IP Ranges on Profiles

  November 4, 2014       Digamber Prasad

So you’re the Salesforce admin of a company with over 50, possibly 100 profiles (though I’d question having so many, but that’s for another time). After analysing the security implications, your company has decided to put IP-based restrictions on access to your org. The network security team wants access to be limited to the office network, or to the VPN when outside the office. The organisation is global in nature and has 500+ possible IP addresses, with people of various profiles placed all over. Also, the deployment process involves migrating components through 4 Salesforce orgs (Dev Sandbox -> Test Sandbox -> UAT Sandbox -> Production). What would you do to set up these IP restrictions? You could:

a. Manually add the IPs to all profiles, which means creating something like 50+ profiles x 500+ IPs = 25,000 IP entries. Cumbersome to say the least, right? And what if the Networking team wants to test with a few IPs first and then add more in steps?

OR

b. Be a bit smarter (and braver) and use the Force.com IDE to add IP ranges to the profiles. Just add the 500 IPs to one profile and later copy & paste the same into the other profiles.

Here’s how you’d go about doing this (I’m talking about option b of course):

1. Create a project in the Force.com IDE and select the specific profiles which need the IP ranges to be specified.

[Screenshot: choosing the metadata components]

2. The project will look something like this in the Project Explorer:

[Screenshot: Project Explorer]

3. Open the profile on which you want to add IP ranges.

4. Wrap each IP range within the loginIpRanges tag, ensuring that the endAddress tag comes first, followed by the startAddress tag, as below:

<loginIpRanges>
     <endAddress>2.2.2.2</endAddress>
     <startAddress>2.0.0.1</startAddress>
</loginIpRanges>

5. After adding all the IP ranges within the respective tags as above, paste the tags into the profile in the IDE and save it to the server.

[Screenshot: test IP ranges]

6. Repeat the same for all the other profiles and bam, you’ve done in a few minutes what would have taken hours.

7. Review it by going to each profile in your browser to ensure that the updates have worked.

[Screenshot: profile with the test IP ranges]
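The copy & paste in steps 4 to 6 can also be scripted. The following is an added example, not part of the original post: it validates a list of CIDR blocks or start-end ranges and replaces the loginIpRanges blocks in a profile's XML with them. The sample profile, the range list and the function names are constructed for illustration, and the alphabetical insert position is an assumption about the file layout.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "http://soap.sforce.com/2006/04/metadata"  # Metadata API XML namespace
ET.register_namespace("", NS)

# Constructed sample: a minimal profile file and a range list from the network team
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <loginIpRanges>
        <endAddress>2.2.2.2</endAddress>
        <startAddress>2.0.0.1</startAddress>
    </loginIpRanges>
    <userLicense>Salesforce</userLicense>
</Profile>"""
NETWORK_TEAM_RANGES = ["203.0.113.0/24", "198.51.100.10-198.51.100.20", "203.0.113.0/24"]

def parse_range(spec):
    """Turn 'start-end' or CIDR 'addr/len' into a validated (start, end) pair."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
    else:
        net = ipaddress.ip_network(spec.strip(), strict=True)  # rejects host bits
        start, end = net[0], net[-1]
    if start.version != end.version or start > end:
        raise ValueError(f"invalid range: {spec}")
    return str(start), str(end)

def set_login_ip_ranges(profile_xml, specs):
    """Return the profile XML with its loginIpRanges replaced by `specs`."""
    root = ET.fromstring(profile_xml)
    tag = f"{{{NS}}}loginIpRanges"
    for old in root.findall(tag):
        root.remove(old)
    # Assumption: elements are kept in alphabetical order, as in retrieved files
    pos = sum(1 for child in root if child.tag < tag)
    ranges = sorted({parse_range(s) for s in specs},
                    key=lambda r: int(ipaddress.ip_address(r[0])))
    for start, end in ranges:
        block = ET.Element(tag)
        ET.SubElement(block, f"{{{NS}}}endAddress").text = end  # endAddress first
        ET.SubElement(block, f"{{{NS}}}startAddress").text = start
        root.insert(pos, block)
        pos += 1
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root, space="    ")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(set_login_ip_ranges(SAMPLE_PROFILE, NETWORK_TEAM_RANGES))
```

Because every profile is rewritten from the same validated list, a reversed or mistyped range is rejected once, before it can be pasted into 50+ files.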

Do you have experience with setting up profiles where the numbers are large? Ideas on a better approach? Use the comments section below to share it with the world.