Compliance prerequisites
API enabled in Sandbox
Delphix Salesforce Compliance uses Bulk APIs to transfer large volumes of data while performing masking. Bulk API must be enabled in the Sandbox.
Compliance User Setup
Ensure that your Salesforce compliance user has the required permissions on all objects and fields that are being masked. Guidance on user privileges is given below. It is recommended that the organization’s Salesforce Admin reviews the privileges and creates the user account that has the required permissions.
- Compliance user must be part of the Salesforce License.
- Compliance user must have read, write, and delete data permissions on all objects and columns that are being masked.
- Compliance user must have access to all record types within the objects that are being masked.
- Compliance user must have the following feature level permissions activated to ensure required access to objects/fields and metadata.
  - Marketing User
  - Flow User
  - Service Cloud User
- It is recommended that the Compliance user be part of the Salesforce Administrator profile and additional permissions be given via Permission Set assignments. If Salesforce Administrator profile assignment is not feasible, then the profile and permission set assignments for the Compliance user must be at par with the System Administrator permissions.
Refer to Appendix - user permissions for detailed information on User Permissions.
External Client App (ECA) configuration
Use OAuth authentication with an External Client App (ECA) to authenticate between Delphix Compliance and Salesforce.
| Permission/Config | Value | Note |
|---|---|---|
| Permitted users | All users can self-authorize | Required if the Compliance user is not part of pre-authorized users list allowed with the ECA (External Client App). |
| Permitted users | Admin approved users are pre-authorized | Accepted if the Org admin has configured the Compliance user to work with ECA. |
| IP restriction | Relax IP restrictions | Recommended during masking. |
| IP restriction | Enforce IP restrictions, but relax for refresh tokens | Minimum required for masking. |
| Refresh token policy | Refresh token is valid until revoked | Recommended. If this is not allowed based on your organization policy, set the expiration to a longer duration. |
| Enable OAuth settings | Checked | Required |
| CallBack URL | http://localhost:33333 | The callback URL must be reachable from Salesforce. Refer to Appendix – Callback URL for more details. |
| Select OAuth scopes | Manage user data via APIs (api) | Recommended for quick configuration. A narrower set of scopes can be configured based on the data being masked. Please work with your Org admin to identify the permissions that can be attributed to this App. |
| Select OAuth scopes | Perform requests at any time (refresh_token, offline_access) | |
| Select OAuth scopes | Access the Salesforce API Platform (sfap_api) | |
Compliance Engine Setup
- Installing the Salesforce Driver
  - Download the Driver and License
    Navigate to this directory on the Delphix Downloads site. From the OEM directory, download:
    - The latest .zip file (Salesforce JDBC Driver).
    - The corresponding .bin file (CDATA License).
- Creating Salesforce connector
When creating a Salesforce connector in the Delphix Compliance engine, following best practices helps ensure optimal performance. Below are the key recommendations:
| Parameter | Value | Required | Note |
|---|---|---|---|
| Logfile | /var/delphix/masking/logs/AppLogs/<filename>.log | Y | Logfiles are required when troubleshooting issues. This path is recommended as it gets automatically bundled with Delphix support bundle. |
| UseBulkAPI | True | Y | Determines whether Bulk API is used. |
| AuthScheme | Basic / OAuth | Y | By default this will be set to OAuth. If using username/password authentication, this must be set to Basic |
| WaitForBulkResults | True | Y | Ensures that the engine waits for SF to complete processing the batches. |
| BulkAPIConcurrencyMode | Parallel | Y | Required for concurrent operations. |
| UseSandbox | Y | Y | Required when connecting to sandboxes. |
| BulkPollingInterval | 30000 | N | Recommended to reduce job failures. |
| BulkQueryTimeout | custom | N | Set to higher values (in minutes) if masking large tables to reduce timeout failures. |
| initiateOAuth | REFRESH | Y | When running masking jobs. |
| initiateOAuth | GETANDREFRESH | Y | When creating the OAuth file for initial OAuth authentication. |
| OAuthClientId | custom | Y | Required if using OAuth |
| OAuthSettingsLocation | /path/to/OAuthSettings-file | Y | Required if using OAuth |
| UserName | custom | Y | Required if using username/password auth. |
| Password | custom | Y | Required if using username/password auth. |
| SecurityToken | custom | Y | Required if using username/password auth. |
| Timeout | custom | N | Set to higher values. For example, set to 240 (4 hours) if masking large tables. |
| Other=BatchSize=custom | custom | N | In very specific cases if setting the batch size at the connector level is absolutely required. |
| SSLServerCert | * | Y | |
Sample JDBC URL – OAuth
jdbc:salesforce:UseSandbox=true;UseBulkAPI=true;BulkAPIConcurrencyMode=Parallel;InitiateOAuth=REFRESH;OAuthClientId=<client-id>;OAuthSettingsLocation=/path/to/OAuthSettings.txt;SSLServerCert=*;Logfile=/var/delphix/masking/logs/AppLogs/<logfilename>.log;
Sample JDBC URL – Basic
jdbc:salesforce:AuthScheme=Basic;UseSandbox=true;UseBulkAPI=true;BulkAPIConcurrencyMode=Parallel;SSLServerCert=*;Logfile=/var/delphix/masking/logs/AppLogs/<logfilename>.log;
For a full list of JDBC URL parameters, refer to Appendix - driver settings.
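A pre-flight check of a connector URL against the parameter table above, as an added example that is not Delphix or CData code. The function names and the sample URL are constructed for illustration; the `note` on `SSLServerCert=*` reflects that `*` is the driver's accept-any-certificate value, so the TLS server certificate is not verified.

```python
import re

# Values the connector table on this page marks as required.
REQUIRED = {"usebulkapi": "true", "waitforbulkresults": "true",
            "bulkapiconcurrencymode": "parallel", "usesandbox": "true"}
LOG_DIR = "/var/delphix/masking/logs/AppLogs/"
# Constructed sample: Basic-auth URL with made-up credentials.
SAMPLE = ("jdbc:salesforce:AuthScheme=Basic;UseSandbox=true;UseBulkAPI=true;"
          "UserName=mask@example.com;Password=example-pw;SSLServerCert=*;")

def parse_url(url):
    """Split a jdbc:salesforce: URL into a dict with lower-cased keys."""
    prefix = "jdbc:salesforce:"
    if not url.lower().startswith(prefix):
        raise ValueError("not a jdbc:salesforce: URL")
    pairs = (p.partition("=") for p in url[len(prefix):].split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def check_url(url):
    """Return findings: 'error' deviates from the table, 'note' needs review."""
    p, out = parse_url(url), []
    for key, want in REQUIRED.items():
        if p.get(key, "").lower() != want:
            out.append(f"error: {key} should be {want}, got {p.get(key) or 'unset'}")
    if not p.get("logfile", "").startswith(LOG_DIR):
        out.append(f"error: logfile is not under {LOG_DIR}")
    scheme = p.get("authscheme", "OAuth").lower()  # the page gives OAuth as default
    if scheme == "oauth":
        if p.get("initiateoauth", "").upper() not in ("REFRESH", "GETANDREFRESH"):
            out.append("error: initiateoauth should be REFRESH or GETANDREFRESH")
        needed = ("oauthclientid", "oauthsettingslocation")
    elif scheme == "basic":
        needed = ("username", "password", "securitytoken")
        out.append("note: Basic auth puts credentials in the URL; redact before logging")
    else:
        needed = ()
        out.append(f"error: unexpected authscheme {scheme}")
    out += [f"error: {key} is required for {scheme}" for key in needed if not p.get(key)]
    if p.get("sslservercert") == "*":
        out.append("note: sslservercert=* accepts any server certificate")
    elif not p.get("sslservercert"):
        out.append("error: sslservercert is unset")
    return out

def redact(url):
    """Mask secret values so the URL can be written to logs or tickets."""
    return re.sub(r"(?i)\b(password|securitytoken)=[^;]*", r"\1=***", url)
```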
Creating your Compliance Inventory
Below are a few key things to consider when setting up masking for the most common out of the box objects in Salesforce.
Type: Read Only Fields
Certain columns in Salesforce are Read Only or References to other columns that exist within the same object or related objects. These columns must be excluded from masking.
Names
Salesforce handles “Name” fields differently depending on the object and record type. They often appear as composite fields in the UI and API, and in some cases they are read-only because Salesforce derives them from underlying components.
| Object | Field | Read only? | Workaround |
|---|---|---|---|
| User | Name | Y | Mask FirstName and LastName |
| Account | Name | Editable for Business Accounts | |
| Account | Name | Read Only for Person Accounts | Mask Contact object’s FirstName and LastName instead |
| Contact | Name | Y | Mask FirstName and LastName |
| Lead | Name | Y | Mask FirstName and LastName |
| Opportunity | Name | Editable | |
To broadly identify and exclude read only fields, refer to Appendix - identify read only fields.
Addresses
Salesforce handles addresses as a compound field, meaning an address is stored split across underlying components such as Street / City / State / PostalCode / Country / Latitude / Longitude. The compound itself is read-only in the API (you can’t directly update Address as one JSON object in Bulk API), while you can update the component fields.
If State/Country picklists are enabled, then the masked values must match the ISO codes or picklist values and MUST NOT be free text. You must create and use a masking algorithm that matches the expected picklist values of these fields.
Other Read Only Fields
In addition to the compound fields mentioned above, there are system-derived, formula-style or linkage fields that you cannot update or override via API. A few examples of these fields are:
- Compound Fields
- LoginHistory / LoginGeo related fields.
- Behavioral/Derived values such as LastActivityDate, SystemDates, IsClosed, IsWon etc.
- Any ID fields which are references to records in Salesforce
Refer to Appendix - identify compound fields for how to identify compound fields for a specific object.
Type: Picklists
In the rare event that picklists contain sensitive information, masking picklist values must be done with precision. Picklists can be restricted or unrestricted.
Unrestricted picklists
Unrestricted picklists accept any value even if it’s not in the picklist definition and hence, can be masked using any algorithm that conforms to the data type of the picklist.
Restricted Picklists
When masking restricted picklists, Salesforce will validate the value being saved to the picklist field. If the masked values do not match the picklist’s allowed list of values, Salesforce will reject the request and masking will fail. There are two approaches to follow when masking restricted picklists:
- Choose appropriate algorithm
  This approach involves creating a secure lookup algorithm with the list of accepted values in the picklist, thereby ensuring that the masked value will always be one of the accepted picklist values.
- Disable Picklist Validation during masking
  This approach relies on disabling the picklist field validation during the masking process. Use Delphix Rehearsal Tool or consult your Salesforce admin to disable picklist fields in the org before masking.
Type: Required Fields
Just like relational databases have NOT NULL constraints, Salesforce has a Required constraint that can be applied to fields. The Required constraint mandates that the field be populated with a non-null value. When using certain algorithms, if the input value to an algorithm is Null or Empty, then the masked output will also be empty. This may cause masking to fail due to the required constraint. Proper care must be taken while choosing the algorithm to mask columns that have a required constraint.
Type: Derived or Formula Fields
Certain fields in Salesforce are derived based on the value of other fields. These fields are auto populated by Salesforce through automation and cannot be updated. Fields like 'State Code' are derived from other fields (e.g., 'State') and cannot be masked directly. Masking the source field will mask the derived/formula fields.
Type: Auto-Number Fields
Certain fields in Salesforce are auto-numbered and cannot be updated. Examples include CaseNumber and AssetNumber.
Object: Users
The following categories of users must be excluded from masking using Delphix CC Table filters. Refer to Managing rule sets - edit filter.
Exclude Integration/System Users
1. Automated Process User: used for background processes and cannot be modified.
2. Chatter Expert Users: system generated users created by Salesforce for internal functions.
3. Platform Integration Users: sometimes called the System Users, are an internal, API-only set of users that integrates features across Salesforce.
4. Custom Integration Users: users that are tied to ECAs or managed packages and are subject to app-defined restrictions.
Identifying Users to exclude
Since every Org is unique based on the types of features enabled, the customizations and apps installed, you must work with your Salesforce Org Admin to identify these users and/or profiles and exclude them using appropriate filters.
An easy way to identify such users is to run queries like the ones below:
SELECT * FROM User WHERE Name LIKE '%Integration%'
SELECT * FROM User WHERE Name LIKE '%Automat%'
Excluding users using Filters
To exclude system users or user profiles, you may use the following filter or its variants:
1. Exclude using Profile
ProfileId NOT IN ('profileid#1','profileid#2',...)
2. Exclude using ID
Id NOT IN ('user-id#1','user-id#2',...)
3. Exclude using Profile OR ID
NOT ( ProfileId IN ('profileid#1','profileid#2',...) OR Id IN ('user-id#1','user-id#2',...))
Object: Account
Account object is one of the most masked objects in Salesforce. Based on the features enabled by your Salesforce Org, here are the key things to consider.
Exclude Person Account Columns
If your organisation has person account feature enabled, then certain columns on the Account record are views/references of data that reside on the related contact record. In such cases, these columns must not be masked directly in Account but masked through Contact object masking.
Identifying Person Account Columns
Columns that start with “Person” in their labels or have __pc suffix are person account columns. These must be excluded from being masked in the Account object.
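The field-type rules above (read-only, compound, formula, auto-number, reference, restricted picklist, required) and the person account rule, applied to field metadata to build an inventory; this is an added example, not Delphix code. It assumes field records shaped like Salesforce describe metadata (`updateable`, `calculated`, `autoNumber`, `nillable`, `restrictedPicklist`, `picklistValues`); the sample records and the fields Tier__c, Nickname__pc and CustomerRef__c are constructed.

```python
def classify(obj, f):
    """Return ("exclude", reason) or ("mask", constraints) for one described field."""
    if obj == "Account" and (f["name"].endswith("__pc") or f["label"].startswith("Person")):
        return "exclude", "person account column, mask through Contact"
    if f.get("autoNumber"):
        return "exclude", "auto-number field"
    if f.get("calculated"):
        return "exclude", "derived/formula field, mask its source field"
    if f["type"] in ("id", "reference"):
        return "exclude", "ID reference to a record"
    if f["type"] in ("address", "location") or not f.get("updateable"):
        return "exclude", "compound or read-only field"
    constraints = []
    if f["type"] == "picklist" and f.get("restrictedPicklist"):
        # Assumption: only active values pass restricted-picklist validation.
        allowed = sorted(v["value"] for v in f.get("picklistValues", []) if v.get("active"))
        constraints.append(("lookup-only", allowed))  # masked value must be in this list
    if not f.get("nillable", True):
        constraints.append(("non-empty-output", None))  # required field
    return "mask", constraints

def build_inventory(obj, fields):
    """Split described fields into columns to mask and columns to exclude."""
    inv = {"mask": {}, "exclude": {}}
    for f in fields:
        decision, detail = classify(obj, f)
        inv[decision][f["name"]] = detail
    return inv

# Constructed sample; Tier__c, Nickname__pc and CustomerRef__c are hypothetical fields.
ACCOUNT_FIELDS = [
    {"name": "Phone", "label": "Account Phone", "type": "phone", "updateable": True, "nillable": True},
    {"name": "BillingAddress", "label": "Billing Address", "type": "address", "updateable": False},
    {"name": "BillingCity", "label": "Billing City", "type": "string", "updateable": True, "nillable": True},
    {"name": "OwnerId", "label": "Owner ID", "type": "reference", "updateable": True},
    {"name": "Nickname__pc", "label": "Nickname", "type": "string", "updateable": True},
    {"name": "CustomerRef__c", "label": "Customer Ref", "type": "string", "autoNumber": True},
    {"name": "Tier__c", "label": "Tier", "type": "picklist", "updateable": True, "nillable": False,
     "restrictedPicklist": True,
     "picklistValues": [{"value": "Gold", "active": True}, {"value": "Basic", "active": True},
                        {"value": "Legacy", "active": False}]},
]
```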
Object: Lead
Lead object also has some unique behaviors when masking.
Converted Leads
To mask converted leads, the masking user must enable the View and Edit Converted Leads permissions on their account. For more information, read Salesforce - What happens when I convert leads.
ConvertedDate column for leads is read-only and must be excluded from masking.
Other
The Email field is commonly used as the primary attribute to identify duplicates. You must ensure that the algorithm assigned to the Email field produces unique outputs.
Object: Opportunity
Opportunities can be one of the most challenging standard objects to mask because the financial data is both highly sensitive and essential for day-to-day operations. As a result, to preserve business intelligence capabilities, most organizations choose to scramble amounts rather than completely masking them.
Unlike other objects, most sensitive data in opportunity is embedded in descriptive text fields and custom relationship fields.