Ask Search:
Steve RubinSteve Rubin 
Hello,  Is there a way to give a Public Group access to an object field through a permission set?  Or is there a better way, maybe through Sharing?

Best Answer chosen by Ed ( 
Kishore B TKishore B T
As you have mentioned you need to give access,
Please add the users to groups based on some condition using process builder.
Please change the entry criteria accordingly, the example is to add all the new users to public group.
Karen BrownKaren Brown 
I have a question about Password Policies.

I have been asked by our security manager to set the following;
  1. Lockout threshold = 10 invalid login attempts
  2. Lockout Duration = 15 minutes
  3. Reset invalid counter after = 5 minutes
So actually i cannot see where to set item 3, so bacially say the 10 attempts are in a 5 minute window and then the 10 invalid logins reset after 5 minutes... so for example they cant do 5 invalid attempts in 5 mins and then another 5 in another 5 minutes.  every 5 minutes would start the 10 invalid attempts counter again.

Does that make sense.
Best Answer chosen by Karen Brown
Artur NovikovasArtur Novikovas
Hello Karen, i dont believe there is time limit on the invalid login attempts instead its a count to the set criteria which in your case is 10, you can enter invalid credentials 10 times in one day or 10 times in one week. If you do reach your limit of 10 invalid log in attempts you will be locked out for 15 minutes ( but as an admin you can locate their account and unlock them prior to the time out )


Claire FieldClaire Field 
I have a user who needs to be able to change Account Record Types. I have created a permission set for them that gives them edit access to the object and to the record types they can change the account to. However, because the Account Record Type field is read only on the page layout their profile is assigned to, they are still unable to edit the record type. 

How can I give them access to change the record type without having to change the page layout?
Best Answer chosen by Claire Field
Barry GreenleesBarry Greenlees
Hi Claire,

If you have assigned them a permission set, then look for a permission called "Edit read only fields" this will allow the user to edit fields that are set to read only
Best Answer chosen by Paulino Garza
Purvi PatelPurvi Patel
Hello Paulino Garza,

May I know you are logged in into both org that is your personal and work account from the same browser?

If you are logged in with the same browser than you are facing this issue because of cookies as your session is getting merged.

I want one Profile A to be able to log as all the users in Profile B.

I tried to create delegated groups and enable the group Login Access. The users in the Profile A still did not have login access. When I checked "Modify All Data" on Profile A, and they were able to log in as any user in any profile. I don't want to keep the modify all data check off.

Is there another way we can accomplish this. I have also enabled "Administrators Can Log In as Any user" option too.

Best Answer chosen by V P
Jeff MayJeff May
What you describe is not possible. Either a user is allowed to log in as any other user (which means they need to have access to all the fields and records of that other user), or they can't.
Niall BrownleeNiall Brownlee 

Does anyone have experience of masking sensitive data in a sandbox?

Our organisation holds lots of sensitive data, specifically in the Account/Contact objects.  We alos use multi sandboxes for development, and as a security step, would like to mask (de-sensitise) selected fields once we have refreshed our sandboxes from production.  This refresh task would likely take place at regular intervals.

On doing a few web searches, I can't find as much info on this type of work as I would have expected.  The only two solutions I can see at the moment are :
  1. Informatica Cloud data masking
  2. Dataloader
I wonder if the options seem to be few and far between simply because the two above are so good?  Or are there other data masking tools which are out there I have missed?

Any advice/guidance greatly appreciated, thanks.
Best Answer chosen by Niall Brownlee
Evan DeckerEvan Decker
Hi Niall, I think you're on the right track with the two solutions mentioned above. Using the dataloader, you can mass update the records to remove any sensitive data. This is a manual process though, and it will need to be done each time the sandboxes are refreshed.
Olivia CannonOlivia Cannon 
One of my colleages accidently set the wrong IP address in the Login IP Range on the System Administrator Profile and now none of the System Administrators can log into the org.

We've opened a case with Salesforce in the hope that they can help, but I thought I'd see if anyone else has made a similar mistake before and, if so, has any suggestions on how to handle it?

Any advice would be very welcome!


Best Answer chosen by Olivia Cannon
Naval SharmaNaval Sharma
Hi Olivia,

There is no other way except the salesforce support team needs to be jumped here.

Brandon HolmesBrandon Holmes 
Hello All-

I understand that Identity Verification when enabled requires Salesforce users to verify their identity via Text or Email when logging in from an unrecognized browser or device.

I'm wondering if it is possible to require a user to verify their identity every time they login, regardless of whether they have previously logged in from a particular device or browser before? 

All the documentation I've been able to find has only referenced verification from unrecognized browsers, etc.

Thank in advance!
Best Answer chosen by Brandon Holmes
Kruse CollinsKruse Collins


What you can do as an admin is create a permission set, and then under system permissions, choose the appropriate 2-Factor authentication preferences you want. This trailhead ( me through it really well. 

I do know that even though you can select on the Salesforce Authenticator app, "Always Verify from here" (which should ideally mean no more 2-factor authentication from that certain location), it still always asks me to verify from locations where I've selected that option. So that might do exactly what you're looking for here in requiring that users authenticate even if it is a required browser.

I hope that answers your question!

-T. Kruse Collins

Daniel SoaresDaniel Soares 
Hello! I've been searching about the checkbox API Enabled that you can check for Profiles, I found many explanations about how to enable and which editions have this available by default, but I'm still having trouble to understand what this checkbox really do. So what does this API Enabled really enables when checked? What can a user do when this is checked that wouldn't be able to do without it?
Best Answer chosen by Daniel Soares
Akhil AnilAkhil Anil
Hi Daniel,

It just means that a user profile with API enabled access can make API requests to your Salesforce org. If this permission is not enabled then they won't be able to make API requests to your instance. When I say API request it basically means accessing the data in your org through a backend mechanism.

If this permission is not enabled then these users won't be able to hit or fetch your data through any of the backend mechanisms. They can still login through the standard interface.

I hope that answers your question !
Best Answer chosen by John Schneider
John SchneiderJohn Schneider
So now that I have said that I realized if I exit the Chrome Desktop my problem is resolved.  If Chrome continues to run in the background, it holds the session open.