This content describes an older version of this product.

Create Legacy Transaction Security Policies

Create your own custom legacy policies triggered by specific events. Only an active user assigned the System Administrator profile can use this feature.

Warning

Legacy Transaction Security is scheduled for retirement in all Salesforce orgs as of Summer ’20. You can no longer create, edit, or enable transaction security policies using the legacy framework and will receive an error message if you try to do so. For more information, see Legacy Transaction Security Retirement. To create transaction security policies using the new framework, refer to the Enhanced Transaction Security documentation. To migrate legacy policies to the new framework, refer to the migration documentation.

Available in: Salesforce Classic and Lightning Experience
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


User Permissions Needed

To create, edit, and manage transaction security policies: Customize Application
To manage transaction security policies: Author Apex

Important

This topic discusses only how to create a legacy transaction security policy. For details on creating an enhanced policy, see Build a Transaction Security Policy with Condition Builder or Create an Enhanced Transaction Security Policy That Uses Apex.

You can create multiple policies for the same type of event, but we recommend that your policies and their actions don't overlap. If multiple policies with the same action for a given event execute when the event occurs, their order of execution is indeterminate.

  1. From Setup, enter Transaction in the Quick Find box, select Transaction Security Policies, and then click New.
  2. Click Apex then Next.
  3. Click Transaction Security Policy (the legacy version of transaction security).
  4. Select the event type and associated resource that your policy monitors.

    Note

    AccessResource event policies don't trigger when Dashboard Subscriptions send an email. These policies still trigger when users access resources directly from a dashboard. Lightning Experience supports only the Feed Comment and Feed Item resources, while Salesforce Classic supports all Chatter resources. You can’t create a Data Export event policy for joined reports, historical reports, or custom report types.

  5. If you’re creating an Apex-based policy in a non-production environment, in Apex Class, select New Empty Apex Class. (Transaction Security creates a stub, or placeholder, Apex policy condition.) Otherwise, use an existing Apex policy condition.
  6. Select what the policy does when triggered and who is notified and how. Any users you select must have Modify All Data and View Setup permissions.

    Note

    Although you’re required to enter a user in the Execute Policy As field, the automated process user always executes the policy.

    The actions available vary depending on the event type. For login and resource events, you can also block the action or require a higher level of access control with multi-factor authentication. For Chatter events, you can freeze the user or block the post. For Login events, you can require ending an existing session before continuing with the current session. You can set the default action for ending a session to always close the oldest session. For more information, see What Are Transaction Security Actions?

    If you’re creating an Apex-based policy and use an API callout in the Apex class, you must select an action. If you select None as the action, the policy can’t execute.

    Note

    Multi-factor authentication is not available in the Salesforce app or Lightning Experience for the Resource Access event type. The Block action is used instead.

    Enter a user that has Modify All Data and View Setup permissions in the Execute Policy As field. However, the automated process user always executes the policy, regardless of the user you enter.

  7. Choose a descriptive name for your policy. Your policy name can contain only underscores and alphanumeric characters, and must be unique in your org. It must begin with a letter, not include spaces, not end with an underscore, and not contain two consecutive underscores.
  8. To enable the policy after you create it, in Status, switch to Enabled. (You can always disable it later from the Transaction Security Policies page.)
  9. Click Finish.

If you’re in a non-production environment and you selected New Empty Apex Class for your new policy, modify the generated Apex class now before activating your policy. Click the Apex class name to get started, and add the condition that triggers the policy. See Apex Policies for Legacy Transaction Security for examples.
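
As an added illustration (not code from this page or from Salesforce's sample policies), here is one way the generated stub could be completed for a Data Export event policy. The class name, the 2,000-row threshold, and the `EntityName` and `NumberOfRecords` keys read from the event data are assumptions; confirm the keys against the payload documented for your event type.

```apex
// Added example: a legacy Apex policy condition for a Data Export event policy.
// The class name, threshold and e.data keys below are assumptions for illustration.
global class LargeLeadExportCondition implements TxnSecurity.PolicyCondition {

    // Hypothetical threshold: exports above this many rows trigger the policy.
    private static final Integer MAX_ROWS = 2000;

    // Returning true triggers the policy, so the action and notifications
    // selected in step 6 are carried out. Returning false lets the event pass.
    public boolean evaluate(TxnSecurity.Event e) {
        if (e == null || e.data == null) {
            return false;
        }

        // e.data is a Map<String, String>; values must be converted before use.
        String entityName = e.data.get('EntityName');
        String rowsText = e.data.get('NumberOfRecords');

        // Only Lead exports are in scope for this policy.
        if (entityName != 'Lead') {
            return false;
        }

        // A Lead export whose size is missing or unreadable is treated as
        // triggering, so a malformed payload cannot slip past the check.
        if (String.isBlank(rowsText)) {
            return true;
        }
        try {
            return Integer.valueOf(rowsText.trim()) > MAX_ROWS;
        } catch (Exception ex) {
            return true;
        }
    }
}
```

The condition makes no API callout, so the restriction in step 6 on selecting None as the action does not apply to it.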