Metadata API Developer Guide

Getting Started
Using Metadata API
Reference
File-Based Calls
CRUD-Based Calls
Utility Calls
Result Objects
Metadata Types
Metadata Components and Types
Unsupported Metadata Types
Special Behavior in Metadata API Deployments
ActionLinkGroupTemplate
AnalyticSnapshot
ArticleType
ApexClass
ApexComponent
ApexPage
ApexTestSuite
ApexTrigger
AppMenu
ApprovalProcess
AssignmentRules
AuraDefinitionBundle
AuthProvider
AutoResponseRules
CallCenter
CampaignInfluenceModel
Certificate
CleanDataService
Community (Zone)
CommunityTemplateDefinition
CommunityThemeDefinition
ConnectedApp
ContentAsset
CorsWhitelistOrigin
CustomApplication
CustomApplicationComponent
CustomFeedFilter
CustomLabels
Custom Metadata Types (CustomObject)
CustomObject
CustomObjectTranslation
CustomPageWebLink
CustomPermission
CustomSite
CustomTab
CustomValue
Dashboard
DataCategoryGroup
DelegateGroup
Document
DuplicateRule
EmailTemplate
EntitlementProcess
EntitlementTemplate
EscalationRules
ExternalDataSource
FlexiPage
Flow
FlowDefinition
Folder
GlobalPicklist
GlobalPicklistValue
GlobalValueSet
GlobalValueSetTranslation
Group
HomePageComponent
HomePageLayout
InstalledPackage
KeywordList
Layout
Letterhead
LiveChatAgentConfig
LiveChatButton
LiveChatDeployment
LiveChatSensitiveDataRule
ManagedTopics
MatchingRule
Metadata
MetadataWithContent
MilestoneType
ModerationRule
NamedCredential
Network
Package
PathAssistant
PermissionSet
PlatformCachePartition
Portal
PostTemplate
Profile
Queue
QuickAction
RemoteSiteSetting
Report
ReportType
Role
RoleOrTerritory
SamlSsoConfig
Scontrol
Settings
AccountSettings
ActivitiesSettings
AddressSettings
BusinessHoursSettings
CaseSettings
ChatterAnswersSettings
CompanySettings
ContractSettings
EntitlementSettings
ForecastingSettings
IdeasSettings
KnowledgeSettings
LiveAgentSettings
MobileSettings
NameSettings
OpportunitySettings
OrderSettings
OrgPreferenceSettings
PathAssistantSettings
ProductSettings
QuoteSettings
SearchSettings
SecuritySettings
Territory2Settings
SharedTo
SharingBaseRule
SharingRules
SharingSet
SiteDotCom
Skill
StandardValueSet
StandardValueSetTranslation
StaticResource
SynonymDictionary
Territory
Territory2
Territory2Model
Territory2Rule
Territory2Type
TransactionSecurityPolicy
Translations
WaveApplication
WaveDataflow
WaveDashboard
WaveDataset
WaveLens
WaveTemplateBundle
Workflow
Headers
Appendices
Glossary
PDF

Newer Version Available

This content describes an older version of this product. View Latest

SecuritySettings

Represents an organization’s security settings. Security settings define trusted IP ranges for network access, password and login requirements, and session expiration and security settings.

In the package manifest, all organization settings metadata types are accessed using the “Settings” name. See Settings for more details.

Declarative Metadata File Suffix and Directory Location

SecuritySettings values are stored in a single file named Security.settings in the settings directory. The .settings files are different from other named components because there is only one settings file for each settings component.

SecuritySettings is no longer available in API versions 25.0 and 26.0.

Note

Version

Security settings are available in API version 27.0 and later.

Fields

Field Name Field Type Description
networkAccess NetworkAccess The trusted IP address ranges from which users can always log in without requiring computer activation.
passwordPolicies PasswordPolicies The requirements for passwords and logins, and assistance with retrieving forgotten passwords.
sessionSettings SessionSettings The settings for session expiration and security.

NetworkAccess

Represents your organization’s trusted IP address ranges for network access.

Field Field Type Description
ipRanges IpRange[] The trusted IP address ranges from which users can always log in without requiring computer activation.

In order to add an IP range, deploy all existing IP ranges, as well as the one you want to add. Otherwise, the existing IP ranges are replaced with the ones you deploy. To remove all the IP ranges in an organization, leave the networkAccess field blank (<networkAccess></networkAccess>).

