Troubleshooting (Compliance)

1. “Timeout” Error

The “timeout” value in the JDBC string indicates the value in seconds until the timeout error is thrown, canceling the operation. If Timeout expires and the operation is not yet complete, the driver throws an exception. If Timeout = 0, operations do not time out. The operations run until they complete successfully or until they encounter an error condition.

2. Resolving Row_Lock Issues Using the Sorting Feature

Salesforce Field History Tracking records changes to selected fields, including the old and new values, along with who made the change and when. While useful for auditing in production, it can expose sensitive data when copied into lower environments like sandboxes.

When refreshing a sandbox, field history tracking is copied by default. If the sandbox will be used for testing or development, especially with masked data, retaining field history may unintentionally reveal pre-masked values.

Turning off field history tracking is a customer-controlled setting. It can be disabled in Salesforce Setup by navigating to the object’s settings and unchecking the fields being tracked. This should be reviewed as part of the sandbox refresh and masking process to reduce risk of data exposure.

3. Proxy Error or Incorrect URL specified

Below is the error message if the user tries to access the incorrect URL or proxy is specified on the server from where connection is made.

Error:

Exception occured while running disable cli

HTTPSConnectionPool(host='delphix--hubs3.sandbox.my.salesforce.com', port=443): Max retries exceeded with url: /services/data/v60.0/sobjects (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7eff71375550>: Failed to establish a new connection: [Errno 111] Connection refused'))

Resolution:

Below are some of the troubleshooting steps that the user can take:

a. We need not use HTTP or HTTPS while defining the URL in the command. Please remove http or https from the URL.

For Example : ./dxrt salesforce disable -ci "{client_id}" -ur “h ttps://example.sandbox.my.salesforce.com" -a "OAUTH" -it

Will lead to the above failure. We need to remove https from the above

command.

b. If any proxy is defined on the server where the command is running, then we need to include the proxy while executing the command. Please refer to https://help.delphix.com/eh/current/content/cli_references__rehearsal_tool_.htm to know about the syntax of including the proxy details.

c. Please do not use test.salesforce.com or login.salesforce.com in the url section.

4. Permissions issue with /var/delphix directory

Error:

Exception occurred while running disable cli

Ensure the directory /var/delphix/sfdc exists, and current user has permission to create a file, [Errno 13] Permission denied: '/var/delphix'

Resolution:

Please ensure that the user with which dxrt is run has the necessary permissions to write into /var/delphix/sfdc directory. This directory is used for writing the logs and intermediate files.

5. FIELD_INTEGRITY_EXCEPTION

Error:

“FIELD_INTEGRITY_EXCEPTION” will appear in the error.

Resolution:

This can happen for multiple reasons.

  1. Incorrect Algorithm assigned that does not meet the data type requirements.

  2. Updating rows that are protected

  3. Updating columns that are read only

6. INSUFFICIENT_ACCESS_OR_READONLY

Resolution: Exclude Read-Only and System Users from Masking Rules

To ensure data masking processes do not interfere with system or integration users, follow these guidelines:

Exclude Read-Only Fields

Some fields are read-only and cannot be updated. Ensure these are excluded from masking rules. Please refer to Appendix – Identify Read Only Fields for more information on how to identify and exclude such fields.

Examples:

Name field in the Contact table

Email field in the User table

Exclude Integration and System Users

Integration users, such as Platform Integration Users, are system-managed and cannot be modified. Attempting to mask these users may result in errors. These users are typically created by Salesforce or third-party apps and must be excluded from masking operations.

a. Steps to Identify Integration Users:

i. Run the following query to find relevant users:

ii. SELECT * FROM User WHERE Name LIKE '%Integration%'

 

b. Apply Filter Criteria in Ruleset

Use filter criteria in your masking rules to exclude system users by Profile ID or User ID. You may either exclude specific User IDs, or preferably exclude by Profile IDs, which ensures that any new users assigned to these system-level profiles are automatically excluded.

Example Filter Criteria:

NOT (
  ProfileId IN (
    '0015g00000ABcdeF1G2AAA',
    '0035g00000XYzAbC3D4BBB',
    '0055g00000PQqRsT5U6CCC',
    '0065g00000LMnOpQ7R8DDD',
    '00D5g00000VWxyZ9A1BEEE ',
  )
  OR Id IN ('')
)

7. DUPLICATE KEY ERROR

Reason : Incorrect Algorithms used.

Resolution : Please run dxrt before initiating masking to disable the constraints.

8. CANNOT_INSERT_UPDATE_ACTIVATE_ENTITY

System.LimitException: Apex CPU time limit exceeded

This issue occurs when managed or unmanaged components ( triggers, flows etc) cause additional records to be updated when masking is attempted on certain objects. The error is thrown when the additional automations cause the total CPU processing time overshoot beyond the max limit allowed by Salesforce.

Resolution steps

  1. Lower batch sizes being used for masking this object.

  2. Disable packages at the org level instead of the object level.

  3. Identify the component causing these executions and attempt to disable them manually.