Create a Data Detect Policy and Run a Scan
Data Detect scans search for sensitive data across chosen objects and fields. Create multiple policies that help you find sensitive data that users inadvertently enter into fields across your Salesforce Org.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
Data Detect requires the Salesforce Shield add-on subscription.
| User Permissions Needed | |
|---|---|
| To create, edit, and view Data Detect policies | Manage user access to Data Detect feature |
Note When creating a policy to scan, know your limits. These limits include no account
objects in person account enabled orgs. Users can only view and scan objects that they have
access to. For selected objects, Data Detect scans these fields: text, long text, long text
area, text (encrypted), and rich text (only plain text is scanned for sensitive information)
in standard and custom objects.
Note To successfully view scan results for fields using Classic Encryption, you must have the
View Encrypted Datauser permission. Because encrypted data must be
processed differently than standard data, scanning these fields takes longer. Including
encrypted fields in a scan configuration can increase the total scan duration by
approximately one-and-a-half times.
- From the App Launcher, locate and selectData Detect from the Shield app.
- Select the Polices tab and select New to create your first policy. The Policies tab is where your policies reside after they’re created.
- Enter a name for your policy. The policy name can contain characters A–Z, a–z, 0–9, Hyphen (-), and Underscore (_). You can optionally add a description. The current user’s name is added as the policy’s creator.
-
For the policy’s time frame, select a duration in the past to scan for your data. You
canselect a custom time frame or choose from the last: 30 or 90 days; 6 or 12 months, or
all time. All time goes back to the date the org was created.
Data Detect scans for any new or changed data made within the selected time frame. You can select a random time frame to collect a historical subsection of sensitive data.
- Select whether your scan runs one time, or recurs on an automated schedule. For recurring scans, select the time interval to scan and how often to repeat the scan. Review the summary to confirm the schedule is correct.
-
If available, select as many exclusions from this list as you want for your policy. Or,
skip to the next step. Exclusions are compliance, data sensitivity, and field usage items
that you don’t want to scan because you already know they contain sensitive data for your
operational needs and don't need to be identified.
- Compliance Category to Exclude: For example, compliance acts, definitions, or regulations that are related to the field’s data.
- Data Sensitivity Level to Exclude: For example, categorize data based on sensitivity level.
- Field Usage Category to Exclude: Examples are: the field is in active use and visible, planned for deprecation, or intended to be hidden, or your own.
- Save your changes. Your policy is viewable from the Detection Rules, where you can add the objects or fields, and (if necessary), any custom patterns or keywords that you want to scan.
- In the Detection Rules section, select Add Object. You see the Available Objects section.
- From Available Objects, select an object. You can select up to 100 objects (that you have access to) per scan. It shows on the right-hand side of the tab with all associated supported fields that you can access.
- Select any necessary (or all) fields for scanning, and select Done. Select Edit Objects to add another object, select it, and select Done. You can remove an object by selecting Delete from the dropdown menu.
- To make any other changes to the policy, select Edit Policy and move through pages to find the area to change.
- Select sensitive data categories from the left side of the Detection Rules Policy tab, and selectAdd sensitive data categories.
- Scroll through the list and select any categories that apply, and select Done when finished. Reduce scan time by selecting only the categories that you need. Refer to Sensitive Data Categories for the complete list of categories.
- If custom patterns are needed, then add up to ten regular expression patterns.
- If keywords are needed, then add up to ten keywords.
- To review the policy you just created, select the Overview tab.
- To edit a policy that you created, select the Data Detect Policy tab. Select Edit Policy for the policy that you want to edit. You can also use the dropdown menu from the Policy Details page.
- Make any fixes to the policy, and save your work.
-
Select Start Scan from the Policy Overview or Detection Rules
tab. Or, select Start Scan from a specific policy from the policy list, and when you’re
ready select Scan Policy.
There’s a preview of the policy details so that you can confirm before starting the scan. After it’s started, you see a scan confirmation message. As the scan progresses, updates to the Scan Status show up on the right-hand side of the page.
- After you've started a scan, you can view the status of a policy scan by selecting the job ID under Name from the Data Detect Job Sessions tab.
Did this article solve your issue?
Let us know so we can improve!
