE | Data encryption keys encoded in a JWE must be 32 bytes. Yours is {value} bytes. | Make sure that your data encryption key is 32 bytes.
MISSING_PARAMETERS_IN_JWE_HEADER | Your JWE header is missing one or more parameters. Required: {0}. Found:{1}. | Make sure that your JWE header includes all required values. For example, if Replay Detection is enabled, the JWE header must include the nonce value extracted from the cache-only key callout.
AUTHENTICATION_FAILURE_RESPONSE | Authentication with the remote key service failed with the following error: {error}. | Check the authentication settings for your chosen named credential.
POTENTIAL_REPLAY_ATTACK_DETECTED | The remote key service returned a JWE header with an incorrect nonce value. Expected: {0}. Actual: {1} | Make sure that your JWE header includes the RequestID included in the callout.
UNKNOWN_ERROR | The remote key service callout failed and returned an error: java.security.cert.CertificateExpiredException: NotAfter: {date and time of expiration} | The certificate for your cache-only key expired. Update your cache-only key material to use an active BYOK-compatible certificate.
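A pre-flight check that a key service operator could run on a JWE before hosting it, reporting findings under the status codes from the table above. This is an added example, not Salesforce's validation logic; the function names and the constructed JWE-shaped samples are assumptions. It inspects only the structure and protected header, so it can't detect decryption failures such as MALFORMED_DATA_ENCRYPTION_KEY.

```javascript
const b64url = (buf) =>
  Buffer.from(buf).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (str) => Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');

// Returns the status codes a compact JWE would be expected to trigger.
// expectedKid: the Unique Key Identifier configured in Setup.
// expectedJti: the nonce from the callout, when replay detection is enabled.
function lintCacheOnlyJwe(jwe, { expectedKid, expectedJti } = {}) {
  if (typeof jwe !== 'string' || jwe.trim() === '') return ['EMPTY_RESPONSE'];
  const parts = jwe.split('.');
  if (parts.length !== 5 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    return ['MALFORMED_JWE_RESPONSE'];
  }
  let header;
  try {
    header = JSON.parse(unb64url(parts[0]).toString('utf8'));
  } catch (err) {
    return ['MALFORMED_JWE_RESPONSE'];
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    return ['MALFORMED_JWE_RESPONSE'];
  }
  const has = (name) => Object.prototype.hasOwnProperty.call(header, name);
  const required = expectedJti ? ['alg', 'enc', 'kid', 'jti'] : ['alg', 'enc', 'kid'];
  const findings = [];
  if (!required.every(has)) findings.push('MISSING_PARAMETERS_IN_JWE_HEADER');
  if (has('alg') && header.alg !== 'RSA-OAEP') {
    findings.push('INCORRECT_ALGORITHM_IN_JWE_HEADER');
  }
  if (has('enc') && header.enc !== 'A256GCM') {
    findings.push('INCORRECT_ENCRYPTION_ALGORITHM_IN_JWE_HEADER');
  }
  if (expectedKid && has('kid') && header.kid !== expectedKid) {
    findings.push('INCORRECT_KEYID_IN_JWE_HEADER');
  }
  if (expectedJti && has('jti') && header.jti !== expectedJti) {
    findings.push('POTENTIAL_REPLAY_ATTACK_DETECTED');
  }
  // AES GCM ciphertext is exactly as long as its plaintext, so the ciphertext
  // segment must decode to 32 bytes if it holds a 32-byte data encryption key.
  if (unb64url(parts[3]).length !== 32) {
    findings.push('INCORRECT_DATA_ENCRYPTION_KEY_SIZE');
  }
  return findings;
}

// Constructed JWE-shaped sample: a real header, filler bytes in the other segments.
function sampleJwe(header, ciphertextLength = 32) {
  return [JSON.stringify(header), Buffer.alloc(512, 1), Buffer.alloc(12, 2),
    Buffer.alloc(ciphertextLength, 3), Buffer.alloc(16, 4)].map(b64url).join('.');
}

const KID = '982c375b-f46b-4423-8c2d-4d1a69152a0b'; // sample kid from this page
const JTI = 'e5ab58fd2ced013f2a46d5c8144dd439';     // sample jti from this page
const expected = { expectedKid: KID, expectedJti: JTI };
const good = { alg: 'RSA-OAEP', enc: 'A256GCM', kid: KID, jti: JTI };
const samples = {
  'well formed': sampleJwe(good),
  'alg RSA-OAEP-256': sampleJwe({ ...good, alg: 'RSA-OAEP-256' }),
  'nonce not echoed': sampleJwe({ alg: 'RSA-OAEP', enc: 'A256GCM', kid: KID }),
  'stale nonce': sampleJwe({ ...good, jti: '0'.repeat(32) }),
  '16-byte key': sampleJwe(good, 16),
};
for (const [name, jwe] of Object.entries(samples)) {
  console.log(name.padEnd(18), lintCacheOnlyJwe(jwe, expected).join(', ') || 'no findings');
}
```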
The following key service errors can prevent the callout from completing. If you see errors related to these problems, contact your
key service administrator for help.
• The JWE is corrupt or malformed.
• The data encryption key is malformed.
• The key service returned a malformed JWE token.
• The key service returned an empty response.
For uniform resource use, Salesforce limits the amount of time for each key service callout to 3 seconds. If the callout takes more
than the allotted time, Salesforce fails the callout with a timeout error. Check that your key service is available. Make sure that your
named credential references the correct endpoint—check the URL, including the IP address.
Can I execute a remote callout in Apex?
Yes. Salesforce manages all authentication for Apex callouts that specify a named credential as the callout endpoint so that your
code doesn’t have to. To reference a named credential from a callout definition, use the named credential URL. A named credential
URL contains the scheme callout, the name of the named credential, and an optional path. For example:
callout:My_Named_Credential/some_path.
See Named Credentials as Callout Endpoints in the Apex Developer Guide.
Can I monitor my callout history?
If you want to review or track cache-only key events, use the RemoteKeyCalloutEvent standard object. Either use the
describeSObjects() call to view event information, or an after insert Apex trigger to perform custom actions after each
callout. For example, you can write a trigger that stores RemoteKeyCallout events in a custom object. When you store
RemoteKeyCallout events in a custom object, you can monitor your callout history. See the RemoteKeyCalloutEvent entry in
the Salesforce Object Reference for more information.
The Setup Audit Trail tracks changes in key material state and named credential settings. Callout history isn’t recorded in log files.
When I try to access data encrypted with a cache-only key, I see “?????” instead of my data. Why?
Masking means one of two things. Either the connection to your key service is broken and we can’t fetch your key, or the data is
encrypted with a destroyed key. Check that your key service is available and that your named credential references the correct
endpoint. If any key versions are marked as Destroyed as a result of a key service failure, recover the connection and manually activate
the key version.
Do I have to make a new named credential every time I rotate a key?
Nope. You can use a named credential with multiple keys. As long as you host your key material at the endpoint specified in an
existing named credential, you’re all set. When you rotate your key material, change the key ID in the Unique Key Identifier field.
Double-check that your new key is stored at the specified endpoint URL in your named credential.
I’m still having problems with my key. Who should I talk to?
If you still have questions, contact your account executive or Salesforce Customer Support. They’ll put you in touch with a support
team specific to this feature.
SEE ALSO:
Object Reference for Salesforce and Lightning Platform: RemoteKeyCalloutEvent
Key Management and Rotation
7. Click Save.
Tip: Standard matching rules are automatically deactivated when encryption is added to a field referenced by that rule. To
encrypt fields referenced in standard matching rules, follow steps 3–8.
8. After you get the email verifying encryption’s been enabled on your fields, reactivate your matching rule and associated duplicate
management rule.
Matching rules used in duplicate management now return exact and fuzzy matches on encrypted data.
Example: Let’s say you recently encrypted Billing Address on your Contacts, and you want to add this field to a custom matching
rule. First, deactivate the rule or rules you want to add this field to. Make sure that Billing Address is encrypted with the deterministic
encryption scheme. Then add Billing Address to your custom matching rule, just like you would add any other field. Finally, reactivate
your rule.
When you rotate your key material, you must update custom matching rules that reference encrypted fields. After you rotate your key
material, deactivate and then reactivate the affected matching rules. Then contact Salesforce to request the background encryption
process. When the background encryption process finishes, your matching rules can access all data encrypted with your active key
material.
Important: To ensure accurate matching results, customers who used the beta version of this feature must deactivate any
matching rules that reference encrypted fields and then reactivate them. If your custom matching rule fails on reactivation, contact
Salesforce for help reactivating your match index.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
SEE ALSO:
Customize Matching Rules
This works:
(encryptedField__c & encryptedField__c)
Why it doesn’t work: LOWER isn’t a supported function, and the input is an encrypted value.
Case
CASE returns encrypted field values, but doesn’t compare them.
This works:
CASE(custom_field__c, "1", cf2__c, cf3__c)
Why it works: custom_field__c is compared to “1”. If it is true, the formula returns cf2__c because it’s
not comparing two encrypted values.
This works:
OR(ISBLANK(encryptedField__c), ISNULL(encryptedField__c))
Why it works: Both ISBLANK and ISNULL are supported. OR works in this example because ISBLANK and
ISNULL return a Boolean value, not an encrypted value.
Spanning
This works:
(LookupObject1__r.City & LookupObject1__r.Street) &
(LookupObject2__r.City & LookupObject2__r.Street) &
(LookupObject3__r.City & LookupObject3__r.Street) &
(LookupObject4__r.City & LookupObject4__r.Street)
How and why you use it: Spanning retrieves encrypted data from multiple entities. For example, let’s say you work in the
customer service department for Universal Containers. A customer has filed a case about a distribution
problem, and you want to see the scope of the issue. You want all the shipping addresses related
to this particular case. This example returns all the customers’ shipping addresses as a single string
in your case layout.
Validation
The encryption validation service checks your org to make sure that it’s compatible with encrypted formula field types.
When you encrypt a given field, the validation service:
• Retrieves all formula fields that reference the field
• Verifies that the formula fields are compatible with encryption
• Verifies that the formula fields aren’t used elsewhere for filtering or sorting
Limits
Up to 200 formula fields can reference a given encrypted custom field. A field that is referenced by more than 200 formula fields can’t
be encrypted. If you need to reference an encrypted custom field from more than 200 formula fields, contact Salesforce.
When you specify multiple fields to encrypt at one time, the 200-field limit is applied to the whole batch. If you know that you are
encrypting fields that have multiple formula fields pointing to them, encrypt those fields one at a time.
SEE ALSO:
General Shield Platform Encryption Considerations
SEE ALSO:
Strengthen Your Data's Security with Shield Platform Encryption
3. Create a strategy early for backing up and archiving keys and data.
If your tenant secrets are destroyed, reimport them to access your data. You are solely responsible for making sure that your data
and tenant secrets are backed up and stored in a safe place. Salesforce cannot help you with deleted, destroyed, or misplaced tenant
secrets.
4. Read the Shield Platform Encryption considerations and understand their implications on your organization.
• Evaluate the impact of the considerations on your business solution and implementation.
• Test Shield Platform Encryption in a sandbox environment before deploying to a production environment. Encryption policy
settings can be deployed using change sets.
• Before enabling encryption, fix any violations that you uncover. For example, if you reference encrypted fields in a SOQL ORDER
BY clause, a violation occurs. Fix the violation by removing references to the encrypted fields.
• When requesting feature enablement, such as pilot features, give Salesforce Customer Support several days lead time. The time
to complete the process varies based on the feature and how your org is configured.
7. Grant the Manage Encryption Keys user permission to authorized users only.
Users with the Manage Encryption Keys permission can generate, export, import, and destroy organization-specific keys. Monitor
the key management activities of these users regularly with the setup audit trail.
12. Use discretion when granting login as access to users or Salesforce Customer Support.
If you grant login access to a user, and they have field level security access to an encrypted field, that user is able to view encrypted
data in that field in plaintext.
If you want Salesforce Customer Support to follow specific processes around asking for or using login as access, you can create
special handling instructions. Salesforce Customer Support follows these instructions in situations where login as access may help
them resolve your case. To set up these special handling instructions, contact your account executive.
Flow Builder Record Choice Set resource Record Choice Set resource
Get Records element Get Records element
Delete Records element
Update Records element
Condition requirements
You can store the value from an encrypted field in a variable and operate on that value in your flow’s logic. You can also update the
value for an encrypted field.
Paused flow interviews can cause data to be saved in an unencrypted state. When a flow or process is waiting to resume, the associated
flow interview is serialized and saved to the database. The flow interview is serialized and saved when:
• Users pause a flow
• Flows execute a Pause element
• Processes are waiting to execute scheduled actions
If the flow or process loads encrypted fields into a variable during these processes, that data isn’t always encrypted at rest.
Custom Fields
You can’t use encrypted custom fields in criteria-based sharing rules.
Some custom fields can’t be encrypted.
• Fields that have the Unique or External ID attributes or include these attributes on previously encrypted custom fields
(applies only to fields that use the probabilistic encryption scheme)
• Fields on external data objects
• Fields that are used in an account contact relation
You can’t use Schema Builder to create an encrypted custom field.
You can’t use Shield Platform Encryption with Custom Metadata Types.
Tip: Consider whether you can replace a WHERE clause in a SOQL query with a FIND query in SOSL.
• When you query encrypted data, invalid strings return an INVALID_FIELD error instead of the expected MALFORMED_QUERY.
If you encrypt the contact email address field, the Salesforce Connector can’t use the email address as a secondary prospect match
criteria. For more information, read Salesforce Connector Settings.
Portals
If a legacy portal (created before 2013) is enabled in your org, you can't encrypt standard fields. Deactivate all legacy customer and
partner portals to enable encryption on standard fields. (Salesforce Experience Cloud sites are supported.)
To deactivate a legacy customer portal, go to the Customer Portal Settings page in Setup. To deactivate a legacy partner portal, go to
the Partners page in Setup.
Search
If you encrypt fields with a key and then destroy the key, the corresponding search terms remain in the search index. However, you can’t
decrypt the data associated with the destroyed key.
Email-to-Case
Copying text from email fields also copies unicode characters embedded in email text. Two of those unicode character sequences,
\uFFFE and \uFFFF, can’t be included in text encrypted by Shield Platform Encryption. If you encounter an error mentioning these
unicode sequences, delete the text copied from the email field and type it manually.
Campaigns
Campaign member search isn’t supported when you search by encrypted fields.
Notes
You can encrypt the body text of Notes created with the new Notes tool. However, the Preview file and Notes created with the old Notes
tool aren’t supported.
Salesforce Experiences
If you encrypt the Account Name field and you’re not using Person Accounts, encryption affects how users’ roles are displayed to admins.
Normally, a site user’s role name is displayed as a combination of their account name and the name of their user profile. When you
encrypt the Account Name field, the account ID is displayed instead of the account name.
For example, when the Account Name field isn’t encrypted, users belonging to the Acme account with the Customer User profile would
have a role called Acme Customer User. When Account Name is encrypted (and Person Accounts aren’t in use), the role is displayed
as something like 001D000000IRt53 Customer User.
Employees
If the email field is encrypted using probabilistic encryption, wellness check surveys can’t be used. Deterministic encryption is fully
supported.
General
• Encrypted fields can’t be used in:
– Criteria-based sharing rules
– Similar opportunities searches
– External lookup relationships
• Fields encrypted with the probabilistic encryption scheme can’t be used in filter criteria for data management tools. For considerations
specific to filter-preserving deterministic encryption, read Considerations for Using Deterministic Encryption.
• Web-to-Case is supported, but the Web Company, Web Email, Web Name, and Web Phone fields aren’t encrypted at rest.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Filter Operators
In reports and list views, the operators “equals” and “not equal to” are supported with case-sensitive deterministic encryption. Other
operators, like “contains” or “starts with,” don’t return an exact match and aren’t supported. Features that rely on unsupported operators,
such as Refine By filters, also aren’t supported.
Case-insensitive deterministic encryption supports list views and reports. However, the user interface displays all operators, including
operators that aren’t supported for encrypted data. To review the list of supported operators, see Use Encrypted Data in Formulas.
Formulas
Fields encrypted with the deterministic encryption scheme can’t be referenced in SOQL WHERE queries.
Case Sensitivity
When you use case-sensitive deterministic encryption, case matters. In reports, list views, and SOQL queries on encrypted fields, the
results are case-sensitive. Therefore, a SOQL query against the Contact object, where LastName = Jones, returns only Jones, not jones
or JONES. Similarly, when the case-sensitive deterministic scheme tests for unicity (uniqueness), each version of “Jones” is unique.
External ID
Case-insensitive deterministic encryption supports Text and Email external ID custom fields but not other external ID custom fields.
When you create or edit these fields, use one of the following field setting combinations.
You can’t save changes to both Unique - Case-Sensitive and Encrypted options at the same time. Change one setting, save it, then
change the next.
Compound Fields
Even with deterministic encryption, some kinds of searches don’t work when data is encrypted with case-sensitive deterministic encryption.
Concatenated values, such as compound names, aren’t the same as the separate values. For example, the ciphertext for the compound
name “William Jones” isn’t the same as the concatenation of the ciphertexts for “William” and “Jones”.
So, if the First Name and Last Name fields are encrypted in the Contacts object, this query doesn’t work:
Select Id from Contact Where Name = 'William Jones'
Case-sensitive and case-insensitive deterministic encryption schemes support compound fields, but only with individual column queries.
Indexes
Case-sensitive deterministic encryption supports single-column indexes, single-column case-sensitive unique indexes, two-column
indexes, and custom indexes on standard and custom fields.
Case-insensitive deterministic encryption offers limited support for standard indexes on the following standard fields.
• Contact—Email
• Email Message—Relation
• Lead—Email
• Name
Queries against these fields, when encrypted with case-insensitive deterministic encryption, can perform poorly with large tables. For
optimal query performance, use custom indexes instead of standard indexes. To set up custom indexes, contact Salesforce Customer
Support.
Expect the enablement process to take longer when you apply deterministic encryption to a field with a large number of records. To
support filtering, the enablement process also rebuilds field indexes.
Chat
For the best possible recommendation results, use the case-sensitive deterministic encryption scheme with the Utterance field on the
Utterance Suggestion object. This field doesn’t support other encryption schemes at this time.
The Actor Name field on the Conversation Entry object supports case-sensitive deterministic encryption, but not case-insensitive
deterministic encryption.
Note: This list isn’t exhaustive. For information about a field not shown here, refer to the API.
Note: This page is about Shield Platform Encryption, not Classic Encryption. What's the difference?
Session Security
After logging in, a user establishes a session with the platform. Use session security to limit exposure to your network when a user leaves
the computer unattended while still logged in. Session security also limits the risk of internal attacks, such as when one employee tries
to use another employee’s session. Choose from several session settings to control session behavior.
You can control when an inactive user session expires. The default session timeout is two hours of inactivity. When the session timeout
is reached, users are prompted with a dialog that allows them to log out or continue working. If they don’t respond to this prompt,
they’re logged out.
Note: When users close a browser window or tab, they aren’t automatically logged out from their Salesforce session. Ensure that
your users are aware of this behavior and that they end all sessions properly by selecting Your Name > Logout.
User sessions can expire when a new Salesforce major release takes effect. To avoid disruptions, start a new session after a major release.
To see major release dates for your instance, go to Trust Status, search for your instance, and click the maintenance tab.
You can restrict access to certain types of resources based on the security level associated with the authentication method for the user’s
current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session
security level and define policies so that specified resources are available only to users assigned a High Assurance level. For details, see
Session-level Security.
You can control whether your org stores user logins and whether they can appear from the Switcher with the settings Enable caching
and autocomplete on login page, Enable user switching, and Remember me until logout.
SEE ALSO:
Set Trusted IP Ranges for Your Organization
Monitor Identity Verification History
Note: Salesforce updates the last active session time value every 5 minutes. So if you have a 30-minute timeout and you
update a record at the 3-minute mark, Salesforce checks for activity and refreshes your session at the 5-minute mark. If you
don’t make any other updates, the total length of the session is 35 minutes.
3. To disable the timeout warning message for inactive users, select Disable session timeout warning popup. When this parameter
isn’t selected, a timeout warning message prompts inactive users 30 seconds before timeout, or as specified by the timeout value.
4. To invalidate timed-out sessions for inactive users, select Force logout on session timeout. The browser refreshes and returns to
the login page, and the user must log in again for access.
Note: When this setting is enabled, don’t select Disable session timeout warning popup.
Note: This setting can inhibit various applications and mobile devices.
3. To associate a current UI session for a user with a specific domain, select Lock sessions to the domain in which they were first
used. For example, associate an Experience Cloud site user with the site domain. This setting helps prevent unauthorized use of the
session ID in another domain. This setting is enabled by default for Salesforce orgs created with the Spring ’15 release or later.
4. Optionally, enable Allow employees to log in directly to an Experience Cloud site (recommended). With this setting, your
internal users can use their internal username and password on the site login page. Employees must be members of the site to log
in directly from the site login page. After they log in, your internal users land on the site home page.
Note: If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require
HttpOnly attribute breaks your application. It denies the application access to the cookie. Also if you select this setting, the
AJAX Toolkit debugging window isn’t available.
4. To send session information using a POST request rather than a GET request for cross-domain exchanges, select Use POST requests
for cross-domain sessions. For example, when you use a Visualforce page, POST requests are more secure because they keep the
session information in the body of the request. But if you enable this setting, sometimes embedded content from another domain,
such as an image, doesn’t display.
5. To allow access only from the IP addresses defined in Login IP Ranges, select Enforce login
IP ranges on every request.
• If you enable this setting, login IP ranges are enforced on each page request, including requests from client applications.
• If you don’t enable this setting, login IP ranges are enforced only when a user logs in. This setting affects all user profiles with
login IP restrictions.
6. For Login IP Ranges (for Contact, Manager, Group, and Professional editions only), if you selected Enforce login IP ranges on
every request, specify a range of IP addresses that users must log in from (inclusive). To specify a range, click New, and enter a Start
IP Address and End IP Address to define the range, which includes the start and end values.
Note: This field isn’t available in Enterprise, Unlimited, Performance, and Developer Editions. In those editions, you can specify
a valid Login IP Range in the user profile settings.
Warning: Disabling secure and persistent browser caching has a significant negative performance impact on Lightning
Experience. Only disable in these scenarios.
• Your company’s policy doesn’t allow browser caching, even if the data is encrypted.
• During development in a sandbox or Developer Edition, you want to see the effect of any code changes without emptying
the secure cache.
4. To display the Switcher when your users select their profile pictures, select Enable user switching. This setting is enabled by
default. To prevent your org from displaying in Switchers on other orgs, deselect this setting. Deselecting it also prevents your
users from seeing the Switcher when they select their profile picture.
Note: To enable the Enable user switching setting, you must also enable the Enable caching and autocomplete on login
page setting.
5. To delete cached usernames only when the user explicitly logs out, select Remember me until logout. If the session times out,
usernames display on the Switcher as inactive. So if users are on their own computer and allow a session to time out, they can select
the username to reauthenticate. But if they’re on a shared computer, the username is deleted immediately when the user logs out.
This setting applies to all your users.
If you don’t enable this setting (default), usernames are cached only while a session is active or a user selects Remember Me. This
option isn’t available for single sign-on sessions. When the session expires, the username disappears from the login page and the
Switcher. Keep this setting disabled if authentication providers aren’t exposed on your login page.
6. To load Lightning Experience and other apps faster by enabling Akamai’s content delivery network (CDN) to serve the static content
for Lightning Component framework, select Enable Content Delivery Network (CDN) for Lightning Component framework.
A CDN generally speeds up page load time, but it also changes the source domain that serves the files. If your company has IP range
restrictions for content served from Salesforce, test thoroughly before enabling this setting. CDNs improve the load time of static
content by storing cached versions in multiple geographic locations. This setting turns on CDN delivery for the static JavaScript and
CSS in the Lightning Component framework. It doesn’t distribute your Salesforce data or metadata in a CDN.
2. To override a specific security restriction on accessing email templates in Salesforce Classic from Internet Explorer, select Override
Restriction on Accessing Email Templates in Salesforce Classic Using Internet Explorer.
Warning: We strongly recommend against enabling this setting. Internet Explorer doesn’t meet Salesforce’s required level
of browser security protection. Enabling this setting makes your users vulnerable to malicious third-party attempts to access
your data.
3. To prohibit the use of the unsafe-inline source for the script-src directive, select Enable Stricter Content Security
Policy.
The Lightning Component framework uses Content Security Policy (CSP), the W3C standard to control the source of content that
can be loaded on a page. This setting mitigates the risk of cross-site scripting attacks and is enabled by default.
Important: We strongly recommend that you keep this setting enabled. Lightning Locker and Lightning Web Security rely
on this setting to provide strong security for Lightning components.
4. To protect your users from malicious URLs and phishing, specify external domains that you trust, and then choose an External
Redirection setting. You can block these redirections or alert the user that the link is taking them outside the Salesforce domain. For
details, see Manage Redirects to External URLs in Salesforce Help. In Lightning Experience, the warning message applies only to web
tabs.
Note: Enable Content Sniffing protection is enabled and can’t be disabled. This setting helps prevent the execution of malicious
files (JavaScript, Style sheet) as dynamic content by preventing the browser from inferring the MIME type from the document
content. To temporarily disable this feature for issue remediation, contact Salesforce Customer Support.
Activation | Standard | Users verify their identity when accessing Salesforce from a new browser or device.
SAML | Standard | Users are authenticated using the SAML protocol for single sign-on. The security level for a SAML session can also be specified using the SessionLevel attribute of the SAML assertion sent by the identity provider. The attribute can take one of two values: STANDARD or HIGH_ASSURANCE.
Configure High Assurance Sessions for Reports, Dashboards, and Connected Apps
You can also set policies requiring High Assurance on reports, dashboards, and connected apps. And you can specify an action to take
when the session that’s used to access the resource isn’t High Assurance. These actions are supported.
• Block—Prevents access to the resource by showing an insufficient privileges error.
• Raise session level—Prompts users to complete MFA. When users authenticate successfully, they can access the resource. For reports
and dashboards, you can apply this action when users access reports or dashboards, or just when they export and print them.
Warning: Raising the session level to High Assurance by redirecting the user to complete MFA isn’t a supported action in Lightning
Experience. If you enable Lightning Experience and set the High Assurance session policy requirement, Lightning Experience users
with a standard session are blocked from reports and dashboards. Also, they don’t see the icons for these resources in the navigation
menu. As a workaround, users with a Standard Assurance session can log out and log in again using an authentication method
that is defined as High Assurance for their org. Then they can access reports and dashboards. Or they can switch to Salesforce
Classic, where they’re prompted to raise the session level when they attempt to access reports and dashboards.
Session levels have no impact on resources in the app other than connected apps, reports, and dashboards that have defined security
policies.
For information about requiring High Assurance when accessing a connected app, see Manage Session Policies for a Connected App.
To require a High Assurance policy when accessing reports and dashboards, take these steps.
1. From Setup, in the Quick Find box, enter Access Policies, then select Access Policies.
2. Select High Assurance session required.
3. Select an option to block access to reports and dashboards or to raise the session level to high assurance.
4. Save your changes.
For more information, see Require High Assurance Session Security for Sensitive Operations.
This redirect logout URL is used only if no logout URL is specified in the identity provider, SAML single sign-on, or third-party
authentication provider settings. If you don’t provide a logout URL, the default is
https://MyDomainName.my.salesforce.com.
3. To redirect all expired tabs in your browser to your custom logout URL, select Store the redirect logout URL in your local browser.
Before enabling this setting, review these considerations.
• This setting uses the browser’s local storage to store the custom logout URL.
• Verify that this setting doesn’t interfere with your custom login integrations.
SEE ALSO:
Session Security
Explore the Salesforce Setup Menu
Monitor Identity Verification History
Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
Require High-Assurance Session Security for Sensitive Operations
Network Best Practices
Note: Who Sees What: Organization Access (English only)
Watch how you can restrict login through IP ranges and login hours.
To help protect your organization’s data from unauthorized access, you can specify a list of IP
addresses from which users can log in without receiving a login challenge. However, this step
doesn’t restrict access entirely for users outside the Trusted IP Range. After these users complete
the login challenge, usually by entering a code sent to their mobile device or email address, they
can log in.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All Editions
USER PERMISSIONS
To change network access:
• Manage IP Addresses
1. From Setup, in the Quick Find box, enter Network Access, and then select Network Access.
2. Click New.
3. Enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.
The start and end addresses define the range of allowable IP addresses from which users can log in, including the start and end
values. If you want to allow logins from a single IP address, enter the same address in both fields.
The start and end IP addresses must be in an IPv4 range and include no more than 33,554,432 addresses (2^25, a /7 CIDR block).
4. Optionally, enter a description for the range. For example, if you maintain multiple ranges, enter details about the part of your network
that corresponds to this range.
5. Save your changes.
Example: Warren is an IT Systems specialist for a business that handles highly sensitive customer data. He uses the Security
Center app to monitor the security posture for multiple Salesforce tenants. Warren can define and deploy Trusted IP ranges to
selected tenants from the Security Center app. For more information, see Define and Deploy Security Policies.
Note: For organizations that were activated before December 2007, Salesforce automatically populated your organization’s
trusted IP address list in December 2007, when this feature was introduced. The IP addresses from which trusted users had already
accessed Salesforce during the past six months were added.
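The range rules in step 3 (IPv4 only, end not lower than start, both ends included, at most 2^25 addresses) can be checked before a range is entered in Setup. This is an added example, not Salesforce code; the function names and sample addresses are constructed, and the CIDR summary is an extra convenience for comparing the range with firewall rules.

```python
import ipaddress

MAX_RANGE_SIZE = 2 ** 25  # 33,554,432 addresses, the size of a /7 block


def validate_trusted_range(start: str, end: str) -> dict:
    """Check a start/end pair against the trusted-range rules.

    Returns the inclusive address count and the CIDR blocks covering
    exactly the same addresses. Raises ValueError for a range that
    breaks a rule (ipaddress raises it for unparsable input).
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    if first.version != 4 or last.version != 4:
        raise ValueError("start and end must both be IPv4 addresses")
    if int(last) < int(first):
        raise ValueError("end address is lower than start address")
    size = int(last) - int(first) + 1  # the range includes both ends
    if size > MAX_RANGE_SIZE:
        raise ValueError(f"range holds {size} addresses, limit is {MAX_RANGE_SIZE}")
    blocks = [str(net) for net in ipaddress.summarize_address_range(first, last)]
    return {"size": size, "cidr": blocks}


def in_trusted_range(address: str, ranges) -> bool:
    """True if address falls inside any (start, end) pair, ends included.

    A login from such an address skips the login challenge; a login from
    any other address is challenged, not refused.
    """
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        return False  # trusted ranges are IPv4 only
    return any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
        for lo, hi in ranges
    )


# Constructed sample ranges (documentation and private address space).
SAMPLE_RANGES = [
    ("203.0.113.10", "203.0.113.20"),  # office egress addresses
    ("192.0.2.7", "192.0.2.7"),        # single address: same start and end
]

if __name__ == "__main__":
    for lo, hi in SAMPLE_RANGES:
        print(lo, hi, validate_trusted_range(lo, hi))
    print(validate_trusted_range("10.0.0.0", "11.255.255.255"))  # largest allowed
    for probe in ("203.0.113.20", "203.0.113.21"):
        print(probe, "trusted" if in_trusted_range(probe, SAMPLE_RANGES) else "challenged")
```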
SEE ALSO:
Session Security
Security Implementation Guide
• font-src
• media-src
This change to the CSP header directives allows Lightning components to load resources, such as images, styles, and fonts, from the
site. It also allows client-side code to make requests to the site.
For Aura sites in Experience Cloud, if the HTTP header size is greater than 8 KB, the directives are moved from the CSP header to the
<meta> tag. We recommend that you don't exceed 3 KB for the header size per context to avoid errors from infrastructure limits.
Important: You can’t load JavaScript resources from a third-party site, even if it’s a CSP Trusted Site. To use a JavaScript library
from a third-party site, add it to a static resource, and then add the static resource to your component. After the library is loaded
from the static resource, you can use it as normal.
1. From Setup, enter CSP in the Quick Find box, then select CSP Trusted Sites.
This page displays a list of any CSP Trusted Sites already registered, and provides additional information about each site, including
site name and URL.
2. Select New Trusted Site.
3. Enter a name for the trusted site.
For example, Google Maps.
Important: CSP requires secure (https or wss) connections for external resources because an insecure (http or ws)
connection would compromise the security of your org.
Context | Description
All (Default) | CSP header is approved for all supported context types.
Experience Builder Sites | CSP header is approved only for your organization’s Experience Builder sites.
Lightning Experience pages | CSP header is approved only for your organization’s Lightning Experience.
VisualForce | CSP header is approved only for your organization’s custom Visualforce pages. For custom Visualforce pages, content is restricted to CSP Trusted Sites only if the page’s cspHeader attribute is set to true.
8. Select which resources Lightning components can load from this site. To reduce the size of the HTTP header, only select the resources
that are necessary. You must select at least one resource setting. If you don't select any resources, the Allow site for img-src
setting is enabled by default. If the HTTP header size is greater than 8 KB, the report-uri directive isn’t supported for published
sites.
Setting | Description
Allow site for connect-src | Allow Lightning components to load URLs using script interfaces from this site.
Allow site for font-src | Allow Lightning components to load fonts from this site.
Allow site for frame-src | Allow Lightning components to load resources contained in <iframe> elements from this site.
Allow site for img-src | Allow Lightning components to load images from this site.
Allow site for media-src | Allow Lightning components to load audio and video from this site.
Allow site for style-src | Allow Lightning components to load style sheets from this site.
9. Select Save.
CSP isn’t enforced by all browsers. For a list of browsers that enforce CSP, see caniuse.com.
IE11 doesn’t support CSP, so we recommend using other supported browsers for enhanced security.
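The CSP properties this section names (no unsafe-inline source for script-src, https or wss sources only, and the 3 KB and 8 KB header-size thresholds) can be checked against a header value captured from a page response. This is an added example, not Salesforce tooling; the sample header and finding codes are constructed, and reading "KB" as 1,024 bytes is an assumption.

```python
KB = 1024                   # assumption: the page's "KB" is taken as 1,024 bytes
RECOMMENDED_MAX = 3 * KB    # recommended ceiling for the header size per context
HARD_THRESHOLD = 8 * KB     # above this, Aura sites move directives to <meta>
INSECURE_SCHEMES = {"http", "ws"}


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A directive that appears twice keeps its first occurrence.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_scheme(source: str):
    """Scheme of a source expression, or None for keywords and bare hosts."""
    if source.startswith("'"):
        return None
    if "://" in source:
        return source.split("://", 1)[0].lower()
    if source.endswith(":"):  # scheme-source such as "http:"
        return source[:-1].lower()
    return None


def audit_csp(header: str) -> list:
    """Return (code, detail) findings for one CSP header value."""
    findings = []
    policy = parse_csp(header)

    # Scripts fall back to default-src when script-src is absent.
    script_directive = "script-src" if "script-src" in policy else "default-src"
    script_sources = [s.lower() for s in policy.get(script_directive, [])]
    if "'unsafe-inline'" in script_sources:
        findings.append(("unsafe-inline", script_directive))

    # External resources must use https or wss.
    for directive, sources in policy.items():
        if not directive.endswith("-src"):
            continue
        for source in sources:
            if source_scheme(source) in INSECURE_SCHEMES:
                findings.append(("insecure-source", f"{directive} {source}"))

    size = len(header.encode("utf-8"))
    if size > HARD_THRESHOLD:
        findings.append(("over-8kb", size))
    elif size > RECOMMENDED_MAX:
        findings.append(("over-3kb", size))
    return findings


# Constructed sample header value.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline'; "
    "img-src 'self' https://maps.example.com http://legacy.example.com; "
    "connect-src 'self' wss://push.example.com ws://old.example.com; "
    "font-src https://fonts.example.com"
)

if __name__ == "__main__":
    for code, detail in audit_csp(SAMPLE_HEADER):
        print(f"{code}: {detail}")
```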
SEE ALSO:
Work With APIs
Secure Coding Guide: Secure Coding WebSockets
Lightning Aura Components Developer Guide: Content Security Policy Overview
Mozilla Developer Network: The WebSocket API
Note: The CSP frame-ancestors header replaces the obsolete X-Frame-Options header. For more information, see
X-Frame-Options on the Mozilla Developer Network.
Lightning Pages
Lightning pages delivered by Salesforce as part of the Platform can frame Lightning pages within the same org. The URLs for these pages
contain lightning.force.com and a unique identifier in the form of a 16-digit number. For these pages, the CSP
frame-ancestors HTTP response header is set to 'self', and you can’t change the HTTP response header.
For details on clickjack protection options for your Experience Cloud site’s Lightning page, see the section of this topic on Experience
Cloud sites.
Visualforce Pages
By default, Visualforce pages can be loaded in an iframe. For Visualforce pages with headers, the CSP frame-ancestors HTTP
response header is absent.
To prevent external websites from loading your Visualforce pages in an iframe, enable two session settings. Then you can optionally
define the external domains that you trust to frame your Visualforce pages. For more information, see Enable Clickjack Protection for
Visualforce Pages and Specify Trusted Domains for Inline Frames in Salesforce Help.
Surveys
By default, Surveys can be framed by pages with the same domain and protocol security. The CSP frame-ancestors HTTP response
header is set to 'self'.
Optionally, you can define the external domains that you trust to frame the surveys for your org. For more information, see Specify Trusted
Domains for Inline Frames in Salesforce Help.
SEE ALSO:
Session Security
Mozilla Developer Network: CSP: frame-ancestors
To allow trusted external sites to load your Visualforce pages in an iframe, add each domain that
you trust to the allowlist in Session Settings. For more information, see Specify Trusted Domains for Inline Frames in Salesforce Help.
SEE ALSO:
Configure Clickjack Protection
Salesforce Feedback Management
Note: To specify trusted domains for Experience Cloud sites and Salesforce Sites, see Enable
Clickjack Protection for Experience Builder Sites and Enable Clickjack Protection in Site.com
in Salesforce Help.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To modify session security settings:
• Customize Application
1. From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.
2. In the Trusted Domains for Inline Frames section of the Session Settings Setup page, click Add Domain.
3. Enter the domain.
Acceptable formats are example.com, https://example.com, and *.example.com.
4. Select the allowed IFrame Type for this domain.
a. To allow the specified domain to load Visualforce pages in an iframe, select Visualforce
Pages and save your changes.
If clickjack protection is enabled for the Visualforce page, the domain is added to the Content
Security Policy (CSP) frame-ancestors HTTP response header for the corresponding
Visualforce pages. For example, 'self' abc.com *.my.site.com. For more information, see Enable Clickjack Protection
for Visualforce Pages in Salesforce Help.
If clickjack protection isn’t enabled for the Visualforce page, then all external websites can load the Visualforce page in an iframe.
For more information, see Configure Clickjack Protection in Salesforce Help.
b. To allow the specified domain to load surveys in an iframe, select Surveys and save your changes.
The domain is added to the CSP frame-ancestors HTTP response header for Survey pages. For example, 'self'
abc.com *.my.site.com.
5. To edit a domain in your Trusted Domains for Inline Frames list, click Edit for that domain.
6. To delete a domain in your Trusted Domains for Inline Frames list, click Del for that domain.
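To see which parent sites a given allowlist admits, the frame-ancestors value can be evaluated the way an enforcing browser does. This is an added example, not Salesforce code: it is a simplified matcher (hostnames only, one ancestor at a time), the header value is the one shown in step 4, and the page URL and parent URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def scheme_ok(wanted: str, actual: str) -> bool:
    # CSP lets an http source also match the https version of the host.
    return wanted == actual or (wanted == "http" and actual == "https")


def source_matches(source: str, parent, page) -> bool:
    """Match one frame-ancestors source expression against the parent origin."""
    p_scheme, p_host, p_port = parent
    expr = source.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return parent == page
    if expr == "*":
        return p_scheme in DEFAULT_PORTS
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = None, expr
    rest = rest.split("/", 1)[0]  # ignore any path part
    host, _, port = rest.partition(":")
    # A source without a scheme is matched using the framed page's scheme.
    if not scheme_ok(scheme or page[0], p_scheme):
        return False
    if host.startswith("*."):
        # "*.example.com" covers subdomains but not example.com itself.
        if not p_host.endswith(host[1:]):
            return False
    elif host != p_host:
        return False
    if port == "*":
        return True
    wanted_port = int(port) if port else DEFAULT_PORTS.get(p_scheme)
    return p_port == wanted_port


def can_frame(csp_header, page_url: str, parent_url: str) -> bool:
    """Would a CSP-enforcing browser let parent_url frame page_url?"""
    if not csp_header:
        return True  # no header sent: framing is unrestricted
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            parent, page = origin_of(parent_url), origin_of(page_url)
            return any(source_matches(s, parent, page) for s in tokens[1:])
    return True  # header present but without a frame-ancestors directive


HEADER = "frame-ancestors 'self' abc.com *.my.site.com"   # value from step 4
PAGE = "https://pages.example.org/apex/Demo"               # constructed page URL

if __name__ == "__main__":
    for parent in ("https://abc.com/portal", "http://abc.com/",
                   "https://shop.my.site.com/", "https://my.site.com/",
                   "https://notmy.site.com/"):
        print(parent, "allowed" if can_frame(HEADER, PAGE, parent) else "blocked")
```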
SEE ALSO:
Configure Clickjack Protection
Example: Let’s look at how URLs are shared with the strict-origin-when-cross-origin HTTP Referrer Policy.
Start on your user profile on an Experience Cloud site with the URL
https://MyDomainName.my.site.com/pageName/s/profile/userId. When you click a link on your profile
to another Experience Cloud site page with the URL https://MyDomainName.my.site.com/pageName, both URLs
are on the site.com domain, and both URLs use the HTTPS protocol. So the full URL of your user profile is shared as the referrer.
That Experience Cloud site page includes an embedded image with the URL
http://example.com/images/header_image.png. Loading that image is an example of a request with a downgraded
protocol because the site page uses HTTPS but the target URL uses HTTP. The request to load the image includes no referrer
information.
Then you click a link on that Experience Cloud site page to access a report with the URL
https://MyDomainName.lightning.force.com/lightning/r/Report/reportId/view. This action
initiates a cross-origin request because site.com and force.com are different domains. And both URLs use the same protocol: HTTPS.
So in this case, the request includes only the origin as the referrer. The origin is the URL without the path, in this case,
https://MyDomainName.my.site.com. A request to an external website on the same protocol, such as
https://www.example.com, also includes only the origin as the referrer.
For more information on HTTP Referrer Policy values, including examples, see the Referrer-Policy entry in the MDN Docs HTTP Guide.
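The walk-through above can be expressed as the decision a browser makes for each request under strict-origin-when-cross-origin. This is an added example, not Salesforce code; the function names are constructed, the URLs are the ones from the example, and the output shows the host in lowercase and the origin with a trailing slash, which is how browsers serialize it.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SECURE_SCHEMES = {"https", "wss"}


def origin_tuple(url: str):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def referrer_sent(page_url: str, target_url: str):
    """Referer value for a request from page_url to target_url.

    Returns the full URL, the origin only, or None when the header is
    omitted, following strict-origin-when-cross-origin.
    """
    src = urlsplit(page_url)
    scheme, host, port = origin_tuple(page_url)
    # Keep the port in the output only when it isn't the scheme's default.
    netloc = host if port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"

    if origin_tuple(page_url) == origin_tuple(target_url):
        # Same origin: full URL, without credentials or fragment.
        return urlunsplit((scheme, netloc, src.path or "/", src.query, ""))

    target_scheme = urlsplit(target_url).scheme.lower()
    if scheme in SECURE_SCHEMES and target_scheme not in SECURE_SCHEMES:
        return None  # downgraded protocol: no referrer information

    return f"{scheme}://{netloc}/"  # cross-origin, same security: origin only


# URLs from the example above.
PROFILE = "https://MyDomainName.my.site.com/pageName/s/profile/userId"
SITE_PAGE = "https://MyDomainName.my.site.com/pageName"
IMAGE = "http://example.com/images/header_image.png"
REPORT = "https://MyDomainName.lightning.force.com/lightning/r/Report/reportId/view"

if __name__ == "__main__":
    for source, target in ((PROFILE, SITE_PAGE), (SITE_PAGE, IMAGE),
                           (SITE_PAGE, REPORT), (SITE_PAGE, "https://www.example.com")):
        print(f"{source} -> {target}\n  Referer: {referrer_sent(source, target)}")
```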
Tip: The origin URL pattern doesn’t always match the URL that appears in your browser's address bar.
Note: To access certain OAuth endpoints with CORS, other requirements apply. See Enable CORS for OAuth Endpoints.
SEE ALSO:
Work With APIs
Note: To preserve your users’ access to required content, we recommend that you review
the expected behavior and test COOP in a sandbox before you enable this feature in
production.
Browser access checks use the headers for both your Visualforce page and the external sites
that you access from your page. The combination of Cross-Origin Opener Policy (COOP) and
Cross-Origin Embedder Policy (COEP) headers determines whether the Visualforce page and
external sites can interact. To learn more about COOP and COEP, we recommend these topics
on MDN Web Docs: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy.
USER PERMISSIONS
To modify session security settings:
• Customize Application
1. From Setup, in the Quick Find box, enter Session Settings, and then click Session Settings.
2. In the Visualforce Cross-Origin Security Headers section, select Cross-Origin Opener Policy (COOP).
3. Save your changes.
SEE ALSO:
Session Security
Restrict Page Resource Requests with Cross-Origin Embedder Policy (COEP)
• Cross Origin Resource Policy (CORP). The externally sourced content includes the
Cross-Origin-Resource-Policy header with the cross-origin value.
• Cross-Origin Resource Sharing (CORS). The external origin includes your page or its domain in
its CORS allowlist. When your page makes a request, the external origin responds with the
required Access-Control-Allow-* headers that allow your page access to the content.
Note: To preserve your users’ access to required content, we recommend that you review
the expected behavior and test COEP in a sandbox before you enable this feature in production.
Browser access checks use the headers for both your Visualforce page and the external sites
that you access from your page. The combination of Cross-Origin Embedder Policy (COEP)
and Cross-Origin Opener Policy (COOP) headers determines whether the Visualforce page
and external sites can interact. To learn more about COOP and COEP, we recommend these
topics on MDN Web Docs: Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy.
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To modify session security settings:
• Customize Application
1. From Setup, in the Quick Find box, enter Session Settings, and then click Session Settings.
2. In the Visualforce Cross-Origin Security Headers section, select Cross-Origin Embedder Policy (COEP).
SEE ALSO:
Session Security
Protect Your Visualforce Pages with Cross-Origin Opener Policy (COOP)
• Manage Encryption Keys—Controls access to the Platform Encryption page, the Certificate and Key Management Setup page,
and the TenantSecret object.
• Manage Auth. Providers—Controls access to the Auth. Providers page, the User Details Setup page, and the AuthProvider object.
• Manage Certificates—Controls access to the Certificate and Key Management Setup page, Single Sign-On Settings Setup page,
and the Certificate object.
• Manage Connected Apps—Controls access to the Connected Apps Setup pages and the App Manager Setup page.
• Manage Data Export—Controls access to the Data Export Setup page.
• Manage IP Addresses—Controls access to the Network Access Setup page.
• Manage Login Access Policies—Controls access to the Login Access Policies Setup page.
• Manage Password Policies—Controls access to the Password Policies Setup page and profile details.
• Manage Permission Sets and Profiles—Controls access to the Permission Sets and Profile Setup pages and related objects.
• Manage Roles—Controls access to the Roles Setup page, the UserRole object, and the Role object in Metadata API.
• Manage Sharing—Controls access to the Sharing Settings Setup page, the SharingRules object, and the CustomObject’s
sharingModel field in Metadata API.
• Manage Multi-Factor Authentication in API—Controls access to the VerificationHistory, TwoFactorInfo, and TwoFactorTempCode
objects.
• Manage Multi-Factor Authentication in User Interface—Controls access to the Identity Verification History Setup page and the
VerificationHistory, TwoFactorInfo, and TwoFactorTempCode objects.
• Manage Users—Controls access to the Users Setup page.
• Unlock Users and Reset Passwords—Controls permission to reset passwords and unlock users on the Users Setup page.
• View Health Check—Controls access to the Health Check Setup page.
Note: You can’t block users from accessing the setup areas controlled by the Manage Permission Sets and Profiles or Manage
Users settings.
When you manually end a user’s session by clicking the Remove button, the user must log in again
to the organization.
Available in: All Editions
Note: If your org has a login flow with a concurrent user limit of 1, then instruct the user to
wait a few minutes before attempting to log in again. The system needs time to periodically
clear obsolete session records from memory.
Salesforce issues a session cookie to record encrypted authentication information for the duration of a specific session. The session cookie
doesn't include the user's username or password. Salesforce doesn't use cookies to store other confidential user and session information,
but instead implements more advanced security methods based on dynamic data and encoded session IDs.
This table contains information about the fields that you can view on this page. Because of the nature of geolocation technology, the
accuracy of geolocation fields, for example, country, city, or postal code, can vary.
Set Up and Maintain Your Salesforce Organization Session Security
| Field | Description |
| --- | --- |
| City | The city where the user’s IP address is physically located. This value isn’t localized. |
| Country | The country where the user’s IP address is physically located. This value isn’t localized. |
| Country Code | The ISO 3166 code for the country where the user’s IP address is physically located. This value isn’t localized. For more information, see Country Codes - ISO 3166. |
| Location | The approximate location of the IP address from where the user logged in. To show more geographic information, such as approximate city and postal code, create a custom view to include those fields. This value isn’t localized. |
| Login Type | The type of login associated with the session. Some login types include Application, SAML, and Portal. |
| Parent Session ID | If a session has a parent, this ID is the parent’s unique ID. |
| Postal Code | The postal code where the user’s IP address is physically located. This value isn’t localized. |
| Session Type | The type of session the user is logged in to. For example, common ones are UI, Content, API, and Visualforce. |
| Subdivision | The name of the subdivision where the user’s IP address is physically located. This value isn’t localized. |
| Username | The username used when logged in to the session. To view the user’s profile page, click the username. |
| Updated | The date and timestamp of the last session update due to activity. For example, during a UI session, users make frequent changes to records and other data as they work. With each change, both the Updated and Valid Until date and timestamps are refreshed. |
| Valid Until | If you don’t end the session manually, the date and timestamp of when the session automatically expires. |
SEE ALSO:
User Session Types
| Session Type | Description |
| --- | --- |
| APIOnlyUser | Created to enable a password reset in the user interface for API-only users. |
| ChatterNetworksAPIOnly | Created when using the Chatter Networks or Chatter Sites API. |
| DataDownloadOnly | A session that allows users to download data when their org status is Locked, Suspended, or Hold. You can’t create this session manually. |
| OauthApprovalUI | A session that allows access only to the OAuth approval page. |
| Oauth2 | Created using OAuth flows. For example, if you use OAuth authentication for a connected app, this type of session is created. |
| SubstituteUser | Created when one user logs in as another user. For example, if an administrator logs in as another user, a SubstituteUser session is created. |
| UI | Created for access to the Salesforce Classic UI. Represents the core session for a login to the user interface. |
Temporary session types are used during the process of switching domains. For example, when you access Lightning Experience, a
temporary session is created as part of that flow.
| Session Type | Description |
| --- | --- |
| TempContentExchange | Created to switch to the content domain, such as the user interface into which users enter their credentials. |
| TempLivepreviewExchange | Created to switch to using the live preview functionality in Experience Builder. |
| TempOauthAccessTokenFrontdoor | Created for a user attempting to grant access to an application using the OAuth protocol. |
SEE ALSO:
View User Session Information on the Session Management Page
• Marketing: Used to track online activity for a more personalized experience, including relevant advertisement.
Note: The Salesforce Platform can run without the use of functional cookies, but doing so can reduce functionality. The impact
on functionality depends on the purpose of the blocked cookie.
This table describes the Salesforce Platform cookies collected by Salesforce.
| Cookie Name | Duration | Type | Description |
| --- | --- | --- | --- |
| calViewState | Session | Functional: Statistics | Sets the inline calendar date state in Salesforce Classic (current week selected). |
| caPanelState | Session | Functional: Preferences | Saves the open, closed, and height percent states of the calendar panel. |
| disco | Session | Required | Tracks the last user login and active session for bypassing login. For example, OAuth immediate flow. |
| hideIdentityDialog | 1 Year | Functional: Preferences | Hides the dialog box that informs that the current user is logged out when switching to another user. |
| ideaToggle | Session | Functional: Preferences | Show the Ideas list view or the Feed list view. |
| iotcontextsplashdisable | 10 Years | Functional: Preferences | For the IoT product, stores user preference of whether to show Context Splash popup. |
| lastlist | Session | Required | Used to store the cookie name for the last list URL. |
| login | 60 Days | Functional: Preferences | If the user’s session has expired, used to fetch the username and populate it on the main login page when using the process builder app. |
| waveUserPrefFinderListView | 100 Years | Functional: Preferences | Preference for displaying list views in CRM Analytics. |
| webact | 1 Year | Functional: Statistics | Used to collect metrics per page view for personalization. |
Available in: All Editions
Note: Users with the API Only User permission can use bridged sessions only to change and reset their passwords. They can’t access
any other UIs.
For example, the following form posts the current session ID to frontdoor.jsp.
In this example, domain_name is the domain of the server URL (for example, myDomainName.my.salesforce.com).
Full Session ID
An example of a full session ID is the access_token obtained from OAuth authentication. One of the scopes specified when you
create a connected app must be web or full.
Note: Not all session types are supported with frontdoor.jsp, such as Experience Cloud site API sessions. For these sessions,
consider using SAML for single sign-on, instead.
You have several ways to get a Session ID, such as from UserInfo.getSessionId() in Apex, $Api.SessionID and other
sources. Sometimes the ID values from these sources vary depending on context, don't work with frontdoor.jsp, and can pose
security risks as you use them. Use the access_token from an OAuth authentication for a secure, reliable value.
Set Up and Maintain Your Salesforce Organization Secure Cross-Cloud Integrations with Private Connect
| | Inbound | Outbound |
| --- | --- | --- |
| Description | Data traffic flows from AWS to Salesforce | Data traffic flows from Salesforce to AWS |
1. From Setup, in the Quick Find box, enter Private Connect, and then select Private Connect.
2. To open a dropdown menu of the available regions, IAM Roles, and Service Names, click AWS Regions.
3. Find the region in which your VPC is hosted and copy the corresponding Service Name.
4. In the AWS Console, create an Endpoint using the Service Name you copied in Step 3 for your VPC.
5. After saving the Endpoint, copy the VPC Endpoint ID and the IP address from the Subnet of your Endpoint.
6. From the Private Connect Setup page, click Create Inbound Connection.
7. Select the AWS PrivateLink Connection Type.
8. Enter the Connection Name, Description, and the VPC Endpoint ID you copied in Step 5.
9. Save your changes. Your connection appears on the Inbound Connections list with the Status field as Unprovisioned.
10. In the AWS Console, create a private Hosted Zone with your My Domain name and the VPC ID that matches the location of the
endpoint. Create a Record Set for the Hosted Zone that includes your My Domain name and the IP address of your Endpoint Subnet
from Step 5.
To ensure that your Hosted Zone and Record Set are configured properly, perform an nslookup of your My Domain from your
VPC. Make sure it matches the Record Set entry in the Hosted Zone and not the public Salesforce IP.
11. From the Private Connect Setup page, click the arrow under the Actions field that corresponds to your connection on the Inbound
Connections list. Click Sync.
Warning: After the Status field changes to Ready, it can take an extra few minutes for the connection to be fully prepared
for runtime callouts. Wait a few minutes before making callouts.
To view details about the inbound connection, such as its allocated source IP addresses, click the connection name. Use these IP
addresses to further protect your Salesforce org.
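The nslookup check in Step 10 can be scripted so it runs from a host inside the VPC after every DNS change. This is an added example, not part of the Salesforce documentation; the function names are hypothetical, and the hostname, endpoint IP address, and VPC CIDR passed on the command line are values you supply.

```python
"""Verify that a My Domain name resolves to the VPC endpoint from inside the VPC.

Added example: function names are hypothetical, and the hostname, endpoint IP
and VPC CIDR are supplied by the caller, not taken from the documentation.
"""
import ipaddress
import socket
import sys


def resolve(hostname):
    """Return the distinct addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_private_resolution(resolved, record_set_ips, vpc_cidr):
    """Compare resolver answers with the Record Set of the private Hosted Zone.

    Returns (ok, findings). ok is True only when at least one address came
    back and every address is one of the Record Set values.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    expected = {ipaddress.ip_address(ip) for ip in record_set_ips}
    findings = []
    if not resolved:
        findings.append("no answer: the name did not resolve from this host")
    for raw in resolved:
        addr = ipaddress.ip_address(raw)
        if addr in expected:
            continue
        if addr in vpc:
            # Private answer, but not the endpoint subnet IP copied in Step 5.
            findings.append(f"{addr}: inside the VPC but not in the Record Set")
        else:
            # Typically the public Salesforce IP: the Hosted Zone is not used.
            findings.append(f"{addr}: outside the VPC, private Hosted Zone not answering")
    return (not findings, findings)


if __name__ == "__main__":
    # usage: python check_dns.py <my-domain-host> <endpoint-ip> <vpc-cidr>
    host, endpoint_ip, cidr = sys.argv[1:4]
    ok, findings = check_private_resolution(resolve(host), [endpoint_ip], cidr)
    print("OK" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

A nonzero exit status means traffic to the My Domain name would leave the private path, so the check can gate the Sync in Step 11.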
Note: The Status field is programmatically controlled. When it’s Unprovisioned, the Actions field allows you to Edit, Provision, and
Delete the connection. After you click Provision, the field automatically moves through the in-between states until it gets to Ready.
When the status is Provisioned, the Actions field allows you to Edit, Sync, and Teardown the connection. Only connections with a
Ready status can send traffic. The following are the possible values for the Status field:
• Unprovisioned
• Allocating
• PendingAcceptance
• PendingActivation
• RejectedRemotely
• DeletedRemotely
• TeardownInProgress
• Ready
These IP address ranges are allocated by the Salesforce-managed VPC in your cloud provider, such as AWS. The IP addresses are unique
to your inbound connection and don’t change after you provision it. Use them to add more protection to your Salesforce org. Here are
some examples.
• Define a list of IP addresses that users can log in from without receiving a login challenge.
• Restrict the IP addresses that users can access Salesforce from to only certain ranges.
• Let Salesforce Authenticator automatically verify identities based on trusted IP addresses only.
• Monitor and view the user session information about Private Connect users, including their source IP address.
• View the login history of Private Connect users, including their source IP address.
• Control login access at the user level by specifying a range of allowed IP addresses on a user’s profile.
• Restrict access to trusted IP addresses when using the OAuth web server flow.
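One way to use the allocated source IP addresses when reviewing exported session or login history rows is sketched here as an added example that is not part of the Salesforce documentation. It flags sessions of integration users whose source IP falls outside the inbound connection's allocated ranges. The CIDR ranges, column names, usernames, and sample rows are all constructed.

```python
"""Flag Private Connect integration sessions that did not arrive through the
inbound connection's allocated source IP ranges.

Constructed for illustration: the CIDR ranges, the CSV column names, the
usernames and the sample rows are not from the Salesforce documentation.
"""
import csv
import io
import ipaddress

# Stand-ins for the allocated source IP ranges shown on the connection's detail page.
ALLOCATED_RANGES = ["10.20.30.0/28", "10.20.31.0/28"]

# Users expected to reach the org only through Private Connect.
PRIVATE_CONNECT_USERS = {
    "appflow.integration@example.com",
    "mulesoft.integration@example.com",
}

# Constructed export of session rows.
SAMPLE_EXPORT = """\
Username,SessionType,LoginType,SourceIp
appflow.integration@example.com,API,Application,10.20.30.5
mulesoft.integration@example.com,Oauth2,Application,203.0.113.77
jane.admin@example.com,UI,SAML,198.51.100.10
appflow.integration@example.com,API,Application,not-an-ip
mulesoft.integration@example.com,API,Application,10.20.31.14
"""


def classify(row, networks, pc_users):
    """Return (verdict, reason) for one session row."""
    user = row["Username"].strip().lower()
    if user not in pc_users:
        return "ignore", "not a Private Connect user"
    raw_ip = row["SourceIp"].strip()
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        # Never treat a malformed address as trusted; send it to a human.
        return "review", "unparseable source IP %r" % raw_ip
    # An IPv6 address tested against an IPv4 network is simply not a member.
    if any(addr in net for net in networks):
        return "ok", "source IP is inside the allocated ranges"
    return "alert", "source IP %s is outside the allocated ranges" % addr


def audit(csv_text, cidrs=ALLOCATED_RANGES, pc_users=PRIVATE_CONNECT_USERS):
    """Classify every row of the export; returns (username, ip, verdict, reason) tuples."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    users = {u.lower() for u in pc_users}
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict, reason = classify(row, networks, users)
        results.append((row["Username"], row["SourceIp"], verdict, reason))
    return results


if __name__ == "__main__":
    for username, ip, verdict, reason in audit(SAMPLE_EXPORT):
        if verdict != "ignore":
            print(f"{verdict.upper():6} {username} {ip}: {reason}")
```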
SEE ALSO:
Modify Session Security Settings
View User Session Information on the Session Management Page
Monitor Login History
Restrict Login IP Ranges in the Enhanced Profile User Interface
Restrict Access to Trusted IP Ranges for a Connected App
1. From Setup, enter Private Connect in the Quick Find box, and then select Private Connect.
2. To open a dropdown menu of the available regions, IAM Roles, and Service Names, click AWS Regions.
3. Find the region in which your VPC is hosted, and copy the corresponding IAM Role.
4. In the AWS Console, add the IAM Role to the Whitelisted Principals tab of your VPC Endpoint Service. This grants AWS access to the
Salesforce-managed VPC.
5. After saving the Endpoint Service, copy the VPC Endpoint Service Name and the DNS Name of the Endpoint Service’s Network Load
Balancer.
6. From the Private Connect Setup page, click Create Outbound Connection.
7. Select the AWS PrivateLink Connection Type.
8. Enter the Connection Name, Description, and the VPC Endpoint Service Name you copied in Step 5.
9. Save your changes. Your connection appears on the Outbound Connections list with the Status field as Unprovisioned.
10. Click the arrow under the Actions field that corresponds to your connection on the Outbound Connections list. Click Sync.
Warning: After the Status field changes to Ready, it can take an extra few minutes for the connection to be fully prepared
for runtime callouts. Wait up to 5 minutes before making callouts.
11. Register your AWS VPC Endpoint Service Name as a Named Credential using the new OutboundNetworkConnection lookup field.
Make sure that the hostname matches the certificate of the endpoint service.
Note: The URL should contain the VPC Endpoint Service DNS Name from Step 5 and the port of the destination service,
separated by a colon. If your target group is attached to a port that is different than the default for the protocol, you must
specify the port in the URL. An HTTP URL defaults to port 80 and an HTTPS URL defaults to port 443.
Note: The Status field is programmatically controlled. When it is Unprovisioned, the Actions field allows you to Edit, Provision,
and Delete the connection. After you click Provision, the field automatically moves through the in-between states until it gets to
Ready. When the status is Provisioned, the Actions field allows you to Edit, Sync, and Teardown the connection. Only connections
with a Ready status can send traffic. The following are the possible values for the Status field:
• Unprovisioned
• Allocating
• PendingAcceptance
• PendingActivation
• RejectedRemotely
• DeletedRemotely
• TeardownInProgress
• Ready
Available in: Enterprise, Performance, Unlimited, and Developer Editions
Users who aren’t admins can modify inbound and outbound Private Connections using the Tooling, Metadata, and Connect APIs.
They can also use third-party tools that are built on these APIs, such as Amazon AppFlow. But before users can use these APIs or
tools to modify Private Connections, they must be assigned these user permissions.
• Allow user to modify Private Connections
• Modify Metadata Through Metadata API Functions
Enable these user permissions by creating or modifying a permission set and assigning it to the user. In Setup, these permissions are
listed in the System Permissions section of the Permission Sets page. Creating a separate permission set with these permissions is useful
for users who use third-party tools to modify Private Connections, but don’t need other administrative permissions.
Current Availability
AWS Regions
ap-southeast-1 Singapore
Note: The AWS Regions dropdown in the Private Connect Setup page shows only the regions that your Salesforce org can access.
If you don’t see your VPC region in the dropdown, you can peer your existing VPC to an available region that shows in the dropdown.
You can also create a VPC inside an available region before creating a connection.
Supported Salesforce Services
• Experience Cloud
• Financial Services Cloud
• Health Cloud
• Platform Cloud
• Sales Cloud
• Service Cloud
Note: Private Connect also supports AppExchange Partners on each of the listed clouds.
Licensing
Each Private Connect license allows for one provisioned connection in each direction, inbound and outbound. Each connection represents
a one-to-one mapping between an org ID and a VPC Endpoint ID. Every provisioned connection requires a Private Connect license. For
example, four inbound connections require four licenses, leaving four available outbound connections.
There’s a per-org limit of 1,000 connections per direction. Connections in an unprovisioned state don’t count toward your license.
Rate Limits
The data rate limit is managed on an hourly basis. Data doesn’t roll over after an hour or accumulate. Rate limits are managed separately
for inbound connections and outbound connections.
• Inbound connections are used by tools like MuleSoft or Amazon AppFlow to call in to the standard enterprise APIs.
• Outbound connections are used by Apex code or platform tools like Flow and External Services to fetch data from external systems.
The initial license purchase entitles the org to 225 MB of data per hour. Usage is expressed in hourly terms because the Limits API allows
you to track the remaining outbound allocation on a per-hour basis. Standard enterprise API limits apply to inbound connections.
Contact Salesforce to purchase a separate add-on license for more data. Outbound connections can’t transfer more than 56.48 GB of
data per hour.
| Direction | Default Rate Limit Per Org Per Hour | Max Rate Limit Per Org Per Hour |
| --- | --- | --- |
| Inbound | 225 MB | 56.48 GB |
| Environment | Limitations |
| --- | --- |
| Full and Partial Copy Sandboxes | Private connections aren’t copied from production orgs and must be recreated in sandbox environments. You can create and provision connections. |
| Developer and Developer Pro Sandboxes | Private connections aren’t copied from production orgs and must be recreated in sandbox environments. You can create connections, but you can’t provision them. |
| Scratch Orgs | You can create connections, but you can’t provision them. |
| Developer Orgs | You can create connections, but you can’t provision them unless you file a case. |
Standards Compliance
Private Connect maintains compliance with these standards:
• ISO 27001, 27017, 27018
• SOC 2 Type II
• ASIP Santé HDS
• NEN 7510
• PCI-DSS
If you want to build Health Care applications on Salesforce that comply with the US Health Insurance Portability and Accountability Act
(HIPAA), contact your account representative about signing a Business Associate Addendum.
See Compliance engineered for the Cloud for more information about these standards.
SEE ALSO:
Knowledge Article: Troubleshoot and fix Salesforce Private Connect inbound connection issues
Activations
EDITIONS
Available in: Both Salesforce Classic and Lightning Experience
Available in: All Editions
Activation tracks information about devices from which users have verified their identity. Salesforce prompts users to verify their
identity when they access Salesforce from an unrecognized browser or application. Identity verification adds an extra layer of
security on top of username and password authentication. The Activations page lists the login IP addresses and client browsers used.
When a user logs in from outside a trusted IP range and uses a browser or app we don’t recognize, the user is challenged to verify
identity. We use the highest-priority verification method available for each user. In order of priority, the methods are:
1. Verification via push notification or location-based automated verification with the Salesforce
Authenticator mobile app (version 2 or later) connected to the user’s account.
2. Verification via a U2F security key registered with the user’s account.
3. Verification code generated by a mobile authenticator app connected to the user’s account.
4. Verification code sent via SMS to the user’s verified mobile phone.
Use Activations
View your users’ activations and revoke activation status to prevent security breaches.
SEE ALSO:
Use Activations
Monitor Identity Verification History
Use Activations
View your users’ activations and revoke activation status to prevent security breaches.
EDITIONS
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: All Editions
To see login IP and browser information about devices from which users have verified their identity, from Setup, enter Activations
in the Quick Find box, then select Activations.
You can revoke activation status by selecting one or more entries in the Activated Client Browser list, clicking Remove, and
confirming the action. Users can view and revoke only their own activated browsers. A user who logs in from a deactivated browser
is prompted to verify identity, unless the login IP address is within a trusted IP range.
Note: When a user deselects the Don’t ask again option that appears on the identity
verification page, the browser isn’t activated. Advise your users to deselect this option
whenever they log in from a public or shared device.
SEE ALSO:
Activations
Monitor Identity Verification History
Set Up and Maintain Your Salesforce Organization Real-Time Event Monitoring
• Threats detected in your org, such as anomalies in how users view or export reports, session
hijacking attacks, or credential stuffing attacks
As a best practice, before creating transaction security policies, you can view or query events to determine appropriate thresholds for
normal business usage.
Threat Detection
Threat Detection uses statistical and machine learning methods to detect threats to your Salesforce org. While Salesforce identifies
these threats for all Salesforce customers, you can view the information in the events with Threat Detection in Event Monitoring and
investigate further if necessary.
SEE ALSO:
Salesforce Help: What’s the Difference Between the Salesforce Events?
Learning Map: Shield Learning Map
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
The following objects support only Lightning Experience:
• LightningUriEvent
• LightningUriEventStream
Note: Real-Time Event Monitoring objects sometimes contain sensitive data. Assign object
permissions to Real-Time Events accordingly in profiles or permission sets.
Note: Real-Time Event Monitoring Platform Events aren't a system of record for user activity. They're a source of truth but event
notifications aren’t always available or guaranteed. For more reliable data storage, use Real-Time Event Monitoring Storage Events.
Note: Real-Time Event Monitoring objects sometimes contain sensitive data. Assign object permissions to Real-Time Events
accordingly in profiles or permission sets.
1. From Setup, in the Quick Find box, enter Events, then select Event Manager.
2. Next to the event you want to enable or disable streaming for, click the dropdown menu.
3. Select whether you want to enable or disable streaming or storing on the event.
SEE ALSO:
Real-Time Event Monitoring
Stream and Store Event Data
Metadata API Developer Guide: RealTimeEventSettings
| Streaming Event | Use Case | Availability |
| --- | --- | --- |
| BulkApiResultEvent | Track when a user downloads the results of a Bulk API or Bulk API 2.0 request. | Object is available only in Real-Time Event Monitoring. |
| ConcurLongRunApexErrEvent | Detect errors that occur when an org exceeds the concurrent long-running Apex limit. | Object is available only in Real-Time Event Monitoring. |
| CredentialStuffingEvent | Track when a user successfully logs into Salesforce during an identified credential stuffing attack. Credential stuffing refers to large-scale automated login requests using stolen user credentials. | Object is available only in Real-Time Event Monitoring. |
| FileEvent | Detects file-related events, such as when a user downloads a file. | Object is available only in Real-Time Event Monitoring. |
| LightningUriEventStream | Detect when a user creates, accesses, updates, or deletes a record containing sensitive data in Lightning Experience. | Object is available only in Real-Time Event Monitoring. |
| ListViewEventStream | Detect when a user accesses, updates, or exports list view data using Salesforce Classic, Lightning Experience, or the API. | Object is available only in Real-Time Event Monitoring. |
| LoginAsEventStream | Detect when a Salesforce admin logs in as another user and track the admin’s activities. | Object is available only in Real-Time Event Monitoring. |
| LoginEventStream | Detect when a user tries to log in under certain conditions—for example, from an unsupported browser or from an IP address that is outside of your corporate range. | Object is available only in Real-Time Event Monitoring. |
| LogoutEventStream | Detect when a user logs out of Salesforce by clicking Log Out in the Salesforce UI. | Object is available to all customers. |
| MobileEmailEvent | Track your users’ email activity in a Salesforce mobile app. | Object is available only in Real-Time Event Monitoring and Enhanced Mobile App Security. |
| MobileEnforcedPolicyEvent | Track enforcement of Enhanced Mobile Security policy events on a Salesforce mobile app. | Object is available only in Real-Time Event Monitoring and Enhanced Mobile App Security. |
| MobileScreenshotEvent | Track your users’ screenshots in a Salesforce mobile app. | Object is available only in Real-Time Event Monitoring and Enhanced Mobile App Security. |
| MobileTelephonyEvent | Track your users’ phone calls and text messages in a Salesforce mobile app. | Object is available only in Real-Time Event Monitoring and Enhanced Mobile App Security. |
| ReportAnomalyEvent | Track anomalies in how users run or export reports. | Object is available only in Real-Time Event Monitoring. |
| ReportEventStream | Detect when a user creates, runs, updates, or exports a report that contains sensitive data. | Object is available only in Real-Time Event Monitoring. |
| SessionHijackingEvent | Track when unauthorized users gain ownership of a Salesforce user’s session with a stolen session identifier. | Object is available only in Real-Time Event Monitoring. |
| UriEventStream | Detect when a user creates, accesses, updates, or deletes a record containing sensitive data in Salesforce Classic. | Object is available only in Real-Time Event Monitoring. |
For more information about building apps that listen to streaming data channels, see the Streaming API Developer Guide.
For a quick start about subscribing to streaming events using the EMP Connector open-source tool, see the Example: Subscribe to and
Replay Events Using a Java Client (EMP Connector) in the Platform Events Developer Guide.
For reference documentation of the standard platform events and the corresponding big objects, see Real-Time Event Monitoring Objects
in the Platform Events Developer Guide.
Note: As a beta feature, the UserId filter in ReportEvent is a preview and isn’t part of the “Services” under your Main Services
Agreement with Salesforce. Use this feature at your sole discretion, and make your purchase decisions only on the basis of generally
available products and features. Salesforce doesn’t guarantee general availability of this feature within any particular time frame
or at all, and we can discontinue it at any time. This feature is for evaluation purposes only, not for production use. It’s offered as
is and isn’t supported, and Salesforce has no liability for any harm or damage arising out of or in connection with it. All restrictions,
Salesforce reservation of rights, obligations concerning the Services, and terms for related Non-Salesforce Applications and Content
apply equally to your use of this feature.
Async SOQL
Async SOQL is a way to run SOQL queries when you must filter on big object fields other than EventDate and EventId. Async
SOQL schedules and runs queries asynchronously in the background, so it can run queries that normally time out with regular SOQL.
With Async SOQL, you can run multiple queries in the background while monitoring their completion status. Set up your queries and
come back a few hours later to a dataset to work with. Async SOQL is the most efficient way to process the large amount of data in a
storage event, especially for big objects. For more information, see Use Async SOQL with Real-Time Event Monitoring and Async SOQL
in the Big Objects Implementation Guide.
Storage Events
Here are the Real-Time Event Monitoring storage events.
| Storage Event | Object Type | Use Case | Availability and Retention |
| --- | --- | --- | --- |
| ApiAnomalyEventStore | Standard Object | Store data about anomalies in how users make API calls. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| BulkApiResultEventStore | Big Object | Store large amount of data about Bulk API activity that occurred for particular objects during a fiscal year. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| CredentialStuffingEventStore | Standard Object | Store data about successful user logins during an identified credential stuffing attack. Credential stuffing refers to large-scale automated login requests using stolen user credentials. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| FileEventStore | Big Object | Stores file-related event data, such as when a user downloads a file. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| IdentityVerificationEvent | Big Object | Store data about user identity verification events in your org. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 10 years. |
| IdentityProviderEventStore | Big Object | Store data about problematic and successful authentication requests in the Identity Provider Event Log. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| ListViewEvent | Big Object | Store data about when users interact with a list of records, such as contacts, accounts, or custom objects. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| LoginAsEvent | Big Object | Store data about when Salesforce admins log in as another user. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| LoginEvent | Big Object | Store data about how many users tried to log in from an unknown IP address or location and who was blocked from successfully logging in. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 10 years. |
| LogoutEvent | Big Object | Store data about users who logged out successfully. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| PermissionSetEventStore | Big Object | Store data about permission assignment changes in permission sets and permission set groups. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| ReportAnomalyEventStore | Standard Object | Store data about anomalies in how users run or export reports. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| ReportEvent | Big Object | Store data about how many times a sensitive report was downloaded or viewed and by whom. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| SessionHijackingEventStore | Standard Object | Store data about when unauthorized users gain ownership of a Salesforce user’s session with a stolen session identifier. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
| UriEvent | Big Object | Store data about when entities are created, accessed, updated, or deleted in Salesforce Classic. | Object is available only in Real-Time Event Monitoring. Data is stored for up to 6 months. |
Note: In Developer Edition orgs, data for all events is stored for only one day.
Note: Async SOQL is scheduled for retirement in all Salesforce orgs as of Summer ’23.
Let’s say you’ve created a custom object called Patent__c that contains sensitive patent information. You want to know when users
query this object using any API. Use the following Async SOQL query on the ApiEvent object to determine when Patent__c was last
accessed, who accessed it, and what part of it was accessed. The WHERE clause uses the QueriedEntities field to narrow the
results to just API queries of the Patent__c object.
Example URI
https://yourInstance.salesforce.com/services/data/v48.0/async-queries/
Note: All number fields returned from a SOQL query of archived objects are in standard notation, not scientific notation, as in the
number fields in the entity history of standard objects.
If you ask this question on a repeated basis for audit purposes, you can automate the query using a cURL script.
curl -H "Content-Type: application/json" -X POST \
  -d '{"query": "SELECT EventDate, EventIdentifier, QueriedEntities, SourceIp, Username, UserAgent FROM ApiEvent WHERE QueriedEntities LIKE '\''%Patent__c%'\''",
       "targetObject": "ApiTarget__c",
       "targetFieldMap": {"EventDate": "EventDate__c", "EventIdentifier": "EventIdentifier__c",
                          "QueriedEntities": "QueriedEntities__c", "SourceIp": "IPAddress__c",
                          "Username": "User__c", "UserAgent": "UserAgent__c"}}' \
  "https://yourInstance.salesforce.com/services/data/v48.0/async-queries/" \
  -H 'Authorization: Bearer 00D30000000V88A!ARYAQCZOCeABy29c3dNxRVtv433znH15gLWhLOUv7DVu.uAGFhW9WMtGXCul6q.4xVQymfh4Cjxw4APbazT8bnIfxlRvUjDg'
Another event monitoring use case is to identify all users who accessed a sensitive field, such as Social Security Number or Email. For
example, you can use the following Async SOQL query to determine the users who saw social security numbers.
Example URI
https://yourInstance.salesforce.com/services/data/v48.0/async-queries/
SEE ALSO:
Big Objects Implementation Guide: Async SOQL
Timeouts don't cause a LogoutEventStream object to be published. An exception is when a user is automatically logged out of the org
after their session times out because the org has the Force logout on session timeout setting enabled. In this case, a logout event is
recorded. However, if users close their browser during a session, regardless of whether the Force logout on session timeout setting
is enabled, a logout event isn't recorded.
1. From Setup, enter Event Manager in the Quick Find box, then select Event Manager.
2. Next to Logout Event, click the dropdown, and select Enable Streaming.
3. Create Apex triggers that subscribe to logout events.
Example: In this example, the subscriber inserts a custom logout event record during logout.
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Tip: This topic applies to ReportEvent, ReportEventStream, ListViewEvent, and ListViewEventStream. However, for readability, we
refer to just ReportEvent and ListViewEvent.
When Salesforce chunks a ReportEvent or ListViewEvent (and their streaming equivalents), it breaks it into multiple events in which
most field values are repeated. The exceptions are the Records, Sequence, and EventIdentifier fields. You view all the data from a
chunked result by correlating these fields with the ExecutionIdentifier field, which has the same value in every chunk of one
execution.
Important: When a report executes, we provide the first 1000 events with data in the Records field. Use the ReportId field to
view the full report.
Let’s describe in more detail the fields of ReportEvent and ListViewEvent (and their storage equivalents) that you use to link
together the chunks.
• Records—A JSON string that represents the report or list view data. If Salesforce has chunked the data into multiple events, each
event’s Records field contains different data.
• Sequence—An incremental sequence number that indicates the order of multiple events that result from chunking, starting with
1. For example, if Salesforce breaks up an event into five chunks, the first chunk’s Sequence field is 1, the second is 2, and so on up
to 5.
• ExecutionIdentifier—A unique identifier for a particular report or list view execution. This identifier differentiates the
report or list execution from other executions. If chunking has occurred, this field value is identical across the chunks, and you can
use it to link the chunks together to provide a complete data picture.
• EventIdentifier—A unique identifier for each event, including chunked events.
To view all the data chunks from a single report or list view execution, use the Sequence, Records, and ExecutionIdentifier
fields in combination.
For example, let’s say a report execution returns 10K rows. Salesforce splits this data into three chunks based on the size of the records,
and then creates three separate ReportEvent events. This table shows an example of the field values in the three events; the fields not
shown in the table (except EventIdentifier) have identical values across the three events.
ExecutionIdentifier | Sequence | Records
a50a4025-84f2-425d-8af9-2c780869f3b5 | 2 | {"totalSize":3000, "rows":[{"datacells":["005B000000fewai"..........]}]}
a50a4025-84f2-425d-8af9-2c780869f3b5 | 3 | {"totalSize":4000, "rows":[{"datacells":["005B0000001vURv",..........]}]}
This sample SOQL query returns data similar to the preceding table.
SELECT ExecutionIdentifier, Sequence, Records FROM ReportEvent
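Reassembling chunked events on the client side, as an added example that is not part of the Salesforce documentation: it takes rows already fetched with a query like the one above, groups them by ExecutionIdentifier, orders them by Sequence, and flags executions whose chunk set has gaps. The function name reassemble and the report keys are this example's own, the sample rows are constructed, and reading totalSize as a per-chunk row count is an assumption drawn from the sample values on the page.

```python
import json
from collections import defaultdict

# Constructed sample rows, shaped like the result of
#   SELECT ExecutionIdentifier, Sequence, Records FROM ReportEvent
# Identifiers and cell values are made up for illustration.
SAMPLE_EVENTS = [
    {"ExecutionIdentifier": "exec-A", "Sequence": 3,
     "Records": '{"totalSize":1,"rows":[{"datacells":["005-user-5"]}]}'},
    {"ExecutionIdentifier": "exec-A", "Sequence": 1,
     "Records": '{"totalSize":2,"rows":[{"datacells":["005-user-1"]},'
                '{"datacells":["005-user-2"]}]}'},
    {"ExecutionIdentifier": "exec-B", "Sequence": 1,
     "Records": '{"totalSize":1,"rows":[{"datacells":["005-user-9"]}]}'},
    {"ExecutionIdentifier": "exec-A", "Sequence": 2,
     "Records": '{"totalSize":2,"rows":[{"datacells":["005-user-3"]},'
                '{"datacells":["005-user-4"]}]}'},
    # Constructed duplicate: the same chunk appears twice in the input.
    {"ExecutionIdentifier": "exec-A", "Sequence": 2,
     "Records": '{"totalSize":2,"rows":[{"datacells":["005-user-3"]},'
                '{"datacells":["005-user-4"]}]}'},
    # exec-B has no Sequence 2, so its data cannot be treated as complete.
    {"ExecutionIdentifier": "exec-B", "Sequence": 3,
     "Records": '{"totalSize":1,"rows":[{"datacells":["005-user-11"]}]}'},
]


def reassemble(events):
    """Stitch chunked events back together, one entry per ExecutionIdentifier."""
    chunks_by_exec = defaultdict(dict)   # exec id -> {Sequence: Records string}
    duplicates = defaultdict(list)       # exec id -> repeated Sequence numbers

    for event in events:
        exec_id = event["ExecutionIdentifier"]
        sequence = int(event["Sequence"])
        if sequence in chunks_by_exec[exec_id]:
            duplicates[exec_id].append(sequence)   # keep the first copy only
            continue
        chunks_by_exec[exec_id][sequence] = event.get("Records")

    report = {}
    for exec_id, chunks in chunks_by_exec.items():
        rows, declared, unparsable = [], 0, []
        for sequence in sorted(chunks):            # Sequence gives the order
            try:
                payload = json.loads(chunks[sequence])
                chunk_rows = payload["rows"]
            except (TypeError, ValueError, KeyError):
                unparsable.append(sequence)        # null, truncated or odd JSON
                continue
            rows.extend(chunk_rows)
            declared += payload.get("totalSize", 0)

        # Sequence starts at 1, so any number absent below the highest one
        # seen means a chunk was not retrieved.
        missing = [n for n in range(1, max(chunks) + 1) if n not in chunks]
        report[exec_id] = {
            "rows": rows,
            "declared_rows": declared,
            "missing": missing,
            "duplicates": duplicates[exec_id],
            "unparsable": unparsable,
            "complete": not missing and not unparsable,
        }
    return report


if __name__ == "__main__":
    for exec_id, result in reassemble(SAMPLE_EVENTS).items():
        print(exec_id, len(result["rows"]), "rows,",
              "complete" if result["complete"] else
              f"incomplete (missing {result['missing']}, bad {result['unparsable']})")
```

A gap check like this can only see holes below the highest Sequence retrieved; a missing final chunk still has to be caught by comparing against the report itself.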
These events result from a triggered policy that has a multi-factor authentication (MFA) action. The first three rows show the multi-factor
authentication in process, and the last three rows show the chunked events.
Note: Multi-factor authentication was previously called two-factor authentication. Some MFA-related values reference “TwoFa”.
TwoFaInProgress
TwoFaSucceed
These events result from a policy that has a block action but the event didn't meet the condition criteria. As a result, the PolicyOutcome
field is NoAction.
These events result from a policy that has a multi-factor authentication action but the policy wasn’t triggered and so the action didn’t
occur. The policy didn’t trigger because the user already had a high assurance session level.
Conditions at a Glance
Best Practices for Writing and Maintaining Enhanced Transaction Security Policies
Transaction security policy management isn’t always easy, especially when you have many policies. To make sure that your policies
remain functional, write and maintain them using these best practices. Well-structured and tested policies keep your employees
and customers connected, productive, and secure.
Enhanced Transaction Security Metering
Transaction Security uses resource metering to help prevent malicious or unintentional monopolization of shared, multi-tenant
platform resources. Metering prevents transaction security policy evaluations from using too many resources and adversely affecting
your Salesforce org.
Exempt Users from Transaction Security Policies
If you have transaction security policies that work well for most users, but not all, you can assign specific users the Exempt from
Transaction Security user permission. Assign this permission only when business-critical actions are regularly blocked by transaction
security policy metering. For example, assign it to users who make bulk or automated bulk API calls. You can assign this user permission
to integration users or admins responsible for transaction security policies who you don't want to get blocked.
Test and Troubleshoot Your New Enhanced Policy
If your enhanced transaction security policy isn’t behaving as you expect, check out these testing and troubleshooting tips to diagnose
the problem.
ReportAnomalyEventStore Policies
Report anomaly event policies monitor anomalies in how users run or export reports.
SessionHijackingEventStore Policies
Session hijacking event policies monitor when unauthorized users gain ownership of a Salesforce user’s session with a stolen session
identifier.
ApiEvent Policies
API events monitor API transactions, such as SOQL queries and data exports.
ApiAnomalyEventStore Policies
API anomaly event policies monitor anomalies in how users make API calls.
BulkApiResultEventStore Policies
Bulk API Result Event policies detect when a user downloads the results of a Bulk API request.
Policy at a Glance
CredentialStuffingEventStore Policies
Credential stuffing event policies monitor when a user successfully logs into Salesforce during an identified credential stuffing
attack. Credential stuffing refers to large-scale automated login requests using stolen user credentials.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Policy at a Glance
FileEvent Policies
File event policies detect file-related events, such as when a user downloads a file containing sensitive information.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Policy at a Glance
Object | Conditions Available in Condition Builder | Actions
FileEventStore | Can Download PDF, Content Size, Content Download ID, Content Version ID, Evaluation Time, File Action, File Name, File Source, File Type, Is Latest Version, Policy Outcome, Process Duration, Session Level, Source IP, Transaction Security Policy ID, User ID, Username, Version Number | Block, Notifications
• Block downloads for specific user IDs, version IDs, and document IDs.
ListViewEvent Policies
List View event policies monitor when data is viewed or downloaded from your list views using Salesforce Classic, Lightning
Experience, or the API.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Policy at a Glance
Object | Conditions Available in Condition Builder | Actions
ListViewEvent | Application Name, Developer Name, Event Source, List View ID, Name, Name of Columns, Number of Columns, Order By, Owner ID, Queried Entities, Rows Processed, Scope, Session Level, Source IP, User ID, Username | Block, Notifications, Multi-Factor Authentication (for UI logins). Multi-factor authentication isn’t supported for list views in Lightning pages, so the action is upgraded to Block.
Note: The values captured by transaction security policies are unique API names that can be retrieved by performing REST API
Describe calls on the object. When creating a ListViewEvent policy, make sure that the values you want the conditions to check
for are unique API names and not display labels. For example, a “Name of Column” condition checks for values that match the
metadata information retrieved from a Describe call on the report, not the column headers displayed on the report. Refer to the
REST API Developer Guide for more information.
LoginEvent Policies
Login event policies track login activity and enforce your login requirements.
Policy at a Glance
How Does LoginEvent Compare to Login Log Lines and Login History?
Permissions | View Real-Time Event Monitoring Data | View Event Log Files | Manage Users
Availability | Included with Event Monitoring add-on or Real-Time Event Monitoring | Included with Event Monitoring add-on | Included with all orgs
PermissionSetEventStore Policies
Permission set event policies monitor when users are assigned critical permissions in a permission set.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Policy at a Glance
Object | Conditions Available in Condition Builder | Actions
PermissionSetEventStore | Event Source, Operation, Permission Type, User Count, User ID, Username | Block, Notifications
What You Can Do with It
Create a policy that can:
• Prevent users from being assigned the following permissions in a permission set:
– Assign Permission Sets
– Author Apex
– Customize Application
– Manage Encryption Keys
– Manage Internal Users
– Manage Password Policies
– Manage Profiles and Permission Sets
– Manage Roles
– Manage Sharing
– Manage Users
– Modify All Data
– Multi-Factor Authentication for User Interface Logins
– Password Never Expires
– Reset User Passwords and Unlock Users
– View All Data
ReportEvent Policies
Report event policies monitor when data is viewed or downloaded from your reports.
Note: The values captured by transaction security policies are unique API names, which can be retrieved by performing REST API
Describe calls on the object. When creating a ReportEvent policy, make sure that the values you want the conditions to check for
are unique API names, not display labels. For example, a “Name of Column” condition checks for values that match the metadata
information retrieved from a Describe call on the report, not the column headers displayed on the report. Refer to the Salesforce
Report and Dashboard REST API Developer Guide for more information.
ReportAnomalyEventStore Policies
Report anomaly event policies monitor anomalies in how users run or export reports.
SessionHijackingEventStore Policies
Session hijacking event policies monitor when unauthorized users gain ownership of a Salesforce user’s session with a stolen
session identifier.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Policy at a Glance
Object | Conditions Available in Condition Builder | Actions
SessionHijackingEventStore | CurrentUserAgent, CurrentIp, CurrentPlatform, CurrentScreen, CurrentWindow, PreviousUserAgent, PreviousIp, PreviousPlatform, PreviousScreen, PreviousWindow, Score, SourceIp, UserId, Username | Notifications
Don’t let the user complete the request. For example, if a ReportEvent policy with a block action triggers during a report view,
the user sees a message explaining the action. You can also customize the block message when you create your policy. Each custom
message can be up to 1000 characters, and you can only customize messages for ApiEvent, ListViewEvent, and ReportEvent policies.
Custom block messages aren’t translated.
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Multi-Factor Authentication
Prompt the user to confirm their identity with an additional verification method, such as the Salesforce Authenticator app, when they
log in. In situations where you can’t use multi-factor authentication (for instance, during an API query), this action changes to a block
action.
Email Notifications
You can send two kinds of email notifications when a policy is triggered: default email messages and custom email messages. Both use
the subject Transaction Security Alert.
Default email notifications contain the policy that was triggered, the event or events that triggered it, the policy’s ID, and related event
fields. The times listed indicate when the policy was triggered in the recipient’s locale and time zone. For example, a policy is triggered
at 6:46 AM Eastern Standard Time. The administrator who receives the notification is in the Pacific Standard Time zone, so the time shows
as PST. Here’s an example.
From: Transaction Security <noreply@salesforce.com>
To: Admin@company.com
Sent: Wednesday, September 4, 2021, 10:00 AM
Subject: Transaction Security Alert
Policy Name:
Restrict Views of the My Confidential Report
ID:
0NIRM00000000dV
For more context about this event, refer to these event fields:
Org ID: 00DLA0000003YjP
User ID: 005IL000001ZqMb
Custom email notifications let you write your own email content and include event-specific field data of your choosing. To populate
your message with field-level event data, use the lookup field. Salesforce recommends that you include only event information that the
recipient is authorized to view. Custom email notifications aren’t translated.
In-App Notifications
In-app notifications list the policy that was triggered. Notifications aren’t available in Classic. Here’s an example.
Example:
Transaction Security Alert:
Policy Restrict Views of the My Confidential Report was triggered.
16 minutes ago
USER PERMISSIONS
To view events:
• View Real-Time Event
Monitoring Data
To view transaction security
policies:
• View All Data
5. Select your condition logic. The logic applies to the conditions that you create in the next step.
You can specify whether all conditions must be met for the policy to trigger an action, or any condition.
Select Custom Condition Logic Is Met if you want to specify more complex logic. Use parentheses and logical operators (AND,
OR, and NOT) to build the logical statements. Use numbers to represent each condition, such as 1 for the first condition and 2 for
the second condition. For example, if you want the policy to trigger if the first condition and either the second or third conditions
are met, enter 1 AND (2 OR 3).
Tip: Conditions map to fields of the event storage objects, such as ApiEvent.RowsProcessed or
LoginEvent.SourceIp. See the API documentation for possible values and examples for each field that shows up
as a condition in Condition Builder.
This example shows a policy that monitors API calls. The actions trigger if an API call queries the Lead object and either the number
of rows processed is greater than 2000 or the request took longer than 1000 milliseconds to complete. See Condition Builder Examples
for more examples.
7. Click Next.
8. Select what the policy does when triggered.
The actions available vary depending on the event type. For more information, see Enhanced Transaction Security Actions and
Notifications.
Note: The multi-factor authentication action isn’t available in the Salesforce mobile app, Lightning Experience, or via API for
any events. Instead, the block action is used. For example, if a multi-factor authentication policy is triggered on a list view
performed via the API, Salesforce blocks the API user.
Important: If you customize a Condition Builder policy with the API, you must include the Flow ID (for flow API), EventName, and
Type of CustomConditionBuilderPolicy to save your policy.
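A small offline evaluator for the custom condition logic syntax from step 5, applied to the Lead policy described above so the logic can be checked against sample events before a policy is enabled; it is an added illustration, not Salesforce code. The operator names, the ElapsedTime key, the precedence (NOT, then AND, then OR) and the choice to treat a null field as "condition not met" are assumptions of this sketch, and the sample events are constructed.

```python
import re

_TOKEN = re.compile(r"\s*(\d+|AND\b|OR\b|NOT\b|\(|\))", re.IGNORECASE)


def tokenize(logic):
    """Split '1 AND (2 OR 3)' into ['1', 'AND', '(', '2', 'OR', '3', ')']."""
    tokens, pos, text = [], 0, logic.strip()
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unexpected text in condition logic: {text[pos:]!r}")
        tokens.append(match.group(1).upper())
        pos = match.end()
    return tokens


def evaluate_logic(logic, results):
    """Evaluate the logic string; results[0] is the outcome of condition 1."""
    tokens, pos = tokenize(logic), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        token = peek()
        pos += 1
        return token

    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            right = parse_and()
            value = value or right
        return value

    def parse_and():
        value = parse_not()
        while peek() == "AND":
            take()
            right = parse_not()
            value = value and right
        return value

    def parse_not():
        if peek() == "NOT":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        token = take()
        if token == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token is not None and token.isdigit():
            number = int(token)
            if not 1 <= number <= len(results):
                raise ValueError(f"condition {number} is not defined")
            return bool(results[number - 1])
        raise ValueError(f"expected a condition number, got {token!r}")

    value = parse_or()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return value


# Illustrative operator names, not the Condition Builder's internal ones.
OPERATORS = {
    "contains": lambda actual, expected: expected in actual,
    "equals": lambda actual, expected: actual == expected,
    "greater_than": lambda actual, expected: actual > expected,
}


def check_condition(event, condition):
    field, operator, expected = condition
    actual = event.get(field)
    if actual is None:          # assumption: a null field never satisfies a condition
        return False
    return OPERATORS[operator](actual, expected)


def policy_triggers(event, conditions, logic):
    return evaluate_logic(logic, [check_condition(event, c) for c in conditions])


# The Lead policy described above: condition 1 AND (condition 2 OR condition 3).
LEAD_CONDITIONS = [
    ("QueriedEntities", "contains", "Lead"),
    ("RowsProcessed", "greater_than", 2000),
    ("ElapsedTime", "greater_than", 1000),   # field name is an assumption
]
LEAD_LOGIC = "1 AND (2 OR 3)"

# Constructed events for a dry run.
SAMPLE_API_EVENTS = [
    {"QueriedEntities": "Account, Lead", "RowsProcessed": 2001, "ElapsedTime": 200},
    {"QueriedEntities": "Lead", "RowsProcessed": 10, "ElapsedTime": 1500},
    {"QueriedEntities": "Account", "RowsProcessed": 5000, "ElapsedTime": 5000},
    {"QueriedEntities": None, "RowsProcessed": 5000, "ElapsedTime": 5000},
    {"QueriedEntities": "Lead", "RowsProcessed": 2000, "ElapsedTime": 1000},
]

if __name__ == "__main__":
    for event in SAMPLE_API_EVENTS:
        print(policy_triggers(event, LEAD_CONDITIONS, LEAD_LOGIC), event)
```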
• Notes: Use the Contains operator, rather than Equals, to also include reports that are based
on multiple objects, one of which is Lead.
Description of Example: Track when a user views or exports a report that has a column that contains email addresses.
• Event: Report Event
• Condition Logic: All Conditions Are Met
• Conditions: Name of Columns Contains Email
• Notes: Use the Contains operator to include any of these column names: Email, Customer Email, or Email of
Customer.
• Notes: Use the Contains operator, rather than Equals, to also include queries on multiple objects, of which one is Lead.
• Notes: Track when a user without high assurance executes a report (Report Event) or an API query (API Event) using the same
condition in separate transaction security policies.
• Notes:
To view events:
• View Real-Time Event Monitoring Data
To view transaction security policies:
• View All Data
To create, edit, and manage transaction security policies:
• Customize Application
5. Select the Apex class that implements your policy. If you haven’t already created the class, select New Empty Apex Class.
6. Click Next.
7. Select the action that the policy performs when triggered.
The available actions vary depending on the event type. For more information, see Enhanced Transaction Security Actions and
Notifications.
Note: The two-factor authentication action isn’t available in the Salesforce mobile app, Lightning Experience, or via API for
events. Instead, the block action is used. For example, if a two-factor authentication policy is triggered on a list view
performed via the API, Salesforce blocks the API user.
12. Click the name of your Apex class if you want to edit it.
If you chose to create an Apex class, you must add the implementation code. Salesforce adds this basic code to get you started.
global class MyApexClassEventCondition implements TxnSecurity.EventCondition {
When you delete a transaction security policy that uses Apex, the implementation class isn't deleted. You can either delete this Apex
class separately or reuse it in another policy.
Don’t include DML statements in your Apex-based policies because they can cause errors. When you send a custom email via Apex
during transaction policy evaluation, you get an error, even if the record isn’t explicitly related to another record. For more information,
see Apex DML Operations in the Apex Reference Guide.
SEE ALSO:
Apex Reference Guide: TxnSecurity.EventCondition Interface
}
when else{
return false;
}
}
}
Data Export
This example implements a transaction security policy that triggers when more than 2,000 leads are either:
• Viewed in the UI
• Exported with a SOQL query
• Exported from a list view
}
when null {
return false;
}
when else{
return false;
}
}
}
}
}
}
Browser Check
This policy triggers when a user with a known operating system and browser combination tries to log in with another browser on a
different operating system.
Many organizations have standard hardware and support specific versions of different browsers. You can use this standard to reduce
the security risk for high-impact individuals by acting when logins take place from unusual devices. For example, your CEO typically logs
in to Salesforce from San Francisco using a MacBook or Salesforce mobile application on an iPhone. When a login occurs from elsewhere
using a Chromebook, it’s highly suspicious. Because hackers do not necessarily know which platforms corporate executives use, this
policy makes a security breach less likely.
In this example, the customer organization knows that its CEO uses a MacBook running OS X with the Safari browser. An attempt to log
in using the CEO’s credentials with anything else is automatically blocked.
global class AccessEventCondition implements TxnSecurity.EventCondition {
    public boolean evaluate(SObject event) {
        switch on event{
            when LoginEvent loginEvent {
                return evaluate(loginEvent);
            }
            when null {
                return false;
            }
            when else{
                return false;
            }
        }
    }

        // Trigger policy and block access for any user trying to log in from North Korea.
        if(country.equals('North Korea')) {
            return true;
        }
        return false;
    }
}
You can also restrict access to other values, like postal code or city.
when else{
return false;
}
}
}
SEE ALSO:
Apex Reference Guide: TxnSecurity.EventCondition Interface
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Note: Only DML operations and callouts are supported when you use asynchronous Apex with an enhanced transaction security
policy.
Create Asynchronous Apex Class
In this section, you create an asynchronous Apex class that takes in an SObject. In this example, we
use ApiEvent. Then you invoke a callout or a DML operation.
public class SimpleAsynchronousApex implements Queueable {
private ApiEvent apiEvent;
Create Policy
In this section, you create the transaction security policy, which modifies the Apex class associated with the policy. Then you create the
SimpleAsynchronousApex object, pass in the ApiEvent, and enqueue the job.
global class SimpleApiEventCondition implements TxnSecurity.EventCondition,
        TxnSecurity.AsyncCondition {
    public boolean evaluate(SObject event) {
        // Cast SObject to an ApiEvent object
        ApiEvent apiEvent = (ApiEvent) event;
        // Hand the event to the queueable class and enqueue the job
        SimpleAsynchronousApex simpleAsynchronousApex = new SimpleAsynchronousApex(apiEvent);
        System.enqueueJob(simpleAsynchronousApex);
        // A typical implementation may return true if it triggers an action
        return false;
    }
}
SEE ALSO:
Apex Developer Guide: Queueable Apex
Apex Reference Guide: Apex Implementation Examples
Apex Developer Guide: Asynchronous Apex
Apex Developer Guide: Invoking Callouts Using Apex
Let’s look at some sample unit tests to get you started. Here’s the Apex policy that we want to test.
}
when null {
return false;
}
when else {
return false;
}
}
}
If the evaluate method receives... | And ... | Then the evaluate method returns...
Any event object | The event doesn’t have Lead in its QueriedEntities field and has a number greater than 2000 in its RowsProcessed field | false
Any event object | The event doesn’t have Lead in its QueriedEntities field and has a number less than or equal to 2000 in its RowsProcessed field | false
Here’s the Apex testing code that implements all of these use cases.
/**
 * Tests for the LeadExportEventCondition class, to make sure that our Transaction Security Apex
 * logic handles events and event field values as expected.
 **/
@isTest
public class LeadExportEventConditionTest {
    /**
     * ------------ POSITIVE TEST CASES ------------
     **/
    /**
     * Positive test case 1: If an ApiEvent has Lead as a queried entity and more than 2000 rows
     * processed, then the evaluate method of our policy's Apex should return true.
     **/
    static testMethod void testApiEventPositiveTestCase() {
        // set up our event and its field values
        ApiEvent testEvent = new ApiEvent();
        testEvent.QueriedEntities = 'Account, Lead';
        testEvent.RowsProcessed = 2001;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(true, eventCondition.evaluate(testEvent));
    }

    /**
     * Positive test case 2: If a ReportEvent has Lead as a queried entity and more than 2000 rows
     * processed, then the evaluate method of our policy's Apex should return true.
     **/
    static testMethod void testReportEventPositiveTestCase() {
        // set up our event and its field values
        ReportEvent testEvent = new ReportEvent();
        testEvent.QueriedEntities = 'Account, Lead';
        testEvent.RowsProcessed = 2001;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(true, eventCondition.evaluate(testEvent));
    }

    /**
     * Positive test case 3: If a ListViewEvent has Lead as a queried entity and more than 2000 rows
     * processed, then the evaluate method of our policy's Apex should return true.
     **/
    static testMethod void testListViewEventPositiveTestCase() {
        // set up our event and its field values
        ListViewEvent testEvent = new ListViewEvent();
        testEvent.QueriedEntities = 'Account, Lead';
        testEvent.RowsProcessed = 2001;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(true, eventCondition.evaluate(testEvent));
    }

    /**
     * Positive test case 4: If an event does not have Lead as a queried entity and has more
     * than 2000 rows processed, then the evaluate method of our policy's Apex
     * should return false.
     **/
    static testMethod void testOtherQueriedEntityPositiveTestCase() {
        // set up our event and its field values
        ApiEvent testEvent = new ApiEvent();
        testEvent.QueriedEntities = 'Account';
        testEvent.RowsProcessed = 2001;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(testEvent));
    }

    /**
     * Positive test case 5: If an event has Lead as a queried entity and does not have
     * more than 2000 rows processed, then the evaluate method of our policy's Apex
     * should return false.
     **/
    static testMethod void testFewerRowsProcessedPositiveTestCase() {
        // set up our event and its field values
        ReportEvent testEvent = new ReportEvent();
        testEvent.QueriedEntities = 'Account, Lead';
        testEvent.RowsProcessed = 2000;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(testEvent));
    }

    /**
     * Positive test case 6: If an event does not have Lead as a queried entity and does not have
     * more than 2000 rows processed, then the evaluate method of our policy's Apex
     * should return false.
     **/
    static testMethod void testNoConditionsMetPositiveTestCase() {
        // set up our event and its field values
        ListViewEvent testEvent = new ListViewEvent();
        testEvent.QueriedEntities = 'Account';
        testEvent.RowsProcessed = 2000;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(testEvent));
    }

    /**
     * ------------ NEGATIVE TEST CASES ------------
     **/
    /**
     * Negative test case 1: If an event is a type other than ApiEvent, ReportEvent, or ListViewEvent,
     * then the evaluate method of our policy's Apex should return false.
     **/
    static testMethod void testOtherEventObject() {
        LoginEvent loginEvent = new LoginEvent();
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(loginEvent));
    }

    /**
     * Negative test case 2: If an event is null, then the evaluate method of our policy's
     **/

    /**
     * Negative test case 3: If an event has a null QueriedEntities value, then the evaluate method
     * of our policy's Apex should return false.
     **/
    static testMethod void testNullQueriedEntities() {
        ApiEvent testEvent = new ApiEvent();
        testEvent.QueriedEntities = null;
        testEvent.RowsProcessed = 2001;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(testEvent));
    }

    /**
     * Negative test case 4: If an event has a null RowsProcessed value, then the evaluate method
     * of our policy's Apex should return false.
     **/
    static testMethod void testNullRowsProcessed() {
        ReportEvent testEvent = new ReportEvent();
        testEvent.QueriedEntities = 'Account, Lead';
        testEvent.RowsProcessed = null;

        // evaluate the event with our policy's Apex
        LeadExportEventCondition eventCondition = new LeadExportEventCondition();
        System.assertEquals(false, eventCondition.evaluate(testEvent));
    }
}
We’ve changed the code so that before performing the .contains operation on the queriedEntities variable, we first check
if the value is null. This change ensures that the code doesn’t dereference a null object.
In general, when you encounter unexpected values or situations in your Apex code, you have two options. Determine what is best for
your users when deciding which option to choose:
• Ignore the values or situation and return false so that the policy doesn't trigger.
• Fail-close the operation by returning true.
Advanced Example
Here's a more complex Apex policy that uses SOQL queries to get the profile of the user who is attempting to log in.
global class ProfileIdentityEventCondition implements TxnSecurity.EventCondition {
// check if the name of the Profile is one of the ones we want to monitor
if (PROFILES_TO_MONITOR.contains(profile.Name)) {
return true;
}
return false;
}
}
Because every Salesforce user is always assigned a profile, there's no need to create a negative test for it. It’s also not possible to create
actual tests for the two negative test cases. We take care of them by updating the policy itself. But we explicitly list the use cases in our
plan to make sure that we cover many different situations.
The positive test cases rely on the results of SOQL queries. To ensure that these queries execute correctly, we must also create some test
data. Let's look at the test code.
/**
* Tests for the ProfileIdentityEventCondition class, to make sure that our
* Transaction Security Apex logic handles events and event field values as expected.
**/
@isTest
public class ProfileIdentityEventConditionTest {
/**
    /**
     * Positive test case 1: Evaluate will return true when user has the "System
     * Administrator" profile.
     **/
    static testMethod void testUserWithSysAdminProfile() {
        // look up the System Administrator profile; assertOnProfile inserts a test user with it
        Profile profile = [SELECT Id FROM Profile WHERE Name='System Administrator'];
        assertOnProfile(profile.id, true);
    }
    /**
     * Positive test case 2: Evaluate will return true when the user has the "Custom
     * Admin Profile"
     **/
    static testMethod void testUserWithCustomProfile() {
        // look up the Custom Admin Profile; assertOnProfile inserts a test user with it
        Profile profile = [SELECT Id FROM Profile WHERE Name='Custom Admin Profile'];
        assertOnProfile(profile.id, true);
    }
    /**
     * Positive test case 3: Evaluate will return false when user doesn't have
     * a profile we're interested in. In this case we'll be using a profile called
     * 'Standard User'.
     **/
    static testMethod void testUserWithSomeProfile() {
        // look up the Standard User profile; assertOnProfile inserts a test user with it
        Profile profile = [SELECT Id FROM Profile WHERE Name='Standard User'];
        assertOnProfile(profile.id, false);
    }
    /**
     * Helper to assert on different profiles.
     **/
    static void assertOnProfile(String profileId, boolean expected){
        User user = createUserWithProfile(profileId);
        insert user;
    /**
     * Helper to create a user with the given profileId.
     **/
Let’s handle the two negative test cases by updating the transaction security policy code to check for exceptions or null results when
querying the Profile object.
global class ProfileIdentityEventCondition implements TxnSecurity.EventCondition {
            if (profile == null){
                return false;
            }
            // check if the name of the Profile is one of the ones we want to monitor
            if (PROFILES_TO_MONITOR.contains(profile.Name)) {
                return true;
            }
            return false;
        } catch(Exception ex){
            System.debug('Exception: ' + ex);
            return false;
        }
    }
}
Best Practices for Writing and Maintaining Enhanced Transaction Security Policies
Transaction security policy management isn’t always easy, especially when you have many policies. To make sure that your policies remain functional, write and maintain them using these best practices. Well-structured and tested policies keep your employees and customers connected, productive, and secure.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Writing Policies
Use these general guidelines as you write your policies.
Know your users
Do your users use features that work best with certain browsers? Do they rely on mobile devices in the field? Have features that your users regularly access changed? Think about what your users experience during their day-to-day work, and write your policies with those behaviors in mind. Remember: Policies prevent activities that are genuinely out of bounds, and they must not prevent users from completing core job tasks.
Know what’s coming
To check whether the features that your users rely on change, read the Salesforce release notes. Feature changes can sometimes
cause your policies to behave unexpectedly.
Know your environments
Use sandbox environments to your advantage. Run your policies in a sandbox under conditions similar to your production org. Let
policies run for 24 hours to see how they work. Use this feedback to evaluate how your policy functions in the conditions it has to
work under.
Know your policies
To avoid confusion and lighten your maintenance load, create only one policy per event. Schedule regular policy maintenance and
reviews to make sure that you don’t have policies that counteract one another. Check the Salesforce release notes for feature updates
that might change the way your policies behave.
Use these guidelines if you write an Apex-based policy rather than use Condition Builder.
Know your code
If you have an Apex developer in your organization, work with the developer as you write your policy. By consulting with someone
who knows the ins and outs of Apex, you can team up to write robust and reliable policies and tests. If you don’t have access to an
Apex expert, learn about Apex by taking the Apex Basics Trailhead module or studying the Apex Developer Guide.
Know your limits
Because Apex runs in a multi-tenant environment, the Apex runtime engine strictly enforces limits. Enforcing limits ensures that
runaway Apex code or processes don’t monopolize shared resources. If some Apex code exceeds a limit, the associated governor
issues a runtime exception that cannot be handled. Limits vary based on the event that the policy is based on. Construct your policies
with these limits in mind. Read more about Apex Governors and Limits.
Testing Policies
Testing policies is the best way to make sure that you’re crafting the right solution for your organization and your users.
• Try out your policies in a sandbox. Then deploy your security policy in a production org when you’re certain your policy works.
• If you make far-reaching changes in your org, retest your policies to make sure that they are compatible with the changes you made.
For example, if you create a workflow for field employees that generates a report, check all report event policies that could be affected.
• If your policy is Apex-based, follow Apex testing best practices.
• Run data silo tests. These tests run faster, produce easy-to-diagnose failures, and are more reliable.
Troubleshooting
Something is wrong with my policy. Where do I start?
Use the error message that your policy creates as a starting point. Check the Apex Developer Guide for advice on the error category.
My policy shuts down before it executes.
Policies don’t execute if they take too long to perform all their actions. Streamline your policy, and make sure that it’s within the
metering limit.
I have multiple policies for the same event. What do I do?
In general, make only as many policies as you can manage and maintain. There’s no limit on the number of policies you can create,
but not all policies trigger. Policies are prioritized, and trigger in this order: block the operation, require multi-factor authentication,
no action. If you have multiple policies for the same event, not all of those policies trigger. For example, let's say you have two policies
for one event, but one policy blocks the operation and the second is set to require multi-factor authentication. The policy that blocks
the user executes first and if it triggers, the other policy doesn’t execute.
My policy isn’t working. How do I debug it?
First, disable the policy and move it to a sandbox. You don’t want a broken policy to cause problems for your colleagues or customers
while you troubleshoot. Then evaluate whether the issue is with your policy settings or the Apex code if your policy is Apex-based.
• If you think your settings are the source of the problem, evaluate the policy’s conditions and actions in your sandbox. Adjust the
policy’s settings, and test for the behaviors you want.
• If you suspect that the problem is with your Apex code, you can debug Apex using the Developer Console and debug logs.
I can’t turn off my policy, and it’s blocking my users in production. What do I do?
Check for known issues documented in Knowledge Articles or Known Issues. These resources explain issues that other customers
experienced, along with functional workarounds. If that doesn’t work, contact Salesforce.
If you encounter this situation regularly, you can prevent metering from blocking user actions with the bypassMeteringBlock
field on the EventSetting metadata type. If all your transaction security policies specify no action, metering doesn’t block user operations.
If metering occurs, policy notifications aren’t sent. Policies with block actions still block when triggered.
SEE ALSO:
Metadata API Developer Guide: EventSettings
/**
 * Test Case 1: If an ApiEvent has Lead as a queried entity and more than 2000 rows
 * processed, then the evaluate method of our policy's Apex should return true.
 **/
static testMethod void testApiEventPositiveTestCase() {
    // set up our event and its field values
    ApiEvent testEvent = new ApiEvent();
    testEvent.QueriedEntities = 'Account, Lead';
    testEvent.RowsProcessed = 2001;
Rerun the Apex test from the Developer Console, and view the debug logs that your Apex code generated. This example shows that
the QueriedEntities field of the recent event doesn’t contain a Lead. The highlighted debug log pinpoints the condition that
didn’t evaluate correctly. Now it’s easy to examine your Apex code and find the typo.
If you want to see the debug output when a policy runs in a production environment, add a User Trace flag for the Automated User. The
Automated User executes transaction security policies.
SEE ALSO:
Manage Real-Time Event Monitoring Events
Execute Apex Tests
Apex Developer Guide: Debug Log
View Debug Logs
Set Up Debug Logging
Threat Detection
Threat Detection uses statistical and machine learning methods to detect threats to your Salesforce org. While Salesforce identifies these threats for all Salesforce customers, you can view the information in the events with Threat Detection in Event Monitoring and investigate further if necessary.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Threat Detection identifies:
• If a user session is hijacked
• When a user successfully logs in during an identified credential stuffing attack. Credential stuffing occurs when large-scale automated login requests use stolen user credentials to gain access to Salesforce.
Session Hijacking
Session Hijacking is a customer-focused attack where attackers try to steal information by using a client’s access to a web application.
In our case, this application is Salesforce. When a client successfully authenticates with Salesforce, they receive a session token. The
attacker tries to hijack the client’s session by obtaining their session token.
Credential Stuffing
Credential stuffing is a type of cyber attack that uses stolen account credentials. It’s also known as “password spraying” or “credential
spills”. Attackers obtain large numbers of usernames and passwords through data breaches or other types of cyber attacks. They
then use these credentials to gain unauthorized access to user accounts through large-scale automated login requests against a
web application such as Salesforce.
Report Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in
Salesforce Core application logs about report generation and surrounding activities to build a baseline model of the historical activity.
We then compare any new report generation activity against this baseline to determine if the new activity is sufficiently different to
be called an anomaly. We don't look at the actual data that a user interacts with— we look at how the user interacts with the data.
API Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in
Salesforce Core application logs about API generation and surrounding activities to build a baseline model of the historical activity.
We then compare any new API generation activity against this baseline to determine if the new activity is sufficiently different to be
called an anomaly. We don't look at the actual data that a user interacts with— we look at how the user interacts with the data.
View Threat Detection Events and Provide Feedback
Launch the Threat Detection app and view all the detected threats that occurred in your Salesforce org. Threats include anomalies
in how users run reports, session hijacking attempts, and credential stuffing. Use the same app to easily provide feedback about the
severity of a specific threat.
SEE ALSO:
Platform Events Developer Guide: Real-Time Event Monitoring Objects
Platform Events Developer Guide: Subscribe to Platform Event Messages with Flows
Enhanced Transaction Security
How Salesforce Helps Protect You From Insider Threats
How Salesforce Helps Protect You From Credential Stuffers
Session Hijacking
Session Hijacking is a customer-focused attack where attackers try to steal information by using a client’s access to a web application. In our case, this application is Salesforce. When a client successfully authenticates with Salesforce, they receive a session token. The attacker tries to hijack the client’s session by obtaining their session token.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
The Real-Time Event Monitoring object SessionHijackingEvent addresses the “Man In The Browser” attack (MiTB), a type of session hijacking attack. In a MiTB attack, the attacker compromises the client’s web application by first planting a virus like a Trojan proxy. The virus then embeds itself in the client’s browser. And when the client accesses a web application such as Salesforce, the virus manipulates pages, collects sensitive information shared between client and Salesforce, and steals information. These types of attacks are difficult for the client to detect.
Fortunately, Salesforce is ahead in this race with the bad guys and has mechanisms in place to detect MiTB attacks. When detected, Salesforce kills the session and any child sessions, logs out the user, and asks for multi-factor authentication. With this action, Salesforce helps prevent the attacker from performing any subsequent malicious activity with that user’s session. This autonomous enforcement makes session hijacking costly for attackers and results in safer sessions for Salesforce customers.
All Salesforce customers get this threat mitigation. Event monitoring customers get granular visibility into these attacks. These customers
can collect useful information about the attacks in real time and send notifications to other users in Salesforce.
device using the stolen legitimate session ID. Salesforce computes the session hijacking risk score for every pair of intra-session browser
fingerprints. It then compares the score to an empirically determined threshold to detect anomalous user sessions in real time. If Salesforce
detects an anomaly, it generates a SessionHijackingEvent.
Note: While Salesforce uses browser fingerprinting to identify a device, it doesn’t use it to track a user. Salesforce uses the data
only to detect suspicious behavior.
SEE ALSO:
Open Web Application Security Project: Session Hijacking Attack
• plugins: JavaScript attribute that lists the activated browser plugins. Example: Chrome PDF Plugin:Portable Document FormatChrome PDF Viewer
• dnt: JavaScript attribute that indicates whether the user is requesting web sites and advertisers to not track them. Example: enabled
• platform: Browser-populated JavaScript attribute regarding the platform the browser is running on (window.navigator.platform). Example: iPad
• localStorage: Whether local storage is used, extending beyond the duration of the session. Example: false
Important: If the SessionHijackingEvent object contains a record, an attack occurred in the past and Salesforce security has already taken care of the security issue. You don’t do anything other than investigate the attack for your own purposes.
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
• LoginEventStream (and its storage equivalent LoginEvent) tracks all login activity in your org.
For example, say that your org receives a SessionHijackingEvent. The first thing you do is look at
relevant fields of the event to get basic information about the attack, such as:
• Score: A number from 0.0 to 1.0 that indicates how significantly the new browser fingerprint deviates from the previous one. The
higher the number, the more likely a session hijacking attack occurred.
• UserId: The user’s unique ID. Use this ID to query LoginEvent for more login information.
• EventDate: When this attack occurred.
• SecurityEventData: JSON field that contains the current and previous values of the browser fingerprint features that contributed
the most to this anomaly detection. See this table for the full list of possible features.
Let’s look at the SecurityEventData field a bit more closely because it contains the browser fingerprints that triggered this
anomaly detection. Here’s sample data:
[
  {
    "featureName": "userAgent",
    "featureContribution": "0.45 %",
    "previousValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142",
    "currentValue": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36."
  },
  {
    "featureName": "ipAddress",
    "featureContribution": "0.23 %",
    "previousValue": "201.17.237.77",
    "currentValue": "182.64.210.144"
  },
  {
    "featureName": "platform",
    "featureContribution": "0.23 %",
    "previousValue": "Win32",
    "currentValue": "MacIntel"
  },
  {
    "featureName": "screen",
    "featureContribution": "0.23 %",
    "previousValue": "(1050.0,1680.0)",
    "currentValue": "(864.0,1536.0)"
  },
  {
    "featureName": "window",
    "featureContribution": "0.17 %",
    "previousValue": "1363x1717",
    "currentValue": "800x1200"
  }
]
The sample JSON shows that many browser fingerprint features changed, including window, IP address, platform, and more. Salesforce
concludes the user session was hijacked.
SEE ALSO:
Platform Events Developer Guide: SessionHijackingEvent
Credential Stuffing
Credential stuffing is a type of cyber attack that uses stolen account credentials. It’s also known as “password spraying” or “credential spills”. Attackers obtain large numbers of usernames and passwords through data breaches or other types of cyber attacks. They then use these credentials to gain unauthorized access to user accounts through large-scale automated login requests against a web application such as Salesforce.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Salesforce identifies a credential stuffing attack using a two-step process. First, it detects if a credential stuffing attack is taking place by analyzing the login traffic. In particular, we look for attackers who stuff multiple credentials in the same end-point or stuff the same user accounts by enumerating multiple passwords. Next we check the ratio of successful versus failed login traffic volume. If the volume exceeds a certain threshold, we use more fingerprint details to identify the affected user’s profile.
When we detect a successful login from an endpoint that exhibits credential stuffing behavior, we pose an identity challenge to the affected user. If the user successfully completes that challenge, they are required to change their password before accessing Salesforce again.
All Salesforce customers get this threat mitigation. However, Event Monitoring customers can get granular visibility into these attacks
using the CredentialStuffingEvent object. These customers can then collect useful information related to these events in real time and
send notifications to other users in Salesforce.
For example, say that your org receives a CredentialStuffingEvent. The first thing you do is look at relevant fields of the event to get basic
information about the attack, such as:
• UserId: The user’s unique ID. Use this ID to query LoginEvent for more login information.
• EventDate: When this attack occurred.
• Summary: A text summary of the event.
See the API documentation for the full list of fields.
This sample SOQL query returns these field values.
SELECT UserId, EventDate, Summary FROM CredentialStuffingEventStore
You can use this type of query to identify the users in your org that were affected by the credential stuffing attack. These users reused
their org password in other web sites or their password follows a common pattern and is not strong enough. Educate your users on how
they can create and manage strong passwords to protect your org.
Also consider improving your security with password protection. You can set password history, length, and complexity requirements.
You can also specify what to do when a user forgets the password. Salesforce requires the use of multi-factor authentication (MFA) for
all logins to the user interface — make sure MFA is enabled for all your users. Finally, investigate enabling Lightning Login for password-free
logins.
SEE ALSO:
Salesforce Help: Enable Lightning Login for Password-Free Logins
Trailhead: Educate Your Users to Help Protect Your Org
Salesforce Security Guide: Set Password Policies
Platform Events Developer Guide: CredentialStuffingEvent
Report Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in Salesforce Core application logs about report generation and surrounding activities to build a baseline model of the historical activity. We then compare any new report generation activity against this baseline to determine if the new activity is sufficiently different to be called an anomaly. We don't look at the actual data that a user interacts with—we look at how the user interacts with the data.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Training and Inference Steps
Similar to other machine learning or statistical models, our detection model has a familiar two-step process: a training step and an inference or detection step. As a customer, you don't perform either of these steps—Salesforce performs them for you. You only review the detection events generated by our detection model and take further action if necessary.
Investigate Report Anomalies
It's often necessary to further investigate a report anomaly to either rule it out as benign or to
determine if a data breach occurred.
Best Practices for Investigating Report Anomalies
Keep these tips and best practices in mind when you investigate unusual user behavior. They can help you find the information you
require to make a well informed conclusion about your data’s safety.
Anomaly Score
We assign a numerical anomaly score to every report generation activity based on how different the activity is compared to the user’s
typical activity. The anomaly score is always a number from 0 through 100, and is often expressed as a percentage. A low anomaly score
indicates that the user's report generation activity is similar to the user's typical activity. A high anomaly score indicates that the user's
report generation activity is different from the user's typical activity.
Critical Threshold
Every report generation event is assigned an anomaly score, but not all generation events are anomalies. We use a threshold to determine
which report generation events are sufficiently different from a user’s typical activity. Any event with an anomaly score above the critical
threshold is considered an anomaly.
Let’s look at the SecurityEventData field a bit more closely because it contains the contributing factors that triggered this
anomaly detection. Here’s sample data:
[
  {
    "featureName": "rowCount",
    "featureValue": "1937568",
    "featureContribution": "95.00 %"
  },
  {
    "featureName": "autonomousSystem",
    "featureValue": "Bigleaf Networks, Inc.",
    "featureContribution": "1.62 %"
  },
  {
    "featureName": "dayOfWeek",
    "featureValue": "Sunday",
    "featureContribution": "1.42 %"
  },
  {
    "featureName": "userAgent",
    "featureValue": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36}",
    "featureContribution": "1.21 %"
  },
  {
    "featureName": "periodOfDay",
    "featureValue": "Evening",
    "featureContribution": ".09 %"
  },
  {
    "featureName": "averageRowSize",
    "featureValue": "744",
    "featureContribution": "0.08 %"
  },
  {
    "featureName": "screenResolution",
    "featureValue": "900x1440",
    "featureContribution": "0.07 %"
  }
]
The feature that contributed the most (95.00%) to this anomaly detection was rowCount with a value of 1937568. The feature indicates
that the user viewed or exported a report that had 1,937,568 rows. But based on historical data, the user rarely views or exports so much
data. The other features contributed much less to the score. For example, the user executed the report on Sunday, but this feature
contributed only 1.42% to the overall score.
Now that you have the data, you can investigate further.
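The following added example, which is not Salesforce code, ranks the entries of a SecurityEventData value in both shapes shown on this page: previousValue/currentValue for SessionHijackingEvent and featureValue for ReportAnomalyEvent. The sample payloads, the 90% coverage cut-off, and all function names are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples (not real events). Field names follow the page's examples;
# the IP addresses come from the RFC 5737 documentation ranges.
SESSION_HIJACKING_SAMPLE = """
[
  {"featureName": "ipAddress", "featureContribution": "0.23 %",
   "previousValue": "192.0.2.10", "currentValue": "198.51.100.7"},
  {"featureName": "userAgent", "featureContribution": "0.45 %",
   "previousValue": "Mozilla/5.0 (Windows NT 10.0)", "currentValue": "Mozilla/5.0 (Macintosh)"},
  {"featureName": "platform", "featureContribution": "0.23 %",
   "previousValue": "Win32", "currentValue": "MacIntel"},
  {"featureName": "window", "featureContribution": "0.17 %",
   "previousValue": "1363x1717", "currentValue": "800x1200"}
]
"""
REPORT_ANOMALY_SAMPLE = """
[
  {"featureName": "dayOfWeek", "featureValue": "Sunday", "featureContribution": "1.42 %"},
  {"featureName": "rowCount", "featureValue": "1937568", "featureContribution": "95.00 %"},
  {"featureName": "periodOfDay", "featureValue": "Evening", "featureContribution": ".09 %"},
  {"featureName": "autonomousSystem", "featureValue": "Example ISP", "featureContribution": "1.62 %"}
]
"""


@dataclass
class Feature:
    name: str
    contribution: float              # percent, e.g. 95.0
    value: Optional[str] = None      # anomaly-event shape ("featureValue")
    previous: Optional[str] = None   # session-hijacking shape ("previousValue")
    current: Optional[str] = None    # session-hijacking shape ("currentValue")


def parse_contribution(text) -> float:
    """Turn '95.00 %', '0.45 %' or '.09 %' into a float number of percent."""
    cleaned = str(text).replace("%", "").strip()
    try:
        number = float(cleaned)
    except ValueError:
        raise ValueError(f"unparseable featureContribution: {text!r}") from None
    if not 0.0 <= number <= 100.0:
        raise ValueError(f"featureContribution out of range: {text!r}")
    return number


def load_features(raw: Optional[str]) -> List[Feature]:
    """Parse a SecurityEventData string; return features, highest contribution first."""
    if not raw or not raw.strip():
        return []
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("SecurityEventData must be a JSON array")
    features = []
    for entry in entries:
        if not isinstance(entry, dict) or "featureName" not in entry \
                or "featureContribution" not in entry:
            raise ValueError(f"incomplete feature entry: {entry!r}")
        features.append(Feature(
            name=entry["featureName"],
            contribution=parse_contribution(entry["featureContribution"]),
            value=entry.get("featureValue"),
            previous=entry.get("previousValue"),
            current=entry.get("currentValue"),
        ))
    # Stable sort: features with equal contribution keep their input order.
    features.sort(key=lambda f: -f.contribution)
    return features


def top_contributors(features: List[Feature], share: float = 0.9) -> List[Feature]:
    """Smallest ranked prefix that covers `share` of the summed contributions."""
    ranked = sorted(features, key=lambda f: -f.contribution)
    total = sum(f.contribution for f in ranked)
    if total <= 0:
        return []
    selected, running = [], 0.0
    for feature in ranked:
        selected.append(feature)
        running += feature.contribution
        if running >= share * total:
            break
    return selected


def changed_fields(features: List[Feature]) -> List[str]:
    """Names of fingerprint features whose value differs between the two fingerprints."""
    return [f.name for f in features
            if f.previous is not None and f.previous != f.current]


def triage(raw: Optional[str], share: float = 0.9) -> dict:
    """Summary an analyst can read first: ranking, dominant factors, changed fields."""
    features = load_features(raw)
    top = top_contributors(features, share)
    return {
        "ranked": [f.name for f in features],
        "top": [f.name for f in top],
        "single_dominant_feature": len(top) == 1 and len(features) > 1,
        "changed": changed_fields(features),
    }


if __name__ == "__main__":
    print(triage(REPORT_ANOMALY_SAMPLE))
    print(triage(SESSION_HIJACKING_SAMPLE))
```

A single dominant feature, as in the report sample, tells you where to start in the ReportEvent history; a spread of changed fingerprint fields, as in the session sample, points to a different device rather than one altered attribute.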
SEE ALSO:
Training and Inference Steps
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
Field: ReportAnomalyEvent.EventDate
Use contributing factors as a guide.
The contributing factors JSON output shows the list of features in descending order of contribution. As you start your
investigation into the event logs, keep an eye out for the top contributing features. If these features look unusual, they can provide
more evidence that confirms the anomaly or even indicate a possible data breach.
Field: ReportAnomalyEvent.SecurityEventData
Consider the anomaly in the context of the user's typical behavior.
Using the ReportAnomalyEvent field values, try to determine whether the user activity within the detection event is typical for the
user. For example, consider if it's typical for a user to generate a report from the IP address provided.
Field: ReportAnomalyEvent.SourceIp
Consider the size of the report.
We consider the size of the report to determine if the report generation was anomalous. A user generating a larger report than usual
can indicate an unauthorized data export attempt. For example, an attacker who obtained unauthorized access to the user's account might
exfiltrate as much data as possible before losing access. Alternatively, it could mean that a disgruntled employee is exfiltrating data
for use beyond the needs of the employer.
Field: ReportAnomalyEvent.SecurityEventData (specifically the rowCount feature name)
Not all anomalies are malicious.
While some anomalies can indicate a malicious intent, other anomalies can be legitimate but unusual. Our detection model can
produce detection events that are unusual but not malicious. For example, if an employee gets promoted to a new role and starts
generating larger reports, our model can flag this behavior as anomalous.
SEE ALSO:
Training and Inference Steps
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
Report 00OD0000001leVCMAY
dayOfWeek 0 25.6%
numberColumns 12 12.5%
numberFilters 11 1.04%
Alia notices that this report had approximately 17k rows generated on a Sunday. She decides to investigate further. Using the UserId
field value, Alia identifies Jason as the user. She then looks through Jason’s past report generation activity using the ReportEvent event.
She notices that Jason, a sales data analyst, generates reports of varying sizes, ranging from just a handful of rows to 20k rows. Alia also
notices that Jason often accompanies his manager on road shows, which often involves working Sundays and nights.
Alia concludes that this detection event wasn’t anomalous because the report generation activity is well within Jason's typical activity.
SEE ALSO:
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
userAgent - 30.23%
browserCodecs - 2.33%
acceptedLanguages - 2.19%
Tony notices that the rowCount feature is a bit high for their org. The second-ranking feature is userAgent with a feature contribution
of around 30%. This percentage indicates that this user agent is not common for their org. Tony investigates further and finds Rob with
the UserId field. Tony notices that Rob is a relatively new employee. By looking at the ReportEvent events, Tony notices that Rob
occasionally generates reports of 46k rows. Because Rob is a relatively new employee, Tony can’t be certain whether this report matches
Rob’s typical activity pattern.
Tony concludes that this detection is possibly anomalous, although he doesn’t take any threat mitigation actions now.
SEE ALSO:
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
Report 00OD0000001leVCMAY
userAgent - 9.9%
numberFilters 11 0.81%
Bob notices that the autonomous system—derived from the IP address—is the top-ranked feature with 73.4% feature contribution.
This percentage indicates that Alice rarely uses this autonomous system. Bob also notices that the report has around 50k rows, which is
not small for this org. Bob then uses the UserId to identify the user as Alice. By looking at the ReportEvent events, Bob notices that Alice
typically generates reports containing 1,000–10,000 rows. But on rare occasions, Alice generated reports with more than 50k rows. The
userAgent has a smaller feature contribution, which could be attributed to Alice using her mobile device less when she travels. The
numberFilters and periodOfDay features have small feature contributions, and are therefore not important.
Because Alice rarely uses this autonomous system and the report is bigger than what Alice typically generates, Bob concludes that this
report falls outside of typical activity. However, Bob is unable to verify whether Alice or an attacker committed this malicious act. He
attempts to get more information on this incident before pursuing any threat mitigation actions.
SEE ALSO:
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
UserId 00530000009M943
Report 00OD0000001leVCMAY
userAgent - 0.02%
Kate starts an investigation to dig deeper. She uses the UserId to determine that the report was downloaded using John’s account. She
then searches the ReportEvent events for John and notices that he generates weekly reports, but they contain only 500–1,000 rows. The
table shows that rowCount contributes nearly 100% to this anomaly. This feature contribution value is a numerical value that indicates
the importance of rowCount in flagging this report generation activity as an anomaly. Because John has a consistent history of generating
small reports (500–1,000 rows), a report with a million rows is a noticeable departure from that trend. This fact generates the high feature
contribution value.
Upon further investigation, Kate discovers that John’s account was hacked and the attacker escalated John’s access privileges to access
data for the entire sales team. As a result, the report contained sales leads for the entire sales team instead of only the sales leads assigned
to John.
Kate concludes that this detection event is malicious and takes further threat mitigation actions.
SEE ALSO:
Platform Events Developer Guide: ReportAnomalyEvent
Platform Events Developer Guide: ReportEvent
API Anomaly
An anomaly is any user activity that is sufficiently different from the historical activity of the same user. We use the metadata in Salesforce Core application logs about API generation and surrounding activities to build a baseline model of the historical activity. We then compare any new API generation activity against this baseline to determine if the new activity is sufficiently different to be called an anomaly. We don't look at the actual data that a user interacts with—we look at how the user interacts with the data.
EDITIONS
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
Training and Inference Steps
Similar to other machine learning or statistical models, our detection model has a familiar two-step process: a training step and an inference or detection step. As a customer, you don't perform either of these steps—Salesforce performs them for you. You only review the detection events generated by our detection model and take further action if necessary.
Investigate API Request Anomalies
It's often necessary to further investigate an API request anomaly to either determine if a data
breach occurred or to rule it out as benign.
Best Practices for Investigating API Request Anomalies
Keep these tips and best practices in mind when you investigate unusual user behavior. Find the information you require to make
a well-informed evaluation of your data’s safety.
API Request Anomaly Detection Examples
Here are several examples that illustrate how you can investigate anomalous API request events thoroughly.
Anomaly Score
We assign a numerical anomaly score to every report generation activity based on how different the activity is compared to the user’s
typical activity. The anomaly score is always a number from 0 through 100, and is often expressed as a percentage. A low anomaly score
indicates that the user's report generation activity is similar to the user's typical activity. A high anomaly score indicates that the user's
report generation activity is different from the user's typical activity.
Critical Threshold
Every report generation event is assigned an anomaly score, but not all generation events are anomalies. We use a threshold to determine
which report generation events are sufficiently different from a user’s typical activity. Any event with an anomaly score above the critical
threshold is considered an anomaly.
• LoginEventStream (and its storage equivalent LoginEvent) track all login activity in your org.
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
For example, say that your org receives an ApiAnomalyEvent that indicates a potential anomaly in a user’s API calls. The first thing you do is look at relevant fields of the event to get basic information about the anomaly, such as:
• Score: A number that represents how much this user’s API activity differed from their usual
activity. The higher the number, the more it diverged.
• UserId: The user’s unique ID.
• EventDate: The time that the API request occurred.
• SecurityEventData: JSON field that contains the features, such as row count or day of the week, that contributed the most
to this anomaly detection. See this table on page 1148 for the full list of possible features.
• Summary: A text summary of the event.
See the API documentation for the full list of fields.
This sample SOQL query returns these field values.
SELECT Score, UserId, EventDate, SecurityEventData, Summary
FROM ApiAnomalyEventStore
Let’s look at the SecurityEventData field a bit more closely because it contains the contributing factors that triggered this
anomaly detection. Here’s sample data:
[
{
"featureName": "rowCount",
"featureValue": "1937568",
"featureContribution": "95.00 %"
},
{
"featureName": "autonomousSystem",
"featureValue": "Bigleaf Networks, Inc.",
The feature that contributed the most (95.00%) to this anomaly detection was rowCount with a value of 1937568. The feature indicates
that the user viewed or exported a report that had 1,937,568 rows. But based on historical data, the user rarely views or exports so much
data. The other features contributed much less to the score. For example, the user executed the report on Sunday, but this feature
contributed only 1.42% to the overall score.
Now that you have the data, you can investigate further.
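One way to turn the SecurityEventData field into a ranked list for triage, as an added example rather than Salesforce code. The field and feature names come from the text above; the records, the user IDs and the dominant_pct cut-off are constructed assumptions.

```python
import json
import re

# Accepts "95.00 %", "95%" and "95" (the sample above has a space before the % sign).
_PCT = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*%?\s*$")


def parse_contribution(text):
    """Convert a featureContribution string such as '95.00 %' to a float."""
    match = _PCT.match(str(text))
    if not match:
        raise ValueError(f"unrecognised featureContribution: {text!r}")
    return float(match.group(1))


def rank_features(security_event_data):
    """Return [(name, value, pct), ...] sorted by contribution, highest first.

    Accepts the raw JSON string or an already-decoded list. Entries without a
    name or with an unparseable contribution are skipped, so one bad entry
    does not hide the rest of the evidence. Undecodable input yields [].
    """
    if not security_event_data:
        return []
    entries = security_event_data
    if isinstance(entries, str):
        try:
            entries = json.loads(entries)
        except json.JSONDecodeError:
            return []
    if not isinstance(entries, list):
        return []
    ranked = []
    for entry in entries:
        if not isinstance(entry, dict) or "featureName" not in entry:
            continue
        try:
            pct = parse_contribution(entry.get("featureContribution"))
        except ValueError:
            continue
        ranked.append((entry["featureName"], entry.get("featureValue"), pct))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked


def triage(event, dominant_pct=50.0):
    """Summarise one ApiAnomalyEventStore row for an analyst.

    dominant_pct is a hypothetical cut-off: at or above it, one feature
    explains most of the score and is the first thing to check against the
    user's history.
    """
    ranked = rank_features(event.get("SecurityEventData"))
    top = ranked[0] if ranked else None
    return {
        "user_id": event.get("UserId"),
        "score": event.get("Score"),
        "event_date": event.get("EventDate"),
        "top_feature": top[0] if top else None,
        "top_value": top[1] if top else None,
        "top_pct": top[2] if top else None,
        "single_feature_dominates": bool(top and top[2] >= dominant_pct),
        "ranked": ranked,
    }


# Constructed rows shaped like the SOQL result above. All values are made up.
SAMPLE_EVENTS = [
    {"Score": 96.2, "UserId": "005000000000001", "EventDate": "2023-08-13T02:14:00Z",
     "SecurityEventData": json.dumps([
         {"featureName": "dayOfWeek", "featureValue": "Sunday", "featureContribution": "1.42 %"},
         {"featureName": "rowCount", "featureValue": "1937568", "featureContribution": "95.00 %"},
         {"featureName": "autonomousSystem", "featureValue": "Bigleaf Networks, Inc.",
          "featureContribution": "1.62 %"},
     ])},
    {"Score": 81.0, "UserId": "005000000000002", "EventDate": "2023-08-14T09:30:00Z",
     "SecurityEventData": json.dumps([
         {"featureName": "userAgent", "featureValue": "constructed-agent", "featureContribution": "30.0%"},
         {"featureName": "rowCount", "featureValue": "50000", "featureContribution": "38.0 %"},
         {"featureName": "periodOfDay", "featureValue": "night", "featureContribution": "n/a"},
     ])},
    # Truncated JSON, as can happen when a field is cut off in an export.
    {"Score": 77.5, "UserId": "005000000000003", "EventDate": "2023-08-15T11:00:00Z",
     "SecurityEventData": '[{"featureName": "rowCount", '},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = triage(event)
        print(result["user_id"], result["score"], result["top_feature"],
              result["top_pct"], result["single_feature_dominates"])
```

A row whose SecurityEventData cannot be decoded still produces a summary with an empty ranking, so it stays visible in the review queue instead of raising an exception.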
SEE ALSO:
Platform Events Developer Guide: ApiAnomalyEvent
Platform Events Developer Guide: ApiEvent
Alia, the Salesforce admin, notices that 10,000 records were retrieved from an Account object on a Sunday. She investigates further.
Using the UserId field value, Alia identifies Jason as the user. She then looks through Jason’s past activity. She notices that Jason, a
developer, retrieves records of varying amounts, ranging from just a handful to 20,000 records. Alia also notices in the dayOfWeek
and periodOfDay features that Jason often works Sundays and nights.
Alia concludes that this detection event wasn’t anomalous because the activity is well within Jason's typical activity.
SEE ALSO:
Platform Events Developer Guide: ApiAnomalyEvent
Platform Events Developer Guide: ApiEvent
Tony, the security auditor, notices that the rowCount feature is a bit high for their Salesforce org. The second-ranking feature is
userAgent with a feature contribution of close to 30%. This percentage indicates that this user agent, or browser, isn’t common for
their org. Tony finds Rob with the UserId field. Tony notices that Rob is a relatively new employee. By looking at the <need field or
feature name> events, Tony notices that Rob used a different browser and IP address in the past. Because Rob is a relatively new employee,
Tony can’t be certain whether this report matches Rob’s typical activity pattern.
Tony concludes that this detection is possibly anomalous.
SEE ALSO:
Platform Events Developer Guide: ApiAnomalyEvent
Platform Events Developer Guide: ApiEvent
Bob, the Salesforce admin, notices that the autonomous system—derived from the IP address—is the top-ranked feature with 73.4%
feature contribution. This percentage indicates that Alice rarely uses this autonomous system. Bob also notices that the rowCount
has around 50,000 rows, which isn’t small for this org. Bob then uses the UserId to identify the user as Alice. By looking at the <need
event name here> events, Bob notices that Alice typically generates reports containing 1,000–10,000 rows. But on rare occasions, Alice
generated reports with more than 50,000 rows. The userAgent has a smaller feature contribution, which could be attributed to Alice
using her mobile device less when she travels. The numberFilters and periodOfDay features have small feature contributions, and are
therefore not important.
Because Alice rarely uses this autonomous system and the report is larger than reports Alice typically generates, Bob concludes that this
report falls outside of typical activity. But Bob is unable to verify whether Alice or an attacker committed this malicious act. He attempts
to get more information on this incident.
SEE ALSO:
Platform Events Developer Guide: ApiAnomalyEvent
Platform Events Developer Guide: ApiEvent
Kate, the security auditor, starts an investigation. She uses the UserId to determine that Alan’s account was used to query the
Opportunity object. She then searches the events for Alan and notices that he’s never queried the Opportunity object. The table shows
that rowCount contributes nearly 100% to this anomaly. This feature contribution value is a numerical value that indicates the
importance of rowCount in flagging this report generation activity as an anomaly. Because Alan has no history of generating small
reports (500–1,000 rows), a report with a million rows is a noticeable departure from that trend. This fact generates the high feature
contribution value.
Kate next discovers that Alan’s account was hacked and the attacker escalated Alan’s access privileges to access data for the entire sales
team. As a result, the records contain sales leads for the entire sales team instead of only the sales leads assigned to Alan.
Kate concludes that this detection event is malicious.
SEE ALSO:
Platform Events Developer Guide: ApiAnomalyEvent
Platform Events Developer Guide: ApiEvent
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
USER PERMISSIONS
User Permissions Needed
To view the Threat Detection events: View Threat Detection Events
2. Create a permission set that’s associated with the Salesforce license.
3. Edit the System Permissions page of your permission set and enable the View Threat Detection Events permission.
4. Assign the permission set to the user who administers the Threat Detection app.
Salesforce recommends that you create a profile specifically for security administrators who are responsible for managing threat detections. For example, create a profile called Threat Detection Administrator. Then assign the permission set to a user with the Threat Detection Administrator profile.
5. Edit the Tab Settings of each user profile that uses the Threat Detection app and specify the visibility of the four tabs. The four tabs are named Report Anomaly Event Store, Session Hijacking Event Store, Credential Stuffing Event Store, and Threat Detection Feedback.
For example, system administrators usually access everything in the UI, so set the visibility of all four tabs to Default On for the System Administrator profile. If you created a Threat Detection Administrator profile, set the same visibility. If you don’t want standard users to view feedback, set the visibility of Threat Detection Feedback for the Standard User profile to Tab Hidden.
6. In Setup, navigate to the Lightning Experience App Manager by entering App Manager in the quick search box.
7. Edit the Threat Detection app by selecting Edit in the dropdown box to the right of the app.
8. In the Assign to Profiles section, select the profiles for which the Threat Detection app is visible.
SEE ALSO:
Salesforce Help: Monitor Streaming Events with Event Manager
Salesforce Help: Permission Sets
Salesforce Help: App and System Settings in Permission Sets
Salesforce Help: View and Edit Tab Settings in Permission Sets and Profiles
USER PERMISSIONS
4. Click Provide Feedback to specify whether a specific detected threat is Malicious, Suspicious, Not a Threat, or Unknown.
You can associate only one feedback object with each event. If you try to provide more than one feedback object, you get an error.
If the severity of a threat changes after you provided feedback, edit the response.
SEE ALSO:
Platform Events Developer Guide: Real-Time Event Monitoring Objects
Set Up and Maintain Your Salesforce Organization Configure Remote Site Settings
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Visualforce and S-controls aren’t available in Database.com
USER PERMISSIONS
To configure remote settings: Customize Application or Modify All Data
For security reasons, Salesforce restricts the outbound ports you can specify to one of the following:
• 80: This port only accepts HTTP connections.
• 443: This port only accepts HTTPS connections.
• 1024–65535 (inclusive): These ports accept HTTP or HTTPS connections.
To register a new site:
1. Click New Remote Site.
2. Enter a descriptive term for the Remote Site Name.
3. Enter the URL for the remote site.
4. To allow access to the remote site regardless of whether the user’s connection is over HTTP or HTTPS, select the Disable Protocol Security checkbox. When selected, Salesforce can pass data from an HTTPS session to an HTTP session, and vice versa. Only select this checkbox if you understand the security implications.
Tip: For best performance, verify that your remote HTTPS encrypted sites have OCSP (Online Certificate Status Protocol) stapling
turned on.
SEE ALSO:
Manage CSP Trusted Sites
Named Credentials
A named credential specifies the URL of a callout endpoint and its required authentication parameters in one definition. To simplify the setup of authenticated callouts, specify a named credential as the callout endpoint.
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
Available in: All Editions
Important: In Winter ’23, Salesforce introduced an improved named credential that is extensible and customizable. We strongly recommend that you use this preferred credential instead of legacy named credentials. For information on extensible, customizable named credentials, see Named Credentials and External Credentials. Legacy named credentials are deprecated and will be discontinued in a future release.
Salesforce manages all authentication for callouts that specify a named credential as the callout endpoint. You can also skip remote site
settings, which are otherwise required for callouts to external sites, for the site defined in the named credential.
Note: All credentials stored by this feature set are encrypted under a framework that’s consistent with other encryption frameworks
on the platform. Salesforce encrypts your credentials by auto-creating org-specific keys.
Set Up and Maintain Your Salesforce Organization Named Credentials
callout:My_Named_Credential/some_path?format=json
Note: If you’re transmitting sensitive information such as healthcare data or credit card data, use authenticated named credentials.
We recommend that customers provide their own certificates for extra security of sensitive data transmissions.
Named Credentials
A named credential is a logical entity that can be thought of as a named connection to an external system. With named credentials,
there’s no need to embed a physical URL into Apex code and manage authentication tokens in unencrypted data stores. Instead, a
variable in the code allows an administrator to provision the physical endpoint at deployment time and manage user credentials in the
organization’s encrypted credential store. The named credential URL is resolved at runtime to the configured physical endpoint along
with the credentials for the authorized user performing the callout.
Named credentials support different types, with a default of Secure Endpoint. Advanced use cases can benefit from storing custom
parameters, which are also supported. A parameter is essentially a name-value pair to capture arbitrary metadata, and the parameter
values are stored securely. See the API documentation for more details.
The named credential type can be one of the following.
SecuredEndpoint
The named credential includes an endpoint’s transport protocol as secured through transport layer security (TLS).
PrivateEndpoint
The named credential sends traffic through a private connection, bypassing the public internet.
Legacy
A legacy named credential specifies the URL of a callout endpoint and its required authentication parameters in one definition.
Important: Legacy named credentials are deprecated and will be discontinued in a future release.
A named credential can be customized. For example, you can define HTTP headers with Salesforce formula functions to tailor header
values to the calling user context or substitute formula function variables in the request body.
External Credentials
Security policies often mandate that authentication details change on a rotating basis. An external credential encapsulates the details
of how Salesforce authenticates to a remote system. By externalizing authentication information from the code, developers aren’t required
to change these details to stay compliant with such policies.
Hyperscale cloud infrastructure providers often host many different systems, and a single set of credentials can be used to access multiple
named systems. A named credential holds a reference to an external credential, and multiple named credentials can benefit from sharing
a single external credential. For example, a Salesforce integration can access the APIs for Google Drive and Google Calendar with the
same credentials.
Authentication protocols such as OAuth or AWS Signature v4 specify how to authenticate with an external system. For example, they
can specify how access keys are exchanged or how to refresh expired access keys. The protocol specifies implementation details handled
by the platform, such as how keys are exchanged and when they’re refreshed. Authentication parameters are captured as external
credential name-value pairs. See the API documentation for authentication of protocol-specific parameters.
Tip: To apply credential permissions to the largest number of users, link a permission set to a principal and add the permission
set to a permission set group.
Tokens are encrypted and stored in a user external credential object. Any user performing an authenticated callout needs profile- or
permission set-based access to user external credentials.
Custom Headers
Custom headers are a way for a remote system to define parameters it needs as input to respond to a request. See Custom Headers for
Credentials.
SEE ALSO:
Connect REST API Developer Guide: Named Credentials Resources
Apex Reference Guide: NamedCredentials Class
Apex Developer Guide: Invoking Callouts Using Apex
4. Authorize user external credentials. Authorize one time for each permission set or user.
5. In a named credential, link to the external credential you created.
Label A user-friendly name for the external credential that’s displayed in the
Salesforce user interface, such as in list views.
Name A unique identifier that’s used to refer to this external credential from
callout definitions and through the API.
The name can contain only underscores and alphanumeric characters.
It must be unique, begin with a letter, not include spaces, not end
with an underscore, and not contain two consecutive underscores.
Authentication Flow Type Select either Browser Flow or JWT Bearer Flow. See Authentication
Protocols for Named Credentials for information on these variants.
Scope Optional. Specifies the scope of permissions to request for the access
token. Your authentication provider determines the allowed values.
See OAuth Tokens and Scopes and Use the Scope Parameter.
A scope declared here is a credential-level scope that applies to all
callouts that use this credential. For instance, you can create a scope
to specify that all callouts using this credential request have offline
access. You can also specify principal-level scopes, which apply only
per principal, when creating principals. For example, create a
principal-level scope to request access by role. See Create Principals
for OAuth.
• The value that you enter replaces the Default Scopes value
that’s defined in the specified authentication provider.
• A scope can affect whether each OAuth flow prompts the user
with a consent screen.
• We recommend that you request a refresh token or offline access.
Otherwise, when the token expires, you lose access to the external
system.
Field Description
Authentication Provider Choose the provider. See Authentication Providers.
5. If you chose JWT Bearer Flow as the Authentication Flow Type, complete these fields:
Field Description
Identity Provider URL The URL of the identity provider to send the JWT (JSON Web
Token) to in exchange for an OAuth 2.0 token.
JWT Expiration (Seconds) How long the JWT token should last. Defaults to 120 seconds.
6. Save the external credential. You’re taken to the Named Credentials screen.
Field Description
Parameter Name Enter a name for the principal, such as Admin or Marketing Group.
Sequence Number Assign a sequence number. A sequence number specifies the order of principals to apply when
a user participates in more than one principal. For example, a user could be part of multiple
permission sets that are applicable for a credential provider. Priority is from lower to higher
numbers.
Field Description
Scope Optional. Enter a principal-level scope.
This scope is in addition to the optional credential-level scope. You can use it to provide access
parameters on a per-principal basis. For example, the credential-level scope can specify offline
token access, while the principal-level scope can specify access for users with certain roles, such
as Marketing or System Administrator.
Credential-level and principal-level scopes are concatenated together in callouts and sent as a
space-separated list. These scopes overwrite an authentication provider’s default scopes, if the
appended list is non-null.
This example uses a principal-level scope to link a group of authenticated users to roles on an
external site. The scope is session:role:<role>. If a user has Sales or Service in their
department name, the scope is set as session:role:Sales or
session:role:Service.
{!IF(OR(CONTAINS($User.Department, "Sales"),
CONTAINS($User.Department, "Service")), "session:role:" +
$User.Department, "")}
Note: This table doesn’t apply to legacy named credentials. For legacy named credentials, see Define a Legacy Named Credential.
Table 13: OAuth 2.0 Default JWT Claims for Named Credentials

Claim Name: alg
Description: The algorithm used to sign the token.
Notes: Default is RS256, an asymmetric algorithm that uses a private/public pair. Added automatically on external credential creation. Not editable.

Claim Name: aud
Description: (Audience) Recipient for whom the token is intended.
Notes: Added when claims are edited. Editable through the JWT Claims panel on the editable credential.

Claim Name: exp
Description: (Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
Notes: Set on external credential creation through the Expiration field. If no expiration number is provided, a default of two minutes in the future is set.

Claim Name: iat
Description: (Issued At Time): Time at which the token was issued. Can be used to determine age of the token. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
Notes: Added automatically on external credential creation. Not editable.

Claim Name: iss
Description: Issuer of the token.
Notes: Added when claims are edited. Editable through the JWT Claims panel on the editable credential.

Claim Name: kid
Description: (Key ID) Used to match a specific key.
Notes: Added automatically on external credential creation. Editable through the JWT Claims panel on the editable credential.

Claim Name: nbf
Description: (Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds.
Notes: Added automatically on external credential creation. Not editable.

Claim Name: sub
Description: Subject of the token (the user). The subject is a string when the identity type is named principal, and it’s a formula when the identity type is per user.
Notes: Added when claims are edited. Editable through the JWT Claims panel on the editable credential.
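How the system that receives a JWT Bearer Flow token could check the claims in this table, as an added example that is not Salesforce code. It assumes the signature was already verified by a JOSE library using the key that kid names; the issuer, audience, 30-second clock skew and the sample token are constructed, and max_lifetime mirrors the 120-second default stated on this page.

```python
import base64
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Compact JWS drops the base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Split a compact JWS into (header, claims). Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def _numeric_date(claims, name, problems, required=False):
    """Fetch a NumericDate claim (seconds since 1970-01-01T00:00:00Z) or record why not."""
    value = claims.get(name)
    if value is None:
        if required:
            problems.append(f"{name} is missing")
        return None
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        problems.append(f"{name} is not a NumericDate")
        return None
    return value


def check_claims(header, claims, *, expected_iss, expected_aud,
                 now=None, max_lifetime=120, skew=30):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append("alg is not RS256")
    exp = _numeric_date(claims, "exp", problems, required=True)
    iat = _numeric_date(claims, "iat", problems)
    nbf = _numeric_date(claims, "nbf", problems)
    if exp is not None and now >= exp + skew:
        problems.append("token expired")
    if nbf is not None and now + skew < nbf:
        problems.append("token not yet valid")
    if iat is not None and iat > now + skew:
        problems.append("iat is in the future")
    if exp is not None and iat is not None and exp - iat > max_lifetime:
        problems.append("lifetime exceeds max_lifetime")
    if claims.get("iss") != expected_iss:
        problems.append("unexpected iss")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("unexpected aud")
    if not claims.get("sub"):
        problems.append("sub is missing")
    return problems


def make_sample_token(header, claims):
    """Build a constructed token; the third segment is a placeholder, not a signature."""
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder"]
    return ".".join(b64url_encode(segment) for segment in segments)


# Constructed sample values.
T0 = 1_700_000_000
SAMPLE_HEADER = {"alg": "RS256", "kid": "constructed-key-1"}
SAMPLE_CLAIMS = {"iss": "constructed-issuer", "aud": "https://idp.example.com/token",
                 "sub": "integration.user@example.com",
                 "iat": T0, "nbf": T0, "exp": T0 + 120}

if __name__ == "__main__":
    header, claims = decode_unverified(make_sample_token(SAMPLE_HEADER, SAMPLE_CLAIMS))
    for at in (T0 + 60, T0 + 200):
        print(at - T0, check_claims(header, claims, expected_iss="constructed-issuer",
                                    expected_aud="https://idp.example.com/token", now=at))
```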
6. Optionally, modify the value of the kid claim. You can also delete this claim.
7. Optionally, add a custom claim of your own. Provide a name, description, and value for the claim, and select either JWT Body Claim
or JWT Header Claim as the type.
8. Save the edited claims.
Congratulations—you’ve finished the main steps in creating an OAuth external credential. See Additional Tasks for External Credentials
for a few more jobs to complete.
Label A user-friendly name for the external credential that’s displayed in the
Salesforce user interface, such as in list views.
Name A unique identifier that’s used to refer to this external credential from
callout definitions and through the API.
The name can contain only underscores and alphanumeric characters.
It must be unique, begin with a letter, not include spaces, not end
with an underscore, and not contain two consecutive underscores.
Field Description
Authentication Protocol Choose AWS Signature 4.
AWS Account ID Optional. The 12-digit number that uniquely identifies your AWS account.
Obtain Temporary IAM Credentials via STS Optional. If you want to use STS, pick one of these credential types:
• IAM User Identified by Access Key
• Roles Anywhere (Assume an IAM Role via Certificate)
See Authentication Protocols for Named Credentials for information on these variants.
If you’re using Amazon API Gateway, configure the Gateway Response for Expired Token so that
it returns a 400 or 401 HTTP code. Salesforce then can refresh the token when it expires. A 403
code doesn’t cause a token refresh because it’s reserved for scenarios where the token is valid
but the caller doesn’t have access to the resource.
5. If you selected Obtain Temporary IAM Credentials via STS, complete fields for the corresponding credential type.
a. For the IAM User Identified by Access Key credential type:
Field Description
STS Access Key The access key ID for the AWS access key.
STS Access Secret The access secret for the AWS access key.
STS External ID The AWS ExternalId value that can be used when
delegating account access to a third party. This value helps
ensure that only a specified third party can access the role.
Using an External ID such as salesforceIntegration-unique_phrase (for example,
salesforceIntegration-abc123) ensures that the server side can identify Salesforce as the client
assuming the IAM Role.
Field Description
Trust Anchor ARN The Amazon Resource Name for the trust anchor. A trust anchor
is either a reference to AWS Private Certificate Authority (AWS
Private CA) or another CA certificate.
Profile ARN The Amazon Resource Name for the Amazon profile. Profiles
are predefined sets of permissions that are applied after
successfully authenticating with Roles Anywhere. Profiles map
to one or more IAM roles.
6. Save the external credential. You’re taken to the Named Credentials screen.
5. Complete the following fields. If you’re using STS, the Access Key and Secret fields are disabled and display the temporary credentials,
if any.
Field Description
Parameter Name Enter a name for the principal, such as Admin or Marketing Group.
Sequence Number Assign a sequence number. A sequence number specifies the order of principals to apply when
a user participates in more than one principal. For example, a user could be part of multiple
permission sets that are applicable for a credential provider. Priority is from lower to higher
numbers.
Access Key Optional. The access key ID for the AWS access key.
Access Secret Optional. The access secret for the AWS access key.
IAM Role ARN Optional. The Amazon Resource Name (ARN) of the role that the credential assumes.
You can’t modify the Principal Name and Identity Type of an existing principal. To change these parameters, delete the principal
and recreate it.
7. Map the principal to a permission set or profile. See Enable External Credential Principals. You can map a principal to multiple
permission sets, permission set groups, or profiles.
Congratulations—you’ve finished the main steps in creating an AWS Signature v4 external credential. See Additional Tasks for External
Credentials for a few more jobs to complete.
Field Description
Label A user-friendly name for the external credential that’s displayed in the Salesforce user interface,
such as in list views.
Name A unique identifier that’s used to refer to this external credential from callout definitions and
through the API.
The name can contain only underscores and alphanumeric characters. It must be unique, begin
with a letter, not include spaces, not end with an underscore, and not contain two consecutive
underscores.
5. Save the external credential. You’re taken to the Named Credentials screen.
When editing an existing principal, not all the fields listed here are modifiable.
Field Description
Parameter Name Enter a name for the principal, such as Admin or Marketing Group.
Sequence Number Assign a sequence number. A sequence number specifies the order of principals to apply when
a user participates in more than one principal. For example, a user could be part of multiple
permission sets that are applicable for a credential provider. Priority is from lower to higher
numbers.
Identity Type This field defaults to Named Principal and can’t be modified.
A named principal applies the same credential or authentication configuration for an entire org.
Authentication Parameters Click Add to add your own Name and Value authentication parameters.
Declaring them here alone doesn’t do anything in a callout, but you can use authentication
parameters as variables in request bodies and headers in Apex, and custom headers in named
and external credentials. For example:
{!$Credential.SampleCustomExternalCredential.myAuthParam}
5. Select one or more external credential principals from the list of available principals. Click the Add arrow to move them into the
Enabled column.
6. Save your changes.
1. From Setup, in the Quick Find box, enter Profiles, and then select Profiles.
2. Click the profile for which you want to enable user external credentials.
3. Scroll to Standard Object Permissions and select User External Credentials.
4. Check the boxes for the user external credential access that you want to give this user profile.
5. Save the settings.
1. From Setup, in the Quick Find box, enter permission sets, and then select Permission Sets.
2. Click the permission set for which you want to enable user external credentials.
3. Under Apps, click Object Settings.
4. Click User External Credentials.
5. Click Edit, and assign the permissions that you want.
6. Save the settings.
You can’t manipulate tokens directly. For example, you can’t read them out or change them. You can, however, access user external
credentials through the ConnectApi interface, just as you would with named credentials and external credentials.
Example: As an example, use deleteCredential to remove a user external credential and its associated tokens when an
employee leaves a company. You provide the developer name of the external credential and the principal name and type associated
with your credentials (the user external credential), and deleteCredential deletes all user external credentials for that
principal.
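// Identify the external credential and the principal whose stored credentials are removed.
String externalCredential = 'SampleExternalCredential';
String principalName = 'Principal';
ConnectApi.CredentialPrincipalType principalType =
    ConnectApi.CredentialPrincipalType.NamedPrincipal;
// Deletes all user external credentials for that principal.
ConnectApi.NamedCredentials.deleteCredential(externalCredential, principalName,
    principalType);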
SEE ALSO:
Apex Reference Guide: NamedCredentials Class
Named Credentials and External Credentials
Custom headers are most often used for security or authentication purposes. The HTTP standard includes a commonly used, dedicated
Authorization header. However, many use cases require something else. Two common use cases are per-user callouts and API keys.
Per-User Callouts
Many systems respond to HTTP requests differently based on which user, or role, makes the request. For example, sometimes an integration
to a company returns a personal phone number, but only if the person whose phone number it is makes that callout request. However,
a calling user in the company’s HR department can see any user’s salary, though the HR role must be specified.
Here’s an example of a per-user callout that uses a custom header to identify the user by their email address.
GET https://example.com/getInfo?personId=my_username%40example.com HTTP/1.1
X-Calling-User: my_username@example.com
As another example, Microsoft offers an enterprise-wide search service and returns different results based on the caller’s identity. (Users
don’t get results they’re not allowed to see.) Salesforce named credentials support this service because administrators can define headers
like X-Calling-User and substitute the value of the user making the callout, for example {!$User.email}. The header is
defined on an external credential in a manner similar to the next example.
Tip: If you’re using a formula in a custom header in an external credential, and you chose Named Principal as your Identity Type,
don’t use $User in the formula.
API Keys
“API key” refers to a programmatic password used in an HTTP request to identify a calling application attempting to access a given API.
API keys have no strict standard, so anyone who builds an API can define their own headers, rules, and so on.
GET https://example.com/api/11a5aea0?count=20 HTTP/1.1
X-API-Key: abc123
X-API-Key is arbitrary, and some vendors use headers like Client-ID. This example, for retrieving a random photograph, uses a
mixture of Client-ID and the standard Authorization header.
GET https://example.com/photos/random HTTP/1.1
Authorization: Client-ID abc123
Here’s what an external credential that uses a custom header with an API key can look like.
• Headers from named credentials are placed before headers from external credentials.
• Headers from named credentials overwrite headers from external credentials if the names duplicate.
• Headers can have duplicate header names if they’re from the same source.
Field: Description
Name: The name of the custom header for this credential.
Value: The value of the header, evaluated as a formula. For more on setting custom header values, see Using API Keys with Named Credentials, Using Basic Authentication with Named Credentials, and Named Credential Formula Functions. If you’re using a formula in a custom header and you’ve chosen Named Principal as your Identity Type, don’t use $User in the formula.
Sequence Number: A number that determines the order in which headers are sent out in the callout. Headers with lower numbers are sent out first.
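The precedence rules and the sequence number described above decide which header value actually leaves the org, so it helps to compute the result before enabling a credential. The following Python model is an added example, not Salesforce code: it applies the three stated rules to a constructed configuration. The names CustomHeader, effective_headers, overwritten_headers and review are this example's own, and case-insensitive name matching is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomHeader:
    name: str
    value: str
    sequence: int


def _by_sequence(headers):
    # Lower sequence numbers are sent first. sorted() is stable, so headers
    # that share a number keep the order in which they were defined.
    return sorted(headers, key=lambda h: h.sequence)


def _names(headers):
    # Assumption: names are compared case-insensitively, as in HTTP itself.
    return {h.name.lower() for h in headers}


def effective_headers(named, external):
    """Headers in send order as (source, name, value) tuples.

    Rules modelled, as stated in the text:
      1. named credential headers are placed before external credential headers;
      2. a named credential header overwrites external credential headers
         that have the same name;
      3. duplicate names from the same source are all kept.
    """
    named_names = _names(named)
    result = [("named", h.name, h.value) for h in _by_sequence(named)]
    result += [("external", h.name, h.value)
               for h in _by_sequence(external)
               if h.name.lower() not in named_names]
    return result


def overwritten_headers(named, external):
    """External credential headers that never reach the wire (rule 2)."""
    named_names = _names(named)
    return [h for h in _by_sequence(external) if h.name.lower() in named_names]


def review(named, external):
    """Findings worth reading before the credential is enabled for callouts."""
    findings = []
    for h in overwritten_headers(named, external):
        findings.append(
            f"external header {h.name!r} is overwritten by the named credential")
    for source, headers in (("named", named), ("external", external)):
        seen = set()
        for h in _by_sequence(headers):
            if h.name.lower() in seen:
                findings.append(f"{source} credential sends {h.name!r} more than once")
            seen.add(h.name.lower())
    return findings


# Constructed sample configuration (placeholder values, not from a real org).
NAMED = [
    CustomHeader("Accept", "application/json", 2),
    CustomHeader("authorization", "Client-ID named-placeholder", 1),
]
EXTERNAL = [
    CustomHeader("Authorization", "Client-ID external-placeholder", 1),
    CustomHeader("X-Trace", "second", 5),
    CustomHeader("X-Trace", "first", 3),
]

if __name__ == "__main__":
    for source, name, value in effective_headers(NAMED, EXTERNAL):
        print(f"{source:8} {name}: {value}")
    for finding in review(NAMED, EXTERNAL):
        print("finding:", finding)
```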
Here the API key Client-ID is also the name of the header, and abc123 is the value of the API key used for authentication. The name
and the value are set by the authenticating system. Typically, you retrieve these parameters through the external system’s UI.
The HTTP standard includes an Authorization header for authentication. By default, Salesforce named credentials use this standard
authorization header. However, you can override the default and create a custom Authorization header. This example shows the
Authorization header used with an API key.
The general steps to using API keys with named credentials are:
1. Create an external credential, setting the Authentication Protocol to Custom. An external credential stores authentication and
authorization information and is used by named credentials.
2. Store the API key as an authorization parameter in a principal.
3. Create a custom header for the external credential. The header references the API key.
4. Create a named credential that references the external credential.
Parameter Name
A name for the principal, such as Admin or Marketing Team.
Sequence Number
This number determines which mapping is used for the callout, sorted from lowest to highest. Set the sequence number in case
a user has multiple permission sets used in multiple principals.
Identity Type
Custom authentication uses the Named Principal identity type. Named Principal indicates that Salesforce users share the same
API key, and they don’t have unique access to the external service. You can’t change the identity type for Custom authentication.
Note: At this time, only the OAuth protocol supports unique per-user access to a remote system. In that case, each user
logs in separately before the integration works in their user context.
Name
The name for the authentication parameter. In this example, the name is MyClientId.
Value
The API key value. In many cases, you get the API key from the web service’s UI.
4. Map the principal to a permission set or profile. See Enable External Credential Principals. You can map a principal to multiple
permission sets, permission set groups, or profiles.
Name
The name of the standard HTTP request header as required by the external service. In this case we’re performing authentication,
so we use the HTTP standard name ‘Authorization’.
Value
The API key name and value. It can be a literal or a programmatic expression.
The value can be expressed programmatically with merge fields and formulas. For instance, the value can take the form:
where the literal string Client-ID is concatenated with the API key. In our example, this expression resolves as:
{!'Client-ID ' & $Credential.MyCustAuthExternCred.MyClientId}
Formulas can be used in header values via the {!FormulaGoesHere} syntax. Anything inside {!} is evaluated as a
Salesforce formula. Formulas provide significant power and flexibility to craft header values without coding.
Merge fields provide access to encrypted values via the $Credential.Container.ParameterName syntax. In this
example Container is the external credential MyCustAuthExternCred. ParameterName is the principal
authentication parameter MyClientId, which was mapped to the API key value.
Sequence Number
This number determines which header “wins” and gets used for the callout, sorted from lowest to highest. If you’re not worried
about collisions with other headers, leave this field as the default.
The external credential now shows the custom header with a reference to the authorization parameter that contains the API key.
If Client-ID is abc123, the resulting callout looks like this. The named credential appends ‘Authorization:’ as the header name.
Tip: Make sure you’ve enabled user external credentials for your users who are using named credentials. See User External
Credentials.
SEE ALSO:
Custom Headers for Credentials
Calculate Field Values With Formulas
Apex Developer Guide: Merge Fields for Apex Callouts That Use Named Credentials
For example:
myUsername:myPassword → base64 encoding → bXlVc2VybmFtZTpteVBhc3N3b3JkCg==
Example:
bXlVc2VybmFtZTpteVBhc3N3b3JkCg== → base64 data decoded → myUsername:myPassword
Important: The Basic system encodes the username and password, but it doesn’t encrypt them. Because the username and
password can be decoded by anyone who encounters them, the Basic authentication scheme is only secure when used with SSL
encryption (HTTPS/TLS).
The encoded Basic data goes in the Authorization header as follows.
6. Under Authentication Parameters, click Add to add a parameter, for example Username. Set the value to the username you use
for the web service provider. Click Add again to add another parameter, for instance Password, and set it as the password you
use for the web service provider.
Note: Some systems don’t use passwords for Basic authentication. For example, when authenticating to GitHub, you use a
personal access token instead of your user password.
where externalCredentialName is the name of the external credential you created (’BasicAuth’ in this example).
Base64 encoding is often used to convert binary data to a text string for easier transfer between systems. Binary data stored in some
databases is sometimes referred to as a Binary Large OBject (BLOB). Two formulas, BLOB and BASE64ENCODE, used together,
take the secret values, treat them as binary data, and then encode that binary data with base64. For more information on formula
functions like BASE64ENCODE, see Named Credential Formula Functions.
SEE ALSO:
Custom Headers for Credentials
Calculate Field Values With Formulas
External Services
Use Flow to Invoke External Service Actions
Function: Description
BASE64ENCODE(expr)
  Input: BlobValue
  Output: String
  Description: Encode the binary BLOB expression as a Base64-encoded String.
BLOB(expr)
  Input: String
  Output: BlobValue
  Description: Convert the value to a UTF-8 binary BLOB.
HEX(expr)
  Input: BlobValue
  Output: String
  Description: Represents the given BLOB expression as a base-16 lower-case encoded String. This hex encoding contains the binary data expected by encryption functions.
Examples
• This example shows encoding a username and password stored in an external credential. The BLOB function first converts a string
of form username:password into a binary. BASE64ENCODE then converts the binary into an encoded string.
myExternalCredential is the name of an external credential.
• This example sets a header named X-Username with a base-16, SHA-256-hashed username as the value. req is an
HTTPRequest. Username is an authentication parameter attached to a principal.
req.setHeader('X-Username', '{!HEX(HASH(\'SHA-256\', BLOB($Credential.myExternalCredential.Username)))}');
• This example sets the X-Body header as the base-16, hashed evaluated body, meaning that all formulas within the request body
are evaluated. BLOB isn’t required here because $Credential.myExternalCredential.Body is returned as a BLOB
type, rather than as a String.
req.setHeader('X-Body', '{!HEX(HASH(\'SHA-256\', $Credential.myExternalCredential.Body))}');
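To see the exact bytes that the Basic authentication encoding and the formula functions above put on the wire, the following Python model reimplements BLOB, BASE64ENCODE, HEX and a SHA-256 HASH and adds a receiving-side parser. It is an added example, not Salesforce code. The function names are this example's own, the credentials are constructed sample values, and only SHA-256 is modelled.

```python
import base64
import binascii
import hashlib
import hmac


def blob(value: str) -> bytes:
    """BLOB(expr): convert the string to a UTF-8 binary value."""
    return value.encode("utf-8")


def base64encode(data: bytes) -> str:
    """BASE64ENCODE(expr): Base64-encode a binary value as a string."""
    return base64.b64encode(data).decode("ascii")


def hex_(data: bytes) -> str:
    """HEX(expr): lower-case base-16 string of a binary value."""
    return data.hex()


def hash_(algorithm: str, data: bytes) -> bytes:
    """HASH('SHA-256', expr) as used in the examples above."""
    if algorithm != "SHA-256":
        raise ValueError("only SHA-256 is modelled in this example")
    return hashlib.sha256(data).digest()


def basic_header(username: str, password: str) -> str:
    """Value of the Authorization header for Basic authentication."""
    if ":" in username:
        # The receiver splits at the first colon, so a colon in the username
        # would move part of it into the password.
        raise ValueError("username must not contain ':'")
    return "Basic " + base64encode(blob(username + ":" + password))


def parse_basic_header(value: str) -> tuple:
    """Receiving side: return (username, password) or raise ValueError."""
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def username_matches(x_username_header: str, expected_username: str) -> bool:
    """Check an X-Username header built as HEX(HASH('SHA-256', BLOB(username)))."""
    expected = hex_(hash_("SHA-256", blob(expected_username)))
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(x_username_header.lower().encode("utf-8"),
                               expected.encode("ascii"))


if __name__ == "__main__":
    header = basic_header("myUsername", "myPassword")  # constructed sample values
    print("Authorization:", header)
    print("decoded:", parse_basic_header(header))
    # A trailing newline in the input is encoded as well: the result then ends
    # in "Cg==" and the receiver sees a password that ends in "\n".
    print("with newline:", base64encode(blob("myUsername:myPassword\n")))
    print("X-Username:", hex_(hash_("SHA-256", blob("myUsername"))))
```

Anyone who captures the header can run the same decode step, which is why the Basic scheme depends on HTTPS for confidentiality.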
SEE ALSO:
Using Basic Authentication with Named Credentials
Formula Operators and Functions by Context
Calculate Field Values With Formulas
Apex Developer Guide: Merge Fields for Apex Callouts That Use Named Credentials
Field: Description
Label: A user-friendly name for the named credential that’s displayed in the Salesforce user interface, such as in list views.
Name: A unique identifier that’s used to refer to this named credential from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
URL: The URL or root URL of the callout endpoint. Must begin with https://. Can include a path but not a query string. For example:
  https://my_endpoint.example.com/secure/payroll
  You can, however, append a query string and a specific path in the callout definition’s reference to the named credential. For example, an Apex callout could reference the named credential “My_Payroll_System” as follows.
  HttpRequest req = new HttpRequest();
  req.setEndpoint('callout:My_Payroll_System/paystubs?format=json');
Enabled for Callouts: By default, the ability to make callouts with the named credential is turned on. The exception is when the named credential is created from applications written in Apex, in which case it’s turned off. Be aware of security considerations when enabling callouts for named credentials that originate from Apex.
Authentication
External Credential: The name of an external credential. See Create and Edit an External Credential.
Client Certificate: Optional. If you specify a certificate, your Salesforce org supplies it when establishing each two-way SSL connection with the external system. The certificate is used for digital signatures, which verify that requests are coming from your Salesforce org.
Callout Options
Generate Authorization Header: By default, Salesforce generates an authorization header and applies it to each callout that references the named credential. Deselect this option only if one of the following statements applies.
  • The remote endpoint doesn’t support authorization headers.
  • You’re generating an authorization header by creating a custom header and naming it ‘Authorization’. For example, create a custom authorization header if you’re using HTTP Basic authorization. Likewise, in Apex callouts, you can have the code construct a custom authorization header for each callout.
  This option is required if you reference the named credential from an external data source. See Custom Headers and Bodies of Apex Callouts That Use Named Credentials.
Allow Formulas in HTTP Header: Use credential fields as formula fields in named credential custom headers, external credential custom headers, and Apex HTTP headers. For example:
  Client-ID: {!$Credential.MyExtCred.MyClientId}
  Defaults to false. See Custom Headers and Bodies of Apex Callouts That Use Named Credentials.
Allow Formulas in HTTP Body: Allow Apex to construct the callout’s HTTP body with credential fields available as formula fields. Defaults to false. See Custom Headers and Bodies of Apex Callouts That Use Named Credentials.
Outbound Network Connection: Use a private connection that bypasses the public internet. Enter the name of an existing outbound network connection. See Secure Cross-Cloud Integrations with Private Connect. If you choose this option, your new named credential has PrivateEndpoint as its type. Otherwise the named credential has a SecuredEndpoint type.
Allowed Namespaces: Optional list of namespaces that identifies the managed packages that are allowed to make callouts using this named credential.
  • For managed packages, the subscriber must add the package’s namespace to a named credential’s list of allowed namespaces to enable callouts. This action isn’t necessary if the named credential is installed as part of the same package.
  • If you have multiple orgs, you can create a named credential with the same name but with a different endpoint URL in each org. You can then package and deploy—on all the orgs—one callout definition that references the shared name of those named credentials. For example, the named credential in each org can have a different endpoint URL to accommodate differences in development and production environments. If an Apex callout specifies the shared name of those named credentials, the Apex class that defines the callout can be packaged and deployed on all those orgs without programmatically checking the environment.
  Named credentials aren’t automatically added to packages. If you package an external data source or Apex code that specifies a named credential as a callout endpoint, add the named credential to the package. Alternatively, make sure that the subscriber org has a valid named credential with the same name.
You can append a query string to a named credential URL. Use a question mark (?) as the separator between the named credential URL
and the query string. For example: callout:My_Named_Credential/some_path?format=json.
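The Name and URL rules from the field table, and the way a callout: reference is expanded against the credential's root URL, can be checked before a definition is deployed. The following Python sketch is an added example, not Salesforce code: the function names, the ASCII reading of "alphanumeric" and the simple append used to join root URL and path are assumptions of this example, and the sample definitions are constructed.

```python
import re
from urllib.parse import urlsplit

CALLOUT_SCHEME = "callout:"


def name_problems(name):
    """Violations of the Name rules in the field table (ASCII assumed)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        problems.append("only underscores and alphanumeric characters are allowed")
    if not re.match(r"[A-Za-z]", name):
        problems.append("must begin with a letter")
    if name.endswith("_"):
        problems.append("must not end with an underscore")
    if "__" in name:
        problems.append("must not contain two consecutive underscores")
    return problems


def url_problems(url):
    """Violations of the URL rules: https:// root URL, path allowed, no query."""
    problems = []
    parts = urlsplit(url)
    if not url.startswith("https://"):
        # Header credentials travel with every callout, so plain HTTP is refused.
        problems.append("must begin with https://")
    elif not parts.hostname:
        problems.append("has no host")
    if parts.query or "?" in url:
        problems.append("must not include a query string")
    return problems


def lint(definitions):
    """Problems per name for a list of (name, url) pairs; empty dict if clean."""
    report, seen = {}, set()
    for name, url in definitions:
        problems = [f"name {p}" for p in name_problems(name)]
        problems += [f"URL {p}" for p in url_problems(url)]
        if name in seen:
            problems.append("name is not unique")
        seen.add(name)
        if problems:
            report.setdefault(name, []).extend(problems)
    return report


def resolve_callout(reference, credentials):
    """Expand callout:Name/path?query against a {name: root URL} mapping."""
    if not reference.startswith(CALLOUT_SCHEME):
        raise ValueError("reference must use the callout: scheme")
    rest = reference[len(CALLOUT_SCHEME):]
    # The credential name ends at the first '/' or '?'; the rest is appended.
    match = re.match(r"([^/?]*)(.*)", rest, re.S)
    name, suffix = match.group(1), match.group(2)
    if name_problems(name):
        raise ValueError(f"invalid credential name {name!r}")
    if name not in credentials:
        raise ValueError(f"no named credential called {name!r}")
    root = credentials[name]
    if url_problems(root):
        raise ValueError(f"named credential {name!r} has an invalid URL")
    return root.rstrip("/") + suffix


# Constructed sample definitions: one valid, one with four problems, one duplicate.
SAMPLE_DEFINITIONS = [
    ("My_Payroll_System", "https://my_endpoint.example.com/secure/payroll"),
    ("Legacy__Feed_", "http://my_endpoint.example.com/feed?format=json"),
    ("My_Payroll_System", "https://other.example.com"),
]

if __name__ == "__main__":
    for name, problems in lint(SAMPLE_DEFINITIONS).items():
        print(name, problems)
    creds = dict(SAMPLE_DEFINITIONS[:1])
    print(resolve_callout("callout:My_Payroll_System/paystubs?format=json", creds))
```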
SEE ALSO:
Create and Edit an External Credential
Custom Headers for Credentials
Metadata API: NamedCredential
Tooling API: NamedCredential
Note: All credentials stored within the NamedCredential, ExternalDataSource, and ExternalDataUserAuth entities are encrypted
under a framework that is consistent with other encryption frameworks on the platform. Salesforce encrypts your credentials by
auto-creating org-specific keys.
Legacy named credentials are supported in these types of callout definitions:
• Apex callouts
• External data sources of these types:
– Salesforce Connect: OData 2.0
– Salesforce Connect: OData 4.0
– Salesforce Connect: Custom (developed with the Apex Connector Framework)
– Salesforce Connect: Amazon DynamoDB
• External Services
Legacy named credentials include an OutboundNetworkConnection field that you can use to route callouts through a private
connection. By separating the endpoint URL and authentication from the callout definition, legacy named credentials make callouts
easier to maintain. For example, if an endpoint URL changes, you update only the legacy named credential. All callouts that reference
the legacy named credential simply continue to work.
If you have multiple orgs, you can create a legacy named credential with the same name but with a different endpoint URL in each org.
You can then package and deploy—on all the orgs—one callout definition that references the shared name of those legacy named
credentials. For example, the legacy named credential in each org can have a different endpoint URL to accommodate differences in
development and production environments. If an Apex callout specifies the shared name of those legacy named credentials, the Apex
class that defines the callout can be packaged and deployed on all those orgs without programmatically checking the environment.
Legacy named credential authentication protocols include basic password authentication, OAuth 2.0, JWT, JWT Token Exchange, and
AWS Signature Version 4. You can set up each legacy named credential to use an org-wide named principal or per-user authentication.
A named principal applies the same credential or authentication configuration for the entire org, while per-user authentication provides
access control at the individual user level.
To reference a legacy named credential from a callout definition, use the legacy named credential URL. A legacy named credential URL
contains the scheme callout:, the name of the legacy named credential, and an optional path. For example:
callout:My_Named_Credential/some_path.
You can append a query string to a legacy named credential URL. Use a question mark (?) as the separator between the legacy named
credential URL and the query string. For example: callout:My_Named_Credential/some_path?format=json.
Note: If transmitting sensitive information such as healthcare data or credit card data, authenticated legacy named credentials
are required. We recommend that customers provide their own certificates for extra security of sensitive data transmissions.
Example: In the following Apex code, a legacy named credential and an appended path specify the callout’s endpoint.
HttpRequest req = new HttpRequest();
req.setEndpoint('callout:My_Named_Credential/some_path');
req.setMethod('GET');
Http http = new Http();
HTTPResponse res = http.send(req);
System.debug(res.getBody());
The referenced legacy named credential specifies the endpoint URL and the authentication settings.
If you use OAuth instead of password authentication, the Apex code remains the same. The authentication settings differ in the
legacy named credential, which references an authentication provider that’s defined in the org.
In contrast, let’s see what the Apex code looks like without a legacy named credential. Notice that the code becomes more complex
to handle authentication, even if we stick with basic password authentication. Coding OAuth is even more complex and is an ideal
use case for legacy named credentials.
HttpRequest req = new HttpRequest();
req.setEndpoint('https://my_endpoint.example.com/some_path');
req.setMethod('GET');
SEE ALSO:
Authentication Protocols for Named Credentials
Apex Developer Guide: Invoking Callouts Using Apex
Authentication Provider SSO with Salesforce as the Relying Party
To view legacy named credentials: View Setup and Configuration
To create, edit, or delete legacy named credentials: Customize Applications
Legacy named credentials are supported in these types of callout definitions:
• Apex callouts
• External data sources of these types:
– Salesforce Connect: OData 2.0
– Salesforce Connect: OData 4.0
– Salesforce Connect: Custom (developed with the Apex Connector Framework)
– Salesforce Connect: Amazon DynamoDB
• External Services
To set up a legacy named credential:
1. From Setup, enter Named Credentials in the Quick Find box, then select Named Credentials.
2. To create a legacy named credential, click New Legacy from the dropdown menu. To edit an existing legacy credential, click its link
and click Edit.
3. Enter information in the fields.
Field: Description
Label: A user-friendly name for the legacy named credential that’s displayed in the Salesforce user interface, such as in list views. If you set Identity Type to Per User, this label appears when your users view or edit their authentication settings for external systems.
Name: A unique identifier that’s used to refer to this legacy named credential from callout definitions and through the API. The name can contain only underscores and alphanumeric characters. It must be unique, begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
URL: The URL or root URL of the callout endpoint. Must begin with http:// or https://. Can include a path but not a query string. Examples:
  • http://my_endpoint.example.com
  • https://my_endpoint.example.com/secure/payroll
  You can, however, append a query string and a specific path in the callout definition’s reference to the legacy named credential. For example, an Apex callout could reference the legacy named credential “My_Payroll_System” as follows.
  HttpRequest req = new HttpRequest();
  req.setEndpoint('callout:My_Payroll_System/paystubs?format=json');
Certificate: If you specify a certificate, your Salesforce org supplies it when establishing each two-way SSL connection with the external system. The certificate is used for digital signatures, which verify that requests are coming from your Salesforce org. This certificate is for the callout endpoint URL. If you plan to use the JWT or JWT Token Exchange authentication protocol, enter the token endpoint URL certificate in the JWT Signing Certificate field. The JWT Signing Certificate field is displayed when you select JWT or JWT Token Exchange for the Authentication Protocol field, as described in a later step.
Identity Type: Determines whether you're using one set or multiple sets of credentials to access the external system.
  • Anonymous: No identity and therefore no authentication.
  • Per User: Use separate credentials for each user who accesses the external system via callouts. Select this option if the external system restricts access on a per-user basis. After you grant user access through permission sets or profiles in Salesforce, users can manage their own authentication settings for external systems in their personal settings. If you’re using JWT or JWT Token Exchange, the per-user credentials are handled for them.
  • Named Principal: Use the same set of credentials for all users who access the external system from your org. Select this option if you designate one user account on the external system for all your Salesforce org users.
Field: Description
Authentication Provider: Choose the provider. See Authentication Providers.
Scope: Specifies the scope of permissions to request for the access token. Your authentication provider determines the allowed values. See Use the Scope Parameter.
  – The value that you enter replaces the Default Scopes value that’s defined in the specified authentication provider.
  – Whether scopes are defined can affect whether each OAuth flow prompts the user with a consent screen.
  – We recommend that you request a refresh token or offline access. Otherwise, when the token expires, you lose access to the external system.
Start Authentication Flow on Save: To authenticate to the external system and obtain an OAuth token, select this checkbox. This authentication process is called an OAuth flow. When you click Save, the external system prompts you to log in. After successful login, the external system grants you an OAuth token for accessing its data from this org. Redo the OAuth flow when you need a new token—for example, if the token expires—or if you edit the Scope or Authentication Provider fields. When the token expires, the external system returns a 401 HTTP error status.
• If you select JWT or JWT Token Exchange, complete the following fields.
Field: Description
Issuer: Specify who issued the JWT using a case-sensitive string.
Scope: JWT Token Exchange only. Determines the permissions associated with the tokens that you’re requesting.
Token Endpoint URL: JWT Token Exchange only. The URL of the authorization provider. JSON Web Token requests are sent to the provider in exchange for access tokens.
Per User Subject: Per User identity type only. Formula string calculating the JWT’s subject. Include API names and constant strings in quotes. Allows a dynamic subject unique per user requesting the token. For example, 'User='+$User.Id.
Named Principal Subject: Named Principal identity type only. Enter static text, without quotes, that specifies the JWT subject.
Audiences: External service or other allowed recipients for the JWT. Store each audience as a case-sensitive string on a new line.
Token Valid for: The length of time that the token is valid to authenticate the user into the external system.
Field: Description
AWS Access Key ID: First part of the access key used to sign programmatic requests to AWS.
AWS Secret Access Key: Second part of the access key used to sign programmatic requests to AWS.
AWS Region: The AWS region name for the legacy named credential’s endpoint. For example, us-east-1.
5. If you want to use custom headers or bodies in the callouts, enable the relevant options.
Field: Description
Generate Authorization Header: By default, Salesforce generates an authorization header and applies it to each callout that references the legacy named credential. Deselect this option only if one of the following statements applies.
  • The remote endpoint doesn’t support authorization headers.
  • The authorization headers are provided by other means. For example, in Apex callouts, the developer can have the code construct a custom authorization header for each callout.
  This option is required if you reference the legacy named credential from an external data source.
Allow Merge Fields in HTTP Header / Allow Merge Fields in HTTP Body: In each Apex callout, the code specifies how the HTTP header and request body are constructed. For example, the Apex code can set the value of a cookie in an authorization header. These options enable the Apex code to use merge fields to populate the HTTP header and request body with org data when the callout is made. These options aren’t available if you reference the legacy named credential from an external data source.
To reference a legacy named credential from a callout definition, use the legacy named credential URL. A legacy named credential URL
contains the scheme callout:, the name of the legacy named credential, and an optional path. For example:
callout:My_Named_Credential/some_path.
You can append a query string to a legacy named credential URL. Use a question mark (?) as the separator between the legacy named
credential URL and the query string. For example: callout:My_Named_Credential/some_path?format=json.
SEE ALSO:
Legacy Named Credentials
Authentication Protocols for Named Credentials
Grant Access to Authentication Settings for Legacy Named Credentials
Apex Developer Guide : Invoking Callouts Using Apex
SEE ALSO:
Store Authentication Settings for External Systems
Define a Legacy Named Credential
Legacy Named Credentials
Important: In Winter ’23, Salesforce introduced an improved named credential that is extensible and customizable. We strongly
recommend that you use this preferred credential instead of legacy named credentials. For information on extensible, customizable
named credentials, see Named Credentials and External Credentials. Legacy named credentials are deprecated and will be
discontinued in a future release.
If you don’t want to specify an authentication protocol:
• Select the Custom protocol and use custom headers for non-legacy named credentials.
• Select No Authentication if you’re creating a legacy named credential.
AWS Signature Version 4
A protocol to authenticate callouts to resources in Amazon Web Services over HTTP. The identity type must be Named Principal.
If you use the AWS Signature v4 protocol, grant all users Modify All access to user external credentials. See User External Credentials
for more information.
A user or the admin applies a credential for a specified OAuth 2.0 system that authenticates into the external system.
OAuth uses an authentication provider, which issues a token to Salesforce for calling a target endpoint, after the user logs in via a
browser and allows access. To an end user, an authentication provider can appear distinct from the actual target endpoint. For
example, a user logs into Google to give an application access to Google Photos or Nest smart home devices. The authentication
provider gives Salesforce a “valet key” that it can use for limited access to the user’s resources. For more on OAuth authentication,
see OAuth Authorization Flows.
If you’re using OAuth with named principals, grant all users Modify All access to user external credentials. If you’re using OAuth with
per-user authentication, grant all users Create, Read, Update, and Delete access to user external credentials. See User External
Credentials for more information.
If you’re using the per-user identity type, each user accessing the external system manages their own credential.
OAuth 2.0 Variants
Browser Flow
One or more users log in to the remote system via a web browser, triggering a callback that includes tokens used to
authenticate calls to the endpoint in the Named Credential. Browser Flow is sometimes referred to as Authorization Code
Grant Flow.
JWT Bearer Flow
For legacy named credentials, JWT Bearer Flow is referred to as JWT Token Exchange.
A JWT (JSON Web Token) is sent to an authorization provider, which returns a token that’s used to authenticate into
the external system.
Users don’t manage their credentials for the external system. When users view their authentication settings for external
systems, using this authentication protocol, they can’t edit options. But users can delete their JWT Bearer Flow settings to
use a different named credential.
The following table doesn’t apply to legacy named credentials. For legacy named credentials, see Define a Legacy Named
Credential.
Table 15: OAuth 2.0 Default JWT Claims for Named Credentials
| Claim Name | Description | Notes |
| --- | --- | --- |
| alg | The algorithm used to sign the token. | Default is RS256, an asymmetric algorithm that uses a private/public pair. Added automatically on external credential creation. Not editable. |
| aud | (Audience) Recipient for whom the token is intended. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| exp | (Expiration) Time after which the token expires. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Set on external credential creation through the Expiration field. If no expiration number is provided, a default of two minutes in the future is set. |
| iss | Issuer of the token. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| nbf | (Not Before Time) Time before which the token must not be accepted for processing. Expressed as a NumericDate value, representing the number of seconds from 1970-01-01T00:00:00Z UTC until the specified UTC date/time, ignoring leap seconds. | Added automatically on external credential creation. Not editable. |
| sub | Subject of the token (the user). The subject is a string when the identity type is named principal, and it’s a formula when the identity type is per user. | Added when claims are edited. Editable through the JWT Claims panel on the editable credential. |
| typ | (Type) The media type of the token. | Added automatically on external credential creation. The value is set to ‘JWT’. Not editable. |
Signing certificates aren’t included in packages. If you’re using JWT or JWT Bearer Flow as the authentication protocol for a
packaged named credential, recreate the package’s referenced signing certificate in the subscriber org before installing the
package.
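The claims in Table 15 translate directly into checks that the receiving authorization provider, or a reviewer auditing a captured token, can apply. The following Python is an added example, not Salesforce code: the function names, issuer, subject, audience, leeway and maximum-lifetime values are assumptions, the sample token is constructed with a placeholder signature, and signature verification against the issuer's public key is assumed to be done by a JOSE library before these claim checks run.

```python
import base64
import json

EXPECTED_ALG = "RS256"      # default signing algorithm listed for alg
EXPECTED_TYP = "JWT"        # value listed for typ
DEFAULT_LIFETIME_S = 120    # default exp: two minutes in the future
NOW = 1692230400            # constructed "current time" as a NumericDate


def b64url_encode(raw):
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Decode an unpadded base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def default_claims(iss, sub, aud, now):
    """Payload carrying the table's claims with the default two-minute exp."""
    return {"iss": iss, "sub": sub, "aud": aud,
            "nbf": now, "exp": now + DEFAULT_LIFETIME_S}


def build_sample_token(header, claims):
    """Constructed sample: real header and payload, placeholder signature."""
    body = [b64url_encode(json.dumps(part).encode("utf-8"))
            for part in (header, claims)]
    return ".".join(body + [b64url_encode(b"placeholder-signature")])


def _is_numeric_date(value):
    # NumericDate: a JSON number of seconds since 1970-01-01T00:00:00Z.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def audit_jwt_claims(token, expected_iss, expected_aud, now,
                     leeway=30, max_lifetime=600):
    """Return a list of findings; an empty list means the claims look sound.

    leeway (clock skew) and max_lifetime are assumed policy values.
    """
    segments = token.split(".")
    if len(segments) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(b64url_decode(segments[0]))
        claims = json.loads(b64url_decode(segments[1]))
    except (ValueError, TypeError):
        return ["malformed: header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header and payload must be JSON objects"]

    findings = []
    # Pin the algorithm: never let the token choose "none" or a symmetric alg.
    if header.get("alg") != EXPECTED_ALG:
        findings.append(f"alg is {header.get('alg')!r}, expected {EXPECTED_ALG}")
    if header.get("typ") != EXPECTED_TYP:
        findings.append(f"typ is {header.get('typ')!r}, expected {EXPECTED_TYP}")
    if claims.get("iss") != expected_iss:
        findings.append("iss does not match the configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        findings.append("aud does not include this recipient")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        findings.append("sub is missing or empty")

    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not _is_numeric_date(exp):
        findings.append("exp is missing or not a NumericDate")
    elif now - leeway >= exp:
        findings.append("token is expired")
    if nbf is not None:
        if not _is_numeric_date(nbf):
            findings.append("nbf is not a NumericDate")
        elif now + leeway < nbf:
            findings.append("token is not yet valid (nbf in the future)")
    if _is_numeric_date(exp) and _is_numeric_date(nbf) and exp - nbf > max_lifetime:
        findings.append("lifetime exceeds policy maximum")
    return findings


if __name__ == "__main__":
    sample = build_sample_token(
        {"alg": EXPECTED_ALG, "typ": EXPECTED_TYP},
        default_claims("issuer-example", "integration.user@example.com",
                       "https://auth.example.com", NOW))
    print(audit_jwt_claims(sample, "issuer-example",
                           "https://auth.example.com", NOW))
```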
Password
This authentication protocol is available only for legacy named credentials. But if you’re using the Custom authentication protocol,
you can configure a credential that supports the standard HTTP Basic authentication protocol. That protocol uses passwords.
A static username and password are used to directly authenticate into the external system.
If you’re using the per-user identity type, each user accessing the external system manages their own username and password.
SEE ALSO:
Create and Edit an External Credential
Legacy Named Credentials
Define a Legacy Named Credential
Authentication Provider SSO with Salesforce as the Relying Party
Set Up and Maintain Your Salesforce Organization Certificates and Keys
USER PERMISSIONS
To create, edit, and manage certificates:
• Customize Application
4. Enter a unique name. You can use the name that’s automatically populated based on the certificate label you enter.
This name can contain only underscores and alphanumeric characters, and must be unique in your org. It must begin with a
letter, not include spaces, not end with an underscore, and not contain two consecutive underscores. Use the unique name
when referring to the certificate using Lightning Platform APIs or Apex.
Note: After you save a Salesforce certificate, you can’t change its type or key size.
6. Click Save.
Downloaded self-signed certificates have .crt extensions.
After you successfully save a Salesforce certificate, the certificate and corresponding keys are automatically generated.
Note: Some business processes require more certificates than others. If you require more than 50 certificates, contact Salesforce
Customer Support.
SEE ALSO:
Certificates and Keys
Generate a Certificate Signed by a Certificate Authority
Note: After you save a Salesforce certificate, you can’t change its type or key size.
| Field | Description |
| --- | --- |
| Common Name | The fully qualified domain name of the company requesting the signed certificate, generally of the form http://www.mycompany.com. |
| Company | Either the legal name of your company or your legal name. |
| Department | The branch of your company using the certificate, such as marketing or accounting. |
| Country Code | A two-letter code indicating the country where the company resides. For the United States, the value is US. |
7. Click Save.
After you save a Salesforce certificate, the certificate and corresponding keys are automatically generated.
8. Find your new certificate from the certificates list, then click Download Certificate Signing Request.
Downloaded certificate signing requests have .csr extensions.
Tip: To edit a certificate that you’ve uploaded, upload it again; published site domains are republished if they have at least one
Salesforce Site or Experience Cloud site. The expiration date of the certificate record is updated to the expiration date of the newly
uploaded certificate.
You can have up to 50 certificates.
Note: Some business processes require more certificates than others. If you require more than 50 certificates, contact Salesforce
Customer Support.
After you create a CA-signed certificate, it's valid for 3 years. After that, the certificate must be renewed, which extends the expiration
date.
• If you use the “Serve the domain with the Salesforce Content Delivery Network (CDN)” HTTPS option, Akamai automatically renews
the certificate.
• For other HTTPS options, contact your certificate authority (CA) to extend the certificate expiration date.
SEE ALSO:
Configure Your API Client to Use Mutual Authentication
USER PERMISSIONS
curl -k https://MyDomainName.my.salesforce.com:8443/services/Soap/u/31.0 \
  -H "Content-Type: text/xml; charset=UTF-8" -H "SOAPAction: login" \
  -d @login.txt -v -E fullcert.pem:xxxxxx
2. After a session ID is returned from your call, you can perform other actions, such as queries.
In the following example, @accountQuery.xml is the file name containing the query SOAP message with the session ID from the login
response.
curl -k https://MyDomainName.my.salesforce.com:8443/services/Soap/u/31.0 \
  -H "Content-Type: text/xml; charset=UTF-8" -H "SOAPAction: example" \
  -d @accountQuery.xml -v -E fullcert.pem:xxxxxx
SEE ALSO:
Certificates and Keys
Set Up a Mutual Authentication Certificate
Exporting Keys
You can export your keys to a backup location for safekeeping. It's a good idea to export a copy of any key before deleting it.
Exporting creates a text file with the encrypted key, so you can import the key back into your organization later.
Deleting Keys
Don't delete a key unless you're absolutely certain no data is currently encrypted using the key. After you delete a key, any data encrypted
with that key can no longer be accessed.
Set Up and Maintain Your Salesforce Organization Technical Requirements and Performance Best Practices
Important: Export and delete keys with care. If your key is destroyed, you must reimport it to access your data. You are solely
responsible for making sure your data and keys are backed up and stored in a safe place. Salesforce cannot help you with deleted,
destroyed or misplaced keys.
Importing Keys
If you have data associated with a deleted key, you can import an exported key back into your organization. Any data that was not
accessible becomes accessible again.
Click Import next to the key you want to import.
SEE ALSO:
Certificates and Keys
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Contact Manager Editions
Beginning with the Winter ’18 release, Salesforce is switching away from the default proxy certificate even if you are still using it. Before
the Winter ’18 release, manually migrate to a self-signed certificate and update identity providers to prevent an interruption in service.
We recommend switching from the default certificate even if your identity provider doesn’t validate signatures in SAML requests.
1. If you are using Single SAML Configurations, enable multiple configurations by clicking Enable Multiple Configs under Single
Sign-On Settings. Read and understand all the instructions on that page. Enabling multiple configurations switches the certificate,
so skip Step 2.
2. Edit each affected configuration by changing the Request Signing Certificate to a certificate in your org. If you don’t have a certificate
and key pair you want to use, upload one or select Generate self-signed certificate.
3. Check whether service provider-initiated SAML works properly for your configuration. If it does, no identity provider updates are
necessary, and you can skip steps four and five.
If you migrated from a single to multiple configurations, update the Assertion Consumer Service URL.
4. If identity provider updates are necessary, download the certificate you selected for the Request Signing Certificate.
5. Upload this certificate into the identity provider for use in validating SAML requests from Salesforce. If you migrated to multiple
configurations from a single configuration, note the Salesforce Login URL and update the value in the identity provider.
SEE ALSO:
Certificates and Keys
Configure SSO with Salesforce as a SAML Service Provider
Set Up and Maintain Your Salesforce Organization Technical Requirements for Lightning Experience
Salesforce provides technical requirements to help you predict whether your hardware and network can provide an acceptable and
productive user experience. We strongly recommend testing the actual end-user experience with a configuration identical to what you
expect to use in production. Test using the same geographic location, hardware, browser, network settings, and the expected concurrent
users for shared hardware like virtual desktops. In Lightning Experience, page load times can be captured using Lightning Component
Debug Mode, or by appending ?eptVisible=1 to your URL.
https://MyDomainName.lightning.force.com/one/one.app?eptVisible=1
Load times are measured in Experienced Page Time, or EPT. EPT measures how long it takes for a page to load so that a user can
meaningfully interact with it.
https://MyDomainName.lightning.force.com/speedtest.jsp
We recommend running this test on the same hardware, network, physical location, and browser as your users. For virtual environments,
such as VDI, run all tests from within that virtual environment.
Octane 2.0 is a benchmark developed by Google that measures JavaScript performance. A higher Octane 2.0 score correlates to faster
page load times. Octane 2.0 factors in your computer hardware and browser choice.
• Using newer-generation hardware with faster CPUs generates higher Octane 2.0 scores.
• Using the latest version of Salesforce-supported browsers generates higher Octane 2.0 scores.
– IE11 results in low Octane 2.0 scores and much slower page load speeds.
SEE ALSO:
Improve Speed and Performance of Lightning Experience Pages
Lightning Console Technical Requirements
Lightning Reports and Dashboards Technical Requirements
CRM Analytics Requirements
Considerations for Installing Data Loader
Improve Virtual Desktop Environment Performance
Note: Lightning Experience on iPad Safari is only supported when using Safari's desktop websites setting.
Wireless Connection
You need a Wi-Fi or cellular network connection to communicate with Salesforce. For best performance, we support the use of a strong
Wi-Fi connection.
SEE ALSO:
Lightning Experience on iPad Safari Considerations
Requirements for the Salesforce Mobile App
To allow for innovation and to keep Salesforce current in the rapidly evolving mobile market, minimum platform requirements are subject
to change at the sole discretion of Salesforce, with or without advance notice.
Customers aren’t blocked from using the Salesforce mobile app on untested devices that meet current platform requirements. Salesforce
might not be able to replicate some issues for customers using the mobile app on untested devices or due to manufacturer-specific
customizations.
Note: Salesforce treats touch-enabled laptops, including Microsoft Surface and Surface Pro devices, as laptops instead of tablets.
It’s not possible to access the Salesforce mobile app on these devices. Users are always redirected to the full site experience that’s
enabled for them—Lightning Experience or Salesforce Classic. Only standard keyboard and mouse inputs are supported on these
types of devices.
On phones and older tablet experiences, the Salesforce mobile app is supported in portrait orientation only. On tablets, if using the
Lightning on tablet app experience, both portrait and landscape orientations are supported.
Salesforce Editions
These user license types can access the Salesforce mobile app. A special mobile license isn’t required.
• Salesforce users
• Salesforce Platform and Lightning Platform users
• Chatter Plus users (also known as Chatter Only), Chatter Free users, and Chatter External users*
• WDC users
These user license types don’t have access to the mobile app:
• Portal users (unless a member of a Salesforce community)
• Database.com users
• Sites and Site.com users
• Data.com users
Note: You can access the same data and functionality that’s available to you in the full site, as determined by your organization’s
Salesforce edition, your user license type, and your assigned user profile and permission sets.
Network
A Wi-Fi® or cellular network connection is required to communicate with Salesforce. For cellular connections, a 3G network or faster is
required. For the best performance, we recommend using Wi-Fi or LTE.
In the Salesforce mobile app, you can view your most recently accessed records, and create and edit records, when your device is offline.
Salesforce doesn’t provide support or recommend an implementation involving a reverse proxy. Issues that may arise from the use of a
reverse proxy and the Salesforce mobile app are not supported. If customers encounter issues with the app, they must perform due
diligence and isolate such issues outside of the reverse proxy integration.
Set Up and Maintain Your Salesforce Organization Improve Speed and Performance of Lightning Experience
Pages
Because we enhance functionality with every release, we support the latest version of the Salesforce mobile app available in the App
Store and Google Play only.
SEE ALSO:
Requirements for the Salesforce Mobile App
https://MyDomainName.lightning.force.com/speedtest.jsp
Performance Assistant
To ensure that your Salesforce implementation meets your future needs, it’s important to develop and test your system with scale
in mind. Meet Performance Assistant, your central hub of information and resources about scalability and performance testing with
Salesforce. Use the step-by-step instructions, articles, and tools to help you architect your system, conduct performance testing, and
interpret your results.
What Is EPT?
Experienced Page Time (EPT) is a performance metric Salesforce uses in Lightning to measure page load time. EPT measures how
long it takes for a page to load into a state that a user can meaningfully interact with.
Measure Performance for Your Salesforce Org
Set up your test org and test client, and accurately measure performance.
Network Best Practices
Issues within your network or latency between your device and your Salesforce environment can affect load times.
Device and Browser Best Practices
To improve device and browser performance, you can take some simple steps. Slow load times can result from devices that don't
meet Salesforce minimum technical requirements. Also, plug-ins, extensions, and excessive tabs can consume processing power
and memory, degrading performance.
Org Configuration Best Practices
The way your Salesforce org is configured can lead to slow performance.
SEE ALSO:
Technical Requirements for Lightning Experience
Trailhead: Lightning Experience Performance Optimization
Improve List View Performance
Improve Report Performance
Improve Dashboard Performance: Best Practices
Developer Guide: Best Practices for Optimizing Visualforce Performance
Developer Blog: Lightning Web Components Performance Best Practices
Performance Assistant
EDITIONS
Available in: Lightning Experience
Available in: Professional, Enterprise, Essentials, Unlimited, and Developer Editions
USER PERMISSIONS
To use Performance Assistant:
• View Setup and Configuration
To ensure that your Salesforce implementation meets your future needs, it’s important to develop and test your system with scale
in mind. Meet Performance Assistant, your central hub of information and resources about scalability and performance testing with
Salesforce. Use the step-by-step instructions, articles, and tools to help you architect your system, conduct performance testing, and
interpret your results.
From Setup, in the Quick Find box, enter Performance Assistant, and then select Performance Assistant.
We recommend that you integrate performance testing into your release cycle. Performance Assistant guides you through the three
main phases of performance testing:
• Learn: Learn the basics of scalability and understand the performance testing process from end to end.
• Prepare: Create your performance testing strategy, develop a test plan, and schedule your test.
• Analyze and Optimize: Interpret your test results, identify performance hotspots, and optimize your solution.
In each phase, Performance Assistant provides guidance and resources to help you test your system with confidence. You can visit
Performance Assistant at any time during testing.
SEE ALSO:
Knowledge Article: Performance test FAQs
Trailblazer Community Group: Salesforce Scalability
What Is EPT?
Experienced Page Time (EPT) is a performance metric Salesforce uses in Lightning to measure page load time. EPT measures how long
it takes for a page to load into a state that a user can meaningfully interact with.
A major difference between Salesforce Classic and Lightning Experience is that pages load progressively in Lightning, while pages in
Classic are generated on request by the server. Because of the progressive loading from the client, any loaded component in the page
can load more components at any time. Measuring when a page finishes loading in Lightning isn’t straightforward. Many factors can
influence the EPT value.
Client-side and server-side factors both affect EPT. On the client side, the user’s browser, hardware, network quality, and their org’s
complexity all affect EPT. On the server side, Apex and API processing and XMLHttpRequests (XHRs) impact EPT. For instance, component
implementation details, errors, caching, and user interactions while the page is loading can all increase EPT.
Other things to consider:
• Lightning UI is rendered client side, making it sensitive to browser performance.
• Lightning UI requires many XHRs to render a page, making it sensitive to network latency.
• Complex pages with many custom fields and components slow page rendering.
The EPT is measured as the time from the page start to when no more activity occurs for at least two frames (~33 ms). The two extra
frames help to avoid false positives due to asynchronous calls. These calls include any XHR activity, any storage activity, or any user
interaction or client-side work of any kind in the main JavaScript thread.
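The quiet-window rule above can be modelled in a few lines. This is an added Python example, not Salesforce code: the activity records are constructed, the 60 frames-per-second frame length is an assumption behind the ~33 ms figure, and reporting the end of the last activity before the quiet window is a simplification of how the metric is collected.

```python
FRAME_MS = 1000 / 60              # assumption: 60 fps, so one frame is ~16.7 ms
QUIET_WINDOW_MS = 2 * FRAME_MS    # "at least two frames (~33 ms)" with no activity

# Constructed sample: (label, start_ms, end_ms), measured from page start.
SAMPLE_LOAD = [
    ("bootstrap script", 0, 180),
    ("XHR: record data", 150, 620),
    ("storage: cache write", 630, 640),
    ("XHR: related lists", 660, 900),
    ("user click after load", 2500, 2510),
]


def estimate_ept(activities, quiet_ms=QUIET_WINDOW_MS):
    """Return (ept_ms, counted_labels, ignored_labels) for one page load.

    Activities are walked in start order. Each one that begins before the
    page has been idle for quiet_ms extends the load; the first one that
    begins after a full quiet window, and everything after it, is ignored.
    """
    busy_until = 0                # page start itself counts as activity at t=0
    counted, ignored = [], []
    ordered = sorted(activities, key=lambda item: item[1])
    for index, (label, start, end) in enumerate(ordered):
        if start - busy_until >= quiet_ms:
            # Two idle frames have passed: the page is considered loaded, and
            # anything that starts later is not part of this page load.
            ignored = [item[0] for item in ordered[index:]]
            break
        busy_until = max(busy_until, end)   # overlapping work extends the load
        counted.append(label)
    return busy_until, counted, ignored


def with_interaction_during_load(activities):
    """Same load plus a constructed interaction starting 20 ms after the last XHR."""
    return activities + [("user scroll during load", 920, 1400)]


if __name__ == "__main__":
    print(estimate_ept(SAMPLE_LOAD))
    print(estimate_ept(with_interaction_during_load(SAMPLE_LOAD)))
```

In the second call the scroll begins inside the quiet window, so it is counted and the estimate rises from 900 ms to 1400 ms, which is why user interactions while the page is loading increase EPT.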
SEE ALSO:
Get Lightning Experience Adoption Insights with the Lightning Usage App
Get Lightning Experience Adoption Insights from Custom Reports
Note: Sandbox and production orgs exist in different instances, have different hardware, and can differ in performance. These
differences can be most noticeable in asynchronous processing and database caching. Don’t use sandbox performance as a
benchmark for production performance. Likewise, don’t use production as a benchmark for sandbox performance.
After your sandbox org is set up, identify the key personas for your org and plan your tests around their page flows. Different personas
have different data volumes and data visibility. Performance for a persona with a wide view of your org’s data, like the VP of Sales, can
be different from users with more specialized roles. Use your key personas to build a site map and identify likely page flows for each
persona.
response times and throughput. Performance testing is an iterative process. Finding and solving issues uncovered by your tests can
uncover more issues.
Note: For step-by-step guidance on designing, executing, and analyzing performance tests, use Performance Assistant. For more
information, see Performance Assistant.
Salesforce measures performance in Experienced Page Time (EPT). You can measure EPT in four ways.
Add an EPT counter to the header of your app
To add an EPT counter to the header of your app, use Lightning Component Debug Mode, or append ?eptVisible=1 to your
URL.
https://MyDomainName.lightning.force.com/one/one.app?eptVisible=1
Lightning Component Debug Mode slows performance because it doesn’t minify code. Using ?eptVisible=1 has a smaller
impact on performance.
Use the Lightning Usage App to view page and browser performance
To measure EPT with the Lightning Usage App, select a tab in the Activity or Usage section on the left side of the page. You can view
EPT by the browser used, or by page. Because the Lightning Usage App aggregates performance metrics, using the EPT counter can
be better for measuring specific pages.
Build a custom report using Lightning Usage App objects
To measure EPT with custom reports in the Lightning Usage App, create a report type using a Lightning Usage App object. After
you create the report type, build the report using Report Builder. Available Lightning Usage App objects are:
• LightningUsageByAppTypeMetrics
• LightningUsageByBrowserMetrics
• LightningUsageByPageMetrics
• LightningUsageByFlexiPageMetrics
Use the Event Monitoring Analytics App to monitor performance with event types
To measure EPT with the Event Monitoring Analytics App, use the prebuilt Lightning Performance dashboard. You can also use event
types to monitor specific aspects of performance. Some useful event types include:
• Apex REST API
• Lightning Page View
• Lightning Error
• Lightning Interaction
• Lightning Performance
In addition to EPT, use browser developer tools to test network throttling, and use automation tools such as Selenium to test page flow
performance. Write persona-based load generation scripts using tools such as LoadRunner or JMeter.
Example:
• In a single user performance test, you can look at a Lightning page with custom components. For that test, measure EPT,
octane score, and network performance.
• In a large data volume test, you can look at a list view with many records and complex filters. For that test, focus on SOQL
performance.
• When testing API performance, you can look at Account object updates using the SOAP API. For that test, measure request
throughput and database time.
SEE ALSO:
Trailhead: Measure Lightning Experience Performance and Experienced Page Time (EPT)
Event Monitoring Analytics App
Event Monitoring Analytics App Prebuilt Dashboards
Developer Guide: EventLogFile Supported Event Types
Developer Blog: Open Sourcing Performance Metrics Gathering for Salesforce Platform
Developer Guide: Salesforce Lightning Inspector Chrome Extension
SEE ALSO:
Knowledge Article: Troubleshoot network performance issues with ping and traceroute
Modify Session Security Settings
• Switch to a different browser. Chrome is generally the fastest browser for Lightning Experience, while Internet Explorer is generally
the slowest.
• Reset browser settings to the default settings.
• Restart your device or browser.
• Upgrade your device to a model with higher specifications.
SEE ALSO:
Recommendations and Requirements for All Browsers
SEE ALSO:
Developer Guide: Enable Debug Mode for Lightning Components
Improve Your Implementation with Salesforce Optimizer
Salesforce Console in Lightning Experience
Set Up and Maintain Your Salesforce Organization Monitor Your Organization
If your Octane 2.0 score is below 20,000, or you have slow page load times, Salesforce recommends upgrading your hardware, reducing
the number of users per environment, or using dedicated desktops.
SEE ALSO:
Technical Requirements for Lightning Experience
Set Up and Maintain Your Salesforce Organization The System Overview Page
Available in: both Salesforce Classic and Lightning Experience
Available in: All Editions except Personal Edition
USER PERMISSIONS
To access the system overview page:
• Customize Application
Note: The system overview page shows only the items enabled for your org. For example, your system overview page shows
workflow rules only if workflow is enabled for your org.
Click the numbers under each metric to get more details about your usage. If it’s available, use Checkout to increase usage limits
for your org. For example, if your org reaches the limit for custom objects, the system overview page notifies you with a message
link. Click the link to clean up any unused objects, or visit Checkout to increase your limit for objects.
To access the system overview page, from Setup, enter System Overview in the Quick Find box, then select System Overview.
The system overview page displays usage for:
• Schema
• API usage
• Business logic
• User interface
• Most used licenses
• Portal roles
Note: The object limit percentages are truncated, not rounded. For example, if your org uses 95.55% of the limit for a particular
customization, the object limit displays 95%.
Note: Compare the number of custom objects and settings that you created against
the total number in your org, including the ones installed from packages. These values
help you understand how many custom objects you can still create or install before you
reach the limit.
• Custom Metadata Types—Quantity of visible and hidden custom metadata types used. This count includes all custom metadata
types regardless of their visibility setting or how they were installed. All custom metadata types installed from packages appear in
this count. Use this page to determine whether your org is close to the limit.
• Custom Metadata Type Usage—Size of custom metadata type records used.
• Data Storage—Quantity of total bytes used.
Set Up and Maintain Your Salesforce Organization Monitor Data and Storage Resources
Data Storage
Starting in late March 2019, Contact Manager, Group, Essentials, Professional, Enterprise, Performance, and Unlimited Editions are allocated
10 GB for data storage, plus incrementally added user storage. For example, a Professional Edition org with 10 users receives 10 GB of
data storage, plus 200 MB, for 10.2 GB of total data storage.
File Storage
Contact Manager, Group, Professional, Enterprise, Performance, and Unlimited Editions are allocated 10 GB of file storage per org.
Essentials edition is allocated 1 GB of file storage per org.
Orgs are allocated additional file storage based on the number of standard user licenses. In Enterprise, Performance, and Unlimited
Editions, orgs are allocated 2 GB of file storage per user license. Contact Manager, Group, and Professional Edition orgs are allocated 612 MB
per standard user license, which includes 100 MB per user license plus 512 MB per license for the Salesforce CRM Content feature license.
An org with fewer than 10 users will receive a total of 1 GB of per-user file storage rather than 100 MB per user license.
Each Salesforce CRM Content feature license provides an additional 512 MB of file storage, whether Salesforce CRM Content is enabled
or not.
File storage and data storage are calculated asynchronously, so if you import or add a large number of records or files, the change in
your org’s storage usage isn’t reflected immediately.
The minimum values apply to Salesforce and Salesforce Platform user licenses. If your org uses custom user licenses, contact Salesforce
to determine your exact storage amount.
| Salesforce Edition | Data Storage Minimum per Org | Data Storage Allocation per User License | File Storage Allocation per Org | File Storage Allocation per User License |
| --- | --- | --- | --- | --- |
| Contact Manager | 10 GB | 20 MB | 10 GB | 612 MB |
| Group | 10 GB | 20 MB | 10 GB | 612 MB |
| Professional | 10 GB | 20 MB | 10 GB | 612 MB |
| Enterprise | 10 GB | 20 MB | 10 GB | 2 GB |
| Performance | 10 GB | 120 MB | 10 GB | 2 GB |
| Developer | 5 MB | N/A | 20 MB | N/A |
| Personal | 20 MB (approximately 10,000 records) | N/A | 20 MB | N/A |
| Essentials | 10 GB | | 1 GB | |
The values in the File Storage Allocation Per User License column apply to Salesforce and Salesforce Platform user licenses.
Note: Under Current File Storage Usage, the values in the Percent column represent the percentage of storage in use rather than
of all storage available. So, let's say there's one photo file in storage and no other file types. The Percent value for that one photo
file is 100%. Our one photo file is using all the file storage currently in use. Add more files of different types, and the percentage is
recalculated.
Notice in this illustration how the Percent values for Photos and Content Bodies add up to 100%. Though the file sizes add up to
only 475 KB, these files represent 100% of the files currently using storage.
If your org uses custom user licenses, contact Salesforce to determine if these licenses provide more storage.
Increase Storage
When you need more storage, increase your storage limit or reduce your storage usage.
• Purchase more storage space, or add user licenses in Professional, Enterprise, Unlimited, and Performance Editions.
• Delete outdated leads or contacts.
• Remove any unnecessary attachments.
• Delete files in Salesforce CRM Content.
Storage Considerations
When planning your storage needs, keep in mind:
• Person accounts count against both account and contact storage because each person account consists of one account as well as
one contact.
• Archived activities count against storage.
• Active or archived products, price books, price book entries, and assets don’t count against storage.
SEE ALSO:
Get Lightning Experience Adoption Insights with the Lightning Usage App
Get Lightning Experience Adoption Insights from Custom Reports
Login forensics helps you identify suspicious login activity. It provides you key user access data, including:
• The average number of logins per user per a specified time period
• Who logged in more than the average number of times
• Who logged in during non-business hours
• Who logged in using suspicious IP ranges
Available in: Enterprise, Unlimited, and Developer Editions
Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.
There’s some basic terminology to master before using this feature.
Event
Anything that happens in Salesforce, including user clicks, record state changes, and taking measurements of various values. Events
are immutable and timestamped.
Login Event
A single instance of a user logging in to an organization. Login events are similar to login history in Salesforce. However, you can
add HTTP header information to login events, which makes them extensible.
Login History
The login history that administrators can obtain by downloading the information to a .csv or .gzip file and the login history
that’s available through Setup and the API. This data has indexing and history limitations.
Administrators can track events using the LoginEvent object. There’s no user interface for login forensics. To interact with this feature,
use the Salesforce Extensions for Visual Studio Code, Postman, or other development tools.
Permissions | View Login Forensics Events | Manage Users | View Event Log Files
Packaging | Included with Event Monitoring add-on | Included with all orgs | Included with Event Monitoring add-on
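One way to compute the four indicators listed above from exported login events, as an added example that is not Salesforce code. The records are constructed, the keys Username, EventDate and SourceIp are assumed to match the exported LoginEvent fields, and the business-hours window and suspicious range are assumptions to replace with your own.

```python
"""Compute the four login-forensics indicators from exported login events."""
from collections import Counter
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# Constructed sample records, not real data. The keys are assumed to match
# the Username, EventDate and SourceIp fields of an exported LoginEvent set.
SAMPLE_EVENTS = [
    {"Username": "alice@example.com", "EventDate": "2023-08-14T09:12:03Z", "SourceIp": "198.51.100.10"},
    {"Username": "alice@example.com", "EventDate": "2023-08-14T13:40:11Z", "SourceIp": "198.51.100.10"},
    {"Username": "alice@example.com", "EventDate": "2023-08-15T02:05:47Z", "SourceIp": "203.0.113.77"},
    {"Username": "alice@example.com", "EventDate": "2023-08-15T10:01:00Z", "SourceIp": "198.51.100.10"},
    {"Username": "bob@example.com", "EventDate": "2023-08-14T08:30:00Z", "SourceIp": "198.51.100.22"},
    {"Username": "bob@example.com", "EventDate": "2023-08-19T11:00:00Z", "SourceIp": "198.51.100.22"},
    {"Username": "carol@example.com", "EventDate": "2023-08-16T17:59:59Z", "SourceIp": "198.51.100.30"},
    {"Username": "dave@example.com", "EventDate": "2023-08-16T18:00:00Z", "SourceIp": "n/a"},
]

# Assumptions of this example: business hours are 08:00-18:00 UTC on weekdays,
# and the watchlist holds ranges your org has decided to treat as suspicious.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
SUSPICIOUS_RANGES = [ip_network("203.0.113.0/24")]


def parse_event_date(value):
    """Parse an ISO 8601 timestamp (with or without milliseconds) into UTC."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(value, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognized EventDate: {value!r}")


def logins_per_user(events):
    """Count login events per username."""
    return Counter(e["Username"] for e in events)


def average_logins(events):
    """Average number of logins per user over the exported period."""
    counts = logins_per_user(events)
    return sum(counts.values()) / len(counts) if counts else 0.0


def above_average_users(events):
    """Users who logged in more often than the average user."""
    avg = average_logins(events)
    return sorted(u for u, n in logins_per_user(events).items() if n > avg)


def is_off_hours(ts):
    """True for weekends and for times outside the business-hours window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def off_hours_logins(events):
    """Events that happened outside business hours, in input order."""
    return [e for e in events if is_off_hours(parse_event_date(e["EventDate"]))]


def suspicious_ip_logins(events, ranges=SUSPICIOUS_RANGES):
    """Events whose source address falls inside a watchlisted range."""
    hits = []
    for e in events:
        try:
            addr = ip_address(e["SourceIp"])
        except ValueError:
            continue  # skip values that are not parseable IP addresses
        if any(addr in net for net in ranges):
            hits.append(e)
    return hits


def forensics_report(events):
    """Collect all four indicators into one dictionary."""
    return {
        "average_logins_per_user": average_logins(events),
        "above_average_users": above_average_users(events),
        "off_hours": [(e["Username"], e["EventDate"]) for e in off_hours_logins(events)],
        "suspicious_ip": [(e["Username"], e["SourceIp"]) for e in suspicious_ip_logins(events)],
    }


if __name__ == "__main__":
    for key, value in forensics_report(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```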
Note: Real-Time Event Monitoring objects sometimes contain sensitive data. Assign object permissions to Real-Time Events
accordingly in profiles or permission sets.
1. From Setup, in the Quick Find box, enter Events, then select Event Manager.
2. Next to the event you want to enable or disable streaming for, click the dropdown menu.
3. Select whether you want to enable or disable streaming or storing on the event.
SEE ALSO:
Real-Time Event Monitoring
Stream and Store Event Data
Metadata API Developer Guide: RealTimeEventSettings
Note: If you don’t see this link under Manage Users, your organization has been migrated to a new system. You need to be a
Help & Training Admin to access the training reports via My Cases in Help & Training. Contact Salesforce if you do not have this access.
Available in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Database.com Editions
The history shows the 20 most recent setup changes made to your org. It lists the date of the change, who made it, and what the
change was. If a delegate such as an admin or customer support representative makes a setup change on behalf of an end user, the
Delegate User column shows the delegate’s username. For example, if a user grants login access to an admin and the admin makes a
setup change, the admin’s username is listed in the Delegate User column. The user granting access is listed in the User column.
Available in: Contact Manager, Essentials, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Customization
• User interface settings like collapsible sections, Quick Create, hover details, or related list hover links
• Page layout, action layout, and search layouts
• Compact layouts
• Salesforce app navigation menu
• Inline edits
• Custom fields and field-level security, including formulas, picklist values, and field attributes like the
auto-number field format, field manageability, or masking of encrypted fields
• Lead settings, lead assignment rules, and lead queues
• Activity settings
• Support settings, business hours, case assignment and escalation rules, and case queues
• Requests to Salesforce Customer Support
• Tab names, including tabs that you reset to the original tab name
Security and Sharing
• Public groups, sharing rules, and org-wide sharing, including the Grant Access Using Hierarchies option
• Password policies
• Password resets
• Session settings, like session timeout (excluding Session times out after and Session security level
required at login profile settings)
• Delegated administration groups and the items delegated admins can manage (setup changes made by
delegated administrators are also tracked)
• Lightning Login, enabling or disabling, enrollments, and cancellations
• How many records a user permanently deleted from their Recycle Bin and from the Org Recycle Bin
• SAML (Security Assertion Markup Language) configuration settings
• Salesforce certificates
• Identity providers, enabling or disabling
• Named credentials
• Service providers
• Shield Platform Encryption setup
• Event Manager
• Transaction Security
• Some connected app policy and setting updates
Using the application
• Account team and opportunity team selling settings
SEE ALSO:
Security Health Check
• Service Contracts
• Solutions
• Tasks
• Work Orders
• Work Order Line Items
Modifying any of these fields adds an entry to the History related list. All entries include the date, time, nature of the change, and who
made the change. Not all field types are available for historical trend reporting. Certain changes, such as case escalations, are always
tracked.
Salesforce stores an object’s tracked field history in an associated object called StandardObjectNameHistory or CustomObjectName__History.
For example, AccountHistory represents the history of changes to the values of an Account record’s fields. Similarly,
MyCustomObject__History tracks field history for the MyCustomObject__c custom object.
Note: Since the Spring ’15 release, increasing the entity field history retention period beyond the standard 18–24 months requires
the purchase of the Field Audit Trail add-on. When the add-on subscription is enabled, field history data is retained until you
manually delete it. If your org was created before June 1, 2011, Salesforce continues to retain all field history. If your org was created
on or after June 1, 2011 and you decide not to purchase the add-on, Salesforce retains your field history for the standard 18–24
months.
Considerations
Consider the following when working with field history tracking.
General Considerations
• Salesforce starts tracking field history from the date and time that you enable it on a field. Changes made before this date and
time aren’t included and didn’t create an entry in the History related list.
• Use Data Loader or the queryAll() API to retrieve field history that’s 18–24 months old.
• Changes to fields with more than 255 characters are tracked as edited, and their old and new values aren’t recorded.
• Changes to time fields aren’t tracked in the field history related list.
• The Field History Tracking timestamp is precise to a second in time. In other words, if two users update the same tracked field
on the same record in the same second, both updates have the same timestamp. Salesforce can’t guarantee the commit order
of these changes to the database. As a result, the display values can look out of order.
• You can’t create a record type on a standard or custom object and enable field history tracking on the record type in the same
Metadata API deployment. Instead, create the record type in one deployment and enable history tracking on it in a separate
deployment.
• Salesforce doesn’t enable the recently viewed or referenced functionality in StandardObjectNameHistory or
CustomObjectName__History objects. As a result, you can’t use the FOR VIEW or FOR REFERENCE clauses in SOQL queries on
these history objects. For example, the following SOQL query isn’t valid:
SELECT AccountId, Field FROM AccountHistory LIMIT 1 FOR VIEW
• If Process Builder, an Apex trigger, or a Flow causes a change on an object the current user doesn’t have permission to edit, that
change isn’t tracked. Field history honors the permissions of the current user and doesn’t record changes that occur in system
context.
• Salesforce attempts to track all changes to a history-tracked field, even if a particular change is never stored in the database. For
example, let’s say an admin defines an Apex before trigger on an object that changes a Postal Code field value of 12345 to
94619. A user adds a record to the object and sets the Postal Code field to 12345. Because of the Apex trigger, the actual
Postal Code value stored in the database is 94619. Although only one value was eventually stored in the database, the tracked
history of the Postal Code field has two new entries:
– No value --> 12345 (the change made by the user when they inserted the new record)
– 12345 --> 94619 (the change made by the Apex trigger)
• Changes to custom field labels that have been translated via the Translation Workbench are shown in the locale of the user
viewing the History related list. For example, if a custom field label is Red and translated into Spanish as Rojo, then a user
with a Spanish locale sees the custom field label as Rojo. Otherwise, the user sees the custom field label as Red.
• Changes to date fields, number fields, and standard fields are shown in the locale of the user viewing the History related list. For
example, a date change to August 5, 2012 shows as 8/5/2012 for a user with the English (United States) locale, and
as 5/8/2012 for a user with the English (United Kingdom) locale.
SEE ALSO:
Track Field History for Standard Objects
Track Field History for Custom Objects
Field Audit Trail
Disable Field History Tracking
Salesforce Help: Export Data with Data Loader
5. Click Save.
Salesforce tracks history from this date and time forward. Changes made prior to this date and time are not included.
SEE ALSO:
Field History Tracking
Field History Tracking is supported on custom objects in managed packages. However, if the package developer updates the packaged
field history settings, those settings aren’t updated during package upgrades.
SEE ALSO:
Field History Tracking
Find Object Management Settings
USER PERMISSIONS
To set up which fields are tracked:
• Customize Application
SEE ALSO:
Field History Tracking
Find Object Management Settings
Note: Async SOQL is scheduled for retirement in all Salesforce orgs as of Summer ’23.
Use Salesforce Metadata API to define a field history retention policy for those fields that have history tracking enabled. Then
use REST API, SOAP API, and Tooling API to work with your archived data. For information about enabling Field Audit Trail,
contact your Salesforce representative.
Field history is copied from the History related list into the FieldHistoryArchive big object. You define one
HistoryRetentionPolicy for your related history lists, such as Account History, to specify Field Audit Trail retention policies
for the objects that you want to archive. Then use Metadata API to deploy your policy. You can update the retention policy on an
object as often as needed. With Field Audit Trail, you can track up to 60 fields per object. Without it, you can track only 20
fields per object. With Field Audit Trail, archived field history data is stored until you manually delete it. You can manually
delete data that falls outside of your policy window.
Important: Field history tracking data and Field Audit Trail data don’t count against your data storage limits.
Available in: Salesforce Classic (not available in all orgs), Lightning Experience, and the Salesforce mobile app
Available in: Enterprise, Performance, and Unlimited Editions
USER PERMISSIONS
To specify a field history retention policy:
• Retain Field History
You can set field history retention policies on these objects.
• Accounts, including Person Accounts
• Assets
• Authorization Form Consent
• Campaigns
• Cases
• Communication Subscription Consent
• Contacts
• Contact Point Consent
• Contact Point Type Consent
• Contracts
• Contract Line Items
• Crisis
• Employee
• Employee Crisis Assessment
• Entitlements
• Individuals
• Internal Organization Unit
• Leads
• Opportunities
• Orders
• Order Products
• Party Consent
• Price Books
• Price Book Entries
• Products
• Service Appointments
• Service Contracts
• Solutions
• Work Orders
• Work Order Line Items
• Custom objects with field history tracking enabled
Note: When Field Audit Trail is enabled, HistoryRetentionPolicy is automatically set on the supported objects. By
default, data is archived after 18 months in production, after one month in sandboxes, and all archived data is stored until you
manually delete it. The default retention policy isn’t included when retrieving the object’s definition through Metadata API. Only
custom retention policies are retrieved along with the object definition.
You can include field history retention policies in managed and unmanaged packages.
These fields can’t be tracked.
• Formula, roll-up summary, or auto-number fields
• Created By and Last Modified By
• Expected Revenue field on opportunities
• Master Solution Title or the Master Solution Details fields on solutions
• Long text fields
• Multi-select fields
After you define and deploy a Field Audit Trail policy, production data is migrated from related history lists such as Account History into
the FieldHistoryArchive big object. The first copy writes the field history that’s defined by your policy to archive storage and
sometimes takes a long time. Subsequent copies transfer only the changes since the last copy and are faster. A bounded set of SOQL is
available to query your archived data. If you delete a record in your production data, the delete cascades to the associated history tracking
records, but the history copied into the FieldHistoryArchive big object isn’t deleted. To delete data in
FieldHistoryArchive, see Delete Field History and Field Audit Trail Data.
Use Async SOQL to build aggregate reports from a custom object based on the volume of the data in the FieldHistoryArchive
big object.
Important: If you enable Platform Encryption in your org and use Field Audit Trail to track encrypted fields, there are limitations
on using Async SOQL. Using Async SOQL to query the NewValue or OldValue fields of the FieldHistoryArchive
big object isn’t supported. Use SOQL to query both encrypted and unencrypted NewValue and OldValue fields of
FieldHistoryArchive.
Tip: Previously archived data remains unencrypted if you turn on Platform Encryption later. For example, your organization uses
Field Audit Trail to define a data history retention policy for an account field, such as the phone number field. After enabling
Platform Encryption, you turn on encryption for that field, and phone number data in the account is encrypted. New phone number
records and previous updates stored in the Account History related list are encrypted. But phone number history data already
archived in the FieldHistoryArchive object remains stored without encryption. To encrypt previously archived data,
contact Salesforce to encrypt and rearchive the stored field history data, then delete the unencrypted archive.
SEE ALSO:
Learning Map: Shield Learning Map
SOAP API Developer Guide: FieldHistoryArchive
Metadata API Developer Guide: HistoryRetentionPolicy
ISVforce Guide: Overview of Packages
Lightning Platform SOQL and SOSL Reference: SOQL with Archived Data
Big Objects Implementation Guide: Async SOQL
Examples
Here are some examples of field history workflows.
Note: The first copy writes the entire field history that’s defined by your policy to archive storage and takes a long time. Subsequent
copies transfer only the changes since the last copy, and are faster.
1. Define a field history data retention policy for each object. The policy specifies the number of months that you want to maintain
field history in Salesforce. The following sample file defines a policy of archiving the object after six months.
<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <historyRetentionPolicy>
        <archiveAfterMonths>6</archiveAfterMonths>
        <archiveRetentionYears>5</archiveRetentionYears>
        <description>My field history retention</description>
    </historyRetentionPolicy>
    ...
</CustomObject>
The file name determines the object to which the policy is applied. For example, to apply the preceding policy to the Account object,
save the file as Account.object. For existing custom objects, the file is also named after the custom object. For example:
myObject__c.object.
2. Create the project manifest, which is an XML file that’s called package.xml. The following sample file lists several objects for
which data retention policy is to be applied. With this manifest file, you expect the objects folder to contain five files:
Account.object, Case.object, and so on.
3. Create the .zip file and use the deploy() function to deploy your changes to your production environment. For more information,
see the Metadata API Guide.
Note: This feature doesn’t support deployment from sandbox to production environments.
That's it! Your field history retention policy goes into effect according to the time periods that you set.
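Steps 1 through 3 can be scripted. The following is an added example, not Salesforce code: it builds the objects folder and package.xml in memory and zips them for a Metadata API client to pass to deploy(). The three objects beyond Account and Case, the API version 58.0, and all function names are assumptions of this example.

```python
"""Build a Metadata API deployment archive that sets field history retention."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

METADATA_NS = "http://soap.sforce.com/2006/04/metadata"
API_VERSION = "58.0"  # assumption: use the API version your org deploys with
XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'
# Object API names become file names, so accept only plain identifiers.
OBJECT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Assumed example policies: object API name -> (months, years, description).
# Only Account and Case are named on the page; the other three are placeholders.
EXAMPLE_POLICIES = {
    "Account": (6, 5, "My field history retention"),
    "Case": (6, 5, "My field history retention"),
    "Contact": (6, 5, "My field history retention"),
    "Lead": (6, 5, "My field history retention"),
    "Opportunity": (6, 5, "My field history retention"),
}


def _serialize(root):
    """Serialize an element tree with the XML declaration used by the samples."""
    if hasattr(ET, "indent"):  # Python 3.9+: pretty-print for reviewable diffs
        ET.indent(root, space="    ")
    return XML_DECLARATION + ET.tostring(root, encoding="unicode") + "\n"


def retention_policy_object(months, years, description):
    """Return a .object file body that carries only a historyRetentionPolicy."""
    # Sanity check of this example, not Salesforce's documented value ranges.
    for label, value in (("archiveAfterMonths", months), ("archiveRetentionYears", years)):
        if not isinstance(value, int) or isinstance(value, bool) or value < 0:
            raise ValueError(f"{label} must be a non-negative integer, got {value!r}")
    root = ET.Element("CustomObject", xmlns=METADATA_NS)
    policy = ET.SubElement(root, "historyRetentionPolicy")
    ET.SubElement(policy, "archiveAfterMonths").text = str(months)
    ET.SubElement(policy, "archiveRetentionYears").text = str(years)
    ET.SubElement(policy, "description").text = description
    return _serialize(root)


def build_manifest(object_names):
    """Return package.xml listing each object as a CustomObject member."""
    root = ET.Element("Package", xmlns=METADATA_NS)
    types = ET.SubElement(root, "types")
    for name in object_names:
        ET.SubElement(types, "members").text = name
    ET.SubElement(types, "name").text = "CustomObject"
    ET.SubElement(root, "version").text = API_VERSION
    return _serialize(root)


def build_deploy_zip(policies):
    """Return zip bytes holding package.xml and objects/<Name>.object files."""
    for name in policies:
        if not OBJECT_NAME.match(name):
            raise ValueError(f"refusing unsafe object name: {name!r}")
    names = sorted(policies)
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("package.xml", build_manifest(names))
        for name in names:
            months, years, description = policies[name]
            body = retention_policy_object(months, years, description)
            # The file name decides which object the policy applies to.
            archive.writestr(f"objects/{name}.object", body)
    return buffer.getvalue()


if __name__ == "__main__":
    data = build_deploy_zip(EXAMPLE_POLICIES)
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for entry in archive.namelist():
            print(entry)
```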
Create a Custom Object and Set Field History Retention Policy at the Same Time
You can use Metadata API to create a custom object and set retention policy at the same time. Specify the minimum required fields
when creating a custom object. This sample XML creates an object and sets field history retention policy.
<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <deploymentStatus>Deployed</deploymentStatus>
    <enableHistory>true</enableHistory>
    <description>just a test object with one field for eclipse ide testing</description>
    <historyRetentionPolicy>
        <archiveAfterMonths>3</archiveAfterMonths>
        <archiveRetentionYears>10</archiveRetentionYears>
        <gracePeriodDays>1</gracePeriodDays>
        <description>Transaction Line History</description>
    </historyRetentionPolicy>
    <fields>
        <fullName>Comments__c</fullName>
        <description>add your comments about this object here</description>
        <inlineHelpText>This field contains comments made about this object</inlineHelpText>
        <label>Comments</label>
        <length>32000</length>
        <trackHistory>true</trackHistory>
        <type>LongTextArea</type>
        <visibleLines>30</visibleLines>
    </fields>
    <label>MyFirstObject</label>
    <nameField>
        <label>MyFirstObject Name</label>
        <type>Text</type>
    </nameField>
    <pluralLabel>MyFirstObjects</pluralLabel>
    <sharingModel>ReadWrite</sharingModel>
</CustomObject>
Set trackHistory to true on the fields that you want to track and false on the other fields.
Note: To check the current data retention policy for any object, retrieve its metadata using Metadata API and look up the value
of HistoryRetentionPolicy.
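The check described in the note above can be run over retrieved .object files. The following is an added example, not Salesforce code: it reads a constructed CustomObject definition, reports its custom retention policy, and flags tracked fields using the 20 and 60 field limits and the 255-character rule stated in this guide. Function names are hypothetical.

```python
"""Audit a retrieved CustomObject definition for field history coverage."""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
TRACK_LIMIT = 20               # tracked fields per object without Field Audit Trail
TRACK_LIMIT_AUDIT_TRAIL = 60   # tracked fields per object with Field Audit Trail
MAX_RECORDED_LENGTH = 255      # longer fields are tracked only as edited

# Constructed sample modeled on the guide's MyFirstObject definition.
SAMPLE_OBJECT = """<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <enableHistory>true</enableHistory>
    <historyRetentionPolicy>
        <archiveAfterMonths>3</archiveAfterMonths>
        <archiveRetentionYears>10</archiveRetentionYears>
        <description>Transaction Line History</description>
    </historyRetentionPolicy>
    <fields>
        <fullName>Comments__c</fullName>
        <length>32000</length>
        <trackHistory>true</trackHistory>
        <type>LongTextArea</type>
    </fields>
    <fields>
        <fullName>Approval_Code__c</fullName>
        <length>20</length>
        <trackHistory>true</trackHistory>
        <type>Text</type>
    </fields>
    <fields>
        <fullName>Internal_Note__c</fullName>
        <length>80</length>
        <trackHistory>false</trackHistory>
        <type>Text</type>
    </fields>
</CustomObject>
"""


def _text(node, path):
    """Return the stripped text of a child element, or None when absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def _int(node, path):
    """Return a child element's text as an integer, or None when absent."""
    value = _text(node, path)
    return int(value) if value is not None else None


def audit_object(xml_source, field_audit_trail=False):
    """Return the retention policy, tracked fields and findings for one object.

    Intended for metadata retrieved from your own org; for XML from untrusted
    sources use a hardened parser such as defusedxml instead.
    """
    if isinstance(xml_source, str):
        xml_source = xml_source.encode("utf-8")
    root = ET.fromstring(xml_source)
    findings = []

    policy = None
    node = root.find("md:historyRetentionPolicy", NS)
    if node is not None:
        policy = {
            "archiveAfterMonths": _int(node, "md:archiveAfterMonths"),
            "archiveRetentionYears": _int(node, "md:archiveRetentionYears"),
            "description": _text(node, "md:description"),
        }
    else:
        # Metadata API returns only custom policies, never the default one.
        findings.append("no custom historyRetentionPolicy in the retrieved definition")

    tracked, not_recorded = [], []
    for field in root.findall("md:fields", NS):
        if _text(field, "md:trackHistory") != "true":
            continue
        name = _text(field, "md:fullName")
        tracked.append(name)
        length = _int(field, "md:length")
        if length is not None and length > MAX_RECORDED_LENGTH:
            not_recorded.append(name)
            findings.append(f"{name}: length {length} exceeds {MAX_RECORDED_LENGTH}, "
                            "old and new values are not recorded")

    if tracked and _text(root, "md:enableHistory") != "true":
        findings.append("fields set trackHistory but enableHistory is not true")
    limit = TRACK_LIMIT_AUDIT_TRAIL if field_audit_trail else TRACK_LIMIT
    if len(tracked) > limit:
        findings.append(f"{len(tracked)} tracked fields exceed the limit of {limit}")

    return {"policy": policy, "tracked_fields": tracked,
            "values_not_recorded": not_recorded, "findings": findings}


if __name__ == "__main__":
    for key, value in audit_object(SAMPLE_OBJECT).items():
        print(f"{key}: {value}")
```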
SEE ALSO:
Metadata API Developer Guide: deploy()
Metadata API Developer Guide: CustomObject
Lightning Platform SOQL and SOSL Reference: SOQL with Archived Data
Warning: If the debug log trace flag is enabled on a frequently accessed Apex class or for a user executing requests often,
the request can result in failure, regardless of the time window and the size of the debug logs.
• When your org accumulates more than 1,000 MB of debug logs, we prevent users in the org from adding or editing trace flags. To
add or edit trace flags so that you can generate more logs after you reach the limit, delete some debug logs.
Tip: Debug logs are for live troubleshooting. To record all site traffic, use event monitoring. For details, see EventLogFile in the
Salesforce Object Reference.
SEE ALSO:
Monitor Debug Logs
Delete Debug Logs
Note: You can only monitor background jobs on this page. Contact Salesforce to abort a background job.
SEE ALSO:
Recalculate Sharing Rules
Asynchronous Parallel Recalculation of Sharing Rules
Available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions
USER PERMISSIONS
To monitor bulk data load jobs:
• Manage Data Integrations, API Enabled, View Setup and Configuration
The In Progress Jobs list contains the following columns, shown in alphabetical order:
Column Description
Job ID The unique, 15–character ID for this job.
Job Type The API type used for the job. Valid values are ‘Bulk V1’, ‘Bulk V2’, and ‘Bulk V2 Query’. Bulk V2 and Bulk V2 Query
jobs use the newer Bulk API 2.0 for creating and processing job data. Bulk API 2.0 simplifies the job process by
automatically creating batches.
Object The object type for the data being processed. All data in a job must be of a single object type.
Operation The processing operation for all the batches in the job. Possible values are:
• Delete
• Insert
• Query
• QueryAll
• Upsert
• Update
• HardDelete
Progress The percentage of batches processed relative to the total number of batches submitted. Progress is not shown
when the job is open because the total number of batches in the job is not known until the job is closed. Progress
may not accurately reflect the number of records processed. Batches may not all contain the same number of
records and they may be processed at different speeds.
Records Processed The number of records already processed. This number increases as more batches are processed.
Start Time The date and time when the job was submitted.
Status The current state of processing for the job. The valid values are:
• Open: The job has been created, and data can be added to the job.
• Closed: No new data can be added to this job. Data associated with the job may be processed after a job
is closed. You cannot edit or save a closed job.
• Aborted: The job has been aborted.
• Failed: The job has failed. Data that was successfully processed in the job cannot be rolled back.
• Job Complete: The job was processed by Salesforce. For Bulk API 2.0 jobs only.
• Upload Complete: No new data can be added to this job. You can’t edit or save a closed job. For Bulk
API 2.0 jobs only.
The Completed Jobs list contains the following columns, shown in alphabetical order. Completed jobs are removed from the list seven
days after completion.
Column Description
End Time The date and time when the job completed.
Job Type The API type used for the job. Valid values are ‘Bulk V1’, ‘Bulk V2’, and ‘Bulk V2 Query’. Bulk V2 and Bulk V2 Query
jobs use the newer Bulk API 2.0 for creating and processing job data. Bulk API 2.0 simplifies the job process by
automatically creating batches.
Object The object type for the data being processed. All data in a job must be of a single object type.
Operation The processing operation for all the batches in the job. The valid values are:
• Delete
• Insert
• Query
• QueryAll
• Upsert
• Update
• HardDelete
Records Processed The number of records already processed. This number increases as more batches are processed.
Start Time The date and time when the job was submitted.
Status The current state of processing for the job. The valid values are:
• Open: The job has been created, and data can be added to the job.
• Closed: No new data can be added to this job. Data associated with the job may be processed after a job
is closed. You cannot edit or save a closed job.
• Aborted: The job has been aborted.
• Failed: The job has failed. Data that was successfully processed in the job cannot be rolled back.
• Job Complete: The job was processed by Salesforce. For Bulk API 2.0 jobs only.
• Upload Complete: No new data can be added to this job. You can’t edit or save a closed job. For Bulk
API 2.0 jobs only.
SEE ALSO:
View Bulk Data Load Job Details
Introduction to Bulk API 2.0
Completed Batches The number of batches that have been completed for this job.
Concurrency Mode The concurrency mode for processing batches. The valid values are:
• parallel: Batches are processed in parallel mode. This is the default value.
• serial: Batches are processed in serial mode.
Content Type The content type for the job. The valid values are:
• CSV—data in CSV format (default and only supported content type for Bulk V2 type jobs)
• JSON—data in JSON format
• XML—data in XML format (default option for Bulk V1 type jobs)
• ZIP_CSV—data in CSV format in a zip file containing binary attachments
• ZIP_JSON—data in JSON format in a zip file containing binary attachments
• ZIP_XML—data in XML format in a zip file containing binary attachments
End Time The date and time when the job completed.
Failed Batches The number of batches that have failed for this job.
Job Type The API type used for the job. Valid values are ‘Bulk V1’, ‘Bulk V2’, and ‘Bulk V2 Query’. Bulk V2 and Bulk V2 Query
jobs use the newer Bulk API 2.0 for creating and processing job data. Bulk API 2.0 simplifies the job process by
automatically creating batches.
In Progress Batches The number of batches that are in progress for this job.
Object The object type for the data being processed. All data in a job must be of a single object type.
Operations The processing operation for all the batches in the job. Possible values are:
• Delete
• Insert
• Query
• QueryAll
• Upsert
• Update
• HardDelete
Progress The percentage of batches processed relative to the total number of batches submitted. Progress is not shown
when the job is open because the total number of batches in the job is not known until the job is closed. Progress
may not accurately reflect the number of records processed. Batches may not all contain the same number of
records and they may be processed at different speeds.
Records Failed The number of records that were not processed successfully in this job.
Records Processed The number of records processed at the time the request was sent. This number increases as more batches are
processed.
Retries The number of times that Salesforce attempted to save the results of an operation. The repeated attempts are due
to a problem, such as a lock contention.
Start Time The date and time when the job was submitted.
Status The current state of processing for the job. The valid values are:
• Open: The job has been created, and data can be added to the job.
• Closed: No new data can be added to this job. Data associated with the job may be processed after a job
is closed. You cannot edit or save a closed job.
• Aborted: The job has been aborted.
• Failed: The job has failed. Data that was successfully processed in the job cannot be rolled back.
• Job Complete: The job was processed by Salesforce. For Bulk API 2.0 jobs only.
• Upload Complete: No new data can be added to this job. You can’t edit or save a closed job. For Bulk
API 2.0 jobs only.
Time to Complete The total time to complete the job.
Total Processing Time (ms) The number of milliseconds taken to process the job. This is the sum of the total processing times
for all batches in the job.
The job detail page includes a related list of all the batches for the job. The related list provides View Request and View Response links
for each batch. If the batch is a CSV file, the links return the request or response in CSV format. If the batch is an XML or JSON file, the
links return the request or response in XML or JSON format, respectively. These links are available for batches created in API version 19.0
and later. For Bulk V2 type jobs, batch information is unavailable.
The batch related list contains the following fields, shown in alphabetical order:
Field Description
Apex Processing Time (ms) The number of milliseconds taken to process triggers and other processes related to the batch data. If there are
no triggers, the value is 0. This doesn't include the time used for processing asynchronous and batch Apex operations.
API Active Processing Time (ms) The number of milliseconds taken to actively process the batch, and includes Apex processing time. This doesn't
include the time the batch waited in the queue to be processed or the time required for serialization and deserialization.
Batch ID The ID of the batch. May be globally unique, but does not have to be.
End Time The date and time in the UTC time zone that processing ended. This is only valid when the state is Completed.
Records Failed The number of records that were not processed successfully in this batch.
Records Processed The number of records processed in this batch at the time the request was sent. This number increases as more
batches are processed.
Retry Count The number of times that Salesforce attempted to save the results of an operation. The repeated attempts are due
to a problem, such as lock contention or a batch taking too long to process.
Start Time The date and time in the UTC time zone when the batch was created. This is not the time processing began, but
the time the batch was added to the job.
State Message Contains the reasons for failure if the batch didn't complete successfully.
• Completed: The batch has been processed completely, and the result resource is available. The result
resource indicates if some records have failed. A batch can be completed even if some or all the records have
failed. If a subset of records failed, the successful records aren’t rolled back.
• Failed: The batch failed to process the full request due to an unexpected error, such as the request is
compressed with an unsupported format, or an internal server error.
• Not Processed: The batch failed to process the full request due to an unexpected error, such as the
request is compressed with an unsupported format, or an internal server error.
Total Processing Time (ms): The number of milliseconds taken to process the batch. This excludes the time the batch waited in the queue to be processed.
View Request: Click the link for a batch to see the request. Bulk V1 type jobs only.
View Result: Click the link for a batch to see the results. Bulk V1 type jobs only.
SEE ALSO:
Monitor Bulk Data Load Jobs
Introduction to Bulk API 2.0
Installed Packages
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
You can install packages into your Salesforce organization, and then configure and manage them.
To view the packages you’ve installed, from Setup, enter Installed in the Quick Find box, and then select Installed Packages.
Install a Package
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To install packages:
• Download AppExchange Packages
Install a managed package in your Salesforce org to add new functionality to your org. Choose a custom installation to modify the default package settings, including limiting access to the package.
Before you install a package, verify that the AppExchange listing is compatible with your Salesforce edition.
Pre-Installation Steps
1. In a browser, go to the installation URL provided by the package developer, or, if you’re installing a package from AppExchange, click Get It Now from the application information page.
2. Enter your username and password for the Salesforce organization in which you want to install the package, and then click Log In.
3. Select Install in Production or Install in Sandbox.
Note: If you’re installing into a sandbox, replace the www.salesforce.com portion of the package installation link with test.salesforce.com. The package is removed from your sandbox organization whenever you create a sandbox copy.
4. Accept the terms and conditions, then click Confirm and Install.
5. Enter your org’s login credentials. After you’re directed to the appropriate org, continue with the package installation steps.
• If the package is password-protected, enter the password you received from the publisher.
• Optionally, if you’re installing an unmanaged package, select Rename Conflicting Components in Package. When you select
this option, Salesforce changes the name of a component in the package if its name conflicts with an existing component name.
Default Installation
Click Install. You’ll see a message that describes the progress and a confirmation message after the installation is complete.
Custom Installation
To modify the default settings:
1. Determine your package access settings.
• Click View Components. You see an overlay with a list of components in the package. For managed packages, the screen also
contains a list of connected apps (trusted applications that are granted access to a user's Salesforce data after the user and the
application are verified). To confirm that the components and any connected apps shown are acceptable, review the list and
then close the overlay.
Note: Some package items, such as validation rules, record types, or custom settings don’t appear in the Package
Components list but are included in the package and installed with the other items. If there are no items in the Package
Components list, it’s likely that the package contains only minor changes.
• If the package contains a remote site setting, you must approve access to websites outside of Salesforce. The dialog box lists all
the websites that the package communicates with. We recommend that a website uses SSL (secure sockets layer) for transmitting
data. After you verify that the websites are safe, select Yes, grant access to these third-party websites and click Continue,
or click Cancel to cancel the installation of the package.
Warning: By installing remote site settings, you’re allowing the package to transmit data to and from a third-party website.
Before using the package, contact the publisher to understand what data is transmitted and how it's used. If you have an
internal security contact, ask the contact to review the application so that you understand its impact before use.
• Click API Access. You see an overlay with a list of the API access settings that package components have been granted. Review
the settings to verify they’re acceptable, and then close the overlay to return to the installer screen.
• In Enterprise, Performance, Unlimited, and Developer Editions, choose one of the following security options.
Note: This option is visible only in specific types of installations. For example, in Group and Professional Editions, or if the
package doesn’t contain a custom object, Salesforce skips this option, which gives all users full access.
Install for Admins Only
Specifies the following settings on the installing administrator’s profile and any profile with the "Customize Application"
permission.
– Object permissions—Read, Create, Edit, Delete, View All, and Modify All enabled
– Field-level security—set to visible and editable for all fields
– Apex classes—enabled
– Visualforce pages—enabled
– App settings—enabled
– Tab settings—determined by the package developer
– Page layout settings—determined by the package developer
– Record Type settings—determined by the package developer
After installation, if you have Enterprise, Performance, Unlimited, or Developer Edition, set the appropriate user and object
permissions on custom profiles as needed.
Install for All Users
Specifies the following settings on all internal custom profiles.
– Object permissions—Read, Create, Edit, and Delete enabled
– Field-level security—set to visible and editable for all fields
– Apex classes—enabled
– Visualforce pages—enabled
– App settings—enabled
– Tab settings—determined by the package developer
– Page layout settings—determined by the package developer
– Record Type settings—copied from admin profile
Note: The Customer Portal User, Customer Portal Manager, High Volume Customer Portal, Authenticated Website,
Partner User, and standard profiles receive no access.
Install for Specific Profiles...
Lets you determine package access for all custom profiles in your org. You can set each profile to have full access or no access
for the new package and all its components.
– Full Access—Specifies the following settings for each profile.
• Object permissions—Read, Create, Edit, and Delete enabled
• Field-level security—set to visible and editable for all fields
• Apex classes—enabled
• Visualforce pages—enabled
• App settings—enabled
• Tab settings—enabled
• Page layout settings—determined by the package developer
• Record Type settings—determined by the package developer
– No Access—Page layout and Record Type settings are determined by the package developer. All other settings are
hidden or disabled.
If the package developer has included settings for custom profiles, you can incorporate the settings of the publisher’s custom
profiles into your profiles without affecting your settings. Choose the name of the profile settings in the dropdown list next
to the profile that you’re applying them to. The current settings in that profile remain intact.
Alternatively, click Set All next to an access level to give this setting to all user profiles.
2. Click Install. You’ll see a message that describes the progress and a confirmation message after the installation is complete.
• During installation, Salesforce checks and verifies dependencies. An installer’s organization must meet all dependency requirements
listed on the Show Dependencies page or else the installation fails. For example, the installer's organization must have divisions
enabled to install a package that references divisions.
• When you install a component that contains Apex, all unit tests for your organization are run, including the unit tests contained
in the new package. If a unit test relies on a component that is initially installed as inactive, such as a workflow rule, this unit test
fails. You can select to install regardless of unit test failures.
• If your installation fails, see Why did my installation or upgrade fail? on page 1277.
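The remote site review in the custom installation steps can be scripted when the settings are available as files. The following is an added example, not Salesforce code: it assumes the remote site settings have been exported as Metadata API RemoteSiteSetting XML, and the sample documents, host names, and approved-host list are constructed for illustration.

```python
"""Review the remote sites a package wants to reach before granting access."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# XML namespace used by Salesforce Metadata API files.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample input: RemoteSiteSetting documents keyed by setting name.
# The host names are placeholders, not endpoints of any real package.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>{dps}</disableProtocolSecurity>
    <isActive>{active}</isActive>
    <url>{url}</url>
</RemoteSiteSetting>"""

SAMPLE_SETTINGS = {
    "Vendor_API": TEMPLATE.format(
        dps="false", active="true", url="https://api.vendor.example"),
    "Legacy_Feed": TEMPLATE.format(
        dps="true", active="true", url="http://feeds.vendor.example/export"),
    "Usage_Collector": TEMPLATE.format(
        dps="false", active="true", url="https://collector.thirdparty.example"),
}

# Hypothetical allowlist: hosts the publisher has documented and your
# security contact has accepted.
APPROVED_HOSTS = {"api.vendor.example"}


def parse_remote_site(name, xml_text):
    """Extract the fields relevant to the review from one setting."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))

    def field(tag, default=""):
        node = root.find("md:" + tag, NS)
        return node.text.strip() if node is not None and node.text else default

    return {
        "name": name,
        "url": field("url"),
        "active": field("isActive", "false").lower() == "true",
        # When true, data may pass between HTTPS and HTTP sessions.
        "protocol_security_disabled":
            field("disableProtocolSecurity", "false").lower() == "true",
    }


def review_site(site, approved_hosts):
    """Return a list of reasons this endpoint needs a closer look."""
    findings = []
    parts = urlsplit(site["url"])
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        findings.append("no TLS: scheme is '%s'" % parts.scheme)
    if site["protocol_security_disabled"]:
        findings.append("disableProtocolSecurity is true")
    if host not in approved_hosts:
        findings.append("host '%s' has not been approved" % host)
    return findings


def audit(settings, approved_hosts):
    """Map each setting that has findings to its URL, state, and findings."""
    report = {}
    for name in sorted(settings):
        site = parse_remote_site(name, settings[name])
        findings = review_site(site, approved_hosts)
        if findings:
            report[name] = {
                "url": site["url"],
                "active": site["active"],
                "findings": findings,
            }
    return report


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_SETTINGS, APPROVED_HOSTS).items():
        state = "active" if entry["active"] else "inactive"
        print("%s (%s, %s)" % (name, entry["url"], state))
        for finding in entry["findings"]:
            print("  - " + finding)
```

Any setting that appears in the report is a question to put to the publisher before you select Yes, grant access to these third-party websites.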
Post-Installation Steps
If the package includes post-installation instructions, they’re displayed after the installation is completed. Review and follow the instructions
provided. In addition, before you deploy the package to your users, make any necessary changes for your implementation. Depending
on the contents of the package, some of the following customization steps are required.
• If the package includes permission sets, assign the included permission sets to your users who need them. In managed packages,
you can't edit permission sets that are included in the package, but subsequent upgrades happen automatically. If you clone a
permission set that comes with a managed package or create your own, you can edit the permission set, but subsequent upgrades
won't affect it.
• If you’re reinstalling a package and need to reimport the package data by using the export file that you received after uninstalling,
see Import Package Data.
• If you installed a managed package, click Manage Licenses to assign licenses to users.
Note: You can’t assign licenses in Lightning Experience. To assign a license, switch to Salesforce Classic.
• Configure components in the package as required. For more information, see Configuring Installed Packages on page 1262.
SEE ALSO:
Upgrading Packages
Installation Guide: Installing Apps from Salesforce AppExchange
Installed Packages
Configuring Installed Packages
You can't edit permission sets that are included in a managed package. If you clone a permission set that comes with the package
or create your own, you can make changes to the permission set, but subsequent upgrades won't affect it.
Records Created During Post-Installation Scripts
To edit records created by a post-install script, reassign the owner of the records to someone in your org. By default, records created
during a post-install script are assigned to the APP account owner alias and can't be shared or edited.
Translation Workbench
Translated values for installed package components are also installed for any language that the developer has included. Any package
components the developer has customized within setup, such as a custom field or record type, display in the installer’s setup pages
in the developer’s language (the language used when defining these components). Users in the installer’s organization automatically
see translated values if their personal language is included in the package. Additionally, installers can activate additional languages
as long as the Translation Workbench is enabled.
Workflow Alerts
If the recipient of a workflow alert is a user, Salesforce replaces that user with the user installing the package. You can change the
recipients of any installed workflow alerts.
Workflow Field Updates
If a field update is designed to change a record owner field to a specific user, Salesforce replaces that user with the user installing
the package. You can change the field value of any installed field updates.
Workflow Outbound Messages
Salesforce replaces the user in the User to send as field of an outbound message with the user installing the package. You
can change this value after installation.
Workflow Rules
Workflow rules are installed without any time-based triggers that the developer might have created. Set up time-based triggers as
necessary.
Workflow Tasks
Salesforce replaces the user in the Assigned To field with the user installing the package. You can change this value after
installation.
Make any more customizations that are necessary for your implementation.
Note: Anything you add to a custom app after installation will be removed with the custom app if you ever uninstall it.
SEE ALSO:
Installed Packages
Tradeoffs and Limitations of Shield Platform Encryption
Uninstall a Managed Package
• You can’t uninstall a package that removes all active business and person account record types. Activate at least one other business
or person account record type, and try again.
• You can’t uninstall a package if a background job is updating a field added by the package, such as an update to a roll-up summary
field. Wait until the background job finishes, and try again.
Manage Installed Packages
Available in: Salesforce Classic (not available in all orgs) and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To uninstall packages:
• Download AppExchange Packages
To assign licenses for a managed package:
• Manage Package Licenses
To download or delete the export file for an uninstalled package:
• Download AppExchange Packages
Note: Salesforce only lists license information for managed packages. For unmanaged packages, the license-related fields, such as Allowed Licenses, Used Licenses, and Expiration Date, display the value “N/A.”
Using this list, you can:
• Click Uninstall to remove the package and all its components from your Salesforce organization.
• Click Manage Licenses to assign available licenses to users in your organization. If you purchased a site license or if the managed package is not licensed, Salesforce assigns licenses to all your users and you can’t manage licenses. Your users can use the package as long as they have the appropriate permissions.
Note: Certain managed packages created by Salesforce require external access to data within your org. To grant access to allow an installed managed package to connect with external data, click Enable for Platform Integrations. Alternatively, to revoke access between an installed managed package and external data, click Disable for Platform Integrations. Enable this functionality only upon request from a Salesforce-owned managed package.
• Click Become Primary Contact to update the current contact for the installed package to your username. This contact name displays for the package publisher from the Push Package Upgrade page. Initially, it’s set to the name of the person who installed the package. If you have Download AppExchange Packages permission and aren’t the current primary contact, this option is enabled.
• Click Configure if the publisher has included a link to an external website with information about configuring the package.
• Click the package name to view details about this package.
• View the publisher of the package.
• View the status of the licenses for this package. Available values include:
– Trial
– Active
– Suspended
– Expired
– Free
This field is only displayed if the package is managed and licensed.
• Track the number of licenses available (Allowed Licenses) and the number of licenses that are assigned to users (Used
Licenses).
• View the date your licenses for this package are scheduled to expire.
• View the date your licenses were installed.
• View the number of custom apps, tabs, and objects this package contains.
• See whether the custom apps, tabs, and objects count toward your organization’s limits. If they do, the box in the Limits column
is checked.
Note: If you have not installed a licensed managed package, the Publisher, Status, Allowed Licenses, Used
Licenses, and Expiration Date fields do not appear.
After an uninstall, Salesforce automatically creates an export file containing the package data, associated notes, and any attachments.
When the uninstall is complete, Salesforce sends an email containing a link to the export file to the user performing the uninstall. The
export file and related notes and attachments are listed below the list of installed packages. We recommend storing the file elsewhere
because it’s only available for a limited time after the uninstall completes. Using this list, you can:
• Click Download to open or store the export file.
• Click Del to delete the export file.
Expired Managed Packages and Sharing Rules
If a criteria-based sharing rule references a field from a licensed managed package whose license has expired, (expired) is
appended to the label of the field. The field label is displayed in the field drop-down list on the rule’s definition page in Setup.
Criteria-based sharing rules that reference expired fields aren't recalculated, and new records aren't shared based on those rules.
However, the sharing of existing records prior to the package's expiration is preserved.
SEE ALSO:
View Installed Package Details
Importing Package Data
Attribute Description
Action: Can be one of two options:
• Uninstall
• Manage Licenses
Allowed Licenses: The total number of licenses you purchased for this package. The value is “Unlimited” if you have a site license for this package. This field is only displayed if the package is managed and licensed.
Connected Apps: A list of the connected apps that can have access to a user's Salesforce data after the user and the application have been verified.
Expiration Date: The date that this license expires, based on your terms and conditions. The expiration date is “Does Not Expire” if the package never expires. This field is only displayed if the package is managed and licensed.
Limits: If checked, the package’s custom apps, tabs, and objects count toward your organization’s limits.
Used Licenses: The total number of licenses that are already assigned to users. This field is only displayed if the package is managed and licensed.
Version Name: The version name for this package version. The version name is the marketing name for a specific release of a package. It is more descriptive than the Version Number.
Attribute Description
Apps: The number of custom apps in the package.
First Installed Version Number: The first installed version of the package in your organization. This field is only displayed for managed packages. You can reference this version and any subsequent package versions that you have installed. If you ever report an issue with a managed package, include the version number in this field when communicating with the publisher.
Installed By: The name of the user that installed this package in your organization.
Limits: If checked, the package’s custom apps, tabs, and objects count toward your organization’s limits.
Modified By: The name of the last user to modify this package, including the date and time.
Post Install Instructions: A link to information on configuring the package after it’s installed. As a best practice, the link points to an external URL, so you can update the information independently of the package.
Release Notes: A link to release notes for the package. As a best practice, link to an external URL, so you can make the information available before the release and update it independently of the package.
Version Name: The version name for this package version. The version name is the marketing name for a specific release of a package. It is more descriptive than the Version Number.
Version Number: The version number for the latest installed package version. The format is majorNumber.minorNumber.patchNumber, such as 2.1.3. The version number represents a release of a package. The Version Name is a more descriptive name for the release. The patchNumber is generated only when you create a patch. If there is no patchNumber, it is assumed to be zero (0).
Unused Components
You can see a list of components deleted by the developer in the current version of the package. If this field is part of a managed package,
it’s no longer in use and is safe to delete unless you’ve used it in custom integrations. Before deleting a custom field, you can keep a
record of the data from Setup by entering Data Export in the Quick Find box, then selecting Data Export. After you've
deleted an unused component, it appears in this list for 15 days. During that time, you can either undelete it to restore the field and all
data stored in it, or delete the field permanently. When you undelete a field, some properties on the field are lost or changed. After 15
days, the field and its data are permanently deleted.
The following component information is displayed (in alphabetical order):
Attribute Description
Action: Can be one of two options:
• Undelete
• Delete
Parent Object: Displays the name of the parent object a component is associated with. For example, a custom object is the parent of a custom field.
Package Components
You can see a list of the components included in the installed package. The following component information is displayed (in alphabetical
order):
Attribute Description
Action: Can be one of two options:
• Undelete
• Delete
Parent Object: Displays the name of the parent object a component is associated with. For example, a custom object is the parent of a custom field.
SEE ALSO:
Importing Package Data
Manage Installed Packages
To import Salesforce AppExchange package data:
• The permissions required to use the import tool you choose, such as the import wizard or Data Loader.
Notes on Importing AppExchange Package Data
• Salesforce converts date fields into date/time fields upon export. Convert the appropriate fields into date fields before you import.
• Salesforce exports all date/time fields in Greenwich Mean Time (GMT). Before importing these fields, convert them to the appropriate time zone.
• The value of auto number fields may be different when you import. To retain the old values, create a new custom auto number field on a custom object before importing the data.
• Salesforce updates system fields such as Created Date and Last Modified Date
when you import. To retain the old values for these fields, contact Salesforce support.
• Relationships are not included in the export file. Recreate any master-detail or lookup relationships after importing your data.
• Record type IDs are exported but not the record type name.
• Field history is not exported.
• Recreate any customizations that you made to the package after installation.
SEE ALSO:
View Installed Package Details
Manage Installed Packages
Managing Licenses for Installed Packages
To manage licenses for an AppExchange package:
• Manage Package Licenses
Note: To assign licenses for a package, you must have access to the package and at least one available license.
• To assign licenses to more users, click Add Users.
• To remove a license from a user, click Remove next to the user's name. To remove licenses from multiple users, click Remove Multiple Users.
• Click any column heading to sort the users in ascending order using the data in that column. Click the heading again to sort in
descending order.
• If available, select fewer or more to view a shorter or longer display list.
SEE ALSO:
Assigning Licenses for Installed Packages
Removing Licenses for Installed Packages
Responding to License Manager Requests
The availability of each permission set license depends on the edition requirements for permission sets and the related feature.
To view the properties and permissions of your namespace permission set license, from Setup, in the Quick Find box, enter Users, and then select Users. Select a user and from the Permission Set License Assignments related list, click Edit Assignments. Here you can view the contents of a permission set license, the package namespace, and license expiration policy details.
License Expiration Policy indicates whether package access is blocked for existing users when all namespace permission set licenses
expire.
Note: You can assign a permission set unconstrained by licenses that has components from a managed package. If you assign
such a permission set, at assignment time Salesforce validates whether the user has a namespace permission set license for the
relevant managed package namespace. If users don’t have the license, the permission set assignment fails.
7. (Optional) Certain managed packages created by Salesforce require external access to data within your org. To grant access to allow an installed managed package to connect with external data, click Enable for Platform Integrations. Alternatively, to revoke access between an installed managed package and external data, click Disable for Platform Integrations.
Enable this functionality only upon request from a Salesforce-owned managed package.
SEE ALSO:
Managing Licenses for Installed Packages
You can also remove licenses for an AppExchange package from a single user using the following
options:
1. From Setup, enter Users in the Quick Find box, then select Users and click Remove next to the package in the managed
packages list.
2. From Setup, enter Installed Packages in the Quick Find box, then select Installed Packages. Then, click Manage
Licenses next to the package name, and click Remove next to the user.
SEE ALSO:
Managing Licenses for Installed Packages
Package Usage
EDITIONS
Available in: both Salesforce Classic and Lightning Experience
Available in: Essentials, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Discover whether your company is taking advantage of AppExchange packages that you installed by reviewing usage summaries. Usage summaries are available for managed packages that passed security review. Events from sandbox, scratch, and trial orgs aren’t tracked in package usage summaries.
From Setup, in the Quick Find box, enter Package Usage, and then select Package Usage.
To request a .csv file of your managed package usage data, click Request Summary.
To access the link to download your usage summary, refresh the Package Usage page.
The link to download a requested usage summary expires after 15 minutes.
Unauthorized Managed Packages
To participate in the AppExchange Partner Program, Salesforce’s partners must meet certain standards and submit their AppExchange
products for security review. When you install a managed package that the AppExchange Partner Program hasn’t authorized for
distribution, we notify you during installation.
The notification appears when you configure the package installation settings (1). Before you install the package, you must confirm that
you understand that the package isn’t authorized for distribution (2).
For information about the AppExchange Partner Program and its requirements, visit the Salesforce Partner Community. For information
about non-Salesforce providers, see our Main Services Agreement.
Upgrading Packages
EDITIONS
Available in: Salesforce Classic (not available in all orgs)
Available in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
USER PERMISSIONS
To upload packages:
• Upload AppExchange Packages
To install and uninstall packages:
• Download AppExchange Packages
Salesforce supports upgrades for managed packages only. Publishers can publish an upgrade for a managed package and notify installers that the new version is available. Installers of a managed package can then install the upgrade as follows:
1. Before you install an upgrade, determine if the app you installed was from a managed package. Look for the Managed - Installed icon on the detail pages for each component and on the list of packages installed.
If the app you installed is not from a managed package, upgrades for it are not available.
2. Then, install the upgrade in the same way you would install any other package from the AppExchange. If the publisher provided a link to the new version, follow the link to the package posting and install it in your organization. The first page of the install wizard lists the current version you have installed, the version you’re about to install, and a list of additional components included in the new version.
Notes on Upgrading Managed Packages
Consider the following when upgrading a managed package:
• All existing custom objects that were previously deployed will still be deployed. Salesforce prompts you to deploy any new custom objects or previously undeployed custom objects.
• Profile settings for components in a package are editable by the customer but not upgradeable by the package developer. If the developer makes changes to any profile settings after releasing the package, those changes won’t be included in an upgrade. Customers will need to manually update the profile settings after upgrading the package. In contrast, permission sets in a package are upgradeable by the developer, so any changes the developer makes will be reflected in the customer organization after upgrading the package.
• If the developer chooses to add universally required custom fields, the fields will have default values.
• Translation Workbench values for components that are “editable but not upgradeable” are excluded from upgrades.
• If an installed package has Restricted API access, upgrades are successful only if the upgraded version does not contain any
s-controls. If s-controls are present in the upgraded version, you must change the currently installed package to Unrestricted
API access.
• When you upgrade a package, changes to the API access are ignored even if the developer specified them. This ensures that the
administrator installing the upgrade has full control. Installers should carefully examine the changes in package access in each
upgrade during installation and note all acceptable changes. Then, because those changes are ignored, the administrator should
manually apply any acceptable changes after installing an upgrade.
SEE ALSO:
Lightning Platform Quick Reference for Developing Packages
SEE ALSO:
Uninstall a Managed Package
Importing Package Data
SEE ALSO:
Install a Package
Importing Package Data
SEE ALSO:
Salesforce Features and Edition Allocations
Data Import
Guides and Tip Sheets For End Users For Admins
Data Loader Guide
Data Management
Guides and Tip Sheets For End Users For Admins
Salesforce Field Reference Guide
Security
Guides and Tip Sheets For End Users For Admins
Security Implementation Guide
INDEX
A
Access
  revoking 475
Activities
  controlled by parent 583
apex 1118
Apex
  monitoring system logs 1247
Apex classes 1112, 1117
api event 1094
Apps
  visibility, setting in profiles 517
attachments 955, 974
B
background encryption 987–989, 991, 993
Background jobs
  about 1251
  sharing recalculation 1251
  viewing 1251
baseline 910
best practices for Shield Platform Encryption 1023
Bring Your Own Key (BYOK) 963, 995–1001, 1003
Browser security 1044
C
Cache-Only Key 1003–1005, 1007, 1009, 1011–1015
Certificates
  api client 1206
  mutual authentication 1205–1206
  uploading 1205
Change Data Capture 978
compatibility 978
condition 1094, 1097, 1100
Condition Builder 1091, 1094, 1097, 1100, 1105
conditions 1094, 1097, 1100
considerations 1014, 1022, 1030, 1033–1034
Currency
  importing multiple currencies 670
custom fields 954, 972–973
Custom views
  profiles 499
customizations 1018
D
data encryption 942–943, 954–955, 971–976, 1019
Data Loader
  blank fields, replacing 746
  date formats 699
  updating fields with blank values 746
data visibility 964
Debug logs
  monitoring 1247
  retaining 1247
Debugging
  monitoring logs 1247
Defer sharing calculations 607
definitions 1005
deploy 965
destroy key material 991, 993–994, 1013
deterministic encryption 980–981, 1030
disable encryption 979
duplicate management 1019
E
encrypt Chatter 975
encryption policy 942, 966, 971–975, 979
encryption process 957, 961
encryption statistics 987–989, 993
enhanced transaction security 1118
Event Bus 978
export key material 987
Exporting
  from LinkedIn 672
F
FAQ
  Import wizard, updating 745
  importing or uploading data 742
  mass upload 742
  replacing fields with blank values 746
  updating fields with blank values 746
  updating records, import wizard 745
  what data can be imported 742
field limits 1034
Field-level security
  accessibility 559
  permission sets 470
  profiles 470
T
Team
  See Account team 572
  See Case teams 572
tenant secret 969, 984–985
terminology 1005
testing 1118
threat detection 1141–1147, 1149, 1151–1155
Training history 1231
transaction security 1091, 1094, 1097, 1100, 1105, 1112, 1117
troubleshoot Bring Your Own Key 1001
troubleshoot Cache-Only Key 1012, 1015
troubleshoot Shield Platform Encryption 978
two-factor authentication 994
U
Updating
  blank values 746
Updating records
  Import wizard 745
User setup
  groups 565
  public groups 565
User Sharing
  compatibility with report types 625
Users
  permission set assignments 530
  revoking access 475
  revoking permissions 475
usage-based entitlements 457
V
validation service 978
View All permission 469
W
Workflow
  monitoring debug logs 1247