Salesforce stores Customer/Client’s sensitive information like customer demographic information, contact details, sales/service history information, chat information etc. It also stores sensitive files like invoices, financial data, customer verification documents, contract details etc. Salesforce Files/Content is designed to facilitate collaboration, document management, and integration of files.
Salesforce provides a lot of features like permission sets, profiles, roles, sharing rules etc. to secure data. Salesforce provides File Upload and Download Security features to secure the upload and download of specific types of files. This feature will not stop users from previewing or downloading files. Salesforce introduced a new feature FileEvents to strengthen file security. In this blog post, we will see how to enhance Salesforce File Security with FileEvents.
What is FileEvent?
FileEvent allows Salesforce developers to track user activities on files, which can help identify and prevent unauthorized access to sensitive content using UI and API. FileEvent supports transaction security policies so we can track who tried to access sensitive information. We can throw an error and we can send him a personalized email asking the reason for accessing the sensitive page.
User Action Supported in File Event
- File Upload
- File Preview
- File Download
Implement Transaction Security Policy using FileEvents
Salesforce Transaction Security Policies allow us to impose security measures and restrictions for user actions and transactions within Salesforce org. These rules assist in protecting against a variety of threats, including fraud, data breaches, and unauthorised access. Transaction Security Policies enable us to establish rules that cause actions or alerts to be triggered when certain criteria are fulfilled during a transaction. Let us see the steps for implementing a transaction security policy using FileEvents
- Get Salesforce License
- Transaction Security Policy Using Declarative Approach
- Transaction Security Policy using Apex Code
- Test FileEvents Transaction Security Policy
1. Get Salesforce License
FileEvents is part of Salesforce Shield Encryption. We should have a Salesforce Shield or Salesforce Event Monitoring add-on subscription to implement this functionality. This feature is available in Developer org to test this functionality.
2. Transaction Security Policy using a Declarative Approach
File Event Transaction security can be set up using declarative as well custom code in Salesforce Apex. We can create a File Event Transaction Security Policy from Setup → Transaction Security Policies. Select Condition Builder for point-and-click configuration.
2.1 Build Transaction Condition/Criteria
Set criteria for firing file event transaction security policy. For this POC, I have set up criteria for downloading files. Set up below conditions/criteria
| Event | File Event |
| Condition Logic- | All Conditions are met(AND) Condition- FileAction Operator- Equals Value -UI_DOWNLOAD |
2.2 Action to perform when the above policy is triggered
Setup action that will be performed when condition logic is met for File Event policy.
| Action | Block | This will stop any action performed by the user. |
| Block Message | Custom Block Message | Set up any custom message that you want to show to the user. If you don’t want to set up a custom message then choose Default Block Message |
| Notification | 1. Email notification 2. In-app notification | How notification should be sent to the admin user? If Email Notification is selected then we can set up Email Notification Content. In-app notification is used for notification in mobile devices like Android or IOS. |
| Email Notification Content | Default Email Content | This will send email notifications to the admin or recipient. This will only enabled when the notification type is Email Notification. Custom emails can also be created for email notifications. |
| Name | Transaction Security Error | Put a name based on your requirement |
| Status | Enabled | Enable this transaction security. We can disable this when we don’t want this policy. |
2.3 Test Point-to-click Transaction Security Policy
3. Transaction Security Policy using Apex Code
We can use Apex code also to customize transaction security policy for File Event. Using Apex, we have more control over transaction security. We can use our own logic for triggering file event security issues.
What triggers this policy?
Configure which event will trigger the transaction security policy. To create a File Event transaction security policy we have to select the below options.
| *Event | File Event |
| *Apex Class | New Empty Apex Class |
What actions do you want to take when the policy is triggered?
Setup action which will performed when File Event Transaction Policy is triggered. You can use the same setup as mentioned in section 2.2.
Once the action is set up, a boilerplate apex class will be created to customize the policy trigger. The below image shows the generated boilerplate code class.
Customize Apex Class:
Let us take an example, We have the below use case.
Use Case:
If a user who is not part of the Finance Department tries to download files of the Finance Department. They should get the error.
Solution:
To handle this use case, the below apex code will be created.
Test Apex Code for File Security with FileEvent
Summary
FileEvents are a valuable tool for securing the files in our Salesforce org. We can monitor user operations on files, set up transaction security controls, and respond to any risks in real time by employing FileEvents. We can take proactive steps to protect our Salesforce org’s files and keep your customers’ trust.
References
Real-Time Event Monitoring Overview
Enhanced Transaction Security Policy List