Note

IpRange

Defines a range of trusted IP addresses for network access.

Field Field Type Description
description string The description of the trusted IP range. Use this field to identify the range, such as which corporate network corresponds to this range. This field is available in API version 34.0 and later.
end string The IP address that defines the high end of a range of trusted addresses.
start string The IP address that defines the low end of a range of trusted addresses.

PasswordPolicies

Represents your organization’s password and login policies.

Field Field Type Description
apiOnlyUserHomePageURL string The URL to which users with the “API Only User” permission are redirected instead of the login page.
complexity Complexity (enumeration of type string)
Required. The requirement for which types of characters must be used in a user’s password. Valid values are:
  • NoRestriction—allows any password value and is the least secure option.
  • AlphaNumeric—requires at least one alphabetic character and one number. This value is the default value.
  • SpecialCharacters—requires at least one alphabetic character, one number, and one of the following characters: ! # $ % - _ = + < >.
  • UpperLowerCaseNumeric—requires at least one number, one uppercase letter, and one lowercase letter. This value is available in API version 31.0 and later.
  • UpperLowerCaseNumericSpecialCharacters—requires at least one number, one uppercase letter, and one lowercase letter, and one of the following characters: ! # $ % - _ = + < >. This value is available in API version 31.0 and later.
expiration Expiration (enumeration of type string)
Required. The length of time until user passwords expire and must be changed. Valid values are:
  • Never
  • ThirtyDays
  • SixtyDays
  • NinetyDays. This value is the default value.
  • SixMonths
  • OneYear
minimumPasswordLifetime boolean Indicates whether a one-day minimum password lifetime is required (true) or not (false). This field is available in API version 31.0 and later.
passwordAssistanceURL string The URL that users can click to retrieve forgotten passwords.
passwordAssistanceMessage string The text that appears in the Account Lockout email and at the bottom of the Confirm Identity screen for users resetting their passwords.
historyRestriction string Required. The number of previous passwords saved for users so that they must always reset a new, unique password. Valid values are 0 through 24 passwords remembered. The maximum value of 24 applies to API version 31.0 and later. In earlier versions, the maximum value is 16. The default value is 3.
lockoutInterval LockoutInterval (enumeration of type string)
Required. The duration of the login lockout. Valid values are:
  • FifteenMinutes. This value is the default value.
  • ThirtyMinutes
  • SixtyMinutes
  • Forever (must be reset by admin)
maxLoginAttempts MaxLoginAttempts (enumeration of type string)
Required. The number of login failures allowed for a user before they become locked out. Valid values are:
  • NoLimit
  • ThreeAttempts
  • FiveAttempts
  • TenAttempts. This value is the default value.
minimumPasswordLength string

Required. The minimum number of characters required for a password. Valid values are from 5 to 50. The default value is 8. This field is available in API version 35.0 and later.

Before API version 35.0, specify minimum password length with the enumeration minPasswordLength, with valid values FiveCharacters, EightCharacters (default), TenCharacters, TwelveCharacters (API version 31.0 and later), and FifteenCharacters ( API version 34.0 and later).
obscureSecretAnswer boolean Hides the secret answer associated with a password (true) or not (false).

If your org uses the Microsoft Input Method Editor (IME) with the input mode set to Hiragana, when you type ASCII characters, they’re converted in Japanese characters in normal text fields. However, the IME doesn’t work properly in fields with obscured text. If your org’s users cannot properly enter their passwords or other values after enabling this feature, disable the feature.

Note
questionRestriction QuestionRestriction (enumeration of type string)
Required. The restriction on whether the answer to the password hint question can contain the password itself. Valid values are:
  • None
  • DoesNotContainPassword. This value is the default value.

SessionSettings

Represents your organization’s session expiration and security settings.

