We have a community setup and it uses Visualforce Page and ReactJS to display a customized UI. After a security scan, we found out that we can still see the standard Salesforce community page just by changing the URL from
from this example, we are able to view the Multi-User Calendar that displays all the names of internal users that we have. Also, just by adding the 3-digit Object Id at the end, like "/001", will redirect the external user to a standard Salesforce community page for Accounts.
Is there a way to stop this from happening and restrict the external user to just view the Visualforce page?
After googling, I found out about the "allowStandardPortalPages" under Custom Sites. Changing this at the metadata level to "<allowStandardPortalPages>false</allowStandardPortalPages>" might help. Unfortunately, when I tried it, it returned an error that our version of Site is still on 36.0 and "allowStandardPortalPages" is only available on 39.0 and up.
To summarize, I have two questions:
- Is there a way to restrict the external user from accessing Standard Salesforce Community Pages?
- How to upgrade the version of Custom Sites to 39.0?
I was able to get the metadata API 39.0 of Sites by updating the version field from 36.0 to 39.0 inside package.xml using Eclipse. Since it was updated to 39.0, when I refresh from server, the allowStandardPortalPages is available. I changed its value to false and saved to server. This fixed our issue; it blocks external users from viewing standard Salesforce community pages.
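A check of retrieved metadata for the setting discussed in the thread above, as an added example that is not part of the original posts. The file contents and the site name `Community.site` are constructed, and reporting an absent element as a finding is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
MIN_API = 39.0  # per the thread: the field exists only in API 39.0 and up

# Constructed sample files (not from the original posts).
PACKAGE_36 = """<Package xmlns="http://soap.sforce.com/2006/04/metadata">
  <types><members>*</members><name>CustomSite</name></types>
  <version>36.0</version>
</Package>"""
PACKAGE_39 = PACKAGE_36.replace("36.0", "39.0")
SITE_36 = """<CustomSite xmlns="http://soap.sforce.com/2006/04/metadata">
  <active>true</active>
</CustomSite>"""
SITE_FIXED = SITE_36.replace(
    "</CustomSite>",
    "  <allowStandardPortalPages>false</allowStandardPortalPages>\n</CustomSite>")


def api_version(package_xml):
    """Return the <version> of a package.xml as a float (0.0 if missing)."""
    root = ET.fromstring(package_xml)
    return float(root.findtext("md:version", default="0", namespaces=NS))


def standard_pages_setting(site_xml):
    """Return 'true', 'false', or None when the element is absent."""
    root = ET.fromstring(site_xml)
    value = root.findtext("md:allowStandardPortalPages", namespaces=NS)
    return value.strip().lower() if value is not None else None


def audit(package_xml, sites):
    """List findings for a package.xml and a {file name: .site XML} mapping."""
    findings = []
    version = api_version(package_xml)
    if version < MIN_API:
        findings.append(f"package.xml: version {version} < {MIN_API}, field not retrievable")
    for name, site_xml in sites.items():
        setting = standard_pages_setting(site_xml)
        if setting != "false":  # assumption: absent is reported, not trusted
            findings.append(f"{name}: allowStandardPortalPages is {setting or 'absent'}")
    return findings


if __name__ == "__main__":
    for line in audit(PACKAGE_36, {"Community.site": SITE_36}):
        print("FINDING", line)
    print("after fix:", audit(PACKAGE_39, {"Community.site": SITE_FIXED}))
```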
For a more "free" approach based on a "not logged in within last 30 days" you might consider a scheduled batch apex job to automate this process.
Another option is to manually, once a week (or whenever), use a tool like Enabler for Excel (http://www.taralex.us/) or the Salesforce Data Loader to export active users with login date within last 30 days, do a quick Excel change, then update the affected records.
All these events are stored in event log files. An event log file is generated when an event occurs in your organization and is available to view and download after 24 hours. The event types you can access and how long the files remain available depend on your edition.
- Developer Edition (DE) organizations have free access to all 30+ log types with one-day data retention.
- Enterprise, Unlimited, and Performance Edition organizations have free access to the login and logout log files with one-day data retention. For an extra cost, you can access all log file types with 30-day data retention.
Now remember that when you have event monitoring added, you will have some sort of automation downloading those files on a daily basis:
So it is totally up to you how long you want to keep the files.
Is it possible to control which users see which templates?
There is no such possibility to hide Quote templates from certain users. However, there is an Idea posted on IdeaExchange for this.
As you have mentioned, you need to give access.
Please add the users to groups based on some condition using Process Builder.
Please change the entry criteria accordingly; the example is to add all the new users to a public group.
I have been asked by our security manager to set the following:
- Lockout threshold = 10 invalid login attempts
- Lockout Duration = 15 minutes
- Reset invalid counter after = 5 minutes
Does that make sense?
How can I give them access to change the record type without having to change the page layout?
May I know whether you are logged in to both orgs, that is, your personal and work accounts, from the same browser?
I want one Profile A to be able to log in as all the users in Profile B.
I tried to create delegated groups and enable the group Login Access. The users in the Profile A still did not have login access. When I checked "Modify All Data" on Profile A, they were able to log in as any user in any profile. I don't want to keep the modify all data check off.
Is there another way we can accomplish this? I have also enabled the "Administrators Can Log In as Any user" option too.