Salesforce Data Security: Trusted IP Ranges versus Login IP Ranges. This one always twists my brainĀ šŸ¤Æ

A Salesforce org is like a multi-level office building. If you have a meeting with a customer in their office building on the 13th floor, you have to get through several security checks in order to meet them there. Starting with the main entrance, followed by the elevator, followed by the office entrance, followed by the meeting room. Each one requires a security pass to get through. Salesforce’s data security model works just the same. In this article we want to focus on the ‘main entrance’ security check. I’ll walk you through the options Salesforce checks for when someone attempts to enter a Salesforce org, including the importance of Trusted IP Ranges as well as Login IP Ranges.

Author: Peggy Schael | Salesforce Trainer | WeLearnSalesforce

How Salesforce Trusted IP Ranges and Login IP Ranges Fit in With The Data Security Model

Salesforce’s data security model essentially consists of four layers: 

The first layer determines a user’s access to the Salesforce organization, like their username and password, and also their login location such as their IP address.

The second layer determines what users can see and do in Salesforce such as viewing specific types of records (a.k.a. Objects), edit or delete records.

The third layer specifies whose records users can access. Not only records they own or created, but also records of their colleagues.

And the fourth layer is all about the level of detail (=fields). How much information should a user be able to see. For example, should a sales user be able to see credit card information? Possibly not! But the finance department may need to.

This means, the first layer is your ‘main entrance’ security check of the office building, a.k.a. your Salesforce org.

What Does Salesforce Check For When A User Attempts To Log In

User authentication starts by entering a valid username and a password. If that is a match, Salesforce checks whether the User has logged in before or not. What happens it that Salesforce places a cookie in the user’s browser (unless the browser uses a cookie blocker). If Salesforce finds the cookie, it will grant access. If it doesn’t find that cookie, it will require the user to verify themselves.

This means they will receive an email notification under their registered email address containing a verification code. Once they enter the code and verify, they will be able to login.

Whitelisting Login Locations With Trusted IP Ranges

While this verification process is an important security measure, it can become rather bothersome when users switch locations from time to time or switch computers or browsers they work from. We are talking about IT users supporting a Salesforce org, or Salesforce trainers like myself, or team managers etc. 

I remember one particular training roster with a government customer. There were several training sessions happening in different office location. Plus they were happening in different Sandboxes, hence different Salesforce logins. Each time I had to verify myself, and that turned out to be very time consuming, not only for myself but for the trainees too. So I took the IP addresses and whitelisted them. Problem solved!

Whitelisting IP addresses is done under Setup/Network Access by adding Trusted IP Ranges. This means. If a user tries to log in from within a Trusted IP Range, they do not have to go through the verification process.

In other words, if they try to login from outside a Trusted IP Range, they will only get access after they completed the verification process explained above.

IMPORTANT NOTE:Ā This verification method is (currently) not supported in combination with Multi-Factor Authentication (MFA). Since MFA has been enforced in all Salesforce orgs, the cookie placement has become redundant (for now, as always check the release notes for updates). This means, every Salesforce user trying to log in to a Salesforce org has to confirm their authenticity through a MFA method, like using the Salesforce Authenticator app. MFA can theoretically be turned off, making the verification process relevant again. I’m NOT saying you should turn it off though, just something to keep in mind.

Restricting Login Locations With Login IP Ranges

Here comes the brain twister. A Salesforce Admin can restrict access to specified IP Ranges. Let’s say, you want to ensure that your Salesforce users can only ever log in to their Salesforce org from their office building. Some organizations like banks, hospitals, government agencies etc. with extra high security measures, may prohibit anyone to work outside of their office, or access their Salesforce org from outside their office. Some organizations though use VPN to enable users to work from home. But still, access is limited to the VPN connection.

Restricting the locations users are allowed to log in from is done by adding Login IP Ranges to User Profiles. Here’s what this does: When a user attempts to login from outside the listed Login IP Range, Salesforce recognizes the setting on the user profile, and the user will not be able to log in, at all.

Salesforce Data Security with all its different security layers is covered in detail in our comprehensive Salesforce Administrator Certification Course. It’s all connected! I walk you through each step, building up your expertise as you progress.Ā šŸ¤“

Restricting Login Based on Login Hours

Apart from the login location, Admins can also restrict access by office hours. Let’s say a Marketing user should only be able to access Salesforce during office days and office hours. However a Sales user needs to be more flexible to accommodate their customers, and should therefore be able to access their customer data on Salesforce 24/7. 

There would be nothing to do for the Sales user, however for the Marketing user, you’ll need to add Login Hours to their respective User Profile. Be aware when locking an entire day, like Saturday and Sunday, you’ll need to select the same start and end time.

Once this has been added, upon login attempt, Salesforce will check the user’s associated Profile to verify whether there are any Login Hour restrictions to determine whether or not the user will be allowed to log in.

Managing Password Policies

Remember from earlier that the very first items Salesforce verifies are username and password. This is the very first security check to overcome. Therefore, we want to make this part as difficult as possible, especially for unauthorized people.

That’s where the Password Policies come in. You’ll use them to specify things like password complexity, number of login attempts, how often passwords need to be changed and more. But don’t make too hard though, otherwise you may loose on user adoptionā€¦

I hope this helped untie the twists in your brain. Do let me know what you find most difficult when it comes to managing data security in Salesforce. I’d love to know!


We make learning simple with our range of well-structuredĀ Salesforce Video Tutorials,Ā downloadable Study Workbooks and realisticĀ Practice Exams.

And if you are brand new to the world of Salesforce, make sure to sign up to ourĀ FREE 21-Day Salesforce Beginners Challenge.

One thought on “Salesforce Data Security: Trusted IP Ranges versus Login IP Ranges. This one always twists my brainĀ šŸ¤Æ”

Leave a Reply

%d bloggers like this: