Which User Permissions Does Shield Platform Encryption Require?
Assign permissions to your users according to their roles regarding encryption and
key management. Some users need permission to select data for encryption, while other users
require combinations of permissions to work with certificates or key material. Enable these
permissions for user profiles just like you do for any other user permission.
Required Editions
Available in both Salesforce Classic (not available in all orgs) and Lightning
Experience.
Available in: Enterprise, Performance, and Unlimited
Editions with the Salesforce Shield or Shield Platform Encryption licenses.
Available for free in Developer Edition.
Note: This content relates to Shield
Platform Encryption. Read about implementing field-level encryption using Shield Extension
in Own from Salesforce.
Manage Encryption Keys
Customize Application
View Setup and Configuration
Manage Certificates
View Platform Encryption Setup pages
Generate, destroy, export, import, and upload tenant secrets and
customer-supplied key material
Query the TenantSecret object via the API
Edit, upload, and download HSM-protected certificates with the Shield Platform
Encryption Bring Your Own Key service
Enable features on the Encryption Settings page
The Customize Application and Manage Certificates permissions are automatically enabled for
users with the System Administrator profile.
You can require admins to also have the Manage Encryption Keys permission to complete
encryption policy tasks. These tasks include changing the encryption scheme on fields,
enabling and disabling encryption on fields, files, and attachments, and other data
elements. It also applies to enabling features like Database Encryption or Platform
Encryption for Data 360.
To opt in to this feature, you need the Manage Encryption Keys permission. Then opt in from
the Encryption Settings page.
1. From Setup, in the Quick Find box, enter Encryption Settings,
and then select Encryption Settings.
2. In the Advanced Encryption Settings section, turn on Restrict Access to
Encryption Policy Settings.
You can also enable Restrict Access to Encryption Policy Settings programmatically. For
more information, see PlatformEncryptionSettings in the Metadata API Developer
Guide.
This restriction applies to actions taken through the API or from Setup pages, such as the
Encryption Policy page or the Object Manager.
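An added example, not part of the Salesforce documentation: a Python audit over retrieved PermissionSet metadata files that reports who holds the four permissions listed above and flags permission sets that grant Customize Application without Manage Encryption Keys, the holders to review before turning on Restrict Access to Encryption Policy Settings. The permission API names (ManageEncryptionKeys, CustomizeApplication, ViewSetup, ManageCertificates), the file names, and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Assumed API names for the four permissions named on this page.
WATCHED = {"ManageEncryptionKeys", "CustomizeApplication", "ViewSetup", "ManageCertificates"}

def granted_permissions(xml_text):
    """Return the watched user permissions that are enabled in one metadata file."""
    root = ET.fromstring(xml_text)
    granted = set()
    for node in root.findall("md:userPermissions", NS):
        name = node.findtext("md:name", default="", namespaces=NS).strip()
        enabled = node.findtext("md:enabled", default="false", namespaces=NS)
        # A permission listed with <enabled>false</enabled> is not a grant.
        if name in WATCHED and enabled.strip().lower() == "true":
            granted.add(name)
    return granted

def audit(files):
    """Map each file name to its grants and a pre-restriction review flag."""
    report = {}
    for name, xml_text in files.items():
        granted = granted_permissions(xml_text)
        report[name] = {
            "granted": sorted(granted),
            "key_manager": "ManageEncryptionKeys" in granted,
            # Admin-level holder without the key permission: review before opting in.
            "review": "CustomizeApplication" in granted and "ManageEncryptionKeys" not in granted,
        }
    return report

def _permset(*perms):
    """Build a constructed PermissionSet document from (name, enabled) pairs."""
    body = "".join(
        f"<userPermissions><enabled>{str(on).lower()}</enabled><name>{p}</name></userPermissions>"
        for p, on in perms)
    return f'<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">{body}</PermissionSet>'

# Constructed sample input; the permission set names are hypothetical.
SAMPLE = {
    "Key_Custodian.permissionset": _permset(("ManageEncryptionKeys", True), ("ViewSetup", True)),
    "App_Admin.permissionset": _permset(("CustomizeApplication", True), ("ManageEncryptionKeys", False)),
    "Cert_Operator.permissionset": _permset(("ManageCertificates", True), ("ViewAllData", True)),
}

if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(name, row)
```

Run the same functions over profile metadata as well, since profiles carry the same userPermissions entries and the System Administrator profile receives Customize Application and Manage Certificates automatically.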
Note: This page is about Shield Platform Encryption, not Classic
Encryption. What's the difference?