Set up Transaction Security
| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Available in: Enterprise, Performance, Unlimited, and Developer Editions. Requires purchasing Salesforce Shield or Salesforce Shield Event Monitoring add-on subscriptions. |

| User Permissions Needed | |
|---|---|
| To create, edit, and manage transaction security policies: | “Author Apex” AND “Customize Application” |
- Enable transaction security policies to make them available for use. This task is done once, when you first go to Transaction Security.
  - From Setup, enter Transaction Security in the Quick Find box, then select Transaction Security.
  - To enable the policy list view and install the supplied policies, select Enable custom transaction security policies at the top of the page.

  The ConcurrentSessionsLimitingPolicy limits concurrent sessions and is triggered in two ways:
  - When a user with five current sessions tries to log in for a sixth session
  - When an administrator that’s already logged in tries to log in a second time

  The Data Loader Lead Export policy blocks excessive data downloads done through APIs. It’s triggered when someone uses an API call that runs for more than one second to download more than 2,000 lead records. You can change these values by modifying the DataLoaderLeadExportCondition policy implementation.
- After Transaction Security is enabled, set the preferences for your org.
  - Click Default Preferences on the Transaction Security Policies page.
  - Select the preference When users exceed the maximum number of Salesforce sessions allowed, close the oldest session.
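The following Apex class is an added illustration of the kind of policy condition the supplied Data Loader Lead Export policy relies on; it is not Salesforce's DataLoaderLeadExportCondition class itself. It implements the legacy TxnSecurity.PolicyCondition interface with the thresholds from this page (more than 2,000 lead records in a call that runs longer than one second) pulled into constants so they are easy to change. The event attribute keys NumberOfRecords and ExecutionTime (in seconds) are assumptions; confirm them against the e.data map your org actually delivers before deploying.

```apex
// Added example, not Salesforce's supplied DataLoaderLeadExportCondition.
// Bind this class to a policy created in Setup with the Data Export event
// type and the Lead resource; the object filtering happens in that policy
// definition, so the condition only has to evaluate the thresholds.
// ASSUMPTION: the Data Export event exposes the record count as
// e.data.get('NumberOfRecords') and the elapsed time in seconds as
// e.data.get('ExecutionTime'). Verify both keys in your org first.
global class LeadExportLimitCondition implements TxnSecurity.PolicyCondition {

    // Thresholds from the page's description of the supplied policy.
    // Raise or lower these to tune how aggressive the policy is.
    @TestVisible private static final Integer MAX_LEAD_RECORDS = 2000;
    @TestVisible private static final Integer MAX_EXECUTION_SECONDS = 1;

    // Called by the Transaction Security framework for each matching event.
    // Returning true fires the policy's action (block, two-factor, notify).
    public Boolean evaluate(TxnSecurity.Event e) {
        Integer records = parseInteger(e.data, 'NumberOfRecords');
        Integer seconds = parseInteger(e.data, 'ExecutionTime');

        // Design choice: a missing or unparsable attribute does not match,
        // so a malformed event never blocks every export. If you would
        // rather fail closed, return true here instead.
        if (records == null || seconds == null) {
            return false;
        }
        return exceedsLimits(records, seconds);
    }

    // Pure decision logic, kept separate from the event plumbing so an Apex
    // test can exercise it without constructing a TxnSecurity.Event.
    @TestVisible
    private static Boolean exceedsLimits(Integer records, Integer seconds) {
        return records > MAX_LEAD_RECORDS && seconds > MAX_EXECUTION_SECONDS;
    }

    // Null-safe conversion of a string event attribute to an Integer.
    // e.data is a Map<String, String>, so every value arrives as text.
    private static Integer parseInteger(Map<String, String> data, String key) {
        if (data == null || !data.containsKey(key) || data.get(key) == null) {
            return null;
        }
        try {
            return Integer.valueOf(data.get(key).trim());
        } catch (TypeException ex) {
            return null;
        }
    }
}
```

Deploying the class to production still requires Apex test coverage; a test class that calls exceedsLimits with values on both sides of each threshold (for example 2001 records at 2 seconds versus 2001 records at 1 second) covers the decision logic without needing a real export event.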
Login policies affect programmatic access and access from Salesforce Classic and Lightning Experience. When you create a policy that limits the number of concurrent user sessions, all sessions count toward that limit. Regular logins with a username and password, logins by web applications, logins using Authentication Providers, and all other login types are considered.
The session limit isn’t a problem in Salesforce Classic or Lightning Experience because you’re prompted to select which session or sessions to end. That choice isn’t available from within a program, so the program receives a Transaction Security exception that the session limit has been reached.
Selecting “When users exceed the maximum number of Salesforce sessions allowed, close the oldest session” prevents this problem. When a programmatic request is made that requires a login but no more sessions are allowed, older sessions are ended until the number of sessions is below the limit. The setting also works for logins from the UI. Instead of being asked to select a session to end, the oldest session is automatically ended, and the new login proceeds for the new session. Here’s how the OAuth flows handle login policies with and without the preference being set.

| Flow Type | Action If Preference Is Selected | Action If Preference Is Not Selected |
|---|---|---|
| OAuth 2.0 web server | Authorization Code and Access Token granted. Older sessions are ended until you’re within policy compliance. | Authorization Code granted, but Access Token not granted. Older sessions are ended until you’re within policy compliance. |
| OAuth 2.0 user-agent | Access Token granted. Older sessions are ended until you’re within policy compliance. | Access Token granted. Older sessions are ended until you’re within policy compliance. |
| OAuth 2.0 refresh token flow | Access Token granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception |
| OAuth 2.0 JWT bearer token | Access Token granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception |
| OAuth 2.0 SAML bearer assertion | Access granted. Older sessions are ended until you’re within policy compliance. | TXN_SECURITY_END_SESSION exception |
| OAuth 2.0 username and password | Access granted. Older sessions are ended until you’re within policy compliance. | Access denied due to more than the number of sessions allowed by the policy |
| SAML assertion | Not applicable | Not applicable |

For more information on authentication flows, see Authenticating Apps with OAuth in the Salesforce help.