Data Security---->Control Access to the Organization

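To keep data secure, Salesforce lets you manage users' login access as a basic layer of protection. The specific methods are: deactivating users, setting password policies, and restricting users' login hours and login IP addresses.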

Deactivate a User

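Although you cannot delete a user, you can deactivate the user's account to prevent them from logging in. A deactivated user cannot access any records (including the user's own records and the records of their team). To deactivate a user, follow these steps:

In Lightning Experience: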

  1. In Setup, use the Quick Find box to go to Users.
  2. Click Edit next to the name of the user you want to deactivate.
  3. Clear the Active checkbox and click Save.
    If you can’t immediately deactivate an account (for example, when the user is selected in a custom hierarchy field), you can freeze their account. That prevents the user from logging in to your organization while you’re working on deactivating them.
    1. On the Users page in Setup, click the username of the user whose account you want to freeze.
    2. Click Freeze.

Set Password Policy

You can set several password rules to make user passwords secure and strong.

Password policies

Set the password complexity requirements, or specify how long user accounts remain valid.

User password expiration

Except for users with the “Password Never Expires” permission, all users should have an account expiration time.

User password resets

Reset the password of a specified user.

Login attempts and lockout periods

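When a user's account is locked after too many login attempts, you can unlock the account.

To set the password rules for users, follow these steps: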

  1. Use the Quick Find box to find Password Policies in Setup.
  2. Customize the password settings.
  3. Choose what to do about forgotten passwords and locked accounts.
  4. Click Save.

Restrict Login Access by IP Address

You can define a range of IP addresses as your org's trusted IP range. IP addresses outside that range are not allowed to access your Salesforce org.

Note:

1. Users on IP addresses outside the trusted IP range are not completely unable to log in to Salesforce. They can log in if they complete a challenge question, typically by entering an activation code sent to their phone or email.

2. If you set your trusted IP range only for a given user profile, all users with that profile who are outside the trusted range are locked out.

3. By default, Salesforce does not restrict logins from any IP address.

The steps to restrict login access by IP address are as follows:

  1. Go to your Setup panel.
    • If you're doing this for your whole org, use the Quick Find box to find Network Access.
    • If you're doing this for a profile, find Profiles instead, then click the name of the profile you want to edit.
  2. Click New in the Login IP Range related list.
  3. Enter the start and end point of the range of trusted IP addresses, and save.
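A pre-check for the start/end pairs entered in step 3, as an added example that is not from the original post or from Salesforce: since users outside a trusted range face the activation-code challenge and a profile-level range locks out everyone outside it, the script flags swapped, overly broad and overlapping ranges before they are saved. The 65,536-address threshold, the function names and the sample ranges are assumptions made for illustration.

```python
import ipaddress

MAX_ADDRESSES = 65536  # assumption: anything wider than an IPv4 /16 needs review

# Constructed sample input (documentation/private addresses), as (start, end) pairs.
RANGES = [
    ("203.0.113.10", "203.0.113.40"),
    ("203.0.113.30", "203.0.113.50"),     # overlaps the previous range
    ("198.51.100.200", "198.51.100.20"),  # start and end swapped
    ("10.0.0.0", "10.255.255.255"),       # 16,777,216 addresses
]

def _parse(start, end):
    """Return (lo, hi) address objects, or None if the pair is unusable."""
    try:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError:
        return None
    return (lo, hi) if lo.version == hi.version else None

def audit_ranges(ranges, max_addresses=MAX_ADDRESSES):
    """Return [((start, end), finding), ...] for ranges that need attention."""
    findings, valid = [], []
    for pair in ranges:
        parsed = _parse(*pair)
        if parsed is None:
            findings.append((pair, "invalid or mixed-version addresses"))
        elif parsed[0] > parsed[1]:
            findings.append((pair, "start after end"))
        else:
            if int(parsed[1]) - int(parsed[0]) + 1 > max_addresses:
                findings.append((pair, "range too broad"))
            valid.append((parsed[0], parsed[1], pair))
    # Overlaps: walk ranges in start order, remembering the furthest end seen.
    valid.sort(key=lambda r: (r[0].version, int(r[0])))
    widest = None
    for lo, hi, pair in valid:
        same = widest is not None and widest[0].version == lo.version
        if same and lo <= widest[1]:
            findings.append((pair, "overlaps %s-%s" % tuple(widest[2])))
        if not same or hi > widest[1]:
            widest = (lo, hi, pair)
    return findings

def is_trusted(ip, ranges):
    """True if ip falls inside any well-formed range (bounds inclusive)."""
    addr = ipaddress.ip_address(ip)
    for lo, hi in filter(None, (_parse(s, e) for s, e in ranges)):
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False
```

Running `is_trusted` with an administrator's own address against a planned profile range before saving it shows whether that administrator would be locked out.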

Restrict Login Access by Time

For each profile, you can specify the hours during which its users can log in:

  1. In Setup, use the Quick Find box to find Profiles.
  2. Click the profile you want to change.
  3. Under Login Hours, click Edit.
  4. Set the days and hours when users with this profile can log in to the organization.
    • To allow users to log in at any time, click Clear all times.
    • To prohibit users from using the system on a specific day, set the start and end times to the same value.

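Note: If users are still logged in when their login hours end, they can continue to view their current page, but they cannot take any further action.

Original article: https://www.cnblogs.com/qingyaxuan/p/7379947.html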