Enhanced Transaction Security
These are technical notes I compiled while studying using Trailhead, Salesforce's free self-learning portal.
Get Started with Transaction Security
Describe the benefits of Transaction Security. Explain what policies, actions, and notifications are. State use cases for Transaction Security.- Transaction Security is powerful. An incorrect “Login Event” policy that uses Block as its real-time action locks you out of your org.
- To use Transaction Security, you have to purchase Salesforce Shield or Salesforce Shield Event Monitoring add-on subscription
- To check if your org has Salesforce Shield, search for Platform Encryption in quick find search
- If “Platform Encryption” is available in Setup, it means your org has shield licenses
What is Transaction Security?
- Possible applications for Transaction Security:
- Preventing users from using an unsupported browser
- Preventing users from exporting reports with more than 1000 records on them
- Setting up an alert that notifies someone when users run reports containing sensitive data
- Transaction Security is a feature that monitors Salesforce events in real time. They consist of policies that include events, notifications, and actions:
- Event: anything that happens in Salesforce, user clicks, record state changes, measuring values. Immutable and timestamped.
- Policies rules and actions that are triggered when the event occurs. Can be extended with Apex for customized protection.
- Some of the available Event Types:
- API Event: monitoring and protecting all API queries, which can prevent unauthorized data exports
- List View Event: tracks user’s access to list views from both UI and API queries
- Login Event: monitoring login details. Blocks logins from untrusted locations, unsupported browsers, specific event types
- Report Event: blocks or requires MFA for access to sensitive info
- Actions to take when a policy is triggered:
- Block the operation
- Require a higher level of assurance with MFA
- Do Nothing
- Policy notifications via Email, in-app notifications, etc
- Use case explored next involves ensuring users are not exporting large amounts of data from reports
- Benefits of Transaction Security:
- You can select events to monitor
- You can select actions to take in real time
- Which components can you configure when building Transaction Security policies?
- Actions
- Notification method
Create Transaction Security Policies
Enable Transaction Security. Use Condition Builder to define, edit, enable, and disable your own policies.Enable Transaction Security
- First, enable Transaction Security via Setup > Quick Find > “Transaction Security” > Transaction Security Policies
Create a Policy
- Condition Builder can be used to create policies declaratively, but Apex is needed for some custom use cases.
Event options:
Conditions that trigger the policy:
Action options:
List view of the policies:
Use Apex in Transaction Security Policies
Explain how to create a Transaction Security policy that uses Apex. Describe the basic elements of the Apex class that implements a Transaction Security policy.Create a Policy that Uses Apex
- Condition Builder (declarative policy builder) is powerful but doesn’t support all complex use cases, such as branching logic, querying data, looping over queried data - implement an Apex class for these instead
- Ex: Limiting the number of records a users can view or export to 10, unless the users have the “Data Steward” address
Screen 1:
Screen 2:
Screen 3:
Edit the Apex Class
- Click the “Apex Condition” link in the Policy list view to navigate to the Apex Class.
- Replace the code with the following:
global class PreventLargeDataExportEventCondition implements TxnSecurity.EventCondition {
public boolean evaluate(SObject event) {
switch on event{
when ReportEvent reportEvent {
return evaluate(reportEvent);
}
when null {
// Don't take policy action when event is null
return false;
}
when else{
// Don't take policy action when event is not handled
return false;
}
}
}
/**
* Handle evaluating ReportEvent
*/
private boolean evaluate(ReportEvent reportEvent){
Profile profile = [SELECT Name FROM Profile WHERE Id IN
(SELECT profileId FROM User WHERE Id = :reportEvent.UserId)];
// Take policy action only if the user profile is not 'Data Steward' and
// RowsProcessed greater than 10.
if (!profile.Name.contains('Data Steward')
&& reportEvent.RowsProcessed > 10) {
return true;
}
return false;
}
}
Understand the Apex Code
- Policy action is triggered if:
- User doesn’t have the Data Steward profile
- User views or exports more than 10 records of a report
PreventLargeDataExportEventConditionclass implements theTxnSecurity.EventConditionApex interface, which is a requirement for Apex-based Transaction Security profiles.- Requires a method called
evaluate(SObject), which takes anSObjectparameter and returns a Boolean, which determines if the policy triggers (true) or not (false). - In the method, a switch statement transforms the passed in SObject into an event. In this example, the SObject is transformed into a
ReportEvent. Using a switch means that this same method can handle multiple event types. - The
ReportEventis then passed to a helper method calledevaluate(ReportEvent), which is where the condition testing happens.
- Requires a method called
What’s Next?
- There are many other events you can track, such as list view usage and logins
- Another Example Apex class
global class BlockLargeDataExportEventCondition implements TxnSecurity.EventCondition {
public boolean evaluate(SObject event) {
switch on event{
when ReportEvent reportEvent {
return evaluate(reportEvent);
}
when null {
// Don't take policy action when event is null
return false;
}
when else{
// Don't take policy action when event is not handled
return false;
}
}
}
/**
* Handle evaluating ReportEvent
*/
private boolean evaluate(ReportEvent reportEvent){
Profile profile = [SELECT Name FROM Profile WHERE Id IN
(SELECT profileId FROM User WHERE Id = :reportEvent.UserId)];
if (!profile.Name.contains('System Administrator')
&& reportEvent.RowsProcessed > 100) {
return true;
}
return false;
}
}