Determine Who Has Sandbox Access
Selective Sandbox Access helps you limit access to only required users who are included in a public group. It also removes the additional step for a Salesforce admin to change user email addresses back to their original format.
Required Editions
| User Permissions Needed | |
|---|---|
| To create or edit a public group: | Manage Users |
| To create, refresh, activate, and delete a sandbox: | Manage Dev Sandboxes (Developer or Developer Pro only) or Manage Sandboxes (all sandbox types) |
Do I Have to Use a Public Group to Provide Access to a Sandbox?
When you create or refresh a Developer and Developer Pro sandbox, you must grant access to the sandbox using a public group. For Partial Copy and Full sandboxes, we recommend that you provide access through a public group; however, you still have the option to provide access to all active users.
How Do I Provide Access Through a Public Group?
When creating or refreshing a sandbox, you select a public group for Sandbox Access. To create a public group, see Create and Edit Groups.
- Make sure all members of the group are of type
Users. - To improve security and reduce sandbox creation times, we recommend that the public group contains fewer than 150 members.
How you select the public group depends on how many public groups are defined in your org.
- If the production org has fewer than 60 public groups, select the group from the Public Groups dropdown.
- If the production org has 60 or more public groups, enter the public group name in the Public Groups field.
If the public group is empty, only the sandbox creator has access.
Sandbox Access User Group Options
The Sandbox Access User Group determines the email address formats when creating a sandbox. When you clone a sandbox, Selective Sandbox Access is unavailable. Cloned sandbox access is determined based on access to the source sandbox.
| Sandbox Operation | Sandbox Access User Group | Users With Access | Email Address Format |
|---|---|---|---|
| Create (applies to only Partial Copy and Full sandboxes) | All Active Users (Match Source Org Access) | Matches users who have access in the production org. | The email address of the sandbox creator is copied unmodified from the production org. Email addresses of the remaining users are appended with .invalid. |
| Create (applies to all sandbox types) | Public User Group | The sandbox creator and users belonging to the public user group have access to the sandbox. We freeze remaining users to remove sandbox access. |
The email addresses of all users with sandbox access are copied unmodified from the production org. Email addresses of the remaining users are appended with .invalid. |
| Clone (applies to all sandbox types) | Not selectable. Source sandbox matches production access. | All users with access to the source sandbox. | The email address of the sandbox creator is copied unmodified from the source org. Email addresses of the remaining users are appended with .invalid. |
Provide Access to Additional Users in Existing Sandboxes
You can provide access to additional users by unfreezing their user accounts. See Salesforce Help: Freeze or Unfreeze User Accounts for instructions.
