Org Security Settings in Salesforce

Welcome to Post 29 of our Salesforce series! In the previous post, we covered User Authentication and SSO — how users prove their identity when logging in. But authentication is just the front door. Once users are inside your org, there’s a whole layer of security settings that govern how sessions behave, what password strength is required, how file access works, what data is encrypted, and how you monitor everything happening in the org.

This post covers the settings that protect your Salesforce org at the platform level. Think of these as the walls, cameras, locks, and alarm systems of your Salesforce house. Authentication is the key that gets you in the door — org security settings are everything else.

Session Settings

Session settings control how Salesforce manages user sessions after login. A “session” is the period between when a user logs in and when they log out (or are automatically logged out). Getting session settings right is a balance between security and user convenience.

Where to Find Session Settings

Go to Setup → Session Settings.

You’ll see a dense page with many options. Let’s break down the important ones.

Session Timeout

This controls how long a session stays active when the user is idle.

Setting	Description	Default
Timeout Value	How long a session remains active without activity	2 hours
Disable session timeout warning popup	Whether users see a warning before their session expires	Unchecked

How to configure:

Go to Setup → Session Settings.
Under Session Timeout, set the Timeout Value dropdown to your desired duration.
Options range from 15 minutes to 24 hours.
Click Save.

Best practices:

For most orgs, 2 hours is a reasonable default.
For orgs handling sensitive data (healthcare, finance), consider 30 minutes to 1 hour.
Keep the timeout warning popup enabled so users can save their work before being logged out.
Remember that a shorter timeout means more frequent re-authentication, which can frustrate users working on long tasks.

Session Security Levels

Salesforce assigns a security level to each session based on how the user authenticated:

Security Level	When It’s Assigned
High Assurance	User logged in with multi-factor authentication (MFA), or via a trusted IP range with MFA
Standard	User logged in with username/password only, or via SSO without step-up authentication

You can require high assurance sessions for specific actions:

Go to Setup → Session Settings.
Under Session Security Levels, you can configure which login methods qualify as High Assurance.
Certain features (like Reports, Connected Apps, or API access) can be configured to require a High Assurance session.

This is how you enforce MFA for specific sensitive operations without requiring it for every login.

Lock Sessions to the IP Address

Setting	What It Does
Lock sessions to the IP address from which they originated	If a session token is used from a different IP address, the session is invalidated
Lock sessions to the domain in which they were first used	Prevents session tokens from being used across different Salesforce domains

Enabling IP-based session locking adds protection against session hijacking. If someone steals a session token and tries to use it from a different network, it won’t work.

Caution: If your users are on mobile networks where IP addresses change frequently (like cellular data), IP-based session locking can cause unexpected logouts.

Other Important Session Settings

Setting	Description	Recommendation
Force logout on session timeout	Immediately terminates the session when timeout is reached	Enable for security-sensitive orgs
Require HttpOnly attribute	Prevents client-side scripts from accessing session cookies	Enable (protects against XSS attacks)
Require secure connections (HTTPS)	Forces all connections to use HTTPS	Always enable
Enable Content Security Policy (CSP)	Adds browser-level protections against cross-site scripting	Enable
Enable clickjack protection	Prevents your Salesforce pages from being loaded inside iframes on malicious sites	Enable all three levels (Setup, non-Setup, Visualforce)
Enable CSRF protection	Protects against cross-site request forgery attacks	Enable
Enable Content Sniffing protection	Prevents browsers from guessing the content type of responses	Enable

Step-by-step for a secure baseline:

Go to Setup → Session Settings.
Under Session Timeout, set to your org’s required idle timeout.
Under Session Settings, enable:
- Lock sessions to the IP address from which they originated (if your users have stable IPs)
- Require HttpOnly attribute
- Enable clickjack protection for Setup pages
- Enable clickjack protection for non-Setup Salesforce pages
- Enable clickjack protection for Visualforce pages with headers enabled
- Enable CSRF protection on GET requests
- Enable CSRF protection on POST requests
- Enable Content Sniffing protection
Click Save.

Note: Some of these settings can break integrations or custom Visualforce pages that rely on embedding Salesforce in iframes. Test in a sandbox before enabling in production.

Session Management

While Session Settings are the org-wide policies, Session Management gives you real-time visibility into active sessions and the ability to terminate them.

Where to Find Session Management

Go to Setup → Session Management.

What You Can See

The Session Management page shows all active sessions in your org:

Column	What It Shows
User	The logged-in user
Session Type	UI, API, OAuth, Visualforce, etc.
Login Time	When the session started
Last Active	When the session last had activity
Source IP	The IP address of the session
Login Type	How the user authenticated (SAML, Username/Password, OAuth, etc.)
Session Security Level	Standard or High Assurance

Terminating Sessions

You can forcibly end any active session:

Go to Setup → Session Management.
Find the session you want to terminate.
Click Remove next to the session.

The user is immediately logged out and must re-authenticate.

When to terminate sessions:

An employee has been terminated and you need immediate access revocation (don’t just deactivate their user — kill their active sessions too).
You suspect a compromised account and need to force a re-authentication.
A user reports suspicious activity on their account.
During a security incident response.

Session Management Best Practices

Check session management after deactivating a user. Deactivating a user prevents future logins but does NOT terminate existing sessions. Always revoke active sessions when deactivating a user.
Monitor for unusual session patterns. Multiple concurrent sessions from different geographic locations could indicate credential compromise.
Use session management during security audits. It gives you a real-time snapshot of who is logged in and how.

Password Policies

Password policies control the rules around user passwords — complexity requirements, expiration, lockout, and more. Even if you’re using SSO for most users, you still need password policies for admin accounts and as a fallback.

Where to Find Password Policies

Go to Setup → Password Policies.

Password Policy Settings

Here’s a breakdown of every setting on the Password Policies page:

Setting	Description	Recommended Value
User passwords expire in	How often users must change their password	90 days (or “Never” if using SSO + MFA)
Enforce password history	How many previous passwords are remembered (prevents reuse)	12 passwords remembered
Minimum password length	Minimum characters required	10 or more
Password complexity requirement	What character types are required	Must include alpha + numeric + special character
Password question requirement	Whether a password hint question is required	Disable (security questions are outdated)
Maximum invalid login attempts	How many failed login attempts before lockout	5 attempts
Lockout effective period	How long the account is locked after exceeding attempts	30 minutes
Require a minimum 1 day password lifetime	Prevents users from cycling through passwords quickly to reuse an old one	Enable
Obscure secret answer for password resets	Hides the answer to the security question after it’s set	Enable
Require HttpOnly attribute	Same as session settings — applied to auth cookies	Enable

How to Configure Password Policies

Go to Setup → Password Policies.
Set each value according to your org’s security requirements.
Click Save.

Password Policy Configuration Example

Here’s a solid baseline for a mid-size org:

Setting	Value
User passwords expire in	90 days
Enforce password history	12 passwords remembered
Minimum password length	12
Password complexity	Must mix alpha, numeric, special character, uppercase, and lowercase
Maximum invalid login attempts	5
Lockout effective period	30 minutes
Minimum 1 day password lifetime	Enabled
API-only user lockout	Enabled

Profile-Level Password Policies

You can override the org-wide password policy for specific profiles. This is useful when different user groups have different security requirements.

Go to Setup → Profiles.
Open the profile.
Scroll to (or search for) Password Policies.
Override any of the org-wide settings for this profile.

Example use case: Your standard users follow the org-wide 90-day expiration, but your admin profile requires password changes every 30 days.

Password Policy Best Practices

Move toward passwordless where possible. MFA and SSO reduce the importance of password complexity policies. The strongest password policy is not needing a password at all.
Don’t set expiration too aggressively. Research shows that forcing frequent password changes leads to weaker passwords (users pick predictable patterns like “Summer2026!” → “Fall2026!”). If you have MFA enabled, consider longer expiration periods or no expiration.
Always enforce lockout. Five failed attempts with a 30-minute lockout is a solid default. This protects against brute-force attacks.
Monitor login failures. Use login history reports to identify accounts experiencing repeated failed login attempts — this could indicate an attack.

What Is Event Monitoring

Event monitoring is Salesforce’s auditing and analytics framework that tracks user activity across your org. It captures detailed logs of who did what, when, and from where. If session management is your real-time camera feed, event monitoring is the recorded footage you can review later.

Event Monitoring Overview

Event monitoring is part of the Salesforce Shield add-on (or available as a standalone purchase). It provides two main capabilities:

Event Log Files — Detailed CSV logs of user activity, downloadable via API.
Real-Time Event Monitoring — Streaming events that can trigger automated actions.

What Events Are Tracked

Event monitoring captures a wide range of activities:

Event Type	What It Tracks
Login	All login attempts (successful and failed), including IP, browser, and login method
Logout	When users end their sessions
URI	Every page view in Classic (which pages users visit)
Lightning Page View	Page views in Lightning Experience
API	API calls — who made them, from where, which endpoints
Report Export	When users export report data
Report	When users run reports (which reports, filters used)
Dashboard	Dashboard views and refreshes
Content Transfer	File uploads and downloads
Apex Execution	Apex code execution events
Apex Trigger	Trigger execution events
SOQL	SOQL queries executed
Visualforce Request	Visualforce page loads
Lightning Error	Errors encountered in Lightning Experience
List View	List view loads and modifications
Search	Search queries performed by users
Bulk API	Bulk API operations
Login As	When an admin logs in as another user
Knowledge Article View	Knowledge article access

How to Access Event Log Files

Event log files are accessed through the Salesforce API (they are not visible in the standard Setup UI):

Using the API (Workbench or similar tool):

Open Workbench or your preferred API tool.
Run a SOQL query: SELECT Id, EventType, LogDate, LogFileLength FROM EventLogFile WHERE LogDate = TODAY
Download the log file using the returned ID.
Open the CSV file to analyze the data.

Using the Event Monitoring Analytics App:

Salesforce provides a pre-built analytics app for event monitoring data:

Go to Setup → Event Monitoring Settings.
Enable Event Monitoring Analytics.
Navigate to the Event Monitoring app in the App Launcher.
Browse pre-built dashboards for login activity, API usage, report exports, and more.

Event Log File Retention

License Type	Retention Period
Event Monitoring (standard)	30 days
Event Monitoring with extended retention	6 months or 10 years (depending on contract)

If you need longer retention, export the log files to an external system (Splunk, Datadog, a data lake, etc.) before they expire.

Common Event Monitoring Use Cases

Security auditing — Track who exported sensitive report data, who logged in from unusual locations, who accessed restricted records.
Compliance — Demonstrate to auditors that you’re monitoring user activity and can produce audit trails.
Performance troubleshooting — Identify slow pages, expensive SOQL queries, and API bottlenecks using Apex execution and API event logs.
Adoption tracking — Monitor which features users are actually using (Lightning page views, reports run, dashboards viewed).
Data loss prevention — Track bulk data exports and content downloads to ensure sensitive data isn’t being exfiltrated.

How to Set Up Transaction Security Policies

Transaction Security is the enforcement arm of event monitoring. While event monitoring logs activity for later review, transaction security policies evaluate events in real time and take automated action.

What Is Transaction Security?

Transaction security policies let you define conditions on events and specify actions to take when those conditions are met. For example:

If a user logs in from an unrecognized IP address, then require MFA step-up authentication.
If a user exports a report containing more than 1,000 rows, then block the export and notify the admin.
If an API session is created from outside the US, then end the session immediately.

Transaction Security Components

Component	Description
Event	The activity being monitored (login, report export, API call, etc.)
Condition	The criteria that triggers the policy (Apex class or Condition Builder)
Action	What happens when the condition is met (Block, MFA, Notification, or custom Apex)

How to Set Up a Transaction Security Policy

Prerequisites:

You need the Salesforce Shield or Event Monitoring license.
Enable Transaction Security in Setup.

Step 1: Enable Transaction Security

Go to Setup → Transaction Security Policies.
If this is your first time, you’ll see a prompt to enable the feature.
Click Enable.

Step 2: Create a Policy Using Condition Builder

The Condition Builder is the declarative (no-code) way to create policies:

Go to Setup → Transaction Security Policies.
Click New (or Create a Policy).
Select the Event Type (e.g., “Login Event,” “Report Event,” “API Event”).
Choose Condition Builder as the evaluation method.
Define your conditions:

Example — Block Logins from Outside Business Hours:

Field	Operator	Value
Login Hour	Less Than	7
OR Login Hour	Greater Than	19

Select the Action:
- Block — Prevents the event from completing.
- Multi-Factor Authentication — Requires MFA step-up before proceeding.
- Notification Only — Logs the event and sends a notification without blocking.
Configure Notifications:
- Select who should be notified (specific users or groups).
- Notifications are sent via email and/or in-app.
Click Save and Enable the policy.

Step 3: Create a Policy Using Apex (Advanced)

For complex conditions that the Condition Builder can’t handle, you can write an Apex class:

global class BlockLargeReportExport implements TxnSecurity.PolicyCondition {
    public boolean evaluate(TxnSecurity.Event e) {
        // Get the number of rows in the report export
        Integer rowCount = Integer.valueOf(e.getAttribute('NumberOfRows'));
        // Block if more than 2000 rows
        return rowCount > 2000;
    }
}

Then create the policy in Setup and select this Apex class as the condition.

