The Shield of Security: Preventing Data Downloads with Data Classification


Last Updated on November 15, 2023 by Rakesh Gupta

Big Idea or Enduring Question:

  • How can you prevent the downloading of critical data through reports? 

Objectives:

After reading this blog, you’ll be able to:

  • Understand Data Classification
  • Set up Data Classification for Fields 
  • Understand Transaction Security
  • Create a Transaction Security Policy
  • Implement Enhanced Apex Transaction Security
  • And much more

Business Use case

Benjamin Moore works as a Salesforce Architect at Gurukul On Cloud (GoC). GoC has recently acquired the Event Monitoring add-on product from Salesforce. He wants to accomplish the following tasks:

  1. Define the data classification for the Email field on Contact with these specifications:
    1. Data Owner: Rakesh Gupta
    2. Field Usage: Active
    3. Data Sensitivity Level: Restricted
    4. Categorize compliance as:
      1. PII (Personal Identifiable Information)
      2. HIPAA (Health Insurance Portability and Accountability Act)
      3. GDPR (General Data Protection Regulation)
      4. PCI (Payment Card Industry Data Security Standard)
      5. COPPA (Children’s Online Privacy Protection Act)
      6. CCPA (California Consumer Privacy Act)
  2. Utilize the above data classification to prevent users from adding (and downloading) the Email field to a report.
  3. Ensure that the System Administrator (Rakesh Gupta) receives notifications about these actions, both through email and in-app notifications.

Data Classification: The First Step in Smart Data Governance

Companies create a lot of data every day, and keeping it safe from theft or harmful actions is becoming very tricky. Some of this data is so important that if it gets stolen or exposed, it could cause big problems for the business and its customers. This kind of data needs strong protection. But there’s also data that can be shared openly without causing any trouble.

Knowing which data needs the highest protection and which doesn’t is critical to mitigating risks and complying with state, federal, and industry regulations. Plus, it helps you make a good plan for keeping all types of data safe with the right level of security.

In simple terms, data classification is a process that helps you identify what types of data you have and how you’re using it – including who needs to access it and how long you need to retain it. It’s a critical step in any business’s data governance plan, or strategy for managing and securing data and making it available across the organization.

Benefits of Data Classification

Organizations that fail to apply data classification expose themselves to elevated risks of data theft and regulatory non-compliance. Implementing a robust data classification scheme is a key part of a risk-based plan for protecting your data and staying compliant. Here’s how data classification can be advantageous:

  1. Data Security: As the first step in any security plan, data classification helps inform nearly all aspects of data security, including authentication, authorization, encryption, backup, etc.
  2. Following Rules: Data classification will help you ensure you stay compliant with information security standards, such as SOC 2, ISO 27001, and PCI, as well as regulations including HIPAA, GDPR, and CCPA.
  3. Incident response: If there’s a data leak or another security problem, you’ll know exactly what kind of data is affected. This saves you a massive amount of stress, as well as reputational and financial damages, and aids any investigations.
  4. Access Control: It helps in setting up clear access controls, so only authorized individuals can access certain data, reducing the chance of internal threats.
  5. Data Lifecycle Management: Knowing what data you have and its importance can guide decisions on how long to retain it and when to safely delete it.

Data Classification Metadata Fields

Salesforce allows you to define the data classification for any standard or custom object field. Salesforce’s data classification framework provides four distinct fields to help organize and define the data in your organization:

Compliance Categorization: The compliance acts, definitions, or regulations that are related to the field’s data. Default values:

  • CCPA—California Consumer Privacy Act
  • COPPA—Children’s Online Privacy Protection Act
  • GDPR—General Data Protection Regulation
  • HIPAA—Health Insurance Portability and Accountability Act
  • PCI—Payment Card Industry
  • PersonalInfo—Personal information. For use with the Enhanced Personal Information Management feature. Only available if Enhanced Personal Information Management and Digital Experiences are enabled.
  • PII—Personally Identifiable Information

The field corresponds to the ComplianceGroup field on the FieldDefinition Tooling API.

Data Owner: The person or group associated with this field. The data owner understands the importance of the field’s data to your company and might be responsible for determining the minimum data sensitivity level.

The field corresponds to the BusinessOwnerId field on the FieldDefinition Tooling API.

Data Sensitivity Level: The sensitivity of the data contained in this field. Default values:

  • Public—Available to the public to view but not alter.
  • Internal—Available to company employees and contractors. This data must not be shared publicly, but it can be shared with customers, partners, and others under a non-disclosure agreement (NDA).
  • Confidential—Available to an approved group of employees and contractors. This data isn’t restricted by law, regulation, or a company master service agreement (MSA). It can be shared with customers, partners, and others under an NDA.
  • Restricted—Available only to an approved group of employees and contractors. This data is likely restricted by law, regulation, an NDA, or a company MSA.
  • MissionCritical—Available only to a small group of approved employees and contractors. Third parties who are given access could be subject to heightened contractual requirements. This data is almost always restricted by law, regulation, an NDA, or a company MSA.

The field corresponds to the SecurityClassification field on the FieldDefinition Tooling API and the FieldSecurityClassification SOAP API.

Field Usage: Tracks whether the field is in use. Default values:

  • Active—In use and visible.
  • DeprecateCandidate—Planned for deprecation and no longer in use.
  • Hidden—Not visible and possibly planned for deprecation. Use with caution.

The field corresponds to the BusinessStatus field on the FieldDefinition Tooling API.

Define the Data Classification Values

In Salesforce, fields can have different Data Classification Values to help organizations comply with privacy policies, regulations, and to ensure that sensitive data is handled correctly. When it comes to an email field, it typically contains personal information that can be used to identify an individual, such as a personal or work email address.

Follow these steps to define the Data Classification values for the Email field on Contact, based on the specified business requirement:

  1. Click Setup.
  2. In the Object Manager, type Contact and select Contact.
  3. Select Fields & Relationships. Select the Email field, and click Edit.
  4. Define the values as specified in the business use case: Data Owner, Field Usage, Data Sensitivity Level, and Compliance Categorization.
  5. Click Save.
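Before building a policy on top of the classification, it is worth confirming that the values were actually saved and are complete. The following Apex class is an added example, not code from this article or from Salesforce; it reads the FieldDefinition fields described in the table above and reports Restricted or MissionCritical fields that are missing a Compliance Categorization or Data Owner, or that are flagged for deprecation. The class name FieldClassificationAudit and its Finding type are my own; the FieldDefinition field names are the ones the article lists.

```apex
// Added example (not from the article): audit the classification of an object's fields.
// Assumes the running user can query FieldDefinition (any user with Apex access can).
public class FieldClassificationAudit {

    // One finding per gap detected on a field.
    public class Finding {
        public String fieldName;
        public String issue;
        public Finding(String fieldName, String issue) {
            this.fieldName = fieldName;
            this.issue = issue;
        }
    }

    // Returns gaps for fields of objectApiName that are classified Restricted or
    // MissionCritical. A sensitive field with no compliance category, no owner, or a
    // deprecation status is a sign the classification step was not finished.
    public static List<Finding> run(String objectApiName) {
        List<Finding> findings = new List<Finding>();
        for (FieldDefinition fd : [
            SELECT QualifiedApiName, SecurityClassification, ComplianceGroup,
                   BusinessOwnerId, BusinessStatus
            FROM FieldDefinition
            WHERE EntityDefinition.QualifiedApiName = :objectApiName
        ]) {
            Boolean sensitive = fd.SecurityClassification == 'Restricted'
                || fd.SecurityClassification == 'MissionCritical';
            if (!sensitive) {
                continue;
            }
            if (String.isBlank(fd.ComplianceGroup)) {
                findings.add(new Finding(fd.QualifiedApiName, 'no Compliance Categorization'));
            }
            if (fd.BusinessOwnerId == null) {
                findings.add(new Finding(fd.QualifiedApiName, 'no Data Owner'));
            }
            if (fd.BusinessStatus == 'DeprecateCandidate' || fd.BusinessStatus == 'Hidden') {
                findings.add(new Finding(fd.QualifiedApiName,
                    'sensitive field has Field Usage ' + fd.BusinessStatus));
            }
        }
        return findings;
    }
}
```

Run it from Execute Anonymous with `for (FieldClassificationAudit.Finding f : FieldClassificationAudit.run('Contact')) { System.debug(f.fieldName + ': ' + f.issue); }`. An empty result for Contact means the Email field (and any other Restricted field) has an owner and a compliance category and is still Active, which is the state the policy below relies on.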

What Is Transaction Security?

Implementing transaction security enables organizations to establish policies that mitigate security threats. Because policies are evaluated synchronously, you can respond to potential risks in real time. Possible responses include blocking access, enforcing multi-factor authentication, or issuing notifications.

Prior to setting up these protocols, it’s crucial to understand the types of events that can be monitored, the criteria for enforcing policies, and typical scenarios where these measures are applicable. For an in-depth understanding, consider exploring Salesforce event monitoring — under the hood.

Transaction security is part of event monitoring. It includes the following features: 

  1. Define transaction security policies using the declarative Condition Builder or Apex.
  2. Design use-case-specific custom security policies to respond to insider threats and stop your data from leaving your organization’s boundaries.
  3. Set up notifications to proactively respond to alerts with custom code.

Difference between Condition Builder and Apex-Based Policies

Condition Builder is a feature in Setup that lets you create policies with clicks, without writing any code. With Condition Builder, you select specific fields from certain event objects to monitor user activity. The actions of your policy depend on how users interact with these fields, which is why they are known as conditions.

This example implements a policy that triggers when someone adds a field whose name contains ‘Email’ to a List View.

However, the choices of conditions in Condition Builder are limited. They are just a part of all the possible fields in event objects and depend on the type of object you’re dealing with. On the other hand, if you make a policy using Apex code, you can use any field from the event objects.

For example, if you want to define a transaction security policy using Data Classification, the only option is to use Apex code.

Define the Transaction Security Policy using Apex

It is now time to solve business use cases #2 and #3. We have already defined the Data Classification for the Contact’s Email field as described above (Define the Data Classification Values).

Before proceeding, you should familiarize yourself with the following objects in Salesforce.

ReportEvent: Tracks when reports are run in your org. You can use ReportEvent in a transaction security policy. ReportEvent is a big object that stores the event data of ReportEventStream.

FieldDefinition: Represents a standard or custom field, providing row-based access to field metadata. Contrast FieldDefinition with EntityParticle, which represents each element of a field that can be presented in a user interface. FieldDefinition has parity with the metadata type Field.

Follow the steps below to create an Apex class and a Transaction Security policy to address the given business use case.

Step 1: Create an Apex Class that Implements the TxnSecurity.EventCondition Interface

  1. Create an Apex class, ReportSecurityEvaluator, that evaluates whether a report exposes sensitive data. It implements the TxnSecurity.EventCondition interface, which is part of Salesforce’s transaction security framework. The class decides, from the Data Classification of the queried fields, whether a report accesses Restricted data.
    
    
    global class ReportSecurityEvaluator implements TxnSecurity.EventCondition {

        // Transaction Security calls evaluate() synchronously for every ReportEvent.
        // Returning true triggers the policy action (Block plus the configured notifications).
        public boolean evaluate(SObject event) {
            switch on event {
                when ReportEvent reportEvent {
                    // Only reports that query Contact are of interest here.
                    if (reportEvent.QueriedEntities != null
                        && reportEvent.QueriedEntities.contains('Contact')) {
                        return hasRestrictedColumn(reportEvent.ColumnHeaders);
                    }
                    return false;
                }
                when null {
                    return false;
                }
                when else {
                    return false;
                }
            }
        }

        // True if any report column maps to a Contact field whose
        // Data Sensitivity Level is Restricted.
        private boolean hasRestrictedColumn(String columnHeaders) {
            Map<String, String> fieldToSecurityLevel = getFieldSecurityMap();
            for (String columnName : parseColumnHeaders(columnHeaders)) {
                String securityLevel = fieldToSecurityLevel.get(columnName);
                if ('Restricted'.equalsIgnoreCase(securityLevel)) {
                    return true;
                }
            }
            return false;
        }

        // Map of Contact field API name (lower-cased) to its SecurityClassification.
        // Keys are lower-cased so that lookups do not depend on the casing of the
        // column header, which matters for custom fields such as Phone_Number__c.
        private Map<String, String> getFieldSecurityMap() {
            Map<String, String> securityMap = new Map<String, String>();
            for (FieldDefinition fieldDefinition : [
                SELECT SecurityClassification, QualifiedApiName
                FROM FieldDefinition
                WHERE EntityDefinition.QualifiedApiName = 'Contact']) {
                if (fieldDefinition.SecurityClassification != null) {
                    securityMap.put(fieldDefinition.QualifiedApiName.toLowerCase(),
                                    fieldDefinition.SecurityClassification);
                }
            }
            return securityMap;
        }

        // ColumnHeaders is a bracketed, comma-separated list such as
        // "[Contact.Name, Contact.Email]". Strip the brackets and the "Object."
        // prefix and lower-case each name so it matches the map keys above.
        private List<String> parseColumnHeaders(String columnHeadersCSV) {
            List<String> columnNames = new List<String>();
            if (String.isBlank(columnHeadersCSV)) {
                return columnNames;
            }
            try {
                Integer closingBracketIndex = columnHeadersCSV.indexOf(']');
                if (closingBracketIndex != -1) {
                    columnHeadersCSV = columnHeadersCSV.substring(0, closingBracketIndex + 1);
                }
                String cleanHeaders = columnHeadersCSV.trim().replaceAll('\\[|\\]', '');
                for (String header : cleanHeaders.split(',\\s?')) {
                    Integer lastDotIndex = header.lastIndexOf('.');
                    String columnName = lastDotIndex != -1 ? header.substring(lastDotIndex + 1) : header;
                    columnNames.add(columnName.trim().toLowerCase());
                }
            } catch (Exception e) {
                // Unparseable headers yield no columns, so the report is not blocked.
                return new List<String>();
            }
            return columnNames;
        }
    }
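A policy class that blocks reports deserves a unit test before it is enabled, both to confirm that a Contact report containing Email is matched and that unrelated reports are not. The test class below is an added example, not part of the article; it builds ReportEvent records in memory (nothing is inserted or published) and calls evaluate() directly. It assumes, as Salesforce’s own policy-testing examples do, that event fields such as QueriedEntities and ColumnHeaders can be assigned on an in-memory ReportEvent, and it assumes the org state the article sets up: Contact.Email classified Restricted, and Contact.Name and Contact.Title not Restricted. Because evaluate() queries the org’s real FieldDefinition records, the assertions reflect the org’s actual classification.

```apex
// Added example (not from the article): unit tests for ReportSecurityEvaluator.
// Assumes Contact.Email is classified Restricted and Name/Title are not.
@isTest
private class ReportSecurityEvaluatorTest {

    // Builds a ReportEvent in memory; it is never inserted, so no event fires.
    private static ReportEvent buildEvent(String entities, String headers) {
        ReportEvent evt = new ReportEvent();
        evt.QueriedEntities = entities;
        evt.ColumnHeaders = headers;
        return evt;
    }

    @isTest
    static void blocksContactReportWithRestrictedEmail() {
        ReportEvent evt = buildEvent('Contact', '[Contact.Name, Contact.Email]');
        System.assertEquals(true, new ReportSecurityEvaluator().evaluate(evt),
            'A Contact report exposing the Restricted Email field should match the policy');
    }

    @isTest
    static void matchesRegardlessOfHeaderCase() {
        // Header casing should not let a Restricted field slip through.
        ReportEvent evt = buildEvent('Contact', '[contact.EMAIL]');
        System.assertEquals(true, new ReportSecurityEvaluator().evaluate(evt),
            'Column matching should be case-insensitive');
    }

    @isTest
    static void allowsContactReportWithoutRestrictedColumns() {
        ReportEvent evt = buildEvent('Contact', '[Contact.Name, Contact.Title]');
        System.assertEquals(false, new ReportSecurityEvaluator().evaluate(evt),
            'A Contact report with no Restricted columns should not be blocked');
    }

    @isTest
    static void ignoresReportsOnOtherEntities() {
        ReportEvent evt = buildEvent('Account', '[Account.Name]');
        System.assertEquals(false, new ReportSecurityEvaluator().evaluate(evt),
            'Only reports that query Contact are evaluated');
    }

    @isTest
    static void toleratesMissingHeaders() {
        ReportEvent evt = buildEvent('Contact', null);
        System.assertEquals(false, new ReportSecurityEvaluator().evaluate(evt),
            'Missing column headers should not throw or block');
    }

    @isTest
    static void ignoresNullEvent() {
        System.assertEquals(false, new ReportSecurityEvaluator().evaluate(null),
            'A null event should be ignored');
    }
}
```

The case-insensitivity test only passes with the lower-cased lookup shown in the class above; it is the check to keep if you later add custom Contact fields to the Restricted set, since their API names (for example Phone_Number__c) do not survive a naive capitalize().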

Step 2: Create an Enhanced Transaction Security Policy That Uses Apex

  1. Click Setup.
  2. In the Quick Find box, type Transaction Security.
  3. Select Transaction Security Policies, then click New.
  4. Select Apex, then click Next.
  5. Enter the following details:
    1. Event: ReportEvent
    2. Apex Class: ReportSecurityEvaluator
  6. Click Next.
  7. Select the action that the policy performs when triggered.
    1. Action: Block
    2. Block Message: Default Block message
    3. Notification:
      1. Email notification
      2. In-App notification
    4. Recipient: Rakesh Gupta
    5. Email Notification Content: Default Email Content
    6. Name: Someone tried to download a report with restricted fields.
    7. Status: Enabled    
  8. Click Finish.

Proof of Concept

From now on, if a user tries to add a contact email to any report, they will receive the error message as shown below:

At the same time, the recipient, Rakesh Gupta in this case, will receive an email notification.

Demo

Formative Assessment:

I want to hear from you!

What is one thing you learned from this post? How do you envision applying this new knowledge in the real world? Feel free to share in the comments below.

Have feedback, suggestions for posts, or need more information about Salesforce online training offered by me? Say hello, and leave a message!