Field Field Type Description
disableTimeoutWarning boolean Indicates whether the session timeout warning popup is disabled (true) or enabled (false).
enableCSPOnEmail boolean Indicates whether a content security policy is enabled for the email template. A content security policy helps prevent cross-site scripting attacks by whitelisting sources of images and other content.
enableCSRFOnGet boolean Indicates whether Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is enabled (true) or disabled (false).
enableCSRFOnPost boolean Indicates whether Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is enabled (true) or disabled (false).
enableCacheAndAutocomplete boolean Indicates whether the user’s browser is allowed to store user names and auto-fill the User Name field on the login page (true) or not (false).
enableClickjackNonsetupSFDC boolean Indicates whether clickjack protection for non-setup Salesforce pages is enabled (true) or disabled (false).
enableClickjackNonsetupUser boolean Indicates whether clickjack protection for customer Visualforce pages with standard headers turned on is enabled (true) or disabled (false).
enableClickjackNonsetupUserHeaderless boolean Indicates whether clickjack protection for customer Visualforce pages with standard headers turned off is enabled (true) or disabled (false). Available in API version 34.0 and later.
enableClickjackSetup boolean Indicates whether clickjack protection for setup pages is enabled (true) or disabled (false).
enablePostForSessions boolean Indicates whether cross-domain session information is exchanged using a POST request instead of a GET request, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests. Available in API version 31.0 and later.
enableSMSIdentity boolean Indicates whether users can receive a one-time PIN delivered via SMS (true) or not (false).
enforceIpRangesEveryRequest boolean If true, the IP addresses in Login IP Ranges are enforced when a user accesses Salesforce (on every page request), including access from a client application. If false, the IP addresses in Login IP Ranges are enforced only when a user logs in. This field affects all user profiles that have login IP restrictions. Available in API version 34.0 and later.
forceLogoutOnSessionTimeout boolean Indicates that when sessions time out for inactive users, current sessions become invalid. The browser refreshes and returns to the login page. To access the org, the user must log in again. Enabled (true) or not (false). Available in API version 31.0 and later.
forceRelogin boolean If true, an administrator that is logged in as another user is required to log in again to their original session, after logging out as the secondary user. If false, the administrator is not required to log in again.
lockSessionsToDomain boolean Indicates whether the current UI session for a user, such as a community user, is associated with a specific domain. This check helps prevent unauthorized use of the session ID in another domain. The value is true by default for organizations created with the Spring ’15 release or later. Available in API version 33.0 and later.
lockSessionsToIp boolean Indicates whether user sessions are locked to the IP address from which the user logged in (true) or not (false).
logoutURL string The URL to which users are redirected when they log out of Salesforce. If no value is specified, the default is https://login.salesforce.com unless MyDomain is enabled. If My Domain is enabled, the default is https://customdomain.my.salesforce.com. Available in API version 34.0 and later.
sessionTimeout SessionTimeout (enumeration of type string)
The length of time after which users without activity are prompted to log out or continue working. Valid values are:
  • FifteenMinutes
  • ThirtyMinutes
  • SixtyMinutes
  • TwoHours
  • FourHours
  • EightHours
  • TwelveHours

Declarative Metadata Sample Definition

The following is a sample security.settings metadata file.

1<?xml version="1.0" encoding="UTF-8"?>
2<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
3    <networkAccess>
4        <ipRanges>
5            <end>127.0.0.1</end>
6            <start>127.0.0.1</start>
7        </ipRanges>
8    </networkAccess>
9    <passwordPolicies>
10        <apiOnlyUserHomePageURL>http://www.altPage.com</apiOnlyUserHomePageURL>
11        <complexity>SpecialCharacters</complexity>
12        <expiration>OneYear</expiration>
13        <passwordAssistanceURL>http://www.acme.com/forgotpassword</passwordAssistanceURL>
14        <passwordAssistanceMessage>Forgot your password? Reset it here.</passwordAssistanceMessage>
15        <historyRestriction>3</historyRestriction>
16        <lockoutInterval>ThirtyMinutes</lockoutInterval>
17        <maxLoginAttempts>ThreeAttempts</maxLoginAttempts>
18        <minimumPasswordLength>10</minPasswordLength>
19        <questionRestriction>None</questionRestriction>
20    </passwordPolicies>
21    <sessionSettings>
22        <disableTimeoutWarning>true</disableTimeoutWarning>
23        <enableCSRFOnGet>false</enableCSRFOnGet>
24        <enableCSRFOnPost>false</enableCSRFOnPost>
25        <enableCacheAndAutocomplete>false</enableCacheAndAutocomplete>
26        <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
27        <enableClickjackNonsetupUser>true</enableClickjackNonsetupUser>
28        <enableClickjackSetup>true</enableClickjackSetup>
29        <enableSMSIdentity>true</enableSMSIdentity>
30        <forceRelogin>true</forceRelogin>
31        <lockSessionsToIp>true</lockSessionsToIp>
32        <sessionTimeout>TwelveHours</sessionTimeout>
33    </sessionSettings>
34</SecuritySettings>