Transaction Security Policy Examples

Here are some common policies that organizations implement:

Policy 1: Require MFA for Report Exports

Setting	Value
Event Type	ReportEvent
Condition	Operation = “Export”
Action	Multi-Factor Authentication
Notification	Notify Security Admin group

Policy 2: Block Bulk Data Exports Outside Business Hours

Setting	Value
Event Type	ApiEvent
Condition	Operation = “Query” AND RowsProcessed > 5000 AND LoginHour NOT BETWEEN 8 AND 18
Action	Block
Notification	Notify Security Admin group

Policy 3: Alert on Login from New Device

Setting	Value
Event Type	LoginEvent
Condition	Login from a device not previously associated with the user
Action	Notification Only
Notification	Notify the user and the Security Admin

Transaction Security Best Practices

Start with Notification Only. Before blocking anything, run policies in notification-only mode to understand the impact. You don’t want to accidentally block legitimate users.
Test in sandbox first. Transaction security policies can disrupt workflows if misconfigured. Always validate in a sandbox.
Don’t create too many policies. Each policy adds evaluation overhead to the event. Keep the number reasonable and focused on high-risk events.
Review policy triggers regularly. Check which policies are firing and whether they’re catching real issues or generating false positives.

How to Set Up Event Monitor Reports

While the Event Monitoring Analytics App provides pre-built dashboards, you can also build custom reports on event data for ongoing monitoring. This gives you the flexibility to track exactly what matters to your org.

Using Event Monitoring Analytics App

If you have the Event Monitoring license, the analytics app is the easiest starting point:

Go to Setup → Event Monitoring Settings.
Ensure Event Monitoring Analytics is enabled.
Open the App Launcher and search for Event Monitoring.
The app includes pre-built dashboards:

Dashboard	What It Shows
Login Monitoring	Login trends, failed logins, logins by location, login methods used
Report & Dashboard Monitoring	Which reports are run most, who exports data, dashboard usage
API Monitoring	API call volume, top API consumers, error rates
Page Performance	Slowest pages, page load times, user experience metrics
Adoption	Feature adoption rates, user engagement trends

Even without the Event Monitoring add-on, every Salesforce org has access to Login History, which you can report on:

Go to Setup → Login History (for a quick view).
To build a report:
- Go to the Reports tab.
- Click New Report.
- Search for the Login History report type (under Administrative Reports).
- Add columns: Username, Login Time, Source IP, Login Type, Status, Browser, Platform.
- Add filters as needed (e.g., Status = “Failed” to see failed login attempts).
- Group by Username to see login patterns per user.
- Save the report.
Schedule the report to run daily or weekly and email results to the security team.

Building Custom Reports on Setup Audit Trail

The Setup Audit Trail tracks changes to your org’s configuration (not user data, but admin changes):

Go to Setup → View Setup Audit Trail (for recent changes).
To build a report or download the full history:
- On the Setup Audit Trail page, click Download to get the last 180 days of setup changes as a CSV.
- The CSV includes: Date, User, Action, Section, Delegate User.
For an ongoing report, use the SetupAuditTrail object in a custom report type or query it via API:

SELECT CreatedDate, CreatedBy.Name, Action, Section, Display
FROM SetupAuditTrail
WHERE CreatedDate = LAST_N_DAYS:30
ORDER BY CreatedDate DESC

Building Dashboards for Security Monitoring

Create a security monitoring dashboard with these components:

Component	Report Source	Chart Type
Failed Logins This Week	Login History (Status = Failed)	Bar chart by day
Logins by Location	Login History grouped by Source IP or Country	Map or table
Setup Changes This Month	Setup Audit Trail grouped by Section	Stacked bar
Report Exports This Week	Event Log Files (ReportExport type)	Table
Top API Consumers	Event Log Files (API type)	Donut chart by user

Step-by-step to build the dashboard:

Create each of the reports listed above.
Go to the Dashboards tab.
Click New Dashboard.
Name it “Org Security Monitoring.”
Drag components onto the dashboard canvas.
For each component, select the source report and choose the chart type.
Set the Running User to an admin who has access to all the data.
Save the dashboard.
Schedule the dashboard to refresh daily.

Note: Event Log File reports require the Event Monitoring license. Login History and Setup Audit Trail reports are available in all editions.

Files Security

Salesforce stores files (attachments, Salesforce Files, documents) in its cloud infrastructure. File security settings control how files are scanned, shared, and accessed.

Where to Find File Security Settings

Go to Setup → Files → Content Deliveries and Public Links and Setup → Files → General Settings.

