Salesforce Developer Security High Security Sessions

// Salesforce - Developer - Security - High Security Sessions:

You can restrict access to certain types of resources based on the level of 
security associated with the authentication (login) method for the user’s 
current session. By default, each login method has one of two security levels: 
Standard or High Assurance. You can change the session security level and define 
policies so specified resources are only available to users with a High 
Assurance level.

By default, the following authentication methods are assigned these security 
levels:

1. Username and Password — Standard
2. Delegated Authentication — Standard
3. Two-Factor Authentication — High Assurance
4. Authentication Provider — Standard
5. SAML — Standard

Currently, the only features that use session-level security are connected apps, 
reports, and dashboards. You can set policies requiring High Assurance on these 
types of resources and specify an action to take if the session used to access 
the resource is not High Assurance. The two supported actions are: 

1. Block — This blocks access to the resource by showing an insufficient 
   privileges error.

2. Raise session level — This redirects you to a Two-Factor Authentication flow 
   for raising the session’s security level to High Assurance. Once you complete 
   the flow successfully, you can access the resource.

To set a High Assurance required policy for accessing a connected app:

1. From Setup, go to Administer -> Manage Apps -> Connected Apps.

2. Click Edit next to the connected app.

3. Select High Assurance session required.

4. Select one of the two actions presented.

5. Click Save.

To set a High Assurance required policy for accessing reports and dashboards:

1. From Setup, go to Build -> Customize -> Reports & Dashboards -> Access 
   Policies.

2. Select High Assurance session required.

3. Select one of the three actions presented.

4. Click Save.

The session levels have no impact on any resources in the app other than 
connected apps, reports, and dashboards for which explicit security policies 
have been defined.
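
For a custom Apex controller, which these policies do not cover, the code can read the current session's level itself and mirror the two actions above. This is an added example, not code from the original page or from Salesforce; the class, enum and method names are hypothetical, and it assumes the caller runs in an interactive user session.

```apex
// Added example: hypothetical helper, not platform or page code.
public with sharing class HighAssuranceGate {

    public class InsufficientSessionException extends Exception {}

    // Mirrors the two policy actions described on this page.
    public enum FailureAction { BLOCK, RAISE_SESSION_LEVEL }

    // True when the running user's current session is High Assurance.
    public static Boolean isHighAssurance() {
        // getCurrentSession() returns the session attributes as strings.
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        return session != null
            && session.get('SessionSecurityLevel') == 'HIGH_ASSURANCE';
    }

    // Returns null when access may proceed. Otherwise throws (BLOCK) or
    // returns the verification page to redirect to (RAISE_SESSION_LEVEL).
    public static PageReference enforce(FailureAction onFailure, String returnUrl) {
        if (isHighAssurance()) {
            return null;
        }
        if (onFailure == FailureAction.BLOCK) {
            throw new InsufficientSessionException(
                'Insufficient privileges: High Assurance session required.');
        }
        // Accept only a site-relative return path so the step-up flow
        // cannot be used as an open redirect.
        if (String.isBlank(returnUrl) || !returnUrl.startsWith('/')
                || returnUrl.startsWith('//')) {
            returnUrl = '/';
        }
        String verifyUrl = Auth.SessionManagement.generateVerificationUrl(
            Auth.VerificationPolicy.HIGH_ASSURANCE,
            'Verify your identity to continue',
            returnUrl);
        return new PageReference(verifyUrl);
    }
}
```

A Visualforce action method can return the result of `enforce(...)` directly: a null return leaves the user on the page, and a non-null one sends them through verification first.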