Monday, December 23, 2013

IP Addresses And User Access

As a Salesforce administrator, have you ever wondered when and where your users are accessing their data? A recent feature gives you even more information about user access through a list of the IP addresses and browsers used. If you run a really secure database, looking at the list of IP addresses where users have accessed data is a must for security review, but even administrators of more relaxed orgs can use this information to better understand their users' needs.

User Access History By IP and Browser

You can see where in the world your data has been.
With the Activated Login List, you can see every IP address users have used throughout their history with your org. This view provides even more information than the user login history. You can even review the access addresses for users you have deactivated. And, if you have any concerns about an IP address in the list, you can just remove access for that address after talking to the user about where they may be when they access Salesforce data.

Before you remove any IP addresses and browsers from the Activated list, you may want to save the information for future reference.  You will not see the removed data in your recycle bin!  So if you want to keep a record of which users activated their accounts for which IP addresses and browsers, save before you remove. 

Note that, according to Salesforce documentation, removing a user's IP address activation may trigger a new activation confirmation request for that address only if you remove the activations for both the address and the browser used for that access. You can find the browser activations in a second list on the Settings>Security Controls>Activations screen.

Just below the Activated Login List, the browser list contains recently Activated Client Browsers and gives you more clues about how your users access data. This can be useful when you review your mobile access policies, since many mobile devices are obvious from the browser listed here.

Unfortunately, the browser and IP address lists don't always coincide.  The browser list does not go as far back in time as the IP address list, and for my own personal activations, I found an IP address I activated at a specific date and time and three different browser activations listed within an hour of activating that address as I used different Connected Apps.

Dynamic, Static, Fixed Or Sticky

If you are surprised by the number of IP addresses that individuals have used to access the database, keep in mind that an Internet Service Provider (ISP) and local hosts may provide dynamic IP addresses from a set list of addresses.  In that case, the last digits of the address may be different for one user on a single device. 
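To separate dynamic-address churn from genuinely different access locations, you can group a saved copy of the activation list by user and by enclosing network. The following is an added example, not Salesforce code or code from the original post; the CSV column names, the sample rows, and the /24 and /64 grouping sizes are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a saved copy of the Activated Login List.
# The column names are assumptions, not a Salesforce export format.
SAVED_ACTIVATIONS = """\
username,ip_address,activated
alice@example.com,203.0.113.14,2013-11-02 09:15
alice@example.com,203.0.113.87,2013-11-19 08:52
alice@example.com,203.0.113.201,2013-12-04 09:03
bob@example.com,198.51.100.7,2013-10-11 14:20
bob@example.com,192.0.2.45,2013-12-01 23:41
bob@example.com,2001:db8:12:34::9,2013-12-15 07:30
"""

def network_of(ip_text, v4_prefix=24, v6_prefix=64):
    """Return the enclosing network for an address.

    The /24 and /64 sizes are assumptions; an ISP pool can be larger.
    """
    ip = ipaddress.ip_address(ip_text.strip())
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def summarize(csv_text):
    """Map each user to {network: sorted list of addresses seen in it}."""
    per_user = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = network_of(row["ip_address"])
        per_user[row["username"]][net].add(row["ip_address"].strip())
    return {user: {str(n): sorted(a) for n, a in nets.items()}
            for user, nets in per_user.items()}

def users_to_review(summary, max_networks=1):
    """Users whose activations span more networks than expected."""
    return sorted(u for u, nets in summary.items() if len(nets) > max_networks)

if __name__ == "__main__":
    summary = summarize(SAVED_ACTIVATIONS)
    for user, nets in summary.items():
        for net, addrs in nets.items():
            print(f"{user}  {net}  {len(addrs)} address(es)")
    print("Review with the user:", users_to_review(summary))
```

In the sample, the first user's three addresses collapse into one network, which matches the dynamic-address pattern, while the second user's activations span three unrelated networks and are worth a conversation.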

Learning about your users' IP addresses and browsers gives you a more complete picture of what is needed to provide or deny data access for users. Combining the Activated Login List with the login history report gives you a more complete view of what your users have been doing in Salesforce and with mobile applications like Salesforce Touch and Salesforce1.

