Wednesday, November 25, 2015

Salesforce: Cross Filter disabled in Report

Cross filter is one of the most useful feature when you are looking for exception report, such as: Open Opportunities without Activities. But, if for some reason you find not able to use Cross Region as screenshot below.

You may see it when using custom report type, no matter the primary object is related to a child object or not. It is caused by the standard ID field not included in the available fields for reports.

With adding ID field as available field in report, for example Opportunity ID for primary object = Opportunity, Account ID for primary object = Account, and so on, will make Cross Filter available again, therefore this is not related to child object.

To add the ID field, navigate to Setup | CreateReport Types, look for the report type name, and click Edit Layout button at Fields Available for Reports and add ID from the primary object for that report type.

Monday, November 23, 2015

Salesforce: Cannot edit Dashboard

This blog only applicable for Salesforce org have "enable access levels for sharing report and dashboard folders", which is enhanced version of the report/dashboard folder sharing.

Recently we have a super user not able to edit a dashboard (Edit button is not visible for the user), although user have View All Data and Manage Dashboards in Public Folders permissions, and user also have Editor access to the dashboard folder. Enable Manage Dashboards in Public Folders permissions will auto enable following permissions:
  • Create Dashboard Folders 
  • View Dashboards in Public Folders
  • Edit My Dashboards

After thorough finding, the dashboard is a dynamic dashboard created by other super users, so user is
in the same role hierarchy. The super user also already have Manage Dynamic Dashboards permission.

Latest finding, it is caused by View My Team's Dashboards permission is not enable for the user. To investigate why a user not able to edit a dashboard in organizations using enhanced folder sharing. Users can edit some dashboard details and save the changes as the current running user of the dashboard. They will be restricted to which details they can modify if they are not the running user of the dashboard. To ensure complete access, the profile permission View All Data must also be granted.

Items below when user do not able to edit a dashboard:
1. The user must be Editor or Manager access to the dashboard's folder
2. The user must have the following permissions:
  • Run Reports
  • Create and Customize Dashboards
  • Manage Dashboards in Public Folders
  • Manage Dynamic Dashboards is requested to edit Dynamic Dashboards
  • View My Team's Dashboards is requested to edit Dynamic Dashboards


Sunday, November 22, 2015

Salesforce: Password Policies and Session Timeout

Salesforce provide ability for administrator to define Password Policies and Session Timeout for their organization. Navigate to Setup | Security Controls | Password Policies to define organization password policies, from: expiry days, remember password history, minimum password length, password complexity, maximum login attempt, lockout period and so on. While Session Timeout is configured from Setup | Security ControlsSession Settings.

But, you also may notice that you can find Password Policies and Session Timeout in Profile setting.

So, which policies and setting will be applied to users and why there are two settings for the same thing? Since Winter '15, Salesforce provide finer control over the user experience by Profile, while earlier available setting at Security Control applied to the entire organization. The settings for session duration and password policies at the profile level override the settings at the organization level.

  • When you setup Salesforce initially, Profiles password policies and session timeout setting will follow setting from Security Control.
  • When you change password policies and session timeout at Security Control, it will apply to all Profiles setting, as long as setting in Profile haven't change manually.
  • You can manually change password policies and session timeout at Profile different with Security Control, and users assigned to this profile will follow setting in Profile rather than Security Control
  • Once you change the setting in Profile differ with Security Control, any changes in Security Control will NOT apply to setting in Profile anymore.
  • When you create a new custom profile, it will follow setting from Security Control, changes in Security Control will apply to the new custom profile, until you manually change in that profile.
  • When you clone a profile with password policies and session timeout has been modified, to a new custom profile, password policies and session timeout in the new profile created will copy from Security Control, not from the original profile used to clone.
  • A custom profile has been changed manually will not able to sync with Security Control setting anymore, even you manually align it with Security Control setting, it will not sync again when Security Control setting changed.


