
          Login Access

          As a Salesforce admin, you can set up your org to allow Salesforce support users, partner support users, or subscribers to log in to a Salesforce org as another user. For example, to help troubleshoot user issues, a support user can log in to a Salesforce org as the user experiencing the problem. You can also configure your org to require users to grant login access to support users or subscribers trying to log in as that user.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Available in: All Editions

          Granting administrator access available in: Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Considerations

          For security, these measures apply when Salesforce support users, partner support users, and subscribers log in as other users.

          • When logged in as another user, a support user or subscriber can’t authorize OAuth data access for the user. For example, if a support user or subscriber logs in as another user, they can’t authorize OAuth access for third-party applications to user accounts. This restriction includes single sign-on.
          • A support user or subscriber logged in as another user can’t perform any action that sends email from Salesforce unless that user’s account email has been verified.
          • A support user or subscriber can’t switch to another username while logged in as the user. For example, when a support user or subscriber logs in as another user, they are logged out if a different username is selected from the profile menu in Lightning Experience.
          • A support user or subscriber logging in as another user must meet multi-factor authentication (MFA) requirements when these conditions are true.
            • MFA is enforced for the end user by a permission, session-level policy, or the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting.
            • Multi-Factor Authentication for UI Logins During Log In As is enabled for the org.
            Note: The Multi-Factor Authentication for UI Logins During Log In As setting is disabled by default. To enable this setting, contact Salesforce customer support.

            For example, Multi-Factor Authentication for UI Logins During Log In As is enabled for your org and a user has the Multi-Factor Authentication for User Interface Logins user permission. When a support user or subscriber logs in as the user, the user must provide the code or approval from a verification method that they’ve registered for their account. Verification methods include authenticator apps, security keys, or temporary identity verification codes. Support users and subscribers with high-assurance sessions always bypass MFA verification during login as.

            If Multi-Factor Authentication for UI Logins During Log In As isn’t enabled for the org, the support user or subscriber can log in as the user without the user completing MFA verification. This scenario applies even if the Multi-Factor Authentication for User Interface Logins permission is enabled for the user.

          • When the support user or subscriber logs in without multi-factor authentication and tries to access a resource that requires a high-assurance session, such as reports, the high-assurance policy of the org determines whether the support user or subscriber can access reports. For more information, see Modify Session Security Settings.

            For example, if the high-assurance policy for the org is set to Block, then the support user or subscriber can’t access reports. If the policy is set to Raise the session to high assurance, the support user or subscriber must provide a second factor to verify identity.
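
The MFA considerations above, modelled as a small decision function that lists which users have MFA enforced yet can still be entered through Log In As without an MFA challenge. This is an added example, not Salesforce code: the class and field names are hypothetical labels for the settings the article names, and the sample users are constructed.

```python
from dataclasses import dataclass

# Hypothetical labels for the settings the article names; not Salesforce API fields.
@dataclass
class Org:
    login_as_mfa_enabled: bool = False    # "MFA for UI Logins During Log In As" (default: off)
    mfa_all_ui_logins: bool = False       # "Require MFA for all direct UI logins" org setting
    high_assurance_policy: str = "block"  # "block" or "raise" for high-assurance resources

@dataclass
class User:
    name: str
    mfa_permission: bool = False          # "MFA for User Interface Logins" user permission
    mfa_session_policy: bool = False      # session-level policy

def mfa_enforced(org, user):
    """MFA is enforced for the end user by permission, session policy, or org setting."""
    return org.mfa_all_ui_logins or user.mfa_permission or user.mfa_session_policy

def login_as_outcome(org, user, support_high_assurance=False):
    """Return (login_step, report_access) for a support user logging in as `user`.

    report_access is only filled in for the no-MFA case, the one the article covers.
    """
    if support_high_assurance:
        return ("mfa_bypassed", None)     # high-assurance support sessions always bypass
    if org.login_as_mfa_enabled and mfa_enforced(org, user):
        return ("mfa_challenge", None)    # both conditions true: MFA must be completed
    access = {"block": "blocked", "raise": "second_factor_required"}
    return ("no_mfa", access[org.high_assurance_policy])

def mfa_skipped_for(org, users):
    """Users with MFA enforced whose accounts can still be entered via Log In As without it."""
    return [u.name for u in users
            if mfa_enforced(org, u) and login_as_outcome(org, u)[0] == "no_mfa"]

# Constructed sample data.
USERS = [User("alice", mfa_permission=True), User("bob"),
         User("carol", mfa_session_policy=True)]

if __name__ == "__main__":
    for org in (Org(), Org(login_as_mfa_enabled=True, high_assurance_policy="raise")):
        print(org, "->", mfa_skipped_for(org, USERS))
        for u in USERS:
            print("  ", u.name, login_as_outcome(org, u))
```

With the default org settings, every MFA-enforced user appears in the skipped list, which is the gap the Log In As MFA setting closes.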

          Configure Login Access

          Review these topics to help you in configuring login access for your org.

          • Log In as Another User
            To help troubleshoot user issues, admins can log in to a Salesforce org as the user experiencing the problem. Depending on your org settings, an individual user can be prompted to grant login access to an admin.
          • Control Login Access Policies
            Control whether your users are prompted to grant account access to Salesforce admins, and whether users can grant access to publishers.
           