Key File Security Settings

Setting	Description	Where to Configure
Content Deliveries	Allow users to create public links to files	Setup → Content Deliveries and Public Links
Public Links	Allow file sharing via a public URL (no login required)	Setup → Content Deliveries and Public Links
File Upload and Download Security	Control which file types can be uploaded and how they’re rendered	Setup → File Upload and Download Security
Prevent file downloads on public links	Block downloads while still allowing preview	Content Delivery settings

File Upload and Download Security

This is a critical setting that controls how different file types are handled when users try to download or preview them:

Go to Setup → File Upload and Download Security.
You’ll see a list of file types (HTML, SVG, XML, etc.).
For each type, set the behavior:

Behavior	Description
Download (Recommended)	File is downloaded to the user’s device. The browser doesn’t execute the file.
Execute in Browser	File is opened and rendered in the browser. Warning: This can execute malicious HTML/JavaScript.
Hybrid	Some file types render, others download, based on content

Best practice: Set HTML, SVG, and other executable file types to Download mode. This prevents stored cross-site scripting (XSS) attacks where a malicious user uploads an HTML file containing JavaScript, and another user opens it in their browser.

Content Deliveries and Public Links

Content deliveries let users create shareable links to files — even for recipients who don’t have a Salesforce login:

How to enable/disable:

Go to Setup → Content Deliveries and Public Links.
Enable or disable:
- Content Deliveries feature — Master toggle for the feature.
- Allow Content Deliveries to be created — Per-user control via profiles/permission sets.

Security considerations:

Public links bypass all Salesforce authentication. Anyone with the link can access the file.
Consider disabling public links for orgs handling sensitive data.
If you allow public links, use the password protection option on deliveries.
Set expiration dates on content deliveries so links don’t remain active indefinitely.
Disable the option to allow recipients to download if you only want them to preview files.

File Scanning and Malware Protection

Salesforce provides basic file scanning capabilities:

Files uploaded through Salesforce are scanned for known malware signatures.
Infected files are quarantined and cannot be downloaded.
File scanning works automatically — no configuration needed.

For enhanced file security, consider integrating with a third-party file scanning solution via the ContentVersion trigger or an AppExchange package.

Platform Encryption (Shield)

Platform Encryption is part of Salesforce Shield and provides encryption at rest for sensitive data stored in Salesforce. It goes beyond the standard encryption that Salesforce applies to all data, giving you control over which specific fields and files are encrypted with keys that you manage.

Standard Encryption vs. Shield Platform Encryption

Feature	Standard Encryption	Shield Platform Encryption
What’s encrypted	Data in transit (HTTPS) and at rest (transparent disk encryption)	Specific fields, files, and attachments you choose
Key management	Salesforce manages the keys	You manage the keys (or use Salesforce Key Management)
Granularity	All-or-nothing at the infrastructure level	Field-level encryption on specific objects
Compliance	Meets basic compliance needs	Meets advanced compliance (HIPAA, PCI, GDPR, FINRA)
Cost	Included	Additional license (Salesforce Shield)
Searchability	Full search capability	Encrypted fields have limited search capability (deterministic encryption enables exact-match search)

What Can Be Encrypted

Platform Encryption can encrypt:

Standard Fields:

Account: Name, Phone, Fax, Description
Contact: Name, Email, Phone, Mailing Address
Case: Subject, Description
And many more across standard objects

Custom Fields:

Text, Text Area, Long Text Area, Email, Phone, URL, Date, DateTime fields on custom objects

Files and Attachments:

Salesforce Files (ContentVersion)
Attachments
File previews and thumbnails

Other Data:

Chatter posts and comments
Search index
Custom metadata (with certain limitations)

How to Set Up Platform Encryption

Step 1: Enable Shield Platform Encryption

Go to Setup → Platform Encryption → Encryption Policy.
If prompted, accept the terms and enable the feature.

Step 2: Generate or Upload an Encryption Key

Go to Setup → Platform Encryption → Key Management.
Click Generate Tenant Secret (for Salesforce-managed keys).
Select the secret type:

Secret Type	What It Encrypts
Data in Salesforce	Standard and custom fields
Data in Analytics	Analytics data
Data in Chatter	Chatter posts and messages
Data in Files	Files and attachments
Data in Search Index	Search index entries
Event Bus	Platform event data

Click Generate.

Alternatively, upload your own key material using Bring Your Own Key (BYOK) for maximum control:

Go to Key Management → Bring Your Own Key.
Upload a 256-bit AES key wrapped with a Salesforce-provided certificate.
Salesforce uses your key to encrypt the data.

Step 3: Select Fields to Encrypt

Go to Setup → Object Manager → [Object] → Fields.
Open the field you want to encrypt.
If the field type supports encryption, you’ll see an Encrypted checkbox or option.
Check the box and save.

