Login Access Policies control whether admins can grant themselves Login As access to other users. Login As lets an admin impersonate another user for support — but it's a powerful feature requiring careful policy. The Setup page configures the policies.
- Open Setup → Login Access Policies
Setup gear → Quick Find: Login Access → Login Access Policies.
- Tick Administrators Can Log in as Any User
Org-wide toggle. When ON, admins with the right permission can Login As anyone without per-user opt-in. When OFF, users must individually grant access.
- Configure per-user grant requirements
When the org-wide toggle is OFF, each user can grant time-bound access via their personal settings — Settings → Personal Information → Grant Login Access.
- Save
Policy applies. Login As is then governed by the policy.
Org-wide toggle. ON = admins can impersonate anyone. OFF = users opt-in per-grant.
When users opt-in, they pick a duration (1 day, 1 week, 1 month, indefinite).
Login As actions are logged in Setup Audit Trail and Login History — both delegator and impersonated user are visible.
- Administrators Can Log in as Any User is OFF by default in newer orgs. Enabling it makes Login As frictionless but increases blast radius if an admin account is compromised.
- Login As actions are fully logged. Setup Audit Trail and Login History both record both the admin (delegator) and the impersonated user — pull from both columns when investigating.
- Some user permissions can't be exercised via Login As — e.g. password reset for the impersonated user. Document the limits so admins don't get stuck mid-support.