          Login Access Control

          Salesforce lets a Salesforce admin set up your org so that Salesforce Support users, partner support users, or subscribers can log in to the org as another user.

          Control Name

          Login Access Policies

          Recommended Configuration

          Enable Multi-Factor Authentication for login as. Require that an admin login as notifies the customer: Setup > Login Access Policies > Disable Administrators Can Login As Any User. Prevent users from granting login access to a publisher: Setup > Login Access Policies > Available to Administrators Only.

          Control Overview

          Salesforce lets a Salesforce admin set up your org so that Salesforce Support users, partner support users, or subscribers can log in to the org as another user. Strict control of this Login Access capability limits unauthorized actions performed through Login Access sessions.

          Security Risk If Not Configured

          An improper Salesforce Login Access setup creates a risk of permission bypass and opens an insider-threat window, in which support or partner support users can access sensitive data without explicit user consent or a valid business justification.

          Threat Scenarios

          A threat actor who has compromised an admin account silently impersonates a high-level executive to access sensitive financial data or confidential HR records without the executive's knowledge. Because the impersonation session inherits the target user's full permissions and may not require an MFA re-challenge, the attacker can exfiltrate proprietary information.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Risk severity depends on the user population size and access privileges granted upon login.

          Higher Risk When

          User identity verification (MFA or another method) is not in place, and no event monitoring is in place.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • MFA enforcement or identity verification is in place: MFA is enforced for Salesforce users, or is required when login as is used.
          • IP login restriction at the network layer: IP login restriction is applied to users with privileges to modify the setup.
          • Login timeout: Users are automatically logged out of the service provider when they log out of Salesforce or the login-as session is terminated.
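          The "no event monitoring" risk factor above and the IP login restriction bullet both come down to reviewing login-as sessions against policy. The following Python script is an added example, not Salesforce code: it reads a constructed CSV in the rough shape of a LoginAs event log export (the column names and the assumption that USER_NAME is the impersonated account and DELEGATED_USER_NAME the admin who started the session are this example's own, not a verified schema) and flags sessions by unapproved actors, from outside allowed networks, or against sensitive accounts.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of a LoginAs event log export.
# Column names and their meaning are assumptions for this example:
# USER_NAME is the account being impersonated, DELEGATED_USER_NAME the
# admin or support user who started the login-as session.
SAMPLE_LOGINAS_CSV = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,DELEGATED_USER_NAME,SOURCE_IP
LoginAs,2024-05-01T09:12:44Z,cfo@example.com,admin.jane@example.com,203.0.113.10
LoginAs,2024-05-01T09:40:02Z,support.case@example.com,admin.jane@example.com,203.0.113.10
LoginAs,2024-05-01T23:55:10Z,ceo@example.com,admin.bob@example.com,198.51.100.7
LoginAs,2024-05-02T10:05:30Z,analyst@example.com,partner.support@example.com,192.0.2.55
"""

# Policy inputs (constructed): who may use login-as, from which networks,
# and which accounts hold data sensitive enough that every session is reviewed.
APPROVED_LOGIN_AS_USERS = {"admin.jane@example.com", "admin.bob@example.com"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_TARGETS = {"cfo@example.com", "ceo@example.com", "hr.director@example.com"}


@dataclass
class Finding:
    timestamp: str
    actor: str      # user who logged in as someone else
    target: str     # impersonated account
    reasons: tuple  # why this session needs review


def review_login_as_events(csv_text: str) -> list:
    """Return one Finding per LoginAs row that breaks at least one rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "LoginAs":
            continue
        actor, target = row["DELEGATED_USER_NAME"], row["USER_NAME"]
        reasons = []
        if actor not in APPROVED_LOGIN_AS_USERS:
            reasons.append("actor not an approved login-as user")
        src = ipaddress.ip_address(row["SOURCE_IP"])
        if not any(src in net for net in ALLOWED_NETWORKS):
            reasons.append("login-as from outside allowed networks")
        if target in SENSITIVE_TARGETS:
            reasons.append("impersonation of a sensitive account")
        if reasons:
            findings.append(Finding(row["TIMESTAMP_DERIVED"], actor, target, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in review_login_as_events(SAMPLE_LOGINAS_CSV):
        print(f.timestamp, f.actor, "->", f.target, "|", "; ".join(f.reasons))
```

          Run against the sample, the second row (a routine support case handled by an approved admin from an allowed network) produces no finding, while the other three are reported with the rule they broke.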

          Business and Integration Considerations

          Customers should evaluate their business process regarding user login access.

          Recommended Remediation

          Enable user consent for admin login as user, and restrict users from granting login access to a publisher without admin acknowledgement.

          Security Health Review Guidance

          Security Health Review identifies the platform configuration related to Login Access. As part of the baseline security, Security Health Review evaluates login access controls, including notification and consent when a user account is accessed, to make sure that the feature aligns with general privacy and compliance best practices.

          Salesforce Help | Article