Or use the Encryption Policy page:

Go to Setup → Platform Encryption → Encryption Policy.
Click Encrypt Fields.
Select the object and fields to encrypt.
Choose the encryption scheme:
- Probabilistic — Stronger encryption but no search/filter support on the field.
- Deterministic — Slightly less entropy but supports exact-match search, filtering, and SOQL WHERE clauses.
Save.

Step 4: Encrypt Files (Optional)

Go to Setup → Platform Encryption → Encryption Policy.
Under Encrypt Files, toggle the setting to On.
All new files will be encrypted. Existing files can be encrypted using the background encryption service.

Key Rotation

Encryption best practices require periodic key rotation:

Go to Setup → Platform Encryption → Key Management.
Click Generate Tenant Secret to create a new key.
The new key is used for all new data encryption.
Existing data remains encrypted with the old key until you run Background Encryption.
Go to Setup → Platform Encryption → Encryption Statistics.
Click Encrypt to re-encrypt existing data with the new key.
Archive the old key (don’t destroy it until re-encryption completes).

Platform Encryption Considerations

Encrypted fields have limitations. Some features don’t work with encrypted fields: formula references, workflow field updates to encrypted fields, SOQL LIKE queries on probabilistically encrypted fields, and some validation rule functions.
Performance impact is minimal. Salesforce designed Shield encryption to have negligible performance impact for most operations.
Plan your encryption strategy before enabling. Changing a field from encrypted to unencrypted (or vice versa) requires careful planning and testing.
Deterministic vs. probabilistic is a key decision. Use deterministic encryption for fields you need to search/filter on. Use probabilistic for maximum security on fields that don’t need search.
Test in sandbox first. Enable encryption in a full-copy sandbox and test all your reports, searches, workflows, and integrations before rolling out to production.

Field PII Settings

PII (Personally Identifiable Information) classification in Salesforce helps you identify and manage fields that contain sensitive personal data. This is critical for compliance with privacy regulations like GDPR, CCPA, and HIPAA.

What Are Field PII Settings?

Salesforce lets you classify fields based on the type of data they contain. This classification doesn’t enforce any security on its own — it’s a labeling system that helps you:

Identify which fields contain PII.
Report on PII field usage across your org.
Apply appropriate security controls (encryption, FLS, masking) to those fields.
Respond to data subject access requests (DSARs) by knowing exactly where personal data lives.

Data Classification Fields

Each field in Salesforce has optional classification metadata:

Classification Field	Description	Example Values
Compliance Categorization	The regulatory framework the data falls under	CCPA, COPPA, GDPR, HIPAA, PCI, none
Data Sensitivity Level	How sensitive the data is	Public, Internal, Confidential, Restricted, MissionCritical
Data Owner	The team or person responsible for the data	”Privacy Team,” “HR Department”
Field Usage Description	How the field is used	”Stores the customer’s mailing address for shipping”

How to Set PII Classifications

For individual fields:

Go to Setup → Object Manager → [Object] → Fields & Relationships.
Click on the field name.
Scroll down to the Data Classification section (or Data Sensitivity section).
Set the classification values:
- Compliance Categorization
- Data Sensitivity Level
- Data Owner
- Field Usage Description
Click Save.

For bulk classification:

Go to Setup → Data Classification (or search “Data Classification” in Quick Find).
Use the Data Classification tab to view all fields and their current classifications.
Edit classifications in bulk using the inline editing interface.
Click Save.

Building a PII Inventory

A PII inventory is a complete map of where personal data lives in your org. Here’s how to build one:

Step 1: Export all field metadata using the Metadata API or a tool like Salesforce Inspector.

Step 2: For each field, determine:

Does it contain PII? (Name, email, phone, address, SSN, date of birth, etc.)
What category of PII? (Direct identifier, quasi-identifier, sensitive data)
What regulations apply? (GDPR for EU residents, CCPA for California residents, etc.)

Step 3: Set the Data Classification metadata on each field in Salesforce.

Step 4: Create a report or dashboard that shows:

All fields classified as “Confidential” or “Restricted”
All fields with a compliance categorization of “GDPR” or “CCPA”
All fields without a classification (these need review)

PII Best Practices

Classify ALL fields, not just the obvious ones. Custom text fields, formula fields, and even lookup fields can contain PII. A lookup to Contact contains the contact’s name.
Review new fields regularly. Add data classification to your field creation process — every new field should be classified before deployment.
Use encryption for high-sensitivity PII. Fields classified as “Restricted” or “MissionCritical” should be encrypted with Shield Platform Encryption.
Restrict FLS for PII fields. Users who don’t need to see PII fields should have those fields hidden via field-level security.
Document your PII inventory. Regulators and auditors will ask for it. Having it in Salesforce’s native data classification makes it easy to produce.

