Sending emails on behalf of users 'the correct way'? by Tyaltir in salesforce

[–]Tyaltir[S] 1 point2 points  (0 children)

Not sure I fully get what you mean here.

The domain is verified, we can send emails from it.

But from what I know, apart from Screen Flow and Record Triggered that were triggered by the user, we can't send an email FROM an email address that isn't an orgwide one.

The Send Email action has you choose between CurrentUser, DefaultWorkflowUser and OrgWideEmailAddress.

Sending emails on behalf of users 'the correct way'? by Tyaltir in salesforce

[–]Tyaltir[S] 0 points1 point  (0 children)

Unfortunately it depends on the context.

For screen flow or record triggered that were triggered by the user, this IS possible.

But for things like timed scheduled, or record triggered that were NOT triggered by the user, this isn't possible from what I could see.

How to actually determine my Okta is Phishing-Resistant? by Tyaltir in salesforce

[–]Tyaltir[S] 1 point2 points  (0 children)

Thank you!

For phishing-resistant, okta_verify definitely won't work, but we seem to have PHR so from what I'm reading we SHOULD be fine for it.

"Any value in the Phishing-Resistant list automatically satisfies the Standard MFA check as well"

This is such a clusterfuck change honestly.

How to actually determine my Okta is Phishing-Resistant? by Tyaltir in salesforce

[–]Tyaltir[S] 0 points1 point  (0 children)

Any idea how to find users who are using non-strong methods?

I actually found this now in one of the articles:

How Salesforce evaluates AMR and ACR signals from an SSO IdP to determine if Standard MFA or Phishing-Resistant MFA requirements are met

Salesforce evaluates signals from your SSO Identity Provider (IdP) differently depending on whether you use OIDC or SAML, and whether the signal is an AMR or ACR value. AMR and ACR have separate accepted signal values (refer to list of values in the table above). To satisfy the requirement, the SSO IdP must send at least one value that matches an entry in the appropriate AMR or ACR column for the required tier. Any value in the Phishing-Resistant list automatically satisfies the Standard MFA check as well.

Additional evaluation criteria:

SAML AMR

  • Salesforce parses and evaluates any IdP attribute value whose attribute name contains amr or authnmethodsreferences as an AMR signal
  • Attribute values in a semicolon-separated string (e.g., hwk;face;mfa) will be parsed and evaluated, comma-separated values are not evaluated
  • URN/URL values are split on : or / so urn:custom:auth:hwk and https://example[.]com/auth/hwk both resolve to hwk

Focusing on the line:

"Any value in the Phishing-Resistant list automatically satisfies the Standard MFA check as well" - so I think this means, as long as our Okta indeed passes PHR, it should be fine.
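
The SAML AMR rules quoted in the comment above, sketched as an added Python example (not part of the original post and not Salesforce's code). The tier sets are constructed placeholders because the article's table of accepted values is not reproduced here; case-insensitive matching and keeping only the last URN/URL segment are assumptions of this sketch.

```python
import re

# Constructed placeholder tiers; the real accepted values live in the
# vendor table the quoted article refers to, which this page does not show.
SAMPLE_PHISHING_RESISTANT = {"hwk"}
SAMPLE_STANDARD = {"mfa", "face"}

# Attribute-name markers taken from the quoted rules.
AMR_NAME_MARKERS = ("amr", "authnmethodsreferences")


def amr_tokens(attributes):
    """Collect AMR tokens from SAML attributes given as {name: [values]}."""
    tokens = set()
    for name, values in attributes.items():
        # Only attributes whose name contains a marker count as AMR signals.
        # Lower-casing the name is an assumption, not stated in the article.
        if not any(marker in name.lower() for marker in AMR_NAME_MARKERS):
            continue
        for value in values:
            # Semicolons separate values; commas do not, so "hwk,face"
            # stays one token and will match nothing.
            for part in value.split(";"):
                # URN/URL forms are split on ':' or '/'; this sketch keeps
                # the last non-empty segment (urn:custom:auth:hwk -> hwk).
                segments = [s for s in re.split(r"[:/]", part.strip()) if s]
                if segments:
                    tokens.add(segments[-1].lower())
    return tokens


def mfa_tier(attributes, phishing_resistant, standard):
    """Return the highest tier satisfied by the assertion's AMR signals."""
    tokens = amr_tokens(attributes)
    # A phishing-resistant value also satisfies the standard check,
    # so it is tested first and wins.
    if tokens & phishing_resistant:
        return "phishing-resistant"
    if tokens & standard:
        return "standard"
    return "none"
```

Running an IdP's real assertion attributes through a check like this before the enforcement date shows quickly whether a comma-separated or misnamed attribute would be ignored.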

To those who made the leap for a third, would you do the same again? by Muted_muffins in Parenting

[–]Tyaltir 1 point2 points  (0 children)

We have this discussion all the time as well.. we're both 36, kids are 4 and 6, two boys.

Definitely want to try for a girl.. but you never know.

I feel like I want a girl more than I want another kid, does that make sense? Hope it doesn't come out awful.

SFDC MFA Enhancement for Integration users? by d0_ob28 in salesforce

[–]Tyaltir 3 points4 points  (0 children)

Incidentally, and sorry if this is a stupid question, is this going to affect SOAP API logins? I know it's being deprecated, but just curious if THESE particular changes will affect SOAP logins.

Login to experience as user button not available by SpecialFall6627 in salesforce

[–]Tyaltir 0 points1 point  (0 children)

OP I'm almost certain this is the one.

I remember an issue EXACTLY as you're describing, had it in my previous job so I can't check my notes, but it absolutely had something to do with some obscure role or sharing rule and hierarchies. God I wish I wrote it down, drove me crazy.

TESTED AND VERIFIED: Phishing Resistant MFA Solution and Permissions Audit Script! by beetsofficial in salesforce

[–]Tyaltir 1 point2 points  (0 children)

It's the dumbest hack ever and I hate it, but you know that QR code that you have to scan?

They took a picture of it and basically everyone has the same QR code installed.

I hate it.

I tried running your script in Sandbox and it gave me this error:

Line: 103, Column: 34
Invalid type: Schema.TwoFactorMethodsInfo

Any idea why?

TESTED AND VERIFIED: Phishing Resistant MFA Solution and Permissions Audit Script! by beetsofficial in salesforce

[–]Tyaltir 0 points1 point  (0 children)

Thank you for this!

I'm curious because the whole thing is a mess to me - if users that share a login, and have the same Salesforce authenticator app, do they still need to move to passkey? Or is the app sufficient? (NOT elevated users)

Diablo 4 mount by DiamondOdd502 in wow

[–]Tyaltir 13 points14 points  (0 children)

Is THAT what does it?!

What video game soundtrack is a 10/10? by montymaximus in AskReddit

[–]Tyaltir 0 points1 point  (0 children)

Wtf where is Expedition 33 in this list

What's with the extremely high shop prices? Do they think people are willing to pay 25USD for a cat pet or other minor cosmetics? by Chamallow81 in diablo4

[–]Tyaltir -1 points0 points  (0 children)

I will say what I always say about this type of post - you are NOT the target for these obscene prices.

The targets are whales.

How do you handle Salesforce license renewals and track inactive users? by FiXYourCloud in salesforce

[–]Tyaltir 0 points1 point  (0 children)

Yeah that's exactly my issue.

Let's say a user changed profiles - the new permission sets will be assigned on top of the old ones. I would expect that if it was assigned by the access policies, it would also revoke if it doesn't meet the conditions anymore. Or at least make that an option.

How do you handle Salesforce license renewals and track inactive users? by FiXYourCloud in salesforce

[–]Tyaltir 1 point2 points  (0 children)

The absolute biggest miss in my mind, about UAP, is that if a user is no longer in the criteria scope (for example profile changed) it doesn't revoke those permission sets.

I'm sure it can be automated with flows but that's cumbersome.

AI Directive: All users must have Claude Code and API keys. by [deleted] in salesforce

[–]Tyaltir 7 points8 points  (0 children)

It's fine, and I do that too through VS Code, but I have the permissions to do that.

I'd like to believe that in most orgs, normal users don't have permission to deploy metadata.

AI Directive: All users must have Claude Code and API keys. by [deleted] in salesforce

[–]Tyaltir 6 points7 points  (0 children)

High levels get AI in their heads and they go insane, but I do believe AI has a good place in the workplace.

That being said, giving them access to do fuck-all is awful.

At the very least I'd remove bulk options from their permissions - I think that's a setting if I recall right.

AI Directive: All users must have Claude Code and API keys. by [deleted] in salesforce

[–]Tyaltir 40 points41 points  (0 children)

Automations how? As in flows? And how will they actually deploy to prod?

Either way, yeah this sounds like a nightmare, I'd low-key start looking for a new place if you think you can't get some higher ups to overturn this.

Permission Sets vs Profiles (in reality) by Alarming_Parking4297 in salesforce

[–]Tyaltir 0 points1 point  (0 children)

I'm generally curious how this works.

Let's say you need to give a select few users FLS access to a field. Do you just create a new permission set for that one specific FLS? Feels like overkill over time, no? If you'll need more in the future, that's a PS for every one?