
Prepare for Transaction Security Policy Enhancements

Publish Date: May 5, 2026
Description

To provide enhanced baseline protection against data exfiltration, Salesforce is rolling out a default Transaction Security Policy (TSP) on ReportEvent for all eligible Salesforce Shield and/or Event Monitoring (EM) customers. For more info on the roadmap of upcoming targeted Security changes for the Salesforce Platform, see: Security-Related Product Updates to the Salesforce Platform.

What’s Changing

  • TSP Management Permission: Salesforce is introducing a new Modify Transaction Security Policy user permission. To create, update, delete, enable, or disable TSPs, both the Modify Transaction Security Policy and Customize Application permissions are required. Create, update, delete, enable, and disable operations on TSPs via the UI will also require step-up authentication.

  • Default ReportEvent TSP: Salesforce is introducing and enabling a default TSP for report exports initiated through the UI. This policy is triggered when an export exceeds 10,000 records. Such report export activities will also require step-up authentication.

Why Is Salesforce Making This Change

Large report exports are a common vector for malicious or unintended data exfiltration. This change upgrades protection via Event Monitoring to actively prevent malicious or unintended data exfiltration through TSP controls.

When Does This Change Take Effect

Availability of new Permission and default TSP

  • Sandboxes: Starting June 1, 2026
  • Production: Starting June 15, 2026

Enforcement of new Permission and default TSP

  • Sandboxes: Starting June 22, 2026
  • Production: Starting July 13, 2026

Who’s Affected

  • All Event Monitoring (EM) customers, including those with Salesforce Shield or standalone EM licenses, in both sandbox and production orgs.

  • Users who create, update, delete, enable, or disable TSPs.

  • Users who perform report exports that exceed 10,000 records via the Salesforce UI.

What to Expect

  • For TSP Management: Only users with both the Customize Application and the new Modify Transaction Security Policy permissions will be able to perform create, update, delete, enable, and disable operations on TSPs. All other users who have only the Customize Application permission will be granted read-only access. Successful re-authentication via step-up authentication is required each time any TSP is created, updated, deleted, enabled, or disabled via the UI.

  • For Report Exports: When a report export via the UI exceeds 10,000 records, the default TSP will be triggered, and the user will be required to complete step-up authentication.

Resolution

Before Enforcement: How to Prepare

After Salesforce deploys the changes in your org:

  • Review your current users who manage TSPs. To allow them to continue to create, update, delete, enable, or disable TSPs, assign them the new Modify Transaction Security Policy permission and ensure that they have step-up authentication configured.

  • Review the default TSP, which is deployed in a disabled state, in a sandbox. Test this policy to ensure it aligns with your security use cases. You can then choose to enable or modify it.

Note: The policy will remain fully editable even after automatic enforcement.
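To size the impact before enforcement, the outcomes described in this article can be modeled over historical report export events. This is an added example, not Salesforce code: the field names (Username, Operation, RowsProcessed), the "ReportExported" value used to identify UI exports, and all sample data are assumptions to adapt to your own ReportEvent data.

```python
from collections import defaultdict

THRESHOLD = 10_000  # article: the policy triggers when an export exceeds 10,000 records

# Constructed sample rows shaped like ReportEvent records. Field names and the
# "ReportExported" operation value are assumptions, not taken from the article.
SAMPLE_EVENTS = [
    {"Username": "ana@example.com", "Operation": "ReportExported", "RowsProcessed": 25000},
    {"Username": "ana@example.com", "Operation": "ReportExported", "RowsProcessed": 10000},
    {"Username": "raj@example.com", "Operation": "ReportExported", "RowsProcessed": 10001},
    {"Username": "raj@example.com", "Operation": "ReportRunFromUI", "RowsProcessed": 90000},
    {"Username": "lee@example.com", "Operation": "ReportExported", "RowsProcessed": 300},
]
# Constructed: users who already have step-up authentication configured.
STEP_UP_READY = {"ana@example.com"}


def classify(event, step_up_ready, threshold=THRESHOLD):
    """Return the outcome the article describes for a single event."""
    if event.get("Operation") != "ReportExported":
        return "not_an_export"
    rows = event.get("RowsProcessed") or 0
    if rows <= threshold:  # "exceeds" means strictly greater than the threshold
        return "allowed"
    if event["Username"] in step_up_ready:
        return "step_up_prompt"
    return "blocked_until_step_up_configured"


def summarize(events, step_up_ready, threshold=THRESHOLD):
    """Count outcomes per user so admins know whom to contact before enforcement."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        outcome = classify(ev, step_up_ready, threshold)
        if outcome != "not_an_export":
            summary[ev["Username"]][outcome] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def users_at_risk(events, step_up_ready, threshold=THRESHOLD):
    """Users with at least one export that would be blocked."""
    totals = summarize(events, step_up_ready, threshold)
    return sorted(u for u, c in totals.items() if c.get("blocked_until_step_up_configured"))


if __name__ == "__main__":
    for user, counts in summarize(SAMPLE_EVENTS, STEP_UP_READY).items():
        print(user, counts)
    print("Configure step-up for:", users_at_risk(SAMPLE_EVENTS, STEP_UP_READY))
```

An export of exactly 10,000 records is treated as allowed, because the article states the policy triggers only when an export exceeds 10,000 records.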

After Enforcement: Resolve Errors

  • For TSP permission management:

    • Permission Check: Ensure that the user has been assigned the new Modify Transaction Security Policy permission, in addition to the Customize Application permission.

    • Authentication Check: If a create, update, delete, enable, or disable action is blocked, ask the user whether they were prompted to re-authenticate. Step-up authentication is required to complete the operation.

  • For Report Exports: If step-up authentication isn’t configured for a user when the default ReportEvent policy is triggered, the report export will be blocked. The user is prompted to set up step-up authentication before the export can be completed.

Common Questions

What if I already have a ReportEvent policy?

The default policy will be deployed as a new, disabled, separate policy and will not impact any existing Transaction Security Policies, whether active or disabled. You can review, edit, or disable the default ReportEvent policy. Salesforce will not automatically enable the default policy if another ReportEvent policy already exists in the org.

What if I am still testing the default policy by enforcement date?

If you have edited the default policy in any form, Salesforce will assume you are reviewing the policy, so it won’t be enabled automatically.



Change Log

Date | Change
May 5, 2026 | Initial publication

 

 

Additional Resources

ReportEvent

Knowledge Article Number

005321565

 