Field Audit Trail

Field Audit Trail is a Salesforce Shield feature that extends the standard field history tracking from a 18-to-24-month retention to up to 10 years. It stores historical field values in a big object called FieldHistoryArchive, giving you a long-term audit trail of changes to sensitive data.

Standard Field History Tracking vs. Field Audit Trail

Feature	Standard Field History Tracking	Field Audit Trail (Shield)
Retention	18–24 months (then data is deleted)	Up to 10 years
Fields per object	20 fields per object	60 fields per object
Storage	Standard Salesforce storage	Big Object storage (separate from standard storage limits)
Query	Standard reports, related list	SOQL on `FieldHistoryArchive`, async queries
Cost	Included	Salesforce Shield license
Data volume	Limited by retention window	Can store billions of records

How Field Audit Trail Works

You define a Field History Retention Policy that specifies which objects and fields to track.
When a tracked field is changed, Salesforce captures the old value, new value, who made the change, and when.
Data within the standard retention window (18–24 months) is stored in the regular [Object]History objects (e.g., AccountHistory, OpportunityHistory).
When data ages past the retention window, it’s archived to the FieldHistoryArchive big object instead of being deleted.
The FieldHistoryArchive retains the data for up to 10 years (configurable).

How to Set Up Field Audit Trail

Step 1: Define a Field History Retention Policy

You define the policy using a metadata file. This is done through the Metadata API or a deployment tool (Salesforce CLI, VS Code, change sets with metadata).

The policy is defined in an XML file called HistoryRetentionPolicy:

<?xml version="1.0" encoding="UTF-8"?>
<HistoryRetentionPolicy xmlns="http://soap.sforce.com/2006/04/metadata">
    <archiveAfterMonths>18</archiveAfterMonths>
    <archiveRetentionYears>10</archiveRetentionYears>
    <description>Field Audit Trail policy for Account and Contact</description>
    <gracePeriodDays>1</gracePeriodDays>
    <historyRetentionPolicyDetails>
        <fieldHistory>
            <field>Account.AnnualRevenue</field>
        </fieldHistory>
        <fieldHistory>
            <field>Account.OwnerId</field>
        </fieldHistory>
        <fieldHistory>
            <field>Account.Rating</field>
        </fieldHistory>
        <fieldHistory>
            <field>Contact.Email</field>
        </fieldHistory>
        <fieldHistory>
            <field>Contact.Phone</field>
        </fieldHistory>
    </historyRetentionPolicyDetails>
</HistoryRetentionPolicy>

Step 2: Deploy the Policy

Deploy the metadata file to your org using Salesforce CLI:

sf project deploy start --metadata HistoryRetentionPolicy

Or include it in a change set or metadata package.

Step 3: Enable Field History Tracking on the Target Fields

For the audit trail to capture changes, the underlying field history tracking must be enabled:

Go to Setup → Object Manager → [Object] → Fields & Relationships.
Click Set History Tracking.
Check the fields you want to track.
Click Save.

The fields listed in your retention policy should also be enabled in field history tracking.

Step 4: Query Archived Data

To query the archived data, use SOQL on the FieldHistoryArchive object:

SELECT ParentId, FieldHistoryType, Field, OldValue, NewValue,
       CreatedDate, CreatedById
FROM FieldHistoryArchive
WHERE ParentId = '001XXXXXXXXXXXX'
AND FieldHistoryType = 'Account'
ORDER BY CreatedDate DESC

Note: Queries on FieldHistoryArchive are asynchronous for large datasets. Use the queryMore pattern for pagination.

Field Audit Trail Configuration

Setting	Description	Recommended Value
archiveAfterMonths	When to move data from standard history to the archive	18 months (minimum allowed)
archiveRetentionYears	How long to keep data in the archive	5–10 years (depends on compliance needs)
gracePeriodDays	Buffer period before archiving begins	1 day
Fields per object	Maximum tracked fields	Up to 60 (plan carefully — field additions require redeployment)

What to Track with Field Audit Trail

Focus on fields where you need a long-term record of changes for compliance or legal reasons:

Category	Example Fields
Financial	AnnualRevenue, Amount (Opportunity), Discount, Price
Ownership	OwnerId on any object, Account Team changes
Status	Stage (Opportunity), Status (Case, Lead), Phase (Project)
PII	Email, Phone, Address fields (track changes for GDPR compliance)
Compliance-Critical	Rating, Risk Level, Compliance Status
Contractual	Contract terms, renewal dates, SLA fields

