Sunday, November 22, 2015

Salesforce: Password Policies and Session Timeout

Salesforce gives administrators the ability to define Password Policies and Session Timeout for their organization. Navigate to Setup | Security Controls | Password Policies to define the organization-wide password policies: expiry days, remembered password history, minimum password length, password complexity, maximum login attempts, lockout period and so on. Session Timeout is configured from Setup | Security Controls | Session Settings.

But you may also notice that Password Policies and Session Timeout appear in the Profile settings as well.

So which policies and settings are applied to users, and why are there two places to set the same thing? Since Winter '15, Salesforce provides finer control over the user experience by Profile, whereas the earlier settings under Security Controls applied to the entire organization. The session duration and password policy settings at the profile level override the settings at the organization level.

  • When you set up Salesforce initially, the password policies and session timeout settings of every Profile follow the settings in Security Controls.
  • When you change the password policies and session timeout in Security Controls, the change applies to all Profiles, as long as the settings in a Profile have not been changed manually.
  • You can manually change the password policies and session timeout of a Profile so that they differ from Security Controls; users assigned to that profile will then follow the Profile settings rather than Security Controls.
  • Once you change the settings in a Profile so that they differ from Security Controls, later changes in Security Controls will NOT apply to that Profile anymore.
  • When you create a new custom profile, it follows the settings in Security Controls, and changes in Security Controls apply to the new custom profile until you manually change them in that profile.
  • When you clone a profile whose password policies and session timeout have been modified, the password policies and session timeout in the newly created profile are copied from Security Controls, not from the original profile you cloned.
  • A custom profile that has been changed manually can no longer sync with the Security Controls settings. Even if you manually align it with the Security Controls settings, it will not sync again when the Security Controls settings change.
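The inheritance rules in the list above are easy to get wrong when auditing an org, because a profile that looks identical to Security Controls may already be detached from it. The following is an added example, not code from the post or from Salesforce: a small Python model of those rules (org-wide policy, per-profile override, detach-on-edit, clone copies from the org) plus an audit helper that reports which profiles no longer follow Security Controls. The class and field names, and the sample values, are assumptions constructed for illustration; it does not talk to a Salesforce org.

```python
"""Model of how Salesforce password-policy and session-timeout settings flow
from org-wide Security Controls to Profiles, following the rules in the post.
Constructed example: class and field names are assumptions, not Salesforce APIs."""

from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    """Subset of the password-policy and session fields the post mentions."""
    password_expiry_days: int
    password_history: int
    min_password_length: int
    max_login_attempts: int
    lockout_minutes: int
    session_timeout_minutes: int


@dataclass
class Profile:
    name: str
    # None means "still follows Security Controls"; a Policy means "detached".
    override: Optional[Policy] = None


class Org:
    def __init__(self, org_policy: Policy) -> None:
        self.org_policy = org_policy          # Setup | Security Controls
        self.profiles: Dict[str, Profile] = {}

    def create_profile(self, name: str) -> Profile:
        # A new custom profile follows Security Controls until edited manually.
        profile = Profile(name)
        self.profiles[name] = profile
        return profile

    def clone_profile(self, source: str, new_name: str) -> Profile:
        # A clone copies password/session settings from Security Controls,
        # not from the source profile, so it starts out following the org.
        assert source in self.profiles
        return self.create_profile(new_name)

    def set_org_policy(self, new_policy: Policy) -> None:
        # Only profiles that were never edited pick this up; detached
        # profiles keep their own copy and never re-sync.
        self.org_policy = new_policy

    def set_profile_policy(self, name: str, policy: Policy) -> None:
        # Any manual edit detaches the profile for good, even if the values
        # happen to equal the org-wide ones at that moment.
        self.profiles[name].override = policy

    def effective_policy(self, name: str) -> Policy:
        profile = self.profiles[name]
        return profile.override if profile.override is not None else self.org_policy

    def follows_org(self, name: str) -> bool:
        return self.profiles[name].override is None

    def audit_detached(self) -> List[str]:
        """Profiles an admin must review by hand: they will not inherit any
        future hardening of Security Controls, and the ones whose values
        currently match the org are the easiest to overlook."""
        return sorted(n for n, p in self.profiles.items() if p.override is not None)


def walkthrough() -> dict:
    """Replays the post's scenarios and returns the resulting effective values."""
    base = Policy(password_expiry_days=90, password_history=3, min_password_length=8,
                  max_login_attempts=10, lockout_minutes=15, session_timeout_minutes=120)
    org = Org(base)
    org.create_profile("Standard User")
    org.create_profile("Contractor")

    # Contractor is tightened manually -> detached from Security Controls.
    org.set_profile_policy("Contractor", replace(base, session_timeout_minutes=30,
                                                 max_login_attempts=3))
    # Security Controls changed afterwards: only Standard User follows.
    org.set_org_policy(replace(base, password_expiry_days=60))
    # Cloning Contractor copies from Security Controls, not from Contractor.
    org.clone_profile("Contractor", "Contractor Clone")
    # Re-aligning Contractor with the org by hand does not re-attach it.
    org.set_profile_policy("Contractor", org.org_policy)
    org.set_org_policy(replace(base, password_expiry_days=30))

    return {
        "standard_expiry": org.effective_policy("Standard User").password_expiry_days,
        "contractor_expiry": org.effective_policy("Contractor").password_expiry_days,
        "clone_expiry": org.effective_policy("Contractor Clone").password_expiry_days,
        "clone_timeout": org.effective_policy("Contractor Clone").session_timeout_minutes,
        "contractor_follows_org": org.follows_org("Contractor"),
        "detached": org.audit_detached(),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of `audit_detached` is the last bullet: after an admin manually aligns a profile with Security Controls, nothing in the effective values reveals that it is detached, so an audit has to track the "edited" state, not just compare numbers.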