Mastering Organization-Level Security: Protecting Your Business’s Data And Assets

Aman Garg
5 min readOct 30, 2023

User Management (Control Access to the Organization)

What You’ll Learn:

  1. What is User Management in Salesforce?
  2. How to Create a User in Salesforce?
  3. When to Freeze and When to Deactivate a User?
  4. How to Manage Your Org’s Password?
  5. How to Restrict a User at Org Level and Profile through IP?
  6. How to Restrict a User through Login Time?
  7. How to White List and Black List a User?

Access to a Salesforce organization is a critical aspect of Salesforce User Management. This blog post will guide you through the essential elements of controlling access to your Salesforce organization, ensuring the security and integrity of your data and operations.

What Is User Management In Salesforce?

Salesforce users are employees in your organization who have a user account that allows them to log in and access the Salesforce platform. The user account identifies the user and determines what features and records they can access.

Each user contains at least the following:


Each Salesforce user account must be unique across all Salesforce organizations and instances.

User Licenses

A Salesforce user license determines which features the user can access in Salesforce. For example, the standard Salesforce license allows users to access standard Salesforce features and Chatter. However, if you want to grant a user access to only some features in Salesforce, you can choose from a variety of other licenses. For instance, the Chatter Free license allows users to access Chatter without being able to see any data in Salesforce.


A Salesforce user profile determines what actions a user can perform in Salesforce. Profiles should be assigned to users based on their job functions.


A Salesforce role hierarchy determines what additional access a user has based on their position in the hierarchy. Roles are optional, but each user can only have one role assigned.


A Salesforce user alias is a short name that identifies the user on list pages, reports, and other places where their full name doesn’t fit. By default, the alias is the first letter of the user’s first name and the first four letters of their last name. For example, a user with the name “Hira Khursheed” would have the alias “Hkhur”.

Difference Between Deactivating And Freezing A User

Deactivate a UserFreeze a UserTo prevent a user from logging in to Salesforce, administrators must deactivate the user’s account. Users cannot be deleted, so deactivation is the only way to remove their access to Salesforce. Salesforce administrators cannot immediately deactivate a user who is selected in a custom hierarchy field. Therefore, to prevent the user from logging in to the organization while the administrator performs the necessary steps to deactivate them, they can simply freeze the user first. Deactivating a Salesforce user frees up the license assigned to that user, so the license can be reassigned to a new user who can then use it to access Salesforce platform features Freezing a Salesforce user account does not free up the license assigned to that user.

What Is Managing Salesforce Password Policies?

Salesforce password policies are rules that ensure users’ passwords are strong and secure. It is important to manage password policies to keep your Salesforce organization safe.

There are several settings to ensure this:

Password Policies

Salesforce password policies allow you to set login and password requirements for your users, such as minimum password length, password complexity requirements, and password expiration intervals.

User Password Expiration

Salesforce password expiration policies allow you to set a time period after which all user passwords will expire, except for users with the “Password Never Expires” permission. You can

also reset passwords for specific users, and specify the number of login attempts a user is allowed before their account is locked. If a user is locked out, an administrator can unlock their access.

User Password Resets

Reset a password for specific users.

Login Attempts And Lockout Periods

Specifies the number of attempts a user can make and if a user is locked out due to too many failed login attempts, the administrator can unlock its access.

Restrict Login Access By IP Address (Control Access to Organisation)

Salesforce does not restrict login location by default, but administrators can do so to improve security. Administrators can specify an IP address range for the entire organization or for specific user profiles, but the behavior of each option is different.

If the login IP range is set for the entire organization:

  • All users must log in from an IP address within the specified range.
  • If a user tries to log in from an IP address outside the range, they will be denied access.

If the login IP range is set for a specific user profile:

  • Only users with that profile can log in from IP addresses within the specified range.
  • Other users can log in from any IP address.

Organization Level

Users who try to log in from outside the trusted IP range will be presented with a login challenge. If they successfully complete the challenge, typically by entering an activation code sent to their mobile device or email address, they will be granted access. This method does not completely restrict access for users outside the trusted IP range.

Profile Level

Users outside the permitted IP range(which is set) are always denied access.

Restrict Login Access By Time (Control Access To Organization)

By default, Salesforce does not restrict login times. However, administrators can enable login time restrictions for added security. Login time restrictions can only be set at the profile level, meaning that administrators can specify the hours when users with a specific profile can log in. For example, you can deny login access to customer data outside of business hours for employees who only need to access customer data during business hours. If users are logged in when their login hours end, they can continue to view the page they are currently on, but they cannot take any further actions.


By the end of this blog, you’ll have a comprehensive understanding of Salesforce User Management, empowering you to control access to your organization effectively. Stay tuned for detailed insights into each aspect and best practices to secure your Salesforce data.

I hope you like this blog and if you want any help let me know in the comment section.

Stay tuned, there is way more to come! Follow me on LinkedIn, Instagram, and Twitter. So you won’t miss out on all future articles.

Originally published at on October 30, 2023.



Aman Garg

Sr. Salesforce Developer || 5x Salesforce Certified || 2x Copado Certified || Salesforce Mentor || Founder of Salesforce Learners