Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Monitor Login History
Field History Tracking
Monitor Setup Changes
Transaction Security Policies
Set Up Transaction Security
Create Transaction Security Policies
Apex Policies for Transaction Security
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Create Transaction Security Policies

Create your own custom policies, triggered by specific events. Only an active user assigned the System Administrator profile can use this feature.
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

Requires purchasing Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

User Permissions Needed
To create, edit, and manage transaction security policies:

Customize Application
To manage transaction security policies:

Author Apex

You can create multiple policies for the same type of event, but we recommend that your policies and their actions don't overlap. If multiple policies with the same action for a given event execute when the event occurs, their order of execution is indeterminate.

  1. From Setup, enter Transaction in the Quick Find box, select Transaction Security Policies, and then click New.
  2. If you are participating in the Real-Time Events pilot, select whether you want to create a policy with the Condition Builder wizard or with an Apex class. If you’re not in the pilot, skip to step 3.
  3. Select the event or entity that your policy monitors.

    AccessResource event policies don't trigger when Dashboard Subscriptions send an email. These policies still trigger when users access resources directly from a dashboard. Lightning Experience supports only the Feed Comment and Feed Item resources, while Salesforce Classic supports all Chatter resources. You can’t create a Data Export event policy for joined reports, historical reports, or custom report types.

    Note

  4. If you’re creating an Apex policy, in Apex Class, select New Empty Apex Class unless you have an existing policy condition to use.
    Transaction Security creates a stub, or placeholder, Apex policy condition. You’ll expand it after creating the policy.
  5. Next select what the policy is to do when triggered, who is to be notified and how, and the user that the policy executes as. The user selected for Execute Policy As must have the System Administrator profile.
    The actions available vary depending on the event type. For login and resource events, you can also block the action or require a higher level of access control with two-factor authentication. For Chatter events, you can freeze the user or block the post. For Login events, you can require ending an existing session before continuing with the current session. You can set the default action for ending a session to always close the oldest session.

    Two-factor authentication is not available in the Salesforce app or Lightning Experience for the Resource Access event type. The Block action is used instead.

    Note

  6. Choose a descriptive name for your policy. Your policy name can contain only underscores and alphanumeric characters, and must be unique in your org. It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
  7. Click Finish.

If you didn’t select an existing Apex class for your new policy, modify the generated Apex class now, before activating your policy. Click the Apex class name to get started and add the condition that triggers the policy. See Apex Policies for Transaction Security for examples.