Loading

Prepare for Transaction Security Policy Enhancements

Data pubblicazione: Jun 1, 2026
Descrizione

To provide enhanced baseline protection against data exfiltration, Salesforce is rolling out a default Transaction Security Policy (TSP) on ReportEvent for all eligible Salesforce Shield and/or Event Monitoring (EM) customers. For more info on the roadmap of upcoming targeted Security changes for the Salesforce Platform, see: Security-Related Product Updates to the Salesforce Platform.

What’s Changing

  • TSP Management Permission: Salesforce is introducing a new Modify Transaction Security Policy user permission. To create, update, delete, enable, or disable TSPs, both the Modify Transaction Security Policy and Customize Application permissions are required. Create, update, delete, enable, and disable operations on TSPs via UI will also require step-up authentication.

  • Default ReportEvent TSP: Salesforce is introducing and enabling a default TSP for report exports initiated through the UI for eligible customers. This policy is triggered when an export exceeds 10,000 records. Such report export activities will also require step-up authentication.

Why Is Salesforce Making This Change

Large report exports are a common vector for malicious or unintended data exfiltration. This change upgrades protection via Event Monitoring to actively prevent malicious or unintended data exfiltration through TSP controls.

When Does This Change Take Effect

Availability of new Permission and default TSP

  • Sandboxes: Starting June 1, 2026
  • Production: Starting June 15, 2026

Enforcement of new Permission and default TSP

  • Sandboxes: Starting June 22, 2026
  • Production: Starting July 13, 2026

Who’s Affected

  • All Event Monitoring (EM) customers, including those with Salesforce Shield or standalone EM licenses, in both sandbox and production orgs who don't have an existing ReportEvent TSP built using condition builder.

  • Users who create, update, or delete, enable or disable TSPs.  

  • Users who perform report exports that exceed 10,000 records via the Salesforce UI.

What to Expect

  • For TSP Management: Only users with both the Customize Application and the new Modify Transaction Security Policy permissions will be able to perform create, update, delete, enable, and disable operations on TSPs. Read-only access will be granted to all other users having only the Customize Application permission. If the org's configurable Step-up Authentication period has expired, successful re-authentication via step-up authentication will be required when any TSP is created, updated, deleted, enabled, or disabled via UI.

  • For Report Exports: When a report export via UI exceeds 10,000 records, the default TSP will be triggered which will require the user to complete a step-up authentication.

Risoluzione

Before Enforcement: How to Prepare

After Salesforce deploys the changes in your org:

  • Review your current users who manage TSPs. To allow them to continue to create, update, or delete, enable or disable TSPs, assign them the new Modify Transaction Security Policy permission and ensure that they have step-up authentication configured.

  • Review the default disabled TSP in a sandbox, if it has been deployed in your org. Test this policy to ensure it aligns with your security use cases. You can then choose to enable or modify it. 

Note: The policy will remain fully editable even after automatic enforcement.

After Enforcement: Resolve Errors

  • For TSP Permission management : 

    • Permission Check: Ensure that the user has been assigned the new Modify Transaction Security Policy permission, in addition to the Customize Application permission

    • Authentication Check: If a create, update, delete, enable, and disable action is blocked, ask the user whether they were prompted to re-authenticate. That step-up authentication is required to complete the operation.

  • For Report Exports: If step-up authentication isn’t configured for a user when the default ReportEvent policy is triggered, the report export will be blocked. The user is prompted to set up step-up authentication before the export can be completed.

Common Questions

What if I already have a ReportEvent policy?

If a ReportEvent TSP policy built using condition builder already exists, then the default policy will not be deployed in your org. Otherwise, the default policy will be deployed as a new, disabled, separate policy and will not impact any existing Transaction Security Policies, whether active or disabled. You can review, edit, or disable the default ReportEvent policy. Salesforce will not automatically enable the default policy if another ReportEvent policy already exists in the org.

What if I am still testing the default policy by enforcement date?

If you have edited the default policy in any form, Salesforce will assume you are reviewing the policy hence it won’t auto enable.

After enforcement, is the default TSP permanently enabled, or can it be changed?

The default TSP is not permanently enforced. You can edit, modify, or disable it at any time before or after enforcement takes effect.

Does the default TSP affect Data Loader CLI, API-based report exports?

No. The default TSP applies only to report exports performed through the Salesforce UI. It does not affect report exports performed via API, including Data Loader CLI, and API-based report exports.

Does a step-up authentication challenge still trigger when editing a TSP even after the admin has the new Modify Transaction Security Policy permission?

Yes, the step-up authentication will trigger, unless they previously completed step-up authentication and are still in an active step-up authentication period set at the Session Level Policy level.



Change Log

Date

Change

June 1, 2026

Added new FAQs, clarified scope in the "Who's Affected" section to specify that the default ReportEvent TSP will not be deployed if an existing ReportEvent TSP already exists in the org, and other minor language updates.

May 5, 2026

Initial publication

 

 

Risorse aggiuntive

Additional Resources

ReportEvent

Numero articolo Knowledge

005321565

 
Caricamento
Salesforce Help | Article