Ron Maffrand

How best to change a user with system administrator profile to different profile with non-expiry password

We have an API user with the system administrator profile that we wish to have cloned to a custom profile with everything the same except that the password does not expire.

Is this a bad practice? Reason, we have SOA processes that are failing when the password is set to expire. Need to ensure the dependent processes are not affected by enforced password policy.

All Answers

Puneet Bajaj 3
Hi Ron,

You can clone the system administrator profile to create a custom profile.
Then go to:
Setup->Manage Users->Profiles->Click on Custom Profile name
Click Edit and scroll down to "Password Policies" section and then select "Never Expires" for "User Password Expires in"

Hope this helps!!

Thanks,
Puneet
 
Ron Maffrand
Hi Puneet, Yes, I plan to follow your suggestion. However, am I taking any unnecessary risks security-wise by not having the password expire for such a powerful user profile? Thanks, Ron
Puneet Bajaj 3
Hi Ron,
It is not recommended to set it to 'Password never expires'; however, for integrations (since you have an API user), this should be fine as long as you follow the points below:
1. As soon as you clone the system admin profile and make a new custom profile, disable/hide all the things that are not required for this integration user.
2. Enable IP address restrictions.
3. On the new custom profile, provide access to only objects that are required for this integration.
4. Turn off all the tabs.
5. Follow the principle of least privilege. Please do not give any extra permission that this API user does not require.

Hope this helps!!

Thanks,
Puneet
This was selected as the best answer
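Added example, not from the thread: a small audit that checks a profile's metadata against the points above (IP restrictions, no broad permissions, tabs hidden) whenever its password is set to never expire. It assumes the Salesforce Metadata API `Profile` elements `loginIpRanges`, `userPermissions` and `tabVisibilities`; the permission watch list and both sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
# Assumed watch list: permissions an integration user rarely needs.
BROAD_PERMISSIONS = {"ModifyAllData", "ViewAllData", "ManageUsers", "AuthorApex"}

def audit_integration_profile(profile_xml: str, password_never_expires: bool) -> list:
    """Return findings for a profile whose password never expires; empty list = passes."""
    findings = []
    if not password_never_expires:
        return findings  # expiring passwords are outside the scope of these checks
    root = ET.fromstring(profile_xml)
    # Point 2: a never-expiring credential must at least be pinned to known source IPs.
    if not root.findall("sf:loginIpRanges", NS):
        findings.append("no login IP ranges: credential usable from any network")
    # Points 1, 3 and 5: strip anything broader than the integration needs.
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", namespaces=NS)
        enabled = perm.findtext("sf:enabled", namespaces=NS) == "true"
        if enabled and name in BROAD_PERMISSIONS:
            findings.append(f"broad permission enabled: {name}")
    # Point 4: an API-only user has no reason to see any tab.
    for tab in root.findall("sf:tabVisibilities", NS):
        if tab.findtext("sf:visibility", namespaces=NS) != "Hidden":
            findings.append(f"tab not hidden: {tab.findtext('sf:tab', namespaces=NS)}")
    return findings

# Constructed sample: a straight clone of System Administrator with nothing tightened.
WEAK_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
  <tabVisibilities><tab>standard-Account</tab><visibility>DefaultOn</visibility></tabVisibilities>
</Profile>"""

# Constructed sample: the same clone after applying the points in the answer.
HARDENED_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <loginIpRanges><startAddress>203.0.113.10</startAddress><endAddress>203.0.113.10</endAddress></loginIpRanges>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
  <tabVisibilities><tab>standard-Account</tab><visibility>Hidden</visibility></tabVisibilities>
</Profile>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_integration_profile(xml, password_never_expires=True))
```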
Ron Maffrand
Hi Puneet, Perfect! Exactly what I needed to know. Thank you so much!! Ron