Lock out users during maintenance / deployment

I used to think locking users out of the Salesforce platform for a deployment was not needed at all. Recently I realized that sometimes you have to. There are some straightforward ways to do this, such as deactivating/freezing users using Data Loader, locking out all login hours in the profile, or freezing all users using Data Loader (UserLogin entity). I like a different approach using a login flow. Login flow is a powerful tool introduced in Winter '15. I found the following properties that make it a great fit for locking out users:

  • The login flow is invoked the moment someone tries to log in, and there is no way to bypass it. The user has to click the Finish button before proceeding to the application.
  • Usually our end users don't have API access, so we don't need to prevent API logins (which a login flow does not cover). If this is not true for you, please go with deactivating/freezing users.
  • Your users will be able to log in and will see a user-friendly message explaining why they cannot use the application now and when they will be able to do so. This avoids multiple calls from end users asking why they are not able to log in.
  • You as an admin also have more control. In this example, I have added a passcode, which I can share with a limited set of end users if I need them to log in.
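
The API caveat in the second bullet can be checked before relying on the login flow. The following anonymous Apex is an added example, not part of the original post; it lists every active user who holds the API Enabled permission, through a profile or a permission set, using the standard PermissionSetAssignment and PermissionSet objects.

```apex
// Added example: run from Developer Console > Debug > Open Execute Anonymous Window.
// Every profile owns a hidden permission set (IsOwnedByProfile = true), so one
// query over PermissionSetAssignment covers both profiles and permission sets.
// Assumes the result stays under the 50,000-row query limit.
Map<String, Set<String>> apiUsers = new Map<String, Set<String>>();

for (PermissionSetAssignment psa : [
        SELECT Assignee.Username,
               PermissionSet.IsOwnedByProfile,
               PermissionSet.Profile.Name,
               PermissionSet.Label
        FROM PermissionSetAssignment
        WHERE PermissionSet.PermissionsApiEnabled = true
          AND Assignee.IsActive = true
        ORDER BY Assignee.Username]) {

    // Record where the permission comes from, so it can be removed at the source.
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'profile: ' + psa.PermissionSet.Profile.Name
        : 'permission set: ' + psa.PermissionSet.Label;

    String username = psa.Assignee.Username;
    if (!apiUsers.containsKey(username)) {
        apiUsers.put(username, new Set<String>());
    }
    apiUsers.get(username).add(source);
}

// One line per user, with every source that grants API Enabled.
for (String username : apiUsers.keySet()) {
    List<String> sources = new List<String>(apiUsers.get(username));
    System.debug(username + ' -> ' + String.join(sources, ', '));
}
System.debug(apiUsers.size() + ' active users hold API Enabled; '
    + 'a login flow will not stop their API logins.');
```

Any non-admin user in the output is a reason to freeze or deactivate that user for the maintenance window instead of relying on the login flow alone.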

Two steps to set it up:

  • Create a flow with the message that you want to show to your users.
  • Assign this flow as the login flow to all user profiles.

Create a flow:

  • Go to Setup > Flow and click the New Flow button. This will open the Flow Designer page.
  • Drag and drop a Screen element. This will open a new Screen wizard. Enter a name for your screen.
  • Go to the Add a Field tab and add a display text element.
  • Click on the added display text element to update its properties. Add the message you want your users to see.
  • Go back to the Add a Field tab and add a password field.
  • Click on the password field to update its properties: give it a name and make it required.
  • Check the "Validate" checkbox under the input validation section to add password validation logic. I love a simplistic approach, hence I will just compare with one complex passcode. CAUTION: Please write down this passcode in a safe place. If possible, email it to other admins in your org. If you lose it, and you assign this flow to the System Administrator profile, you will be locked out.
  • Click OK to return to the Flow Designer. You will see one element added to the canvas. Hover over the screen element and use the green icon at the top right to make it the start element.
  • Save the flow and give it a name. I am calling it Scheduled Maintenance In Progress.
  • From the detail page of the flow, activate the flow version.

Assign the flow to each of the end user profiles:

  • Connect the flow with your profile. You have to repeat this step for each profile in your org.

Now you are ready to start working on your org. Users will not be able to log in. Once you are done, delete the login flow records. Keep the flow for future use.

Let me know your thoughts. Also, I would love to know other innovative ways you might be using for locking users out.