04 February 2013

How to Create an Org Wide Maintenance Window using Login Hours

I traded tweets with Matt Lamb (@SFDCMatt) about this topic recently. It's a little-known solution to a common problem: when performing org maintenance, how do you log out all users so that they can't make changes while the maintenance is being performed?

I think it's about time there was somewhere on the blogosphere I can point people to on how to use the Workbench to change users' profiles *and* create an org-wide maintenance window using Login Hours on profiles.

The reason we can use Login Hours on profiles is that when you set the start and end times to the same hour in the day, it automatically invalidates the user's session and logs them out on their next click or API transaction. Changing the IP Range on a user's profile can also lock a user out, but only when their current session ID expires, which could be up to twelve hours after resetting the IP Range.

The basic solution outlined below will require changing everyone's profile to a 'Maintenance Window' profile with limited Login Hours. But it's important that you don't lose their existing profile assignments by accident since you will want to replace their 'Maintenance Window' profile with their original assignment once the window of time is complete. Also, while the solution below highlights changing profiles for users that share the same user profile, it's a good idea to consider doing this flow in chunks by user license and creating multiple Maintenance Window profiles, one for each type of license in your org.

Finally, it's important to note that simply inactivating users to accomplish the same thing is the wrong way to go, since inactivating users can have a profound impact on your users' sharing and record assignments.


Steps to changing all User profile Ids except for the Maintenance Window Administrators:
  1. Create a new ‘Maintenance Window’ Profile
    1. Setup | Administration Setup | Manage Users | Profiles | New
    2. Use any profile as a template (Read-Only or Standard User is fine since no one will have access during this time but if you want to be overly safe, revoke all permissions from the cloned profile before saving it) and name the new profile ‘Maintenance Window’
    3. Create a Login Hours entry
      1. Enter a time range other than the Maintenance Window
        1. For instance, if the Maintenance window is Tuesday evening starting at 10:00PM and concluding by Wednesday Morning at 4:00AM, set the Login Hours to exclude this period of time or just set Login Hours from 12:00 am to 12:00 am every day of the week.
      2. If a user tries to log in during this time, the login will fail. If they are already logged in, they will be automatically logged out on the next action they take (clicking on a tab, for instance)
    4. (Optional) Create a single IP Address Range Entry to an IP Address that no user may access such as 0.0.0.0 
      1. Unlike Login Hours, this will not automatically log a user out, but will prevent any user with this profile from logging in     
    5. (Optional) Edit the ‘Maintenance Window’ Profile
    6. (Optional) Remove all permissions (Deselect all App Settings except Sales, Change all Tab Settings to Tab Hidden, Deselect all Object Permissions, Deselect all User Permissions)
    7. (Optional) Remove all Apex Class and Visualforce page access
  2. Copy the ProfileId from the newly created Maintenance Window profile. This may be done through the data loader or through the URL in the address bar by navigating to the Profile record.
  4. Copy the UserIds for any user who will need to access the org during the Maintenance Window.  This may be done through the data loader or through the URL in the address bar by navigating to each user record.
  5. Open Workbench (http://workbench.developerforce.com) and log in as an administrator with the ‘Manage Users’ Profile Permission
  6. Jump to: SOQL Query to extract your users
  7. Select the User object and store your results locally in a csv file
  8. Select the following columns
    1. Id
    2. LastName
    3. FirstName
    4. ProfileId 
  9. Add the following constraint
    1. WHERE Id != '<ID of any admin involved in the Maintenance window>'
  10. Select the Bulk CSV radio button to make sure you get a CSV with all of your users you want to block from logging in during the Maintenance Window
  11. The resulting SOQL query should look something like: Select Id, LastName, FirstName, ProfileId FROM User WHERE Id != '00530000001rI6A'
  12. Select the Query button to extract your results
  13. Download and save the CSV file as ‘MaintenanceWindowOriginal.csv’. This file is important in order to not lose your original profile assignments you'll need for the end of the maintenance window.
  14. Change all ProfileIds to the ‘Maintenance Window’ ProfileId you’ve copied and save as a new file: MaintenanceWindowUpdate.csv
  15. Update the Users in the Workbench  
  16. Select the User Object and browse to your MaintenanceWindowUpdate.csv file
  17. Create a mapping of CSV to User Object fields
  18. Click Map Fields
  19. Process records asynchronously via Bulk API and Confirm Update
  20. Verify the Import was successful by navigating to the Manage Users screen and viewing the users.  All Users except the admins participating in the Maintenance window should be set to the Maintenance Window Profile.
  21. Perform any necessary changes to configurations during the Maintenance Window, making sure not to delete any profile during the maintenance.
  22. When you’re ready for users to have access again, load the MaintenanceWindowOriginal CSV back into the org using the Workbench and the same Update flow as you did to change their profiles the first time.
  23. Verify the update was successful by navigating to the Manage Users screen and ensuring that the profiles were returned to their original state before the Maintenance Window.
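
The CSV edit in steps 13 and 14 can be scripted instead of done by hand. The following is an added example, not part of the original post: it builds the MaintenanceWindowUpdate rows from the exported CSV text, skips the maintenance admins, and refuses an export in which a user already has the Maintenance Window profile. The function names and every Id in the sample are constructed; it assumes Ids may appear in either the 15-character form (like the one in the query above) or the 18-character form.

```python
import csv
import io

def id15(sf_id):
    """Normalise a Salesforce Id: 18-char Ids are the 15-char Id plus a 3-char suffix."""
    sf_id = sf_id.strip()
    if len(sf_id) not in (15, 18):
        raise ValueError(f"not a Salesforce Id: {sf_id!r}")
    return sf_id[:15]

def build_rows(original_csv, maintenance_profile_id, admin_user_ids=()):
    """Return (update_rows, restore_rows) built from the exported CSV text."""
    maint = id15(maintenance_profile_id)
    admins = {id15(a) for a in admin_user_ids}
    update, restore = [], []
    for row in csv.DictReader(io.StringIO(original_csv)):
        if id15(row["Id"]) in admins:
            continue  # maintenance admins keep their profile
        if id15(row["ProfileId"]) == maint:
            # Export taken after a swap: the original assignment is not in this file.
            raise ValueError(f"{row['Id']} already has the maintenance profile")
        update.append({"Id": row["Id"], "ProfileId": maintenance_profile_id})
        restore.append({"Id": row["Id"], "ProfileId": row["ProfileId"]})
    return update, restore

def to_csv(rows):
    """Serialise rows with only the two columns the update needs."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Id", "ProfileId"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample export; every Id below is made up.
SAMPLE_EXPORT = (
    '"Id","LastName","FirstName","ProfileId"\n'
    '"005000000000001AAA","Admin","Ann","00e000000000001AAA"\n'
    '"005000000000002AAA","Baker","Bob","00e000000000002AAA"\n'
    '"005000000000003AAA","Cruz","Cy","00e000000000003AAA"\n'
)
MAINT_PROFILE_ID = "00e000000000009AAA"   # constructed 'Maintenance Window' ProfileId
ADMIN_IDS = ["005000000000001"]           # 15-char form of the first user's Id

if __name__ == "__main__":
    update, restore = build_rows(SAMPLE_EXPORT, MAINT_PROFILE_ID, ADMIN_IDS)
    print(to_csv(update))   # contents for MaintenanceWindowUpdate.csv
    print(to_csv(restore))  # original assignments, for the restore load
```

Keep the untouched MaintenanceWindowOriginal.csv as well; the restore rows here are only a trimmed copy of it.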


You can use these same steps to mass update users' profiles using the API and a tool like the Workbench.
