This content describes an older version of this product.

Create Custom Transaction Security Policies

Create your own custom policies, triggered by specific events. Only an active user assigned the System Administrator profile can use this feature.
Available in: both Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions.

Requires purchasing Salesforce Shield or Salesforce Shield Event Monitoring add-on subscriptions.


User Permissions Needed
To create, edit, and manage transaction security policies: “Author Apex” AND “Customize Application”

  1. From Setup, enter Transaction Security in the Quick Find box, select Transaction Security, and then click New in Custom Transaction Security Policies.
  2. Enter the basic information fields for your new policy.
    • Enter a name and an API name for the policy. For clarity and easier maintenance, use similar values for the API name and the policy name. The API name can contain only underscores and alphanumeric characters and must be unique in your organization. It must begin with a letter, must not include spaces, must not end with an underscore, and must not contain two consecutive underscores.
    • Event Type—Determines the available actions. It can be one of the following:
      • Login—A user login. Login lets you set any combination of notifications, plus these actions:
        • Block access completely
        • Continue, but require two-factor authentication
        • Continue, but require the end of a current login session
      • Entity—An object type. Select a specific resource and the type of notifications desired.
      • Data Export—Notifies you if the selected object type has been exported using the Data Loader API client.
      • AccessResource—Notifies you when the selected resource has been accessed. You can block access or require two-factor authentication before access is allowed.
    • Notifications—You can select all, some, or no notification methods for each policy.
    • Recipient—Must be an active user assigned the System Administrator profile.
    • Real-time Actions—Specifies what to do when the policy is triggered. The available actions depend on the event type. Email and In-App notifications are always available. For login and resource events, you can also block the action or require a higher level of access control with two-factor authentication. For login events, you can require that an existing session be ended before the current session continues; you can set the default for this action to always close the oldest session.

      Note: Two-factor authentication is not available in Salesforce1 or Lightning Experience for the AccessResource event type. The Block action is used instead.

      Important: Don’t create a policy requiring the two-factor authentication action without first providing your users a way to get a time-based, one-time password. This password is their second authentication factor. Otherwise, if your users encounter a situation that requires a second authentication factor, they can’t finish their task, such as logging in or running a report.
    • You can use an existing class for Apex Policy or select Generate Apex to have a default policy class created that implements the TxnSecurity.PolicyCondition interface.
    • The user selected for Execute Policy As must have the System Administrator profile.
  3. You can optionally create a condition for a specific property as part of the policy. For example, you can create a policy that’s triggered when a report or dashboard is accessed from a specific source IP. The source IP is the property you’re checking.
    • The available properties depend on the event type selected.
    • For example, with Login events you can check whether a property changed within a given number of days, or whether a property exactly matches a given value.
  4. To enable a policy, select the policy’s checkbox. You can enable and disable policies according to your requirements.
  5. Click Save.
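The following Apex class is an added example written for this page; it is not the class that Generate Apex produces, and it is not code from the original documentation. It shows the two kinds of condition described in step 3 in one class: an AccessResource condition that fires when a report or dashboard is opened from an IP address outside an allow-list, and a Login condition that fires when the login comes from an address the user has not used in the last N days. Assumptions, all marked in comments: the class name, the placeholder IP addresses, the seven-day window, and the e.data keys 'SourceIp' (for AccessResource events) and 'LoginHistoryId' (for Login events). A saved policy is bound to a single event type, so in production you would keep only the branch that matches your policy's type; the dispatch on e.type is there to show both conditions side by side.

```apex
// Added example for this page, not generated by Transaction Security.
// Assumed: class name, IP allow-list values, look-back window, and the e.data keys used below.
global class SensitiveAccessPolicy implements TxnSecurity.PolicyCondition {

    // Constructed allow-list of corporate egress addresses (placeholder values).
    private static final Set<String> TRUSTED_IPS = new Set<String>{ '203.0.113.10', '203.0.113.11' };

    // Look-back window for "has this property changed recently" checks (assumed value).
    private static final Integer LOOKBACK_DAYS = 7;

    // Transaction Security calls evaluate() for every event of the policy's type.
    // Returning true triggers the policy's real-time actions; false means no action.
    public boolean evaluate(TxnSecurity.Event e) {
        if (e.type == 'AccessResource') {
            return isUntrustedResourceAccess(e);
        }
        if (e.type == 'Login') {
            return isLoginFromNewIp(e);
        }
        // A condition that never returns true means the policy never fires.
        return false;
    }

    // AccessResource: fire when the report or dashboard is opened from outside the allow-list.
    // Assumes e.data carries the requester's address under the 'SourceIp' key.
    private boolean isUntrustedResourceAccess(TxnSecurity.Event e) {
        String sourceIp = e.data.get('SourceIp');
        if (String.isBlank(sourceIp)) {
            // Fail closed: an event with no source address is treated as untrusted
            // rather than silently allowed through.
            return true;
        }
        return !TRUSTED_IPS.contains(sourceIp);
    }

    // Login: fire when this user has no prior successful login from the same address
    // within LOOKBACK_DAYS. Assumes e.data carries the LoginHistory record Id under
    // the 'LoginHistoryId' key.
    private boolean isLoginFromNewIp(TxnSecurity.Event e) {
        String historyId = e.data.get('LoginHistoryId');
        if (String.isBlank(historyId)) {
            return false;
        }
        LoginHistory current = [SELECT SourceIp FROM LoginHistory WHERE Id = :historyId LIMIT 1];
        if (String.isBlank(current.SourceIp)) {
            return false;
        }
        DateTime since = DateTime.now().addDays(-LOOKBACK_DAYS);
        // Count earlier successful logins by the same user from the same address in the window.
        Integer priorFromSameIp = [
            SELECT COUNT()
            FROM LoginHistory
            WHERE UserId = :e.userId
              AND SourceIp = :current.SourceIp
              AND Status = 'Success'
              AND LoginTime >= :since
              AND Id != :historyId
        ];
        return priorFromSameIp == 0;
    }
}
```

Select this class under Apex Policy instead of choosing Generate Apex, and assign an Execute Policy As user with the System Administrator profile. Pair the Login branch with the two-factor authentication action only after your users can obtain a time-based one-time password, as the Important note above says; pair the AccessResource branch with Block where two-factor authentication is unavailable. The fail-closed choice in isUntrustedResourceAccess is deliberate: a condition that quietly returns false on missing data turns into a policy that never fires.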

After saving your selection, you’re shown the editing page for your new policy. You can modify your policy here and review its Apex class.

If you didn’t specify a condition value before you generated the Apex class for a policy, you can add the condition later, and you can edit an existing condition at any time. Edit the Apex code to include a condition before you activate your policy: if the condition never returns true, your policy is never triggered. See Apex Policies for Transaction Security Notifications for examples.

You can create multiple policies for the same type of event, but we recommend that your policies and their actions don’t overlap. All the policies for a given event execute when the event occurs, but their order of execution is not guaranteed. For example, if you have two policies enabled for an exported contact, you can’t be sure which policy is triggered first. If one policy copies the contact and the other policy deletes the contact, the copy operation fails if the deletion runs first.