Niall Brownlee
Hello

Does anyone have experience of masking sensitive data in a sandbox?

Our organisation holds lots of sensitive data, specifically in the Account/Contact objects. We also use multiple sandboxes for development, and as a security step, would like to mask (de-sensitise) selected fields once we have refreshed our sandboxes from production. This refresh task would likely take place at regular intervals.

On doing a few web searches, I can't find as much info on this type of work as I would have expected. The only two solutions I can see at the moment are:
  1. Informatica Cloud data masking
  2. Dataloader
I wonder if the options seem to be few and far between simply because the two above are so good?  Or are there other data masking tools which are out there I have missed?

Any advice/guidance greatly appreciated, thanks.
Best Answer chosen by Niall Brownlee
Evan Decker
Hi Niall, I think you're on the right track with the two solutions mentioned above. Using the dataloader, you can mass update the records to remove any sensitive data. This is a manual process though, and it will need to be done each time the sandboxes are refreshed.
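One way to script the Data Loader approach from the answer above, as an added example (not code from this thread or from Salesforce): mask a Contact export and write an update file keyed on `Id`. The field selection, the key handling and the sample rows are assumptions; the sample data is constructed.

```python
import csv
import hashlib
import hmac
import io

# Assumed field selection; adjust to the fields your org treats as sensitive.
MASKED_FIELDS = ("FirstName", "LastName", "Email", "Phone")


def mask_value(key: bytes, field: str, value: str) -> str:
    """Replace a value with a keyed, deterministic, non-reversible token."""
    if not value.strip():
        return value  # keep blanks blank so empty fields stay empty
    msg = f"{field}:{value.strip().lower()}".encode()
    tok = hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]
    if field == "Email":
        # .invalid is a reserved TLD, so sandbox mail cannot be delivered
        return f"user-{tok}@example.invalid"
    if field == "Phone":
        # 555-0100 to 555-0199 are reserved for fictional use
        return f"555-01{int(tok, 16) % 100:02d}"
    return f"{field}-{tok}"


def mask_export(csv_text: str, key: bytes) -> str:
    """Return an update CSV; Id is untouched so the update matches records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if "Id" not in (reader.fieldnames or []):
        raise ValueError("export must include the Id column")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for field in MASKED_FIELDS:
            if field in row:
                row[field] = mask_value(key, field, row[field] or "")
        writer.writerow(row)
    return out.getvalue()


# Constructed sample export (not real data).
SAMPLE = (
    "Id,FirstName,LastName,Email,Phone\n"
    "003000000000001AAA,Ann,Lee,ann.lee@corp.test,+1 202 555 0143\n"
    "003000000000002AAA,Bob,Ray,,\n"
)

if __name__ == "__main__":
    print(mask_export(SAMPLE, key=b"per-refresh-secret"))
```

Because the token is keyed, the same source value maps to the same masked value within one refresh, and using a fresh key for each refresh prevents masked values from being correlated across sandboxes.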
Olivia Cannon
One of my colleagues accidentally set the wrong IP address in the Login IP Range on the System Administrator Profile and now none of the System Administrators can log into the org.

We've opened a case with Salesforce in the hope that they can help, but I thought I'd see if anyone else has made a similar mistake before and, if so, has any suggestions on how to handle it?

Any advice would be very welcome!

Thanks,

Olivia
Best Answer chosen by Olivia Cannon
Naval Sharma
Hi Olivia,

There is no other way except that the Salesforce support team needs to jump in here.

Thanks,
Naval
Brandon Holmes
Hello All-

I understand that Identity Verification when enabled requires Salesforce users to verify their identity via Text or Email when logging in from an unrecognized browser or device.

I'm wondering if it is possible to require a user to verify their identity every time they login, regardless of whether they have previously logged in from a particular device or browser before? 

All the documentation I've been able to find has only referenced verification from unrecognized browsers, etc.

Thanks in advance!
Best Answer chosen by Brandon Holmes
Kruse Collins

Brandon,

What you can do as an admin is create a permission set, and then under system permissions, choose the appropriate 2-Factor authentication preferences you want. This trailhead (https://trailhead.salesforce.com/en/modules/identity_login/units/identity_login_2fa) walked me through it really well.

I do know that even though you can select on the Salesforce Authenticator app, "Always Verify from here" (which should ideally mean no more 2-factor authentication from that certain location), it still always asks me to verify from locations where I've selected that option. So that might do exactly what you're looking for here in requiring that users authenticate even if it is a required browser.

I hope that answers your question!

-T. Kruse Collins

Daniel Soares
Hello! I've been searching about the API Enabled checkbox that you can check for Profiles. I found many explanations about how to enable it and which editions have it available by default, but I'm still having trouble understanding what this checkbox really does. So what does API Enabled really enable when checked? What can a user do when this is checked that they wouldn't be able to do without it?
Best Answer chosen by Daniel Soares
Akhil Anil
Hi Daniel,

It just means that a user profile with API enabled access can make API requests to your Salesforce org. If this permission is not enabled then they won't be able to make API requests to your instance. When I say API request it basically means accessing the data in your org through a backend mechanism.

If this permission is not enabled then these users won't be able to hit or fetch your data through any of the backend mechanisms. They can still login through the standard interface.

I hope that answers your question!
Best Answer chosen by John Schneider
John Schneider
So now that I have said that I realized if I exit the Chrome Desktop my problem is resolved.  If Chrome continues to run in the background, it holds the session open.
Deb Weller
Has anyone else tackled sharing and access for accounts and contacts that require Enhanced Handling or Special Practices (typically US Fed)? These require that only US Citizens on US soil access the accounts/contacts and identifying information like name, email, IP, log data, etc. I have seen other large enterprises use completely separate SF orgs for these customers, but our org is not that large. I am trying to figure out the best way to limit who can see specific accounts/contacts and cases for them. It's a very small group of accounts, so I am trying to keep maintenance to a minimum.

If anyone has details on what has worked well/not worked, or creative solutions, I'm all ears!  
Best Answer chosen by Deb Weller
Bhavna Banodha
Hi Deb,

You can achieve that via Sharing Settings/OWD, Roles and Profiles.
You can create a Group with all US Users.
1. To share the records - You can make OWD for your Org Private and, with Sharing Rules, share the data between the group members.
2. In case records need to be shared with everyone and only certain fields need to be hidden - With Field Level Security at Profile level you can hide certain fields, and Users of that profile will not be able to see those fields' data in records.

Hope it helps!!
Thanks and Regards,
Bhavna Banodha
Erik Peterson
Hello all,

I have allowed "edit" on the email opt out check box at the profile level. I also created a permission set to allow edit of this checkbox. I have a small subset of support desk and call center users that need access to this, so the permission set would be better. Currently neither of these changes is allowing them to do so. The check box is still locked.
Any assistance would be helpful.
Thank you.
Best Answer chosen by Erik Peterson
Arpit Jain
Have you checked whether this field, Email Opt Out (HasOptedOutOfEmail), is Read-only on the page layout assigned to the support desk or call center users?
Maximilian Behn
Hello, 

I have been researching this topic quite a while now but could not get a definite answer.

The situation is as follows:
We have two kinds of Opportunities currently distinguished by record types.
One Type of Opp is only for B2C Opps and the other is for B2B Opps.

The employees handling the B2C Opps should not have any access to the B2B Opps and vice versa. 

I know that record types are basically only used as "themes" and can not be used to restrict access but how would it be possible in this scenario to limit the access as described above? 

Thanks for the help.

 
Best Answer chosen by Maximilian Behn
Sunil Sarilla
Hi Maximilian,
You are right, record types do not control data access.
Since you want to restrict the data based on the record types, you will have to do the below:
First, make the OWD for Opportunities Private.
Secondly, you will need to look into the role hierarchy (the users higher in the role hierarchy will always have access to Opportunities that are owned by their subordinates).
Finally, in order to share the Opportunities within the teams, you will need to create criteria-based sharing rules based on the record type.
Marie-Sophie Lego
Hi, my colleague receives a message to prove her identity with a code being sent to her in a separate mail every time (!!!) she logs into SF... No one else in our department has to verify like she does.
Could anyone help or has an idea how to fix? Any suggestions would be great :)
Best Answer chosen by Marie-Sophie Lego
Amit Singh
Hello Marie,

Please ask your colleague to add his/her IP into Network Access using following steps.

Setup -> Security Controls -> Network Access -> Trusted IP Ranges and Add his/her IP.

Also refer to the articles below:
Set Trusted IP Ranges for Your Organization (https://help.salesforce.com/articleView?id=security_networkaccess.htm&language=en_US&type=0)
https://help.salesforce.com/articleView?id=users_profiles_epui_login_ip_ranges_edit.htm&language=en_US&type=0
Identity Verification Code prompt appears on every login attempt (https://help.salesforce.com/articleView?id=000232553&type=1)
Jerzy Sobon
Hi everyone:

I would like to know under what security context Process Builder runs. Is it possible for a user to create/edit a record that launches Process Builder that updates another record they don't have the right to update? If it is possible, what happens? Does the user get an error, does the sys admin, or is nobody notified?

In other words, is it possible for a user to launch a Process Builder process that updates some data they don't have the right to update?

Thanks a lot!
Jerzy
 
Best Answer chosen by Jerzy Sobon
Mayank Srivastava
Jerzy, Process Builder runs in the system mode, so the object and field level permissions will both be ignored for the user who triggers the Process.
However, if a Process is launching a Flow (which runs in system mode), the whole automation will run in the system mode.
Hope that makes sense.