Saturday, November 21, 2015

Salesforce: Two Factors Authentication - 2FA

For Singapore residence, when login to internet banking from Singapore banks, after enter username and password successfully, system will request user to enter security token, it can be generated using a device or delivered by SMS, usually it would be 6 or 8 digits. This is one of usage of two factors authentication (2FA), aka OTP (One Time Password) with what you know (username and password), plus what you have (device), to prove the right person with access and enhance security when username and password only is not secure enough.

For some organization, two factors authentication is required. But, can we have 2FA when login to To build two factors authentication as implemented by banks will need a huge cost and a lot of time, but to implement this on is free of charge. Salesforce has this feature out of the box for all editions. If you are one of the awesome admin, you can configure this for less than an hour (not include training or communication with your users), and you do not need a developer to write any code.

1. Setup
Enable Permission
Create a Permission Set or enable Profile with Two-Factor Authentication for User Interface Logins permission. Users assigned with this profile or added with this permission set will required to enter time-based password.

How user will receive this one-time password? Instead of SMS, user need to install Salesforce Authenticator app in their smart phone as trusted device linked to your Salesforce account, for now only iOS and Android phone.

Install Salesforce Authenticator app
Search for Salesforce Authenticator in App Store for iOS device or in Google Play for Android device.

2. Usage
First Login after Setup
When user login to for the first time, after permission granted, user need to enter two-word phrase.

Open the Authenticator app in your smart phone, then tap + New Account, enter the phrase shown in the app to Salesforce connect page, then click Connect button. Then you also tap Connect button in the app. Salesforce will email you that new verification method was added to your account.

Once verified, admin or user can check in the user detail page, link next to App Registration: Salesforce Authenticator has changed from Connect to Disconnect.

If you have access to multiple login, the mobile app can handle multiple login with the same device, you can swipe the account to left to delete it.

Normal Login
After successful enter username and password, user will be present with a screen that tell user need to use Authenticator app from user phone to approve login to Salesforce.

Tap Approve button in phone app to continue, once approved this will auto let you login to

In Summary:
1. Open from (or your custom my domain)
2. Enter username and password, then Log In
3. Approve from your device with Authenticator app

  • after enter username and password successfully, Salesforce will challenge for approval from device, in the login history this step will show with "two-factor required".
  • after approve from device, login history will show "Success".

  • Salesforce will wait for 90 seconds, otherwise it will tell you "We canceled your request because we didn't receive your approval within 90 seconds".
  • For some reason if you can't approve from the device, you can change the verification method by using code from Authenticator app.

3. Recovery
Let's say user delete the Authenticator app incidentally, or have issue with the mobile phone, or lost his mobile phone.

In Salesforce
Only user with Manage User permission, go to user detail and look for App Registration: One-Time Password Generator, then click Disconnect link, this will delete Disconnect link. User need to re-register from Authenticator app when login to

In mobile phone
Re-install the Authenticator app, and re-do registration process again as above. As admin, you will notice the Disconnect link re-appear again in user detail, after user successfully re-register his device.

Last update: 28 Feb 2017 with Spring '17 release and using Salesforce Authenticator app version 2.8.0 on iOS.


Sunday, November 8, 2015

Salesforce: Email Status

This would be our 3rd series of blog related with Email in Salesforce, start with Mass Email in 1st blog, and Bounce Email in the 2nd blog.

Many times as Salesforce admin, we get questions from user if they can trace if email status sent from Salesforce. Using marketing automation tool such as Pardot, Eloqua, etc the answer is definitely yes, buthow about using default Salesforce email tool? The answer is Yes, but only for email sent using HTML format, but not for email in Text only format. It applicable for email send manually from Salesforce and also applicable for Mass Email sent from Salesforce.

You may need to confirm that Enable Email Tracking has been enabled in Activity Setting, navigate to Setup | Customize | Activities | Activity Settings, select Enable Email Tracking.

Vote this idea to get email status for text email - (100 points at this moment).

After sending an HTML email, you can track when the email was first opened, the number of times it has been opened, and the date it was most recently opened.

To see email status in Lead or Contact page layout, make sure you add related list called HTML Email Status to the page layout.

Once added, open the Contact or Lead, and scroll down to HTML Email Status.

