08 February 2013

Log in as Any User Without First Having Access Granted



A year ago, we released an enhancement to the Grant Login-as screens that changed how long a user could grant access to an administrator or salesforce.com customer support representative. Instead of being able to set an expiration date sometime in the far away future, we began to limit it to no longer than one year of login access.

This had a significant impact on administrators and implementation consultants alike who use the login access feature to:

  • troubleshoot user issues
  • train users
  • phase in new configurations

In the past, administrators and consultants would work around the fact that users had the right to grant and revoke access. In some cases, they would change a user's email to their own, reset the password, log in as the user, and grant login access indefinitely. In other cases, administrators would just instruct their users during on-boarding to grant login access with an expiration date as far in the future as possible. Finally, some would create videos and tutorials explaining to end-users how to grant login access. In any case, the process of granting access could be an obstruction for administrators who just wanted to help their users as quickly as possible.

Shortly after the release, I heard from some of our MVPs (Most Valued Players) about their difficulties trying to actively support their users.

What I learned from them is that login access is such a critical tool for administrators and consultants that providing the ability and security settings for a user to grant or revoke access was secondary to helping their users out when critical issues arise. In some situations, it is appropriate for these administrators and consultants to have login access regardless of whether their users granted it or not. In fact, because explaining the steps to grant login access could be such a time-consuming exercise, administrators were resetting email addresses and passwords to do this for their users before any issue came up, which in itself is a security issue.

As a result, we developed a feature in the Summer '12 release that allows an organization to opt in to the ability for organization administrators to log in as any standard user without first having the user grant access. Once this feature is enabled in your organization, an administrator with Manage Users permission can enable or disable it for the organization through the Login Access Policies page, using an organization preference that they control. When enabled, their end-users lose the ability to grant access and administrators can automatically log in as them. When disabled, their end-users can once again choose whether to grant or revoke login access to their administrators.

From a segregation of duties perspective, users with Modify All Data or Delegated Administrators can log in as other users, but because Manage Users permission is required to enable the organization preference on the Login Access Policies page, these login-as proxy users cannot control whether this policy applies to all users in the organization.
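The segregation-of-duties point above can be checked against an org's configuration. The following Python check is an added example, not Salesforce code: it flags delegated administration groups with login access whose role scope contains a user holding Manage Users, since logging in as that user would put the policy preference within a proxy user's reach. The role hierarchy, users, groups and the rule that a group's scope includes subordinate roles are constructed assumptions.

```python
# Constructed sample data (hypothetical names). Child role -> parent role.
ROLE_PARENT = {"CEO": None, "Sales VP": "CEO", "Sales Rep": "Sales VP", "IT": "CEO"}

# user -> (role or None, permissions held)
USERS = {
    "alice": ("IT", {"Manage Users", "Modify All Data"}),
    "bob":   (None, {"Manage Users"}),   # admin deliberately given no role
    "carol": ("Sales VP", set()),
    "dave":  ("Sales Rep", set()),
    "erin":  ("IT", set()),
}

# Delegated admin groups; login_access models "Enable Group for Login Access".
GROUPS = [
    {"name": "Sales Support", "members": {"carol"}, "roles": {"Sales VP"}, "login_access": True},
    {"name": "Helpdesk", "members": {"erin"}, "roles": {"CEO"}, "login_access": True},
    {"name": "Onboarding", "members": {"dave"}, "roles": {"IT"}, "login_access": False},
]

def roles_in_scope(managed_roles):
    """Managed roles plus every role beneath them (assumed scope rule)."""
    scope = set(managed_roles)
    grew = True
    while grew:
        grew = False
        for role, parent in ROLE_PARENT.items():
            if parent in scope and role not in scope:
                scope.add(role)
                grew = True
    return scope

def sod_findings(users, groups):
    """(group, user) pairs where a login-as proxy can reach a Manage Users holder."""
    findings = []
    for g in groups:
        if not g["login_access"]:
            continue  # group members cannot log in as the users they manage
        scope = roles_in_scope(g["roles"])
        for name, (role, perms) in users.items():
            if role in scope and "Manage Users" in perms and name not in g["members"]:
                findings.append((g["name"], name))
    return sorted(findings)

if __name__ == "__main__":
    for group, user in sod_findings(USERS, GROUPS):
        print(f"{group}: members can log in as {user}, who holds Manage Users")
```

In the sample data, the admin with no role is never in any group's scope, while the admin placed in the IT role is reachable from the group that manages the top of the hierarchy.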

If you are interested in having this feature enabled in your organization, please contact salesforce.com customer support or your account team.

6 comments:

  1. So does that mean a user in Delegated Admin with Login-As access can log in as one of the administrators? The paragraph starting with segregation of duties perspective was a bit unclear.

    1. It is possible for a Delegated Admin with Login-As access to login as one of the administrators depending on how you define 'administrator'. One way to segregate duties here is to exclude system administrators from being assigned a role or not assigning an admin's role to a delegated admin group. This would prevent the login-as an admin scenario. Thanks for the comment!

    2. I am setting up delegated administration, and even though I have this feature enabled and I have Enable Group for Login Access set on the delegated administration group, the users assigned to the group are not able to log in as the users that they should be able to.

      I found several posts online with this same issue and no solution.

    3. Hi Shannon,

      I can't reproduce this unfortunately. When I have Login As Any User enabled at the org level and I log in as a user in a delegated admin group with access to users in the role hierarchy, they can log in as them. Any chance you can file a ticket with customer support to investigate?

  2. I want to have the Login As User option available via a permission set (not delegated Admin). I have given the permission set the Modify All Data permission, alongside every permission in the Users category, but still don't see the option of login as user if I assign this permission to anyone in my org?

    1. Hi,

      You shouldn't have to assign Modify All Data to any user in order to see this setting - only the admin needs Modify All Data to see it.

      If you have Modify All Data permission on your permission set, then you need to either have your user grant you login access (https://help.salesforce.com/HTViewHelpDoc?id=granting_login_access.htm) or you need to enable Login as Any User which is an opt-in feature (https://help.salesforce.com/apex/HTViewSolution?urlname=Enabling-Organization-Admins-Can-Login-as-Any-User). If the latter has been configured, you should just see the login link on the user lists for any standard user type and the login button on the user detail page. Can you confirm? Thanks!
