Transaction Security Policies (Legacy)

Transaction Security is a framework that intercepts real-time Salesforce events and applies appropriate actions and notifications based on security policies you create. Transaction Security monitors events according to the policies that you set up. When a policy is triggered, you can receive a notification and have an optional action taken.

Warning: Legacy Transaction Security is scheduled for retirement in all Salesforce orgs as of Summer ’20. For more information, see Legacy Transaction Security Retirement. To create transaction security policies using the new framework, refer to the Enhanced Transaction Security documentation. To migrate legacy policies to the new framework, refer to the migration documentation.

Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


Policies evaluate activity using events that you specify. For each policy, you define real-time actions, such as notify, block, or force multi-factor authentication.

For example, suppose that you activate the Concurrent Sessions Limiting policy to limit the number of concurrent sessions per user. In addition, you change the policy to notify you via email when the policy is triggered. You also update the policy’s Apex implementation to limit users to three sessions instead of the default five sessions. (That’s easier than it sounds.) Later, someone with three login sessions tries to create a fourth. The policy prevents that and requires the user to end one of the existing sessions before proceeding with the new session. At the same time, you are notified that the policy was triggered.
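
The three-session limit described above could be expressed as a legacy policy condition like the following. This is an added example, not the Apex that Salesforce generates for the Concurrent Sessions Limiting policy; the class name and the `MAX_SESSIONS` constant are hypothetical, and it assumes that only top-level sessions are counted and that the session being created is already included in the count.

```apex
// Added illustration: legacy Transaction Security condition that caps
// concurrent sessions per user. Class name and MAX_SESSIONS are hypothetical.
global class ThreeSessionLimitCondition implements TxnSecurity.PolicyCondition {

    // Limit from the example in the text (the default policy uses five).
    private static final Integer MAX_SESSIONS = 3;

    public boolean evaluate(TxnSecurity.Event e) {
        // Top-level sessions only; child sessions share a parent login.
        List<AuthSession> sessions = [
            SELECT Id, LastModifiedDate, NumSecondsValid
            FROM AuthSession
            WHERE UsersId = :e.userId AND ParentId = NULL
        ];

        Integer active = 0;
        Datetime currentTime = Datetime.now();
        for (AuthSession s : sessions) {
            // A session is live until last activity plus its validity window.
            Datetime expires = s.LastModifiedDate.addSeconds(s.NumSecondsValid);
            if (expires > currentTime) {
                active++;
            }
        }

        // Assumption: the session being created is already counted, so the
        // policy triggers when the total exceeds the limit.
        return active > MAX_SESSIONS;
    }
}
```

Returning `true` from `evaluate` is what triggers the policy, at which point the actions and notifications configured on the policy apply.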

The Transaction Security architecture uses the Security Policy Engine to analyze events and determine the necessary actions.

Transaction Security architecture diagram.

A transaction security policy consists of events, notifications, and actions. For example, when a user tries to export Account data, you can block the operation and get notified by email.