Configure Access Settings

Limit access based on IP addresses. If you don't provide an allowlist or blocklist, the feature isn't active and these settings have no effect.

Business Manager IP allowlists and blocklists serve to lock out attackers who have, through illegitimate means, obtained valid credentials: for example, a former employee who obtained credentials while employed, or non-employees who obtained them through social engineering. These lists aren't intended to prevent brute force attacks.

If you log into Business Manager, and you aren't using Unified Authentication, these lists apply before your credentials are verified.

If you log in using WebDAV or the agent user login process, and you aren't using Unified Authentication, the lists apply after your credentials are verified.

If you log in using Unified Authentication, regardless of how you log in, these lists apply after your credentials are verified.

  1. Select Administration > Global Preferences > Security.
  2. On the Access Restriction tab, enter a range of allowlisted IP addresses allowed to access Business Manager.
  3. Enter a range of blocklisted IP addresses not allowed to access Business Manager.
    If an IP address is both blocklisted and allowlisted, it's denied access.
  4. Select whether you want invalid login attempts recorded to the error log.
  5. To have an email sent when an invalid login attempt occurs, enter one or more email addresses, separated by a semicolon.
    If you don't provide an email address, no email is sent.
  6. Select whether you want to block login access from IP addresses that aren't specifically allowlisted.
    If this option isn't selected, IP addresses that aren't specifically allowlisted can access Business Manager.
  7. Select whether you want invalid login attempts to count toward the Failed Login Count.
    Choosing this option can result in a user being locked out.
  8. Click Apply.
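
Before clicking Apply, it helps to check which administrator source addresses the planned lists would lock out. The following is an added example, not Salesforce code: it models the precedence rules stated on this page (blocklist wins over allowlist, unlisted addresses are allowed unless step 6 is selected, no lists means the feature is inactive) and the before/after ordering relative to credential verification. The function names, the CIDR notation for ranges, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def _listed(ip, ranges):
    # Assumption: ranges are written as CIDR blocks or single addresses.
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)

def decide(ip_str, allowlist, blocklist, block_unlisted):
    """Return (allowed, reason) under the precedence rules described on this page."""
    if not allowlist and not blocklist:
        return True, "feature inactive: no lists configured"
    ip = ipaddress.ip_address(ip_str)
    if _listed(ip, blocklist):
        return False, "blocklisted (denied even if also allowlisted)"
    if _listed(ip, allowlist):
        return True, "allowlisted"
    if block_unlisted:
        return False, "not specifically allowlisted"
    return True, "unlisted, and unlisted addresses are permitted"

def check_phase(login_path, unified_auth):
    """Whether the lists apply 'before' or 'after' credential verification."""
    if login_path not in ("business_manager", "webdav", "agent_user"):
        raise ValueError(f"unknown login path: {login_path}")
    if unified_auth or login_path != "business_manager":
        return "after"
    return "before"

def lockout_preflight(admin_ips, allowlist, blocklist, block_unlisted):
    """Admin source addresses that would be denied if these settings were applied."""
    return [ip for ip in admin_ips
            if not decide(ip, allowlist, blocklist, block_unlisted)[0]]

# Constructed sample data using RFC 5737 documentation ranges.
ALLOW = ["192.0.2.0/24"]
BLOCK = ["192.0.2.128/25", "203.0.113.7"]
ADMINS = ["192.0.2.10", "192.0.2.200", "198.51.100.5"]

if __name__ == "__main__":
    for ip in ADMINS:
        print(ip, decide(ip, ALLOW, BLOCK, block_unlisted=True))
    print("would be locked out:", lockout_preflight(ADMINS, ALLOW, BLOCK, True))
    print("Business Manager login without Unified Authentication:",
          check_phase("business_manager", False))
```

Here 192.0.2.200 falls in both lists and is denied, and 198.51.100.5 is denied only when the step 6 option is selected.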