In this panel, you will see information on all HTML email sent (again Text only email will be not listed here):
  • Email Subject
  • Date Sent date / time
  • Date Open date / time
  • Number of times opened
  • Last Opened date / time

You also can run a report with report type HTML Email Status. But only for users who sent the HTML email able to generate the HTML Status report. If other user run the report, the HTML Email Status report will not include email not sent by them, even the user is a System Administrator.

In this report you will see both email sent to Lead and Contact in one report, information in this report will include the Contact and Lead name, Email address, Email Template used (if any), if the email has been opened, and all Email Status information available in page layout related list.


Thursday, November 5, 2015

Salesforce: Bounce Email

In previous blog, we've blogged about sending Mass Email from Salesforce. Next, can we track if the email send out is bounced? Yes, Salesforce have this feature out of the box. But make sure you have to activate bounce management.

To check if you have bounce management activated, navigate to Setup | Email Administration | Deliverability.

When bounce management is activated, and a user sends an email (including send with mass email) to a contact, lead, or person account with an invalid email address, Salesforce displays an alert next to that email address and prevents users from sending email (it will be excluded in the list view for mass email) to the address until it is updated or confirmed.

There are 2 options at Bounce Administration:

1. Show bounce alert next to all instances of the email address
When this enabled, this will tell Salesforce to search ALL lead, contact, and person account records in your Salesforce instance of any email address that bounces, and to display a bounce alert next to each record. The Email Bounced Date and Email Bounced Reason will be the same for all other records found.
  • If you do not select this option, Salesforce only displays the bounce alert on the record from which the email was originally sent.
  • This feature applicable only for standard Email field, if you have custom email address field, and the email address match, bounce alert will not be shown there.
  • When the same email added after email bounced, bounce alert will not add to this newly added email.

2. Return bounced emails to sender
When you enable this, sender will receive email for every email bounced with the bounce reason.

When the bounce confirmed?
  • If the mailbox is invalid for a valid domain, you should get email notification and bounce alert almost immediately.
  • But for email address with invalid domain, such as:, where is invalid domain, Salesforce will re-try to deliver the email for 10 times with approximate interval of 0, 10, 10, 20, 40, 80, 160, 320, 640 minutes after the last email sent. After 24 hours of delivery failure, email address will be marked as permanent failure and sender will get bounce email.

Sample email log of email sent to email address with invalid domain:

Mail Event status: R - Reception, D - Delivery, T - Transient Failure, P - Permanent Failure

Salesforce provide Bounced Contacts and Bounced Leads standard report to view all email addresses that have bounced email. The report includes the reason the email was bounced, the date the bounce occurred, and the contact, lead, or person account that bounced the email.

For Lead
Click Lead tab and look for Bounced Leads under Reports:

Or navigate to Report tab, looks for Lead Reports folder, then a report name Bounced Leads

You can modify the report as per normal report creation in Salesforce.

As you see two fields here identify for email bounced:
  • Email Bounced Date
  • Email Bounced Reason
This fields are available as well when you create report using Lead report type.

Although you not really able to see the fields in Lead object, but you can create formula field, validation rule and workflow based on those fields, example for formula field:

For Contact
The same fields and report you can use for Contact the same with Lead, including from Bounced Contacts report from Contacts tab.

When user go to contact or lead with email bounced, click Confirm Email Address link and click Save and Remove Bounce Alert.

This will make the both fields Contact Email Bounced Date & Email Bounced Reason fields become blank.

The Lead or Contact will be removed from Bounced Lead or Bounced Contact reports.

Note: Salesforce will mark the email address as bounced if only get response from MTA (Message Transfer Agent) that owns the domain, presented the recipient to them and they have rejected it with a 5xx error that amounts to user unknown. If error messages received is not in Salesforce list, the email may not be marked as bounced. See the complete list of reply from MTA that will be used to mark email as bounce in reference below.


Wednesday, November 4, 2015

Salesforce: Mass Email

Although Salesforce is not an email broadcast tool, but it provides with email broadcast capability for Professional Edition and above. Each organization has a limit of daily email broadcasts from Salesforce.

