How to Secure Your Salesforce Org with Transaction Security Policy

TRUST is one of the core values of Salesforce and the foundation block that it is built upon. Parker Harris, Salesforce co-founder says, “Nothing is more important to our company than the privacy of our customers’ data”. Trust requires security and Salesforce has developed various features over time to live up to that commitment. One such security feature is called Transaction Security Policy.

Transaction Security Policy in Salesforce

Using Transaction Security Policy, you can define events to monitor and take action when that event happens. Here are a few examples of the events that you can monitor

  1. You want to block and notify the administrator when somebody tries to export the ‘Contact’ information
  2. You want to raise the session security to Two-Factor Authentication (2FA) when a user tries to access Salesforce from two different IP Address within the last 24 hours
  3. You want to block the access when someone tries to log in from a particular country or from a particular operating system or browser
  4. You want to block chatter posts containing particular keywords
  5. You want to limit the concurrent number of sessions for a user or for an administrator
  6. etc…

And when these events occur, you can take these actions

  1. Block – Don’t let the user complete the request
  2. Two-Factor Authentication – Step up the security and prompt the user to confirm identity by using two-factor authentication, such as the Salesforce Authenticator app
  3. Freeze user – Prevent further logins into your org by the user.
  4. End session – Prompt the user to end an existing session when the number of concurrent sessions a user is allowed to have is strictly limited

I hope you get the gist of it now. But for one last time – Transaction Security is a framework that intercepts Salesforce events in real-time and applies appropriate actions and notifications based on the security policies you create. 

One more thing before we go any further. Please do note that Transaction Security Policy requires purchasing Salesforce Shield or Salesforce Event Monitoring add-on subscriptions. TSP, unfortunately, is not free 🙁 

So how do you configure Transaction Security Policy in your Salesforce Org? Here is your less than 30 minutes step-by-step guide on how to configure TSP in Salesforce. In this we are going to apply TSP on two different events – One, we’ll block the user from exporting contact information and second, we will step up the session security to two-factor authentication if a user tries to log in from two different IP addresses within 24 hours.  

NOTE: Certain sections of the guide will appear as locked in the free preview. You can download the unlocked version of the guide in PDF format by subscribing to our “All Access” Pass through the link below.

Not an “All Access” Pass Member Yet?

Get Download Access to this & 150+ More Step-by-Step Guides with “All Access” Pass. A simple and single plan to access our entire library of courses, guides, workshops & masterclasses on Salesforce.

References & Useful URLs

  1. Trailhead Module – Enhanced Transaction Security –  https://trailhead.salesforce.com/content/learn/modules/enhanced_transaction_security
  2. Help Article – Enhanced Transaction Security – https://help.salesforce.com/articleView?id=sf.enhanced_transaction_security_policy_types.htm&type=5
  3. Enhanced Apex Transaction Security Implementation Examples – https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/enhanced_transaction_security_policy_apex_examples.htm
  4. YouTube Video (23:00 mins) – Implementing Real-Time Actions with Transaction Security

7 thoughts on “How to Secure Your Salesforce Org with Transaction Security Policy”

  1. Hi,
    Thanks for explaining it so well. I am not able to figure out how can I create a TSP to restrict an API enabled user from any specific types of requests. Like a third party user may POST data but should not be allowed to GET/DELETE/UPDATE requests. I can’t find request type in condition builder.

  2. Hi,

    The export limits to restrcting report exports. I am looking to do similarly for ListView Print as well. There is a List View Event but I am not able to specifically look for a Print event in there. Do you have any suggestions there?

    1. Ashish Agarwal

      Hi Ajay,

      You can hide printable view for list but this will be done for all users. This feature currently cannot be monitored through Transaction Security Policy. To hide/disable ‘Printable View’ for lists, you can navigate to Setup -> Object Manager ->

  3. Sir Field can be restricted in the report if classified as confidential And the field cannot be dragged to any report for all the users by using Transaction Security Policy is it possible ?

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top