Appendix
This section covers additional details and references for Salesforce Masking.
User Permissions
| Permission name | Enabled | Required | Description |
|---|---|---|---|
| Access Activities | ✅ | Y | Access tasks, events, calendar, and email. |
| API Enabled | ✅ | Y | Access any Salesforce.com API. |
| Author Apex | ✅ | Y | Create Apex classes and triggers. |
| Bulk API Hard Delete | ✅ | N | Delete records in the Bulk API without storing them in the Recycle Bin. |
| Chatter Internal User | ✅ | N | Use all Chatter features. |
| Customize Application | ✅ | Y | Customize the organization using App Setup menu options. |
| Edit Tasks | ✅ | Y | Create, edit, and delete tasks. |
| Lightning Experience User | ✅ | | Access Lightning Experience and switch between Lightning Experience and Salesforce Classic. |
| Manage External Client App (ECA) | ✅ | | Manage, create, edit, and delete external client applications. |
| Manage Custom Permissions | ✅ | N | Create, edit and delete custom permissions |
| Manage Data Integrations | ✅ | N | Monitor or abort Bulk API jobs. |
| Manage Users | ✅ | Y | Create, edit, and deactivate users, and manage security settings, including profiles and roles. |
| Modify All Data | ✅ | Y | Create, edit, and delete all organization data, regardless of sharing settings. |
| Modify Metadata Through Metadata API Functions | ✅ | Y | Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata executes in system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex executes in system context. |
| Update Records with Inactive Owners | ✅ | Y | Update owner and sharing-based fields on records with inactive owners. |
| View All Data | ✅ | Y | View all organizational data, regardless of sharing settings. |
| View Concealed Field Data | ✅ | Y | View field data, such as sensitive or personally identifiable information, that is concealed from other users. |
| View Encrypted Data | ✅ | Y | View the value of encrypted fields in plain text. |
| View Setup and Configuration | ✅ | N | View the App Setup and Administrative Settings pages. |
| View All Users | ✅ | Y | View all users, regardless of sharing settings |
| View All Profiles | ✅ | Y | View all user profiles, regardless of profile sharing setting. |
| Manage Profiles and Permission Sets | ✅ | N | Create, edit and delete profiles and permission sets. |
| Manage Roles | ✅ | N | Create, edit and delete roles |
| Reset User Passwords and Unlock Users | ✅ | N | Unlock users whose accounts are locked, and reset user passwords. |
| Manage IP Addresses | ✅ | N | Create, edit, and delete trusted IP ranges |
| Manage Internal Users | ✅ | N | Manage Internal Users |
| Assign Permission Sets | ✅ | N | Assign permission sets to users. |
Driver Settings
For a complete list of connection string options supported by the CData JDBC Driver, see the driver documentation at Connection string options.
Callback URL
A callback URL is key when working with OAuth-based authentication between Delphix Continuous Compliance and Salesforce. The callback URL is a destination within your organization that is reachable from Salesforce. Salesforce uses this URL to return the refresh token and access token when OAuth is used.
Delphix Continuous Compliance uses headless delegated OAuth, which means that the OAuth tokens are created on a separate server, saved into an encrypted file, and uploaded to Delphix Continuous Compliance. Then, via the JDBC URL configured in the Delphix connector, the Delphix CC engine is instructed to use the tokens from the uploaded OAuth file to authenticate itself to Salesforce.
To create this encrypted OAuth file, use the Salesforce JDBC Driver. The driver can be run on any server or machine that can access Salesforce. The driver initiates an OAuth connection and then listens at http://localhost:33333. If the ECA (External Client App) is configured with this callback URL, Salesforce returns the tokens to this URL and the driver saves them as an encrypted file on the local file system.
For organizations whose servers or devices sit behind a firewall and/or proxy, this callback URL may not work. In such cases, work with the internal team(s) that can provide a server reachable from Salesforce, so that the headless OAuth flow can complete and the tokens for authentication and authorization can be received.
Governor Limits
Salesforce defines its guidelines for bulk data reads and writes through the Bulk APIs in the form of Governor Limits. To learn more, refer to the Salesforce documentation on Governor Limits.
Delphix Rehearsal Tool (dxrt)
When masking data in Salesforce tables, it is recommended to keep the metadata packages on these tables in a disabled state so that masking can run without any interference.
The Delphix Rehearsal Tool (dxrt) can disable Salesforce components such as triggers, workflows, process builders, etc., prior to masking the sandbox. After the data has been masked, the Rehearsal Tool can restore the sandbox's components to their original state using its enable feature.
The Rehearsal Tool also provides a quick and effective way to test (rehearse) the metadata package deployment process and identify any issues before starting the data masking process.
To learn more, refer to the Rehearsal Tool (dxrt) documentation.
Identify Read-Only fields
Most often, read-only fields do not contain sensitive information that requires masking. However, there are always exceptions, so you may need to identify and exclude read-only fields. The following are the recommended ways to identify read-only fields for a specific object.
If you are not an admin user, certain fields may look read-only because you do not have permissions on the objects/fields. Appropriate permissions must be given to the masking user to address this issue.
API/SOQL Method
You can query field metadata using SOQL on the FieldDefinition object; fields with IsUpdateable = false are read-only:
```soql
SELECT QualifiedApiName, IsUpdateable
FROM FieldDefinition
WHERE EntityDefinition.QualifiedApiName = 'YourObject'
```
Developer Console
1. Open Developer Console
2. Go to Debug → Open Execute Anonymous Window
3. Run: `System.debug(Schema.SObjectType.YourObject__c.fields.getMap());`
4. Check the debug logs for field properties
Workbench (external tool):
1. Go to workbench.developerforce.com
2. Login and select "utilities" → "Describe"
3. Choose your object
4. Look for fields where "Updateable" is false
Object Manager (for admins/users with access):
1. Go to Setup → Object Manager
2. Select your object
3. Click "Fields & Relationships"
4. Look at the "Read Only" column - fields marked as read-only will show "True"
Identify Compound Fields
Compound fields are not editable in Salesforce. The following is how you can identify compound fields:
- Open Developer Console → Query Editor tab
- Run this SOQL:
```soql
SELECT QualifiedApiName, DataType, Label, IsCompound, ExtraTypeInfo
FROM FieldDefinition
WHERE EntityDefinition.QualifiedApiName = 'YourObject' AND IsCompound = true
```
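The two FieldDefinition queries above (read-only fields via IsUpdateable, compound fields via IsCompound) are usually combined into one pass that decides which fields of an object can actually be masked. The following is an added example, not code from the Delphix documentation or the dxrt tool: it takes rows shaped like FieldDefinition query results and buckets them into maskable, read-only and compound, then explains for a list of fields flagged as sensitive why any of them cannot be masked directly. The rows, the object layout and the custom field `Revenue_Band__c` are constructed sample data; in practice you would fetch the rows with the SOQL shown above and pass them in.

```python
# Added example (not Delphix's or Salesforce's code): classify one object's fields
# using the FieldDefinition attributes returned by the SOQL queries on this page.
from typing import Dict, Iterable, List

# Constructed sample rows shaped like FieldDefinition results for an
# Account-like object. Values are illustrative, not taken from a real org.
SAMPLE_FIELD_ROWS: List[Dict[str, object]] = [
    {"QualifiedApiName": "Id", "Label": "Account ID", "DataType": "Lookup()",
     "IsUpdateable": False, "IsCompound": False},
    {"QualifiedApiName": "Name", "Label": "Account Name", "DataType": "Text(255)",
     "IsUpdateable": True, "IsCompound": False},
    {"QualifiedApiName": "Phone", "Label": "Account Phone", "DataType": "Phone",
     "IsUpdateable": True, "IsCompound": False},
    # Compound address field: not editable itself, but its components are.
    {"QualifiedApiName": "BillingAddress", "Label": "Billing Address", "DataType": "Address",
     "IsUpdateable": False, "IsCompound": True},
    {"QualifiedApiName": "BillingStreet", "Label": "Billing Street", "DataType": "Text Area(255)",
     "IsUpdateable": True, "IsCompound": False},
    {"QualifiedApiName": "CreatedDate", "Label": "Created Date", "DataType": "Date/Time",
     "IsUpdateable": False, "IsCompound": False},
    # Hypothetical custom formula field (constructed name); formulas are read-only.
    {"QualifiedApiName": "Revenue_Band__c", "Label": "Revenue Band", "DataType": "Formula (Text)",
     "IsUpdateable": False, "IsCompound": False},
]

COMPOUND = "compound field (mask its component fields instead)"
READ_ONLY = "read-only (IsUpdateable = false)"
NOT_FOUND = "not found on object"


def classify_fields(rows: Iterable[Dict[str, object]]) -> Dict[str, List[str]]:
    """Bucket field API names into maskable, compound and read_only.

    A compound field is reported as compound even though it is also
    non-updateable, because the remedy differs: mask its component fields
    (BillingStreet, BillingCity, ...) rather than drop the data from scope.
    """
    buckets: Dict[str, List[str]] = {"maskable": [], "compound": [], "read_only": []}
    for row in rows:
        name = str(row["QualifiedApiName"])
        if bool(row.get("IsCompound", False)):
            buckets["compound"].append(name)
        elif not bool(row.get("IsUpdateable", False)):
            buckets["read_only"].append(name)
        else:
            buckets["maskable"].append(name)
    return buckets


def unmaskable_sensitive(rows: Iterable[Dict[str, object]],
                         sensitive_names: Iterable[str]) -> Dict[str, str]:
    """For fields an inventory flagged as sensitive, return the ones that cannot
    be masked directly, mapped to the reason, so they can be excluded or
    remapped to component fields before the masking job runs."""
    rows = list(rows)
    buckets = classify_fields(rows)
    known = {str(r["QualifiedApiName"]) for r in rows}
    reasons: Dict[str, str] = {}
    for name in sensitive_names:
        if name not in known:
            reasons[name] = NOT_FOUND
        elif name in buckets["compound"]:
            reasons[name] = COMPOUND
        elif name in buckets["read_only"]:
            reasons[name] = READ_ONLY
    return reasons


if __name__ == "__main__":
    for bucket, names in classify_fields(SAMPLE_FIELD_ROWS).items():
        print(f"{bucket:9s}: {', '.join(names)}")
    flagged = ["Phone", "BillingAddress", "Revenue_Band__c"]
    for name, why in unmaskable_sensitive(SAMPLE_FIELD_ROWS, flagged).items():
        print(f"skip {name}: {why}")
```

Running the block on the sample rows lists Name, Phone and BillingStreet as maskable, BillingAddress as compound, and Id, CreatedDate and Revenue_Band__c as read-only; the exclusion report for the flagged fields keeps Phone and explains why the other two need attention. Compound fields are reported separately from other read-only fields on purpose: a compound address or name field is excluded from the masking inventory, but the sensitive data still has to be covered by masking its component fields.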