Essential Guide for Salesforce Transaction Security Policies

Share This Post

Check out our quick guide to understand what Salesforce Transactions Security Policies are and how can we create one. 

What is a Transaction Security on Salesforce?

Transaction Security on salesforce is a framework that allows you to monitor and subscribe to user activity, intercept in real-time and take an action based on certain events.

It’s easy to set up with a few clicks via condition builder, or with custom apex code for more complex scenarios.

When creating a transaction security policy, you first pick a transaction or event to watch for and then you choose actions that are triggered when the event occurs.

For example, a common security risk case happens when users are allowed to export large volumes of data via reports (exporting a report as in excel sheet to their desktop for example), and this data can no longer be protected by salesforce.

To prevent that from happening, a transaction security policy can be easily set up on the report event to prevent users from exporting reports that has x or more rows, or simply set it up so that you are notified when such event occurs.


Transaction Security Policies are Available in the following editions:

● Enterprise
● Unlimited
● Developer

Type of available events for Transaction security policies

API events monitor API transactions, such as SOQL queries and data exports. More info.

API anomaly event policies monitor anomalies in how users make API calls. More info.

Bulk API Result Event policies detect when a user downloads the results of a Bulk API request. More info.

Credential stuffing event policies monitor when a user successfully logs into Salesforce during an identified credential stuffing attack. Credential stuffing refers to large-scale automated login requests using stolen user credentials. More info.

List View event policies monitor when data is viewed or downloaded from your list views using Salesforce Classic, Lightning Experience, or the API. More info.

Login event policies track login activity and enforce your org’s login requirements. More info.

Permission set event policies monitor when users are assigned critical permissions in a permission set. More info.

Report event policies monitor when data is viewed or downloaded from your reports. More info.

Report anomaly event policies monitor anomalies in how users run or export reports. More info.

Session hijacking event policies monitor when unauthorized users gain ownership of a Salesforce user’s session with a stolen session identifier. More info.

Main difference between condition builder and apex-based policies

Condition Builder is a Setup feature that allows you to build policies with clicks, not code.

When you build your policy using Condition Builder, you choose which fields on these objects you want to monitor for customer activity. Because your policy’s actions are conditional to the fields that users interact with, these fields are called conditions.

However, the conditions available in Condition Builder are a subset of all the event objects fields and vary based on the objects, while if you create a policy based on apex code, you can use any of the event object’s fields.

For example:

Records isn’t available as a Condition Builder condition for the ReportEvent event object however, you can use the ReportEvent.Records field in an Apex class that implements the TxnSecurity.EventCondition interface.

Now, let’s create our first transaction security Policy!


The CEO of a company asked the administrator of their salesforce org to implement a security measure that would prevent large data exports, and he would also like to be notified whenever such action takes place.


The salesforce administrator decides to setup a Transaction security policy of type “Report Event” that would block any users from exporting reports that has 100 or more rows and would notify the relative salesforce user about this breach.

Let's go!

We’re all set ! let’s see our new Transaction security policy in action

Now, whenever a user tries to export a report that meets the conditions, three things will happen:

1- The action will be blocked, and the user will be redirected to a page with the custom message we set:

2- the user we set as recipient will receive an in-app notification in salesforce:

3- they will also receive an email notifying them about the breach:

That is all for now, thank you for your time and we hope you learned some new cool tricks on Salesforce platform. Stay tune! we will expand our Salesforce Transactions Policy guide with different scenarios in future articles.

Need help?

In Nubessom we have more than 10 years helping companies around the world achieve their Salesforce, CRM and business automation needs. 

We are your trusted Salesforce consulting partner, please reach us by clicking here or in our contact form below. 

About the Author
Alex Raheb, Salesforce Developer @ Nubessom

Alex Raheb, Salesforce Developer @ Nubessom

Alex is one of the key members at Nubessom, he has passion to learn new features and mentoring his peer colleagues, and enjoys helping clients to automate everything CRM related!

Let´s talk about your challenge!

    In order to provide you the content requested, we need to store and process your personal data. If you consent to us storing your personal data for this purpose, please tick the checkbox below.

    You can unsubscribe from these communications at any time. For more information on how to unsubscribe, our privacy practices, and how we are committed to protecting and respecting your privacy, please review our Privacy Policy.

    Need more Inspiration? keep reading Our related content

    Blog Article

    Working with Time data type in Flows

    Discover innovative solutions to manage time data types in Salesforce Flow, including overcoming time zone challenges and the absence of native Time data support. Learn how to employ Apex classes and custom LWC components to ensure accurate time inputs in local time zones, enhancing data precision and user interaction in your Salesforce applications. 
    Read More »
    Blog Article

    Generate Magic Links for your users in Experience Cloud

    A magic link, or one-time login (OTL) or passwordless login link, is a unique, time-sensitive URL sent to a user’s registered email address as a secure means of authentication. Learn how to generate them in Experience Cloud (Community Cloud)
    Read More »