Best Practices for Salesforce User Accounts, Security Tokens and Password Settings


Problem

Salesforce is really secure about how it manages users and passwords, too secure sometimes! In a brand-new Salesforce account, the default setting has passwords automatically expire for all users every 90 days and requires each user to choose a new, unique password. This can be really cumbersome for users and a big problem for 3rd-party tools like the Salesforce integration in Nonprofit Soapbox and Soapbox Engage, which need to use those credentials to authenticate with Salesforce's API in order to pull data from and push data to your database.

On top of this, to access your database through the API, Soapbox also needs something called a "security token": a unique key that Salesforce generates for each user. Once the security token has been generated, Salesforce sends it by email, and it cannot be viewed or found anywhere online within Salesforce.com. The token stays valid until the user resets it manually, changes their password, or has their password reset by the system or an Administrator.
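The API side of this, as an added example that is not Soapbox's or Salesforce's own code: a Python sketch of the Partner API SOAP login, in which the security token is appended to the user's password, plus a parser that surfaces the passwordExpired flag Salesforce returns once the expiration policy has fired on the integration account. The sample response, session ID, server URL and account names are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"


def build_login_envelope(username, password, security_token):
    """SOAP login request for the Partner API. Salesforce expects the security
    token appended to the password, which is why a password change (which also
    resets the token) breaks every integration that uses the account. XML
    metacharacters are escaped so a password containing & or < cannot corrupt
    the envelope."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<env:Envelope xmlns:env="{SOAP_NS}"><env:Body>'
        f'<n1:login xmlns:n1="{PARTNER_NS}">'
        f"<n1:username>{escape(username)}</n1:username>"
        f"<n1:password>{escape(password + security_token)}</n1:password>"
        "</n1:login></env:Body></env:Envelope>"
    )


def parse_login_result(xml_body):
    """Pull sessionId and passwordExpired out of a loginResponse. passwordExpired
    is true when the expiration policy fired on the integration account; that
    session only allows a password change, so alert the admin, don't retry."""
    root = ET.fromstring(xml_body)
    result = root.find(f".//{{{PARTNER_NS}}}result")
    if result is None:  # SOAP 1.1 fault; faultstring carries no namespace
        fault = root.find(f".//{{{SOAP_NS}}}Fault/faultstring")
        raise RuntimeError(fault.text if fault is not None else "no LoginResult")
    return {
        "session_id": result.findtext(f"{{{PARTNER_NS}}}sessionId"),
        "server_url": result.findtext(f"{{{PARTNER_NS}}}serverUrl"),
        "password_expired": result.findtext(f"{{{PARTNER_NS}}}passwordExpired") == "true",
    }


# Constructed sample loginResponse (not a real session) after the password
# policy expired the dedicated account's password.
SAMPLE_EXPIRED_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns="{PARTNER_NS}">'
    "<soapenv:Body><loginResponse><result>"
    "<passwordExpired>true</passwordExpired>"
    "<serverUrl>https://example.my.salesforce.com/services/Soap/u/57.0</serverUrl>"
    "<sessionId>00Dxx0000000000!constructed</sessionId>"
    "</result></loginResponse></soapenv:Body></soapenv:Envelope>"
)
```

Post the envelope to https://login.salesforce.com/services/Soap/u/<version> with a `SOAPAction: login` header; keep the password and token in a secrets store or password manager, never in the integration's source.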

Solution and Best Practices

Here is the solution to all your password/token woes for 3rd-party tools (well maybe not all of them but most):

1. Set up one dedicated user account for 3rd-party integrations

We recommend setting up at least one user account that is dedicated to 3rd-party integrations, bearing in mind that you may need this login for more than one tool. The username, email and password on this account can be whatever makes the most sense to you. Note that usernames must be unique but do not need to be valid email addresses, so you could use "webtools@ournonprofit.org" or "api@ournonprofit.org" as the username even if that email address does not exist. An email address can be shared by more than one username. We suggest using your System Administrator's email for this account.

2. Generate the security token once, store it in a safe place and then don't change your password unless you have to!

To get the security token, first make sure you are logged in to Salesforce with the correct user account that you need the token for. Remember that tokens vary per user. Then go to your User Menu (at the top of the page) > Setup. From the setup area, in the left column under Personal Setup go to My Personal Information > Reset My Security Token.

On the page that comes up, note the Salesforce warning message "Clicking the button below invalidates your existing token. After resetting your token, you will have to use the new token in all API applications" - they aren't kidding! If you haven't generated your token yet, go ahead and click that button. You'll receive your token in an email. If you have an existing token and need to regenerate one, be sure to have a list handy of all the 3rd-party tools you'll need to update (such as the Soapbox integration plugin, any email app like Vertical Response or Constant Contact, or any other app from the AppExchange).

Once you get the token, hold onto it! That email is the only record of the token, so keep it in a safe place or store it in a password manager so you won't have to reset it simply because you can't track it down. So long as you don't change your user password, that token will remain valid.

3. Change password policies for your Salesforce instance or the Profile of the user account entered into Soapbox Engage so passwords don't expire automatically.

This last one is important. The simplest way to accomplish this is to disable password expiration for your entire Salesforce instance, but this has security implications you must consider. If you still wish to do so:

  1. Log in to Salesforce as a System Administrator
  2. Go to Setup
  3. From the Setup page, in the left column, go to the section at the bottom titled Administration Setup
  4. Navigate to Security Controls > Password Policies
  5. Change "User passwords expire in" to "Never expires"
  6. Click Save

You can also disable password expiration for the Profile of the dedicated User account. Doing so disables password expiration not just for the dedicated User but for all other Users associated with that Profile. To do so:

  1. Log in to Salesforce as a System Administrator
  2. Go to Setup
  3. From the Setup page, in the left column, go to Manage Users > Profiles
  4. Click on the Profile with which the dedicated User is associated
  5. Change "User passwords expire in" to "Never expires"
  6. Click Save

If you wish to disable password expiration for only the dedicated User account, you can clone the existing Profile with which the User is associated, disable password expiration for the new cloned Profile as noted above, and then associate the dedicated User with that cloned Profile. For more on cloning Profiles, see Cloning Profiles in Salesforce's documentation.
