How to lock a Salesforce Org by Freezing Users

In which context could you want to lock your Salesforce Org?


As part of maintenance operations or release deployments, you may need to prevent all users, or a subset of users, from connecting to a Salesforce organization for a limited period of time.

While you could try to find the OFF button in the settings, Salesforce is a SaaS platform and there is no way you can access the application layer and deactivate the web services, whether directly or indirectly through the Salesforce settings.

Still, the following options will allow you to lock the subset of users you need.


Deactivate your Single Sign-On configuration


If you are leveraging SSO, deactivating the Single Sign-On configuration at the org level can be an easy first action to prevent your end users from logging in to your Salesforce organisation.

End users usually access the organisation through the My Domain URL, where the Single Sign-On option is available to them. Sometimes hitting the My Domain URL even takes them seamlessly to the home page of their favorite App.

Once your SSO configuration is deactivated, users are offered the standard Salesforce login form, where only those who have a username/password can log in. This is not a very user-friendly solution for the majority of users, as you won’t be able to display a maintenance message, but it will do the job for a limited period of time, above all during off-peak hours.

This can be easily achieved by navigating to Setup -> My Domain. In the Authentication Configuration section, click on Edit, deselect the Authentication Service matching your SSO configuration and keep only the Login Form checked.

MyDomain Authentication Configuration
Salesforce standard login form

Once you are done and want to restore your Single Sign-On configuration, follow the same steps and reactivate your SSO setting on the My Domain settings page.


Deactivating users or Freezing users


This second option allows you to granularly target and lock the users you want to block.

Freezing/unfreezing users can be easily achieved in 3 different ways, depending on the number of users you have to freeze/unfreeze and your preferences.

Freezing a user updates the IsFrozen boolean field of the UserLogin standard object: it is set to True when locking a user and to False when unlocking a user. Note also that freezing users does not make their licences available.


Freezing Users VS Deactivating Users

Before jumping into the options, let’s understand why, in this scenario, it is recommended to freeze and not deactivate users. What is happening behind the scenes?

Deactivating users | Freezing users
User licences are freed up | No impact on user licences
Sharing is impacted | No impact on sharing
Batches or reports scheduled by the users will fail at execution | No impact on scheduled tasks
Check out the Salesforce article here | Check out the Salesforce article here

Option 1 : Manual freeze and unfreeze

Navigate to the Salesforce Setup -> Users and click on a user you want to freeze. Then use the button at the top of the page to Freeze or Unfreeze the user.

Once the user is frozen, the Freeze label changes to Unfreeze.

This has to be done user by user and can be a good way to proceed if you have just a few users.

I’d also recommend that you create 2 user listviews before proceeding:

  • One Listview with the users you need to freeze and who are not frozen yet
    This will allow you to track your progress and not miss anybody
New Listview with custom criteria + IsFrozen = False
  • One Listview with the users who are frozen
    This will allow you to track and control who has been frozen/who needs to be unfrozen
New Listview with IsFrozen = True

You can also add the Is Frozen column to any Listview to see the status of each user.


Option 2 : Use a data loader tool

This option can be relevant when you have a significant number of users and want to avoid manual freeze/unfreeze. Just prepare 2 files, one to freeze and one to unfreeze, and load them using any Salesforce data loader tool.

Salesforce already describes these steps in the following self-explanatory official article: Freeze or unfreeze multiple Users at once.

Note that, depending on the criteria you want to use to filter the users to freeze, you may need to extract more than one Salesforce object and combine them, using MS Excel for instance, before you can generate the final file to load.

The UserLogin object only has the UserId field, while all the other convenient and useful attributes are at the User level (Name, Username, Profile, …).

That’s where option 3 is here to help you!


Option 3 : Use an Anonymous Apex script

For those who are comfortable with Anonymous Apex, the following script will be very helpful and can be far quicker than option 2.

This script works fine if you have fewer than 10 000 users to update. Otherwise another approach has to be taken: either repeat the actions for each group of 10k users, or convert the script below to an Apex batch for maximal scalability.

Let’s say you want to freeze all Users whose Profile assigned is Profile1 or Profile2, except a subset of these users because they will need to access the system during this lockdown period.

Here is the overall approach:

  • Create listviews to check the results before and after executing the scripts (see option 1)
  • Check how many users will be frozen (use the DryRun variable in the following code snippet)
  • Execute the script to freeze the users (use the DryRun and FreezeMode variables)
  • Use the listviews created previously to check the result
  • Execute the script to unfreeze the users (use the DryRun and FreezeMode variables)
  • Use the listviews created previously to check the result

/************************************************************/
/* Re-usable script to freeze/unfreeze users
/* 
/* - Prerequisite 1: Set the FreezeMode variable to the expected value: 
/*                   True = Freeze
/*                   False = Unfreeze
/* - Prerequisite 2: Set the DryRun variable to the expected value: 
/*                   True = Count how many users will be frozen/unfrozen and get the list
/*                   False = Freeze/Unfreeze the users
/*
/************************************************************/

// Parameters
Boolean FreezeMode=True;
Boolean DryRun=True;

//List of Profiles to freeze or unfreeze
List<User> lUsersByProfile = new List<User>([SELECT Id FROM User WHERE ProfileId IN (SELECT Id FROM Profile WHERE Name IN ('Profile1', 'Profile2'))]);

//List of UserName to not freeze or unfreeze
List<User> lExcludedUsers = new List<User>([SELECT Id FROM User WHERE UserName IN ('john.smith@salesforce4ever.com')]);

List<UserLogin> lUsersToUpdate = new List<UserLogin>();

For (UserLogin bUserToUpdate : [SELECT Id FROM UserLogin WHERE isFrozen!=:FreezeMode AND UserId IN (SELECT Id FROM User WHERE isActive = True AND Id IN :lUsersByProfile AND Id NOT IN :lExcludedUsers) LIMIT 10000]) {
    bUserToUpdate.isFrozen = FreezeMode;
    lUsersToUpdate.add(bUserToUpdate);
}

// Display in debug logs the users for tracking purposes
For (User lSelectedUser:[SELECT Id, Username, Firstname, Lastname, Email FROM User WHERE Id IN (SELECT UserId FROM UserLogin WHERE Id IN :lUsersToUpdate) LIMIT 10000]){
    system.debug('Username: '+ lSelectedUser.Username + ', Firstname: ' + lSelectedUser.Firstname + ', LastName: ' + lSelectedUser.Lastname + ', Email: ' + lSelectedUser.Email);
}
system.debug('Nb of users to be updated: ' + lUsersToUpdate.size());

// Update only if the script is not run in DryRun mode
if (!DryRun && lUsersToUpdate != null) {
    update lUsersToUpdate;
}

With this example and some Apex and SOQL knowledge, you should be able to adapt the script to your own situation once you get the idea.
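
For orgs above the 10k limit mentioned earlier, here is one way the script could be converted to an Apex batch. This is an added example, not code from the original post: the class name FreezeUsersBatch, its constructor parameters and the batch size of 200 are assumptions, and it additionally skips the user who submits the job so that the operator is never locked out.

```apex
// Added example, not the blog author's code; names are hypothetical. Usage:
// Database.executeBatch(new FreezeUsersBatch(true, true,
//     new List<String>{'Profile1', 'Profile2'},
//     new List<String>{'john.smith@salesforce4ever.com'}), 200);
public class FreezeUsersBatch implements Database.Batchable<SObject>, Database.Stateful {
    private final Boolean freezeMode; // true = freeze, false = unfreeze
    private final Boolean dryRun;     // true = count only, no update
    private final List<String> profileNames;
    private final List<String> excludedUsernames;
    private Integer matched = 0;      // kept across chunks by Database.Stateful
    private Integer failed = 0;

    public FreezeUsersBatch(Boolean freezeMode, Boolean dryRun,
                            List<String> profileNames, List<String> excludedUsernames) {
        this.freezeMode = freezeMode;
        this.dryRun = dryRun;
        this.profileNames = profileNames;
        this.excludedUsernames = excludedUsernames;
    }

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Assumption: the submitting user is always skipped to keep operator access.
        Id runningUserId = UserInfo.getUserId();
        return Database.getQueryLocator([
            SELECT Id, UserId, IsFrozen FROM UserLogin
            WHERE IsFrozen != :freezeMode AND UserId != :runningUserId
            AND UserId IN (SELECT Id FROM User WHERE IsActive = true
                           AND Profile.Name IN :profileNames
                           AND Username NOT IN :excludedUsernames)
        ]);
    }

    public void execute(Database.BatchableContext bc, List<UserLogin> scope) {
        matched += scope.size();
        if (dryRun) { return; }
        for (UserLogin rec : scope) { rec.IsFrozen = freezeMode; }
        // allOrNone = false: one rejected row does not roll back the chunk
        for (Database.SaveResult result : Database.update(scope, false)) {
            if (!result.isSuccess()) {
                failed++;
                System.debug(LoggingLevel.ERROR, result.getErrors()[0].getMessage());
            }
        }
    }

    public void finish(Database.BatchableContext bc) {
        System.debug('Matched: ' + matched + ', failed: ' + failed + ', dryRun: ' + dryRun);
    }
}
```

Run it first with dryRun set to true and compare the matched count in the debug log with your "not frozen yet" listview before submitting the real run.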


Important notes before freezing users


  • Before proceeding, do ensure you’ll still have one system administrator user able to access the Salesforce Org under any circumstances.
  • Try and validate the whole process in a sandbox environment, and at least once in a Full Copy sandbox.
  • Do not deactivate the users for this sole purpose, as this will free their licence, and this could also have a bigger impact than you expected if they are part of some configuration components (custom hierarchy field, email alert recipient, dashboard running user…). In some cases this can even prevent you from deactivating the user. The impact of user deactivation should be analysed carefully.
  • Do ensure that any activity run by the user is paused during the lock period. If an integration user still has a high level of activity on the org, it can prevent you from freezing the user, in addition to causing data issues and misalignment with your external systems.
