Understanding Salesforce Org Access for BAs

As Business Analysts, we are tasked with gathering requirements, defining processes, and ensuring systems are configured to meet the needs of our businesses. When it comes to Salesforce, one critical area that BAs must have a solid grasp on is organization access and security.

Why Understanding Salesforce Org Access is Crucial for BAs

Organization access in Salesforce determines who can log into your company's Salesforce environment, from where, and when. Failing to properly configure and control access can leave your sensitive data vulnerable to security breaches or unauthorized changes.

As BAs, we need to understand the key access control mechanisms available so we can make informed recommendations during requirements gathering and design phases. The core access controls to consider include:

Profile-Level Access

  • Login IP ranges restrict logins to allowed IP address ranges
  • Login hours enforce time windows when users can access Salesforce

Network Access

  • Adds an extra verification step via email/text for unknown devices
  • Can bypass verification for trusted corporate IP ranges

Activations

  • Maintains history of IP addresses and devices that have had access
  • Allows revoking access from specific IPs or devices easily

Understanding these controls is important so BAs can gather requirements around which profiles need which IP/schedule restrictions, whether location-based two-factor verification is needed, and how strictly corporate device policies should be enforced.

Beyond the access controls themselves, a BA may also need to understand what happens "behind the scenes" when a user attempts to log into a Salesforce org, since that context makes the authentication flow easier to reason about. The sequence is as follows:

  1. The user attempts to log into the Salesforce org.
  2. The login page checks whether the user's IP falls within the login IP ranges defined on their profile (if the IP is valid, access is granted; if not, login hours are checked).
  3. If the login hours are valid, access is granted (if not, the network access settings are checked to see whether the IP is trusted).
  4. If the IP is trusted, access is granted (if not, a verification code is sent to the user).
  5. The user receives and enters the verification code.
  6. If the code is valid, access is granted (if not, access is denied).
  7. Regardless of outcome, the login IP and browser details are logged in the Activations object.
  8. If all checks fail, access is denied.

As Salesforce admins translate our requirements into actual configurations, we as BAs need to ensure we understand org access concepts thoroughly. Improper access controls can undermine governance, business policies, regulatory compliance, and overall security posture. Taking the time to learn this critical area will allow BAs to have more informed discussions and make better decisions when designing secure Salesforce solutions.

How to Leverage the Knowledge of Salesforce Org Access Control

A BA can leverage their understanding of Salesforce organization access controls during requirements elicitation, as well as when creating user stories, acceptance criteria, and UAT test scenarios. Here are some examples:

Requirements Elicitation:

  • Identify which user profiles require restrictions on login IP ranges based on their roles and data access needs
  • Determine if any user profiles should have time-based login hour restrictions enforced
  • Understand if multi-factor authentication via verification codes is required for any profiles when logging in from unrecognized devices/IPs
  • Gather requirements around trusted corporate IP ranges that should.
  • Clarify processes for revoking access from specific IPs, browsers or devices when needed

User Stories:

"As a sales manager, I want my team to only be able to log into Salesforce from corporate IPs during business hours, so proprietary data isn't accessed remotely."

"As an IT admin, I need to restrict developer profile logins to my corporate network range to prevent unauthorized deployments to production."

Acceptance Criteria:

  • Specific IP ranges are configured in the login IP ranges on the relevant profiles
  • Login hours are set appropriately on each profile based on requirements
  • Network access settings include the company's trusted IP ranges
  • Verification is required when logging in from unknown IPs for applicable profiles

UAT Test Scenarios:

  • Attempt to log in with a user from a restricted profile outside the allowed IP range, and verify access is blocked
  • Attempt to log in with a user from an IP-restricted profile during disallowed hours, and verify access is blocked
  • Validate that the MFA email verification is sent when logging in from an unrecognized IP or device
  • Revoke access for a test IP in Activations, then confirm you can no longer log in from that IP
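As an added example (not from the article or from Salesforce), the eight-step login sequence described earlier and the UAT scenarios in this list, modelled as a small Python decision function. `attempt_login` follows the article's order of checks exactly; `revoke` and the `revoked_ips` set are an assumed model of revoking an IP via Activations (the article lists that capability but does not say where it sits in the sequence); the IP ranges, profile, browser name and verification code are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Profile:
    login_ip_ranges: list            # CIDRs from the profile's Login IP Ranges
    login_hours: tuple = None        # (start_hour, end_hour) on a 24h clock; None = any hour

@dataclass
class Org:
    trusted_ip_ranges: list                          # Network Access trusted IP ranges
    activations: list = field(default_factory=list)  # IP/browser history kept in step 7
    revoked_ips: set = field(default_factory=set)    # assumed model of revoking via Activations

def ip_in(ip, ranges):
    return any(ip_address(ip) in ip_network(r) for r in ranges)

def hours_valid(profile, hour):
    return profile.login_hours is None or profile.login_hours[0] <= hour <= profile.login_hours[1]

def revoke(org, ip):
    """UAT scenario 4: revoke an IP seen in Activations (assumed to block before step 2)."""
    org.revoked_ips.add(ip)

def attempt_login(org, profile, ip, browser, hour, code_entered=None, code_expected="482913"):
    """Walk the article's login sequence and return the outcome; every attempt is logged.
    code_expected stands in for the code Salesforce would send (constructed value)."""
    def done(outcome):                              # step 7: log regardless of outcome
        org.activations.append({"ip": ip, "browser": browser, "outcome": outcome})
        return outcome
    if ip in org.revoked_ips:                       # assumed: a revoked IP never proceeds
        return done("denied")
    if ip_in(ip, profile.login_ip_ranges):          # step 2: IP inside the profile's ranges
        return done("granted")
    if hours_valid(profile, hour):                  # step 3: inside the profile's login hours
        return done("granted")
    if ip_in(ip, org.trusted_ip_ranges):            # step 4: trusted corporate IP
        return done("granted")
    if code_entered is None:                        # step 4: untrusted IP, a code is sent
        return done("verification_code_sent")
    if code_entered == code_expected:               # steps 5-6: user enters the code
        return done("granted")
    return done("denied")                           # steps 6/8: invalid code, all checks failed

def sample_org():
    """Constructed sample: one trusted range, one sales profile limited to an IP range and 9-17."""
    org = Org(trusted_ip_ranges=["203.0.113.0/24"])
    return org, Profile(["198.51.100.0/24"], (9, 17))
```

Each UAT scenario above becomes one call to `attempt_login` with a different IP, hour or code, and the `activations` list is the evidence that step 7 fired for every attempt.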

By understanding Salesforce org access controls, BAs can have more informed requirements gathering sessions and ensure key security needs are thoroughly documented. This knowledge allows the creation of meaningful user stories, unambiguous acceptance criteria, and comprehensive test cases validating the access rules are properly configured.

More articles by Tim Williams, PhD