Newer Version Available

This content describes an older version of this product.

Transaction Security Policies

Policies evaluate activity using events that you specify. For each policy, you define real-time actions, such as notify, block, force two-factor authentication, freeze user, or end a session.
Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Performance, Unlimited, and Developer Editions

Requires purchasing Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


When you enable Transaction Security for your org, two policies are created.

  • Concurrent User Session Limit policy to limit concurrent login sessions. The policy is triggered in two ways.
    • A user with five current sessions tries to log in for a sixth session.
    • An administrator who is already logged in tries to log in a second time.
  • Lead Data Export policy to block excessive data downloads of leads. The policy is triggered when a download either:
    • Retrieves more than 2,000 lead records
    • Takes more than one second to complete

The policies’ corresponding Apex classes (ConcurrentSessionsPolicyCondition and DataLoaderLeadExportCondition) are also created in the org. An administrator can enable the policies immediately or edit the Apex classes to customize them.

For example, suppose that you activate the Concurrent User Session Limit policy to limit the number of concurrent sessions per user. In addition, you change the policy to notify you via email when the policy is triggered. You also update the policy’s Apex implementation to limit users to three sessions instead of the default five sessions. (That’s easier than it sounds.) Later, someone with three login sessions tries to create a fourth. The policy prevents that and requires ending one of the existing sessions before proceeding with the new session. At the same time, you are notified that the policy was triggered.
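One way the three-session variant described above could look in Apex. This is an added sketch, not the class Salesforce generates in the org: the class name `ThreeSessionLimitCondition` and the `MAX_SESSIONS` constant are assumptions, and it assumes the session being created is not yet among the `AuthSession` rows when the policy runs.

```apex
// Added example: hypothetical policy condition, not the generated
// ConcurrentSessionsPolicyCondition class.
global class ThreeSessionLimitCondition implements TxnSecurity.PolicyCondition {

    // Assumed limit taken from the scenario in the text (the default is five).
    private static final Integer MAX_SESSIONS = 3;

    public boolean evaluate(TxnSecurity.Event e) {
        // Top-level sessions only; child sessions hang off a parent login.
        List<AuthSession> sessions = [
            SELECT Id, LastModifiedDate, NumSecondsValid
            FROM AuthSession
            WHERE UsersId = :e.userId AND ParentId = NULL
        ];

        // Platform helper that marks sessions which should not count toward
        // a concurrent-session limit; map values are 'true' or 'false'.
        Map<String, String> ignore = (Map<String, String>)
            Auth.SessionManagement.ignoreForConcurrentSessionLimit(sessions);

        Integer active = 0;
        DateTime rightNow = DateTime.now();
        for (AuthSession s : sessions) {
            // A session is live until LastModifiedDate + NumSecondsValid.
            DateTime expires = s.LastModifiedDate.addSeconds(s.NumSecondsValid);
            if (expires > rightNow && ignore.get(String.valueOf(s.Id)) != 'true') {
                active++;
            }
        }

        // Returning true triggers the policy's configured actions
        // (for example, block the login and send the email notification).
        return active >= MAX_SESSIONS;
    }
}
```

If the new session turns out to be counted during evaluation, change the comparison to `active > MAX_SESSIONS` so that a third login is still allowed.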

The Transaction Security architecture uses the Security Policy Engine to analyze events and determine the necessary actions.

Transaction Security architecture diagram.

A transaction security policy consists of events, notifications, and actions. For example, when a user tries to export Account data, you can block the operation and get notified by email.