This article explains a behavior change introduced in the Spring '19 release related to Apex-based Transaction Security policies in Salesforce.
Transaction Security policies allow Salesforce admins to monitor org events (such as logins, data exports, or API queries) and automatically take actions — such as blocking a user, ending a session, or sending a notification — when specified conditions are met. Policies are implemented using Apex code.
Before Spring '19 — Fail Open: If the Apex code in a Transaction Security policy failed at runtime, the policy was ignored and users were not affected. In network security terms, this is called "failing open" — an error defaults to allowing access.
Starting with Spring '19 — Fail Closed: Now, if the Apex code in a policy fails at runtime or exceeds the org's metering limits, the policy blocks the user. In network terms, this is "failing closed" — an error defaults to blocking access to prevent a security gap. As a result, users can be locked out of Salesforce when the policy code has a bug.
When Users Are Locked Out
If a login event policy has incorrect Apex code that causes the policy to fail at runtime, affected users may be unable to log in to the org.
Steps to Regain Access:
When Non-Login Events Are Affected
If the failing policy is for a non-login event type (for example, a data export or report run event), users are not locked out. You can log in to the org normally and correct the policy's Apex code without involving Support.
Prevention Best Practice: Before activating a Transaction Security policy, test its Apex in a sandbox to confirm that it does not throw unhandled exceptions and stays well within governor limits. Wrap the condition logic in try-catch blocks so that edge cases (missing event data, empty query results) are handled explicitly instead of failing closed. Note that governor-limit exceptions (System.LimitException) cannot be caught in Apex, so try-catch does not protect against a policy that exceeds metering limits; keep queries bounded and few.
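As an added example (not code from the Salesforce article), the following legacy Apex policy condition for the Login event shows what "handle edge cases gracefully" looks like in practice: every path returns a value, inputs that may be null are checked before use, queries are bounded, and an unexpected exception is caught so that a bug does not lock users out. The class name, the allowed-country list, and the lookup of `LoginHistoryId` from the event data map are illustrative assumptions modelled on the `TxnSecurity.PolicyCondition` interface; a real policy would source its rule from configuration.

```apex
// Added example, not code from the Salesforce article.
// Legacy Apex Transaction Security condition for the Login event that
// handles its own failure modes instead of relying on fail-open/fail-closed.
global class SafeLoginPolicyCondition implements TxnSecurity.PolicyCondition {

    // Assumption for the illustration: only logins geolocated to these
    // countries are allowed. A real policy would source this from config.
    private static final Set<String> ALLOWED_COUNTRIES =
        new Set<String>{ 'United States', 'Canada' };

    // Pure decision logic, kept separate so it can be unit-tested from an
    // Apex test class without a live event. True means "fire the policy action".
    public static Boolean shouldBlock(String country) {
        // Geolocation can be unavailable (null). Deciding this explicitly is
        // the point: here an unknown location is NOT blocked, so a lookup
        // gap does not lock users out. Flip to true for a stricter stance.
        if (String.isBlank(country)) {
            return false;
        }
        return !ALLOWED_COUNTRIES.contains(country);
    }

    // Called by the platform for each Login event. Since Spring '19 an
    // uncaught exception here blocks the user, so every path returns a value.
    public Boolean evaluate(TxnSecurity.Event e) {
        try {
            if (e == null || e.data == null) {
                return false;
            }
            // get() returns null if the key is absent; calling a method on
            // that null would throw and (post Spring '19) block the login.
            String loginHistoryId = e.data.get('LoginHistoryId');
            if (String.isBlank(loginHistoryId)) {
                return false;
            }

            // Bounded queries keep the condition far from governor limits,
            // which try/catch cannot rescue (LimitException is uncatchable).
            List<LoginHistory> logins = [
                SELECT LoginGeoId FROM LoginHistory
                WHERE Id = :loginHistoryId LIMIT 1
            ];
            if (logins.isEmpty() || logins[0].LoginGeoId == null) {
                return shouldBlock(null);
            }
            List<LoginGeo> geos = [
                SELECT Country FROM LoginGeo
                WHERE Id = :logins[0].LoginGeoId LIMIT 1
            ];
            String country = geos.isEmpty() ? null : geos[0].Country;
            return shouldBlock(country);
        } catch (Exception ex) {
            // A bug or bad data lands here instead of blocking the login.
            // Returning false deliberately restores pre-Spring '19 behaviour
            // for this one policy; log it so the defect is still visible.
            System.debug(LoggingLevel.ERROR,
                'SafeLoginPolicyCondition failed: ' + ex.getMessage());
            return false;
        }
    }
}
```

Returning false from the catch block is a conscious trade-off: it keeps a coding bug from locking out every user, at the cost of letting the event through while the bug exists, so the debug log (or a custom error-logging mechanism) needs to be watched. Exercise `shouldBlock` from an Apex test class in a sandbox with null, allowed and disallowed countries before activating the policy.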
000382877
