
SecuritySettings

Represents an organization’s security settings. Security settings define trusted IP ranges for network access, password and login requirements, and session expiration and security settings.

In the package manifest, all organization settings metadata types are accessed using the “Settings” name. See Settings for more details.

Declarative Metadata File Suffix and Directory Location

SecuritySettings values are stored in a single file named Security.settings in the settings directory. The .settings files are different from other named components because there is only one settings file for each settings component.

Note: SecuritySettings is no longer available in API versions 25.0 and 26.0.

Version

Security settings are available in API version 27.0 and later.

Fields

Field Name Field Type Description
networkAccess NetworkAccess The trusted IP address ranges from which users can always log in without requiring computer activation.
passwordPolicies PasswordPolicies The requirements for passwords and logins, and assistance with retrieving forgotten passwords.
sessionSettings SessionSettings The settings for session expiration and security.

NetworkAccess

Represents your organization’s trusted IP address ranges for network access.

Field Field Type Description
ipRanges IpRange[] The trusted IP address ranges from which users can always log in without requiring computer activation.

Note: A deployment replaces the organization's entire set of trusted IP ranges with the ranges in the deployed file. To add a range, deploy every existing range together with the new one; otherwise the existing ranges are removed. To remove all IP ranges in an organization, deploy an empty networkAccess element (<networkAccess></networkAccess>).
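Because a deploy overwrites the whole networkAccess block, the safe workflow is to edit the retrieved Security.settings file rather than write a fresh one. The script below is an added example, not Salesforce's own code: it appends a range to whatever is already declared, validates that start and end are same-version IP literals in the right order, and can produce the empty networkAccess element that clears all ranges. It assumes the file uses the metadata namespace shown on this page; the loopback range in SAMPLE is constructed from the page's sample file and the 203.0.113.0/24 range is documentation space.

```python
"""Add or clear trusted IP ranges in a Salesforce Security.settings file
without clobbering the ranges that are already deployed.

Added example, not Salesforce's own code. Assumes the metadata namespace
shown on this page; the sample data below is constructed."""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", NS)  # serialise with the default namespace, as deployed


def _q(tag: str) -> str:
    """Qualify a local tag name with the metadata namespace."""
    return f"{{{NS}}}{tag}"


def list_ranges(xml_text: str) -> list[tuple[str, str]]:
    """Return the (start, end) pairs currently declared under networkAccess."""
    root = ET.fromstring(xml_text)
    return [(r.findtext(_q("start")), r.findtext(_q("end")))
            for r in root.iter(_q("ipRanges"))]


def add_trusted_range(xml_text: str, start: str, end: str) -> str:
    """Return the settings XML with start-end appended to the existing ranges.

    A deploy replaces the whole networkAccess block, so the file we deploy must
    carry every range we intend to keep; this appends instead of rebuilding.
    """
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version:
        raise ValueError("start and end must be the same IP version")
    if lo > hi:
        raise ValueError(f"start {start} is above end {end}")
    if (start, end) in list_ranges(xml_text):
        return xml_text  # already present; nothing to do
    root = ET.fromstring(xml_text)
    access = root.find(_q("networkAccess"))
    if access is None:  # no block at all means no trusted ranges yet
        access = ET.SubElement(root, _q("networkAccess"))
    rng = ET.SubElement(access, _q("ipRanges"))
    ET.SubElement(rng, _q("end")).text = end      # same child order as the page sample
    ET.SubElement(rng, _q("start")).text = start
    return ET.tostring(root, encoding="unicode")


def clear_ranges(xml_text: str) -> str:
    """Return the XML with an empty networkAccess element, which removes every
    trusted range when deployed (the behaviour described in the note above)."""
    root = ET.fromstring(xml_text)
    access = root.find(_q("networkAccess"))
    if access is None:
        access = ET.SubElement(root, _q("networkAccess"))
    for child in list(access):
        access.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the single loopback range from this page's sample file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <networkAccess>
        <ipRanges>
            <end>127.0.0.1</end>
            <start>127.0.0.1</start>
        </ipRanges>
    </networkAccess>
</SecuritySettings>
"""

if __name__ == "__main__":
    updated = add_trusted_range(SAMPLE, "203.0.113.0", "203.0.113.255")
    print(list_ranges(updated))
    print(list_ranges(clear_ranges(updated)))
```

Run it against the file retrieved from the org, then deploy the returned XML; re-running with the same range is a no-op, so it is safe to use in a pipeline that reconciles the trusted list on every run.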

IpRange

Defines a range of trusted IP addresses for network access.

Field Field Type Description
end string The IP address that defines the high end of a range of trusted addresses.
start string The IP address that defines the low end of a range of trusted addresses.

PasswordPolicies

Represents your organization’s password and login policies.

Field Field Type Description
apiOnlyUserHomePageURL string The URL to which users with the “API Only User” permission are redirected instead of the login page.
complexity Complexity (enumeration of type string)
Required. The requirement for which types of characters must be used in a user’s password. Valid values are:
  • NoRestriction: allows any password value and is the least secure option.
  • AlphaNumeric: requires at least one alphabetic character and one number. This is the default value.
  • SpecialCharacters: requires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
  • UpperLowerCaseNumeric: requires at least one number, one uppercase letter, and one lowercase letter. This value is available in API version 33.0 and later.
  • UpperLowerCaseNumericSpecialCharacters: requires at least one number, one uppercase letter, one lowercase letter, and one of the following characters: ! # $ % - _ = + < >. This value is available in API version 33.0 and later.
expiration Expiration (enumeration of type string)
Required. The length of time until all user passwords expire and must be changed. Valid values are:
  • Never
  • ThirtyDays
  • SixtyDays
  • NinetyDays. This is the default value.
  • SixMonths
  • OneYear
minimumPasswordLifetime boolean Indicates whether a one-day minimum password lifetime is required (true) or not (false). This field is available in API version 33.0 and later.
passwordAssistanceURL string The URL that users can click to retrieve forgotten passwords.
passwordAssistanceMessage string The text that appears in the Account Lockout email and at the bottom of the Confirm Identity screen for users resetting their passwords.
historyRestriction string Required. The number of previous passwords saved for users so that they must always reset a new, unique password. Valid values are 0 through 24 passwords remembered. The maximum value of 24 applies to API version 33.0 and later. In earlier versions, the maximum value is 16. The default value is 3.
lockoutInterval LockoutInterval (enumeration of type string)
Required. The duration of the login lockout. Valid values are:
  • FifteenMinutes. This is the default value.
  • ThirtyMinutes
  • SixtyMinutes
  • Forever (must be reset by admin)
maxLoginAttempts MaxLoginAttempts (enumeration of type string)
Required. The number of login failures allowed for a user before they become locked out. Valid values are:
  • NoLimit
  • ThreeAttempts
  • FiveAttempts
  • TenAttempts. This is the default value.
minPasswordLength MinPasswordLength (enumeration of type string)
Required. The minimum number of characters required for a password. Valid values are:
  • FiveCharacters
  • EightCharacters. This is the default value.
  • TenCharacters
  • TwelveCharacters (This value is available in API version 33.0 and later.)
obscureSecretAnswer boolean Hides the secret answer associated with a password (true) or not (false).

Note: If your organization uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, ASCII characters typed in normal text fields are converted into Japanese characters. The IME does not work properly in fields with obscured text, so if your organization's users cannot enter their passwords or other values correctly after enabling this feature, disable it.

questionRestriction QuestionRestriction (enumeration of type string)
Required. The restriction on whether the answer to the password hint question can contain the password itself. Valid values are:
  • None
  • DoesNotContainPassword. This is the default value.

SessionSettings

Represents your organization’s session expiration and security settings.

Field Field Type Description
disableTimeoutWarning boolean Indicates whether the session timeout warning popup is disabled (true) or enabled (false).
enableCSRFOnGet boolean Indicates whether Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is enabled (true) or disabled (false).
enableCSRFOnPost boolean Indicates whether Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is enabled (true) or disabled (false).
enableCacheAndAutocomplete boolean Indicates whether the user’s browser is allowed to store user names and auto-fill the User Name field on the login page (true) or not (false).
enableClickjackNonsetupSFDC boolean Indicates whether clickjack protection for non-setup Salesforce pages is enabled (true) or disabled (false).
enableClickjackNonsetupUser boolean Indicates whether clickjack protection for non-setup customer pages is enabled (true) or disabled (false).
enableClickjackSetup boolean Indicates whether clickjack protection for setup pages is enabled (true) or disabled (false).
enablePostForSessions boolean Indicates whether cross-domain session information is exchanged using a POST request instead of a GET request, for example when a user loads a Visualforce page (true) or not (false). POST is preferred here because a session identifier carried in a GET URL can be exposed through browser history, Referer headers, and proxy or server logs. Available in API version 31.0 and later.
enableSMSIdentity boolean Indicates whether users can receive a one-time PIN delivered via SMS (true) or not (false).
forceLogoutOnSessionTimeout boolean Indicates whether sessions that time out through inactivity are invalidated (true) or not (false). When enabled, the browser is automatically refreshed and returned to the login page, and the user must log in again to access the organization. Available in API version 31.0 and later.
forceRelogin boolean Indicates whether an administrator that is logged in as another user is required to log in again to their original session, after logging out as the secondary user (true) or not (false).
lockSessionsToDomain boolean Indicates whether the current UI session for a user, such as a community user, is associated with a specific domain to help prevent unauthorized use of the session ID in another domain. This is enabled by default for organizations created with the Spring ’15 release or later. Available in API version 33.0 and later.
lockSessionsToIp boolean Indicates whether user sessions are locked to the IP address from which the user logged in (true) or not (false). Enabling this can log out users whose IP address changes mid-session, such as mobile users or users behind load-balanced proxies.
sessionTimeout SessionTimeout (enumeration of type string)
The length of time after which users without activity are prompted to log out or continue working. Valid values are:
  • FifteenMinutes
  • ThirtyMinutes
  • SixtyMinutes
  • TwoHours
  • FourHours
  • EightHours
  • TwelveHours

Declarative Metadata Sample Definition

This is a sample Security.settings metadata file.

<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <!-- Deploying this block replaces every existing trusted range with the ones listed here. -->
    <networkAccess>
        <ipRanges>
            <end>127.0.0.1</end>
            <start>127.0.0.1</start>
        </ipRanges>
    </networkAccess>
    <passwordPolicies>
        <apiOnlyUserHomePageURL>http://www.altPage.com</apiOnlyUserHomePageURL>
        <complexity>SpecialCharacters</complexity>
        <expiration>OneYear</expiration>
        <passwordAssistanceURL>http://www.acme.com/forgotpassword</passwordAssistanceURL>
        <passwordAssistanceMessage>Forgot your password? Reset it here.</passwordAssistanceMessage>
        <historyRestriction>3</historyRestriction>
        <lockoutInterval>ThirtyMinutes</lockoutInterval>
        <maxLoginAttempts>ThreeAttempts</maxLoginAttempts>
        <minPasswordLength>TenCharacters</minPasswordLength>
        <questionRestriction>None</questionRestriction>
    </passwordPolicies>
    <sessionSettings>
        <disableTimeoutWarning>true</disableTimeoutWarning>
        <!-- This sample leaves CSRF protection for non-setup pages disabled; see SessionSettings above. -->
        <enableCSRFOnGet>false</enableCSRFOnGet>
        <enableCSRFOnPost>false</enableCSRFOnPost>
        <enableCacheAndAutocomplete>false</enableCacheAndAutocomplete>
        <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
        <enableClickjackNonsetupUser>true</enableClickjackNonsetupUser>
        <enableClickjackSetup>true</enableClickjackSetup>
        <enableSMSIdentity>true</enableSMSIdentity>
        <forceRelogin>true</forceRelogin>
        <lockSessionsToIp>true</lockSessionsToIp>
        <sessionTimeout>TwelveHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
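The field tables above spell out which value of each PasswordPolicies and SessionSettings option turns a protection off, which makes the file easy to lint before it is deployed. The script below is an added example, not Salesforce's own tooling: it parses a Security.settings file and reports the values that the tables describe as disabling a protection or as the weakest available option (CSRF and clickjack protection off, NoRestriction complexity, NoLimit login attempts, the five-character minimum, a zero password history, a hint answer allowed to contain the password, the longest TwelveHours timeout) and also flags redirect URLs served over plain http. The set of checks and their wording are this example's choices; SAMPLE is a constructed copy of the password and session settings from the page's sample file, and optional fields that are absent are left unreported because their default is not in the file.

```python
"""Pre-deploy audit of a Salesforce Security.settings file.

Added example, not Salesforce's own tooling. The checks mirror the values
this page's field tables describe as disabling a protection; thresholds and
messages are this example's choices, and SAMPLE is constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# (path below <SecuritySettings>, value that triggers a finding, message)
WEAK_VALUES = [
    ("sessionSettings/enableCSRFOnGet", "false", "CSRF protection on GET requests is disabled"),
    ("sessionSettings/enableCSRFOnPost", "false", "CSRF protection on POST requests is disabled"),
    ("sessionSettings/enableClickjackSetup", "false", "clickjack protection for setup pages is disabled"),
    ("sessionSettings/enableClickjackNonsetupSFDC", "false", "clickjack protection for non-setup Salesforce pages is disabled"),
    ("sessionSettings/enableClickjackNonsetupUser", "false", "clickjack protection for non-setup customer pages is disabled"),
    ("sessionSettings/enableCacheAndAutocomplete", "true", "browser may store user names for the login page"),
    ("sessionSettings/lockSessionsToDomain", "false", "sessions are not locked to the issuing domain"),
    ("sessionSettings/sessionTimeout", "TwelveHours", "session timeout is the longest available value"),
    ("passwordPolicies/complexity", "NoRestriction", "password complexity is NoRestriction, the least secure option"),
    ("passwordPolicies/maxLoginAttempts", "NoLimit", "no lockout after repeated login failures"),
    ("passwordPolicies/minPasswordLength", "FiveCharacters", "minimum password length is five characters"),
    ("passwordPolicies/historyRestriction", "0", "previous passwords may be reused immediately"),
    ("passwordPolicies/questionRestriction", "None", "hint answer may contain the password itself"),
]
URL_FIELDS = ("passwordPolicies/apiOnlyUserHomePageURL",
              "passwordPolicies/passwordAssistanceURL")


def _text(root: ET.Element, path: str) -> str | None:
    """Text of the element at a slash-separated path, with each step namespace-qualified."""
    node = root.find("/".join(NS + part for part in path.split("/")))
    return node.text.strip() if node is not None and node.text else None


def audit_security_settings(xml_text: str) -> list[tuple[str, str]]:
    """Return (field path, message) per weak setting; an empty list means nothing flagged.
    Fields absent from the file are not reported: their default is not in the file."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []
    for path, weak, message in WEAK_VALUES:
        if _text(root, path) == weak:
            findings.append((path, f"{message} ({path}={weak})"))
    for path in URL_FIELDS:
        url = _text(root, path)
        if url and url.lower().startswith("http://"):
            findings.append((path, f"redirect target uses plain http ({url})"))
    return findings


# Constructed sample: the passwordPolicies and sessionSettings from this page's sample file.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <apiOnlyUserHomePageURL>http://www.altPage.com</apiOnlyUserHomePageURL>
        <complexity>SpecialCharacters</complexity>
        <expiration>OneYear</expiration>
        <passwordAssistanceURL>http://www.acme.com/forgotpassword</passwordAssistanceURL>
        <historyRestriction>3</historyRestriction>
        <lockoutInterval>ThirtyMinutes</lockoutInterval>
        <maxLoginAttempts>ThreeAttempts</maxLoginAttempts>
        <minPasswordLength>TenCharacters</minPasswordLength>
        <questionRestriction>None</questionRestriction>
    </passwordPolicies>
    <sessionSettings>
        <disableTimeoutWarning>true</disableTimeoutWarning>
        <enableCSRFOnGet>false</enableCSRFOnGet>
        <enableCSRFOnPost>false</enableCSRFOnPost>
        <enableCacheAndAutocomplete>false</enableCacheAndAutocomplete>
        <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
        <enableClickjackNonsetupUser>true</enableClickjackNonsetupUser>
        <enableClickjackSetup>true</enableClickjackSetup>
        <enableSMSIdentity>true</enableSMSIdentity>
        <forceRelogin>true</forceRelogin>
        <lockSessionsToIp>true</lockSessionsToIp>
        <sessionTimeout>TwelveHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
"""

if __name__ == "__main__":
    for path, message in audit_security_settings(SAMPLE):
        print(f"{path}: {message}")
```

Against the page's sample the audit reports both CSRF settings, the TwelveHours timeout, the None question restriction, and the two http URLs; a file with those six values corrected passes clean. Wire the function into the deploy pipeline and fail the build on any finding so a weakened Security.settings cannot ship unnoticed.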