Advantages of using Salesforce for mass email:
  • Able to schedule when email blasts should be sent out
  • Automatically exclude Lead or Contact marked as Email Opt Out
  • Automatically exclude Lead or Contact marked Bounced
  • Option to store as Activity for Lead or Contact for each message send out
  • Merged fields for email content from Salesforce data

Salesforce allows mass email to a maximum of 1,000 external emails per day per organization based on Greenwich Mean Time (GMT). The maximum number of external addresses you can include in each mass email depends on your edition, based on the filter in List View:
  • Professional Edition: maximum 250 emails in a single blast
  • Enterprise Edition: maximum 250 emails in a single blast
  • Unlimited Edition: maximum 250 emails in a single blast

This means if you are on Enterprise Edition, and you need to blast 2400 emails, you need to send in 3 days:
  • 1st day - 2 email blasts: 500 + 500 
  • 2nd day - 2 email blasts: 500 + 500 
  • 3rd day - 1 email blast: 400
You can separate the recipients using Fields as Filter Criteria or using Campaign.

this screenshot is taken from Enterprise Edition when the list view returns more than 500 recipients.

If your admin enables notification when the mass email is completed, from Setup | Email Administration | Deliverability, select Notify sender when mass email completes, you will receive an email with information on how many emails are intended to send out, and how many have been sent out successfully, but this doesn't tell you how many emails bound.

Question: when using mass email and hitting the borderline of 1000 daily emails, for example, 998 emails have been sent out. The next user going to mass email to 30 Leads. Salesforce will tell the user that he or she is only able to mass-send 2 emails today.

Single emails sent using the Salesforce application don't count toward this limit. There’s no limit on sending individual emails to contacts, leads, person accounts, and users in your organization directly from the account, contact, lead, opportunity, case, campaign, or custom object pages.

The single and mass email limits don't take unique addresses into account. For example, if you have in your email 10 times, that counts as 10 against the limit.

You can send an unlimited amount of emails to your organization’s internal users, which includes portal users.


Sunday, November 1, 2015

Salesforce: How to call Flow from Visualforce page

In this blog, we are going to explain how to use Visualforce page to call Autolaunched Flow.

Use case: business would like to record Contacts deleted by user from Salesforce page layout to a custom object.

With apex trigger, this should be no issue, but is there any other way?

Let's using Autolaunched Flow, Autolaunched Flow is famous to be used by Process Builder, but Process Builder cannot catch deletion process, it only support record creation and update.

Use Autolaunched Flow called from Visualforce page, and the Visualforce page to overwrite the Delete button.

1. Prepare Custom Object

2. Create Flow
  • Flow Unique Name = Delete_Contact_Flow
  • Type = Autolaunched Flow

A. Create 2 variables and 1 constant

Variable varContactId use to receive Contact Id from screen, type = Input Only

Variable varContactName use to query Contact Name using varContactId, type = Private

Constant consObject use to store the process for Contact object

B. Create 3 record processes: lookup, delete, create

Overall Flow Processes

Query Contact with variable varContactId to get Contact Name and store it to varContactName
** you may to skip this process if Contact Name passed in as parameter, but for this blog, we would like to show record lookup process.

Delete Contact record with variable varContactId

Create a custom Object record with necessary fields to record the Contact deleted

Save the Flow and remember to Activate it.

3. Create Visualforce Page
This would be a simple page to pass Contact Id and call the Flow. Name the page as Overwrite_Contact_Delete.

 <apex:page standardController="Contact">  
   <flow:interview name="Delete_Contact_Flow" finishLocation="{!URLFOR('/003')}">  
     <apex:param name="varContactId" value="{!Id}" />  
     <apex:param name="varContactName" value="{!Contact.Name}" />  

4. Enable Visualforce Page for Profile
Go to users Profile and enable Overwrite_Contact_Delete Visualforce page.

5. Overwrite Delete button for Contact

6. Deleted Records log
Use custom tab or report to monitor deleted Contacts.


Page-level ad