Accessing Encrypted Data in Process Builder


Last Updated on February 10, 2022 by Rakesh Gupta

Have you heard about, and implemented, Shield Platform Encryption (SPE), right? No? No worries – Trailhead is at your rescue! Trailhead has an amazing module, Get Started with Shield Platform Encryption. The module will teach you the ins and outs of platform encryption!

In this blog, my primary focus is to show you how we can use Process Builder to access encrypted data. But before we explore this concept, let us take a closer look at Platform Encryption. To state briefly, Platform Encryption gives your data a new layer of security while preserving most of the Salesforce functionality you rely on. It enables you to encrypt sensitive data at rest – and not just when transmitted over a network. As a result, your organization can confidently comply with regulatory requirements, privacy policies, and contractual obligations for handling private data. 

One of the salient features of SPE is that it builds on the data encryption options that Salesforce already offers out of the box. Data stored in many standard and custom fields, and in files and attachments, is encrypted using an advanced Hardware Security Module (HSM)-based key derivation system. As a result, the data is protected even when other lines of defense have been compromised. Another critical feature of SPE is that your data encryption key is never saved or shared across organizations; instead, it is derived on demand from a master secret and your organization-specific tenant secret, and the derived key is then cached on an application server.
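The derive-on-demand design described above can be modelled in a few lines. This is an added example, not Salesforce's implementation and not code from the original post: PBKDF2-HMAC-SHA256 stands in for the HSM-based derivation, and the `KeyCache` class, the secret-version number, the TTL and all secret values are assumptions constructed for illustration.

```python
import hashlib
import time

# Conceptual model only. PBKDF2-HMAC-SHA256 stands in for the HSM-based
# derivation; iteration count, TTL and every name below are assumptions.
KEY_LEN = 32
ITERATIONS = 10_000
CACHE_TTL_SECONDS = 300


def derive_data_key(master_secret: bytes, tenant_secret: bytes) -> bytes:
    """Derive the org's data encryption key on demand; it is never stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret, tenant_secret, ITERATIONS, KEY_LEN
    )


class KeyCache:
    """In-memory stand-in for the application-server key cache."""

    def __init__(self, master_secret, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._master = master_secret
        self._ttl = ttl
        self._clock = clock
        self._entries = {}    # (org_id, secret_version) -> (key, expires_at)
        self.derivations = 0  # counts real derivations, to show cache hits

    def get_key(self, org_id: str, secret_version: int, tenant_secret: bytes) -> bytes:
        slot = (org_id, secret_version)
        cached = self._entries.get(slot)
        if cached and cached[1] > self._clock():
            return cached[0]
        # Cache miss or expired entry: re-derive from the two secrets.
        key = derive_data_key(self._master, tenant_secret)
        self.derivations += 1
        self._entries[slot] = (key, self._clock() + self._ttl)
        return key


if __name__ == "__main__":
    cache = KeyCache(b"constructed-master-secret")
    a1 = cache.get_key("orgA", 1, b"constructed-tenant-secret-A1")
    b1 = cache.get_key("orgB", 1, b"constructed-tenant-secret-B1")
    a2 = cache.get_key("orgA", 2, b"constructed-tenant-secret-A2")
    print("orgA and orgB keys differ:", a1 != b1)
    print("new tenant secret version gives new key:", a1 != a2)
    cache.get_key("orgA", 1, b"constructed-tenant-secret-A1")
    print("derivations performed:", cache.derivations)
```

Because the key depends on both inputs, two organizations never share a key, and an expired cache entry is rebuilt to the identical value without the key ever being written to storage.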

Reference – Salesforce Doc

The preceding screenshot shows how fields get encrypted when SPE is enabled for an object. People with the View Encrypted Data permission can see the data in encrypted fields. You can control this by implementing a Permission Set.

Please note: if you enable the Turn Off Masking for Encrypted Data critical update, field masking is decoupled from SPE. As a result, the View Encrypted Data permission and its resulting masking behavior will no longer be available in SPE.

As a result of enabling the Turn Off Masking for Encrypted Data critical update, you now have to use field-level security and object-level security to control who can access the data, regardless of whether the data is encrypted. In other words, data is now displayed in plain text rather than in the encrypted form, as shown in the following screenshot:

Let us start with an example. In the preceding screenshot, we have enabled platform encryption for the Account Name, Phone, Fax, and Website fields. If you try to access these fields from Process Builder (for example, to update the Account Name field), you will get an error message, as shown in the following screenshot:

To overcome this limitation, you have to reach out to Salesforce support to enable the Access Encrypted Data in Process Builder beta feature.

Business Use Case

Let us start with a business use case. Pamela Kline is working as a System Administrator at GurukulOnCloud. She has received the following requirement: when an Account is created, auto-sync Account Name from Account Number.

Solution for the Above Business Requirement

To solve the preceding requirement, we have to create a Process on the Account object that updates Account Name from the Account Number field. Before going ahead with the solution, make sure to raise a support case to enable the Access Encrypted Data in Process Builder beta feature in your Salesforce org.

  1. Click on Name | Setup | App Setup | Create | Workflows & Approvals | Process Builder
  2. To create a new process from scratch, click on the New button available on the Process Management page. A popup will appear where you have to enter the Name (use Sync Account Name and Account Number as the name), API Name, and Description, as shown in the below screenshot:
  3. Once you are done, click on the Save button.
  4. Click on the Object node to add object and then select the Account object. For the entry criteria, Select only when a record is created, as shown in the below screenshot:
  5. Once you are done, click on the Save button.
  6. The next task is to add Process Criteria. To do this, click on Add Criteria, enter Name, Type of action, and set filter conditions as shown in the following screenshot:
  7. Once you are done, click on the Save button.
  8. Now we have to add an Immediate action into the Process to update the Account Name field. Click on Add Action (Under Immediate actions), Select the type of action (In our case Update Records), and then fill the values into fields to define the action – as shown in the following screenshot:
  9. Once you are done, click on the Save button. As I have already enabled Access Encrypted Data in Process Builder – beta feature in my developer org, I did not encounter any error while saving the immediate action. 
  10. In the end, your Process will look like the following screenshot:
  11. Don’t forget to activate the Process by clicking on the Activate button.

It’s time to test this feature

The next time an Account is created, Account Name will sync with Account Number.

Technical Editor and Proofreader: - Munira Majmundar