Field Audit Trail Best Practices

Be selective about which fields to track. You have a limit of 60 fields per object. Prioritize fields where historical changes have compliance, legal, or business significance.
Don’t track fields that change constantly. Fields like “Last Modified Date” or formula fields that recalculate frequently will generate enormous volumes of history data.
Plan for querying. The FieldHistoryArchive big object is designed for write-heavy, read-moderate workloads. Complex ad-hoc queries may be slow. Build scheduled reports or extract data to an analytics platform for regular analysis.
Combine with Platform Encryption. For the most sensitive fields, use both Field Audit Trail (to track who changed the data) and Platform Encryption (to protect the data at rest).
Test the retention policy in sandbox. Deploy and validate in a full-copy sandbox before production. Verify that archived data is accessible and that your queries return expected results.

Putting It All Together: An Org Security Checklist

Here’s a practical checklist for configuring org security in a Salesforce org. Use this as a starting point and adjust based on your organization’s specific compliance and security requirements.

Session and Authentication Security

Task	Setting	Status
Set session timeout to 2 hours or less	Setup → Session Settings	☐
Enable clickjack protection (all three levels)	Setup → Session Settings	☐
Enable CSRF protection	Setup → Session Settings	☐
Enable HttpOnly attribute on session cookies	Setup → Session Settings	☐
Require secure connections (HTTPS)	Setup → Session Settings	☐
Configure login IP ranges on sensitive profiles	Profile → Login IP Ranges	☐
Configure login hours on sensitive profiles	Profile → Login Hours	☐

Password Security

Task	Setting	Status
Set minimum password length to 10+ characters	Setup → Password Policies	☐
Require mixed character types	Setup → Password Policies	☐
Enforce password history (12+ passwords)	Setup → Password Policies	☐
Set lockout after 5 failed attempts	Setup → Password Policies	☐
Set lockout period to 30 minutes	Setup → Password Policies	☐
Enable minimum 1-day password lifetime	Setup → Password Policies	☐

Monitoring and Auditing

Task	Setting	Status
Review Login History regularly	Setup → Login History	☐
Review Setup Audit Trail for config changes	Setup → View Setup Audit Trail	☐
Enable Event Monitoring (if licensed)	Setup → Event Monitoring	☐
Set up transaction security policies for high-risk events	Setup → Transaction Security Policies	☐
Schedule security monitoring reports and dashboards	Reports/Dashboards	☐

Data Protection

Task	Setting	Status
Classify all fields with PII data	Setup → Data Classification	☐
Enable Platform Encryption for sensitive fields (if licensed)	Setup → Platform Encryption	☐
Enable Field Audit Trail for compliance fields (if licensed)	Metadata Deployment	☐
Set file download security for executable types	Setup → File Upload and Download Security	☐
Review content delivery and public link settings	Setup → Content Deliveries and Public Links	☐

Section Notes

Here are the key takeaways from this post:

Session settings are your first line of defense after authentication. Configuring timeouts, clickjack protection, CSRF protection, and secure connections protects against a wide range of attacks. Don’t leave these at defaults — review and harden them for your org.
Password policies should balance security with usability. Long, complex passwords with MFA are better than short passwords that change every 30 days. If you’ve adopted SSO and MFA, consider relaxing password expiration requirements.
Event monitoring turns your org into a glass box. With event log files, you can see exactly what every user is doing — from API calls to report exports to page views. This data is essential for security investigations and compliance audits.
Transaction security policies give you real-time enforcement. Instead of reviewing logs after the fact, transaction security policies block or challenge suspicious activity as it happens. Start with notification-only policies and graduate to blocking after you understand your org’s patterns.
Platform Encryption meets compliance requirements that standard Salesforce encryption doesn’t cover. If you’re in a regulated industry (healthcare, finance, government), Shield Platform Encryption is likely a requirement, not an option.
Field PII classification is a labeling system, not an enforcement mechanism. It doesn’t secure data on its own, but it makes it dramatically easier to identify where sensitive data lives so you can apply the right security controls.
Field Audit Trail extends your audit history from months to years. For fields where you need to prove who changed what and when — for legal, regulatory, or contractual reasons — Field Audit Trail is the tool. Combine it with encryption for defense in depth.
Security is layered. No single feature makes your org secure. The combination of session settings + password policies + event monitoring + encryption + audit trails creates a robust security posture. Think of it as defense in depth.

This is Part 29 of the Salesforce series. Next up: Creating Translations in Salesforce — how to make your Salesforce org multilingual with the Translation Workbench, translated labels, and language-specific customizations.