Ask Search:
Sandeep SandurSandeep Sandur 

How can we restrict a user from exporting the data from Salesforce instance.

Hi,

How can we restrict a user from exporting the data from salesforce instance like exporting accounts, contacts and other objects using data loader, export all data from data management and scheduling the job to export data.

The user is not a system administrator.

Regards,
Sandeep
Matthew LambMatthew Lamb
There's an Export profile permission, you can remove that permission from their profile.
Sandeep SandurSandeep Sandur
 Hi Mathew,

Are you referring to "Export Reports"? If it is Export Reports then we have already disabled it but we don't want user to export data from Data loader and Data Export in Data management.

Regards,
Sandeep
Matthew LambMatthew Lamb
Those are admin level features. What profile type is the user in question? Have you confirmed that this user is able to do the things you listed? Non-admin profiles should already be restricted from doing these things.
Sandeep SandurSandeep Sandur
 Hi Mathew,

The user is a Standard platform user and he is not able to view "Data Export" but can login to Apex data loader and export data.

Regards,
Sandeep
Sandeep SandurSandeep Sandur
 Hi Mathew,

The user is a Standard platform user and he is not able to view "Data Export" but can login to Apex data loader and export data.

Regards,
Sandeep
Matthew LambMatthew Lamb
Hm. Platform users by default have API access. Given that the Data Loader is an API tool, I'm not sure if you can restrict this or not. I tweeted a link to this thread, I bet someone else knows.
Sandeep SandurSandeep Sandur
 Thanks Mathew.

Lets see if others can help us.

Regards,
Sandeep
Matthew LambMatthew Lamb
Can you give some more background? What's the platform user doing with that license (which gives them a lot of access to the system) that you don't want them exporting data? Is there a possiblity to give them another license?
Sandeep SandurSandeep Sandur
 Hi Mathew,

The user is using the recruiting application who will be having permissions to edit, delete and modify records like contacts and accounts. We want to disable permissions to export data from the application assigning him the same platform license.

Sandeep
Matthew LambMatthew Lamb
If this user is just performing standard data manipulations through the interface, why do they have a platform license? Why not grant them a CRM license instead?
Sandeep SandurSandeep Sandur
 Hi Mathew,

The user is accessing the recruiting application which has lot of custom objects like job, job applicant, interview and placement. We want him to use the platform license. Please suggest.

Sandeep
Matthew LambMatthew Lamb
I've asked around to many others in the community, and confirmed there is no way to restrict Data Loader access if the user has API access enabled.

In your last clarificaiton, you mention they are working with custom objects. A standard CRM license allows users to access custom objects. If you want to achieve this, you need to give the user something other than a platform license.

Are there specific reasons to give them a platform license, features that a CRM license doesn't give them? Access to custom objects is available in both.
Matthew LambMatthew Lamb
If anyone else finds this page, I've created an idea to provide a specific permission to allow / prevent data loader access. Would appreciate your votes and comments here:

https://sites.secure.force.com/success/ideaView?id=08730000000jlwXAAQ
Ivo BernsIvo Berns
Hi,

A few moments ago I found out that a normal user without any export rights has the availabilitty to export data with the dataloader. Now I don't think that any user is aware of this tool, but in the future they might be.
To grant users acces to export reports is useless anymore if they can export the total database with the dataloader. This is really dangerous! Salesforce does everything for security, but a standard user can export the total database.

I found the API-button. But if I turn it off, what other problems might occur? We have Professional edition and I am not really into API, otherwise than using the dataloader.

Regards, Ivo




Jun LiuJun Liu
One possible solution now would be Transaction Security Policies

https://help.salesforce.com/apex/HTViewHelpDoc?id=security_transactions_about.htm&language=en_US

You can implement a custom transaction security policie to stop user to export any records.

 
Irina ClingtonIrina Clington
The Transaction Security Policies would be the right man for the job. In my case it does not work because I want to be notified if over X rows are exported but the Transaction Security Policies does not work on custom reports, only on the standard ones. 
Hope this idea can get enough votes
https://success.salesforce.com/ideaView?id=0873A000000E57HQAS
Pragadeesh Ravichandran KamalaveniPragadeesh Ravichandran Kamalaveni
@Irina and Jun, My client need the same security policy on their lead object.

I did a little bit of analysis on Transaction Security Policies and here are my findings.
Primarily, we need to enable Event Monitoring before we try to explore about Transaction Security Policy!
Secondarily, we cannot specify this policy for a particular Profile / Role / User.

Correct me If I am wrong and suggest me is there a way to restrict data export either using Data Loader or Data Export native feature of Salesforce. I would really appreciate the response.

Thank you!
Prag
 
Irina ClingtonIrina Clington
Hi Pragadeesh,
"Requires purchasing Salesforce Shield or Salesforce Shield Event Monitoring add-on subscriptions."
I guess this is what you mean. Regarding your second question, we do restrict it  by user in code. In the class that implements TxnSecurity.PolicyCondition.
So answering your question I do not know any native feature.
Truly sorry
Kind regards
Lewis HowelLewis Howel
Hi all,

I'm just picking up this thread as I have been asked the same question by some management.

The reason being, they don't want sales staff to be able to export a list of all accounts, contacts, opportunities and our custom projects. I.e. if they knew they were leaving in a month, they would start donwloading them data potentially.

I am going to look further into how best to avoid this, and monitor it based on some of the suggestions above, but in the UK, I'm sure we can use our standard contract to legally stop them doing such a thing, and if we can monitor and prove they have done it, then that should cover most potential issues.

I have stopped all users bar admin being able to delete and records / data.

Worth noting, our sales staff need to be able to view and clone opps from other sales staff due to the nature of our industry.

Good luck all