          Essential Transaction Security Policies to Enhance Your Security Posture

          Transaction Security Policies (TSPs) provide a dynamic and automated way to monitor and control user interactions with your Salesforce data, adding a crucial layer of security by responding to suspicious activities in real-time. These TSPs are some of the best for enhancing your security posture. TSPs are organized by Security Lenses, a group of topics that shows how security teams usually look at risk and enforce policy.

          Required Editions

          Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.

          Available in: Enterprise, Unlimited, and Developer Editions

          Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.

          The included TSPs are organized into these Security Lenses:

          • Data Protection & Classification – Preventing exposure of sensitive or regulated data, such as PII or financial records.
          • Access Control (Authentication) – Monitoring login behavior and identifying suspicious or unauthorized access attempts.
          • Security Model (Authorization) – Ensuring that user permissions, profiles, and role-based access are used appropriately.
          • Integration – Governing data access and behavior of third-party apps and API-based systems.
          • Data Loss Prevention (DLP) – Detecting attempts to extract data in bulk or bypass organizational controls.
          • Monitoring – Enabling visibility into security-related activity and surfacing meaningful alerts for investigation.
Note: Not every policy may be applicable to your environment. Consult with your internal security team to determine which TSPs align with your organization’s needs. These examples are intended as starting points. If you choose to implement any of them, try deploying them in a sandbox environment first for testing and validation before rolling them out to production.

          Data Protection and Classification

Transaction Security Policy: Detect Report Exports Containing Classified (PII) Data
Description: Detect when a user exports a report that contains classified or sensitive fields, such as those marked as Personally Identifiable Information (PII).
Why It Matters: Exporting sensitive data, even unintentionally, can lead to compliance violations, data leaks, and insider threat risks. This policy helps monitor and take action when confidential information is extracted from Salesforce.
Recommended Follow-up Actions: Block the export, notify the security team via Slack or email, alert the user’s manager, or create a case for investigation.

Transaction Security Policy: Prevent List View Access to Classified Fields
Description: Monitor when extremely sensitive fields, such as passport numbers, Social Security Numbers, or financial data, are surfaced through list views, which can be used to view or extract large volumes of data quickly.
Why It Matters: List views allow users to view multiple records at once, which can be misused to gather bulk sensitive information without running a report. This TSP helps detect or discourage exposure of classified data in a way that might bypass traditional reporting controls.
Recommended Follow-up Actions: Block the export, notify the security team via Slack or email, alert the user’s manager, or create a case for investigation.

Transaction Security Policy: Detect Large-Volume API Queries with Classified Fields
Description: Detect when API queries return a large volume of records that include classified or sensitive fields, such as customer PII, financial data, or health information.
Why It Matters: Automated API access can be used to extract sensitive data at scale, often without triggering the same alerts as report exports. This TSP helps organizations monitor high-risk data access patterns via integrations or third-party apps.
Recommended Follow-up Actions: Block the export, notify the security team via Slack or email, alert the user’s manager, and create a case for investigation.
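The first policy in this lens can be written as an Apex condition class for a Transaction Security Policy on the ReportEvent object. This is an added example, not code from this article or from Salesforce; it assumes that sensitive fields have been tagged with the Data Classification compliance group "PII" and that the objects to check are the ones listed in CLASSIFIED_OBJECTS, both choices made for the example.

```apex
// Added example (not Salesforce code); assumes fields carry compliance group "PII" and CLASSIFIED_OBJECTS lists the objects to check.
global class ReportExportWithPiiCondition implements TxnSecurity.EventCondition {
    // Objects whose PII-classified field labels are compared with the exported columns.
    private static final List<String> CLASSIFIED_OBJECTS = new List<String>{ 'Contact', 'Lead' };

    public Boolean evaluate(SObject event) {
        switch on event {
            when ReportEvent reportEvent {
                return isPiiExport(reportEvent);
            }
            when else {
                return false;
            }
        }
    }

    // Returns true (the policy fires) when an exported report has a PII-classified column.
    private Boolean isPiiExport(ReportEvent reportEvent) {
        // Only exports are in scope; running or viewing a report is left to other policies.
        if (reportEvent.Operation != 'ReportExported' || String.isBlank(reportEvent.ColumnHeaders)) {
            return false;
        }
        Set<String> piiLabels = piiFieldLabels();
        // ColumnHeaders is a comma-separated list of the exported column labels.
        for (String header : reportEvent.ColumnHeaders.split(',')) {
            String h = header.trim().toLowerCase();
            for (String label : piiLabels) {
                if (h.contains(label)) {
                    return true;
                }
            }
        }
        return false;
    }

    // Collects the lowercase labels of fields whose compliance group includes PII.
    private static Set<String> piiFieldLabels() {
        Set<String> labels = new Set<String>();
        for (String objectName : CLASSIFIED_OBJECTS) {
            for (FieldDefinition fd : [SELECT Label, ComplianceGroup FROM FieldDefinition
                                       WHERE EntityDefinition.QualifiedApiName = :objectName]) {
                // ComplianceGroup is a multi-select picklist stored as e.g. 'PII;GDPR'.
                if (fd.ComplianceGroup != null && fd.ComplianceGroup.contains('PII')) {
                    labels.add(fd.Label.toLowerCase());
                }
            }
        }
        return labels;
    }
}
```

The class only decides whether the policy fires; the block or notify action and the ReportEvent event type are chosen when the policy is created in Setup. Matching is by column label, so a report column renamed away from the field label is not caught.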

          Access Control (Authentication)

Transaction Security Policy: Login from Outside Approved Geo Region
Description: Detect when a user logs into Salesforce from a geographic location not included in your organization’s approved list of countries or regions.

Logins from unexpected or restricted locations can indicate credential compromise or policy violations. While this detection is helpful, it’s important to note that VPNs and proxy tools can spoof geographic locations, reducing the reliability of geo-based controls on their own.

This policy is best used as a complementary signal alongside stronger security measures like:

• MFA, which Salesforce requires for all customers
• Certificate-based device trust, which can be enforced via SSO and Identity Provider configurations (e.g., Okta)
• Login IP restrictions and SSO-based conditional access
Recommended Follow-up Actions: Block the login, notify the security team along with the user’s manager via email or Slack, or create a case for investigation and tracking.

Transaction Security Policy: Impossible Travel Detection
Description: Alert when a user logs in from two geographically distant locations within a time window that makes physical travel between them impossible. For example, a login from New York followed by a login from Tokyo within 30 minutes.
Why It Matters: Impossible travel is a strong indicator of credential compromise, where a malicious actor logs in using stolen credentials while the real user is active elsewhere. However, this use case can generate false positives when legitimate third-party applications (e.g., API clients hosted in other regions) act on behalf of the user.
Recommended Follow-up Actions: Notify the security team and alert the user’s manager via email or Slack, and create a case for investigation and tracking.

Transaction Security Policy: Block Logins Based on TLS Cipher Suite
Description: Prevent users from logging in if the negotiated TLS cipher suite is considered weak or does not meet organizational security standards. This is especially useful when users log in from unmanaged partner endpoints where enforcing local configurations isn’t possible.
Why It Matters: Weak or outdated TLS cipher suites can expose user sessions to interception or downgrade attacks. Organizations with high-value or high-risk data (such as partner portals or financial systems) must ensure that all sessions are negotiated with strong, compliant encryption. This TSP helps enforce cryptographic hygiene at the point of authentication.
Recommended Follow-up Actions: Block the login, notify the security team via Slack or email, and create a case for investigation.

Transaction Security Policy: Monitor Internal Logins that Bypass SSO
Description: Detect and notify the security team when internal standard users log in directly (LoginType = 'Application') instead of using SSO.
Why It Matters: Organizations with SSO enforcement want to monitor for break-glass logins or potential misconfigurations. Only emergency accounts should log in natively, and visibility into such logins ensures policy compliance and faster response to unauthorized access.
Recommended Follow-up Actions: Notify the security team and alert the user’s manager via email or Slack, and create a case for investigation and tracking.
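The last policy in this lens, an Apex condition for a Transaction Security Policy on LoginEvent, is shown below as an added example that is not code from this article or from Salesforce. It assumes that the org’s emergency accounts are the only users assigned a profile named in BREAK_GLASS_PROFILE; that name is a placeholder for the example.

```apex
// Added example (not Salesforce code); BREAK_GLASS_PROFILE is a placeholder profile name.
global class DirectLoginBypassingSsoCondition implements TxnSecurity.EventCondition {
    // Profile assumed to be assigned only to the org's emergency (break-glass) accounts.
    private static final String BREAK_GLASS_PROFILE = 'Break Glass Admin';

    public Boolean evaluate(SObject event) {
        switch on event {
            when LoginEvent loginEvent {
                return isUnexpectedDirectLogin(loginEvent);
            }
            when else {
                return false;
            }
        }
    }

    // Returns true (the policy fires) for a successful native login by a non-break-glass user.
    private Boolean isUnexpectedDirectLogin(LoginEvent loginEvent) {
        // LoginType 'Application' is a direct username/password login to the Salesforce
        // login page; SSO logins carry SAML or OAuth login types and are ignored here.
        if (loginEvent.LoginType != 'Application' || loginEvent.Status != 'Success') {
            return false;
        }
        List<User> users = [SELECT Profile.Name FROM User WHERE Id = :loginEvent.UserId LIMIT 1];
        if (users.isEmpty()) {
            // Cannot confirm break-glass status, so surface the login for review.
            return true;
        }
        // Break-glass accounts are expected to log in natively; everyone else should use SSO.
        return users[0].Profile.Name != BREAK_GLASS_PROFILE;
    }
}
```

The condition is assigned to a policy on the LoginEvent type in Setup, where the notification action and recipients are configured.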

          Security Model (Authorization)

Transaction Security Policy: Restrict Large Data Exports to Specific User Profiles
Description: Detect when large volumes of data are viewed or exported by users outside of approved profiles, for example restricting sensitive report downloads to only users with the "Marketing User" profile.
Why It Matters: Data exports can contain sensitive or regulated information. Limiting large-scale access to a small set of trusted roles or profiles reduces the risk of misuse, whether intentional or accidental.
Recommended Follow-up Actions: Block the export, notify the InfoSec team via email or Slack, and create a case for investigation.

Transaction Security Policy: Restrict High Volume API Queries by Guest User
Description: Trigger when the Guest User profile issues a high-volume SOQL query through the Salesforce API, returning a large number of records. This includes public-facing Salesforce Sites or Experience Cloud portals.
Why It Matters: Guest users operate without authentication and often have access to query exposed objects via a public-facing site. A high record count query via the API, especially without authentication, can indicate scraping, enumeration, or misconfiguration that exposes too much data.
Recommended Follow-up Actions: Block the API request, notify the InfoSec team via email or Slack, and create a case for investigation.

Transaction Security Policy: Privilege Escalation Alert
Description: Detect when a user is granted elevated privileges, such as being assigned the Admin profile or a Permission Set that includes “Modify All Data”, outside of a controlled change process.
Why It Matters: Unexpected or unauthorized privilege changes are a top indicator of insider threat or misconfiguration risk. This TSP helps catch access escalations early before they’re exploited to exfiltrate data or modify critical records.
Recommended Follow-up Actions: Block the action, notify the security team via Slack or email, or log a case for investigation.

          Integration

Transaction Security Policy: Block API Access from Specific Third-Party Applications
Description: Detect and potentially block API calls made by specific third-party applications or managed packages, especially those not approved for use with sensitive data.
Why It Matters: Some integrations or apps may access more data than necessary, or operate from regions or infrastructures that violate internal security policies. This TSP helps enforce application-level access controls at the API layer.
Recommended Follow-up Actions: Block the action and notify the security owner via email or Slack.

Transaction Security Policy: Block API Access from Unapproved Third-Party Applications
Description: Detect and potentially block API calls made by third-party applications or managed packages that are not included in an approved allowlist maintained in Custom Metadata. Only applications explicitly allowlisted will be permitted to interact with the Salesforce API.
Why It Matters: Rather than blocking specific apps reactively, this proactive approach enforces API access based on a controlled list of trusted applications. This helps prevent unauthorized or risky integrations from accessing sensitive data and ensures tighter governance over which apps are permitted to interact with production data. By using Custom Metadata to store the allowlist, security teams can easily update the list without code deployments, ensuring safer and more flexible policy management across environments.
Recommended Follow-up Actions: Block the action, notify the security team via Slack or email, or log a case for investigation.
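The Custom Metadata allowlist approach from the second policy can be implemented as an Apex condition on ApiEvent. This is an added example, not code from this article or from Salesforce; it assumes a hypothetical Custom Metadata type Approved_Integration__mdt with text fields Connected_App_Id__c and Application_Name__c, one record per approved integration.

```apex
// Added example (not Salesforce code); Approved_Integration__mdt and its fields are hypothetical.
global class UnapprovedApiAppCondition implements TxnSecurity.EventCondition {

    public Boolean evaluate(SObject event) {
        switch on event {
            when ApiEvent apiEvent {
                return isUnapproved(apiEvent);
            }
            when else {
                return false;
            }
        }
    }

    // Returns true (the policy fires) when the calling application is not on the allowlist.
    private Boolean isUnapproved(ApiEvent apiEvent) {
        Set<String> approvedAppIds = new Set<String>();
        Set<String> approvedNames = new Set<String>();
        // getAll() reads Custom Metadata without SOQL, so the allowlist can be
        // edited in Setup without a code deployment.
        for (Approved_Integration__mdt rec : Approved_Integration__mdt.getAll().values()) {
            if (String.isNotBlank(rec.Connected_App_Id__c)) {
                // Keep the 15-character form so 15- and 18-character Ids compare equal.
                approvedAppIds.add(rec.Connected_App_Id__c.left(15));
            }
            if (String.isNotBlank(rec.Application_Name__c)) {
                approvedNames.add(rec.Application_Name__c.toLowerCase());
            }
        }
        // Prefer the connected app Id: Salesforce assigns it, whereas the Application
        // string is reported by the client and is not a trustworthy identifier.
        String appId = apiEvent.ConnectedAppId;
        if (String.isNotBlank(appId)) {
            return !approvedAppIds.contains(appId.left(15));
        }
        String appName = apiEvent.Application;
        if (String.isNotBlank(appName)) {
            return !approvedNames.contains(appName.toLowerCase());
        }
        // No identifying information at all: treat as unapproved so it gets reviewed.
        return true;
    }
}
```

Because the condition blocks every caller that is not listed, populate the allowlist and run the policy in a sandbox with a notify-only action before enabling Block in production.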

          Data Loss Prevention (DLP)

Transaction Security Policy: Cumulative Mass Access/Export Behavior Detection
Description: Monitor when a user cumulatively accesses an unusually high number of unique records (such as Leads or Opportunities) over a defined time window (e.g., 3 hours or 5 days). This applies across multiple report exports, API queries, or list views.
Why It Matters: Sophisticated data exfiltration attempts may occur gradually, extracting small batches of data to avoid triggering immediate volume thresholds. This TSP detects long-term patterns of unusual access, especially when a user interacts with a high number of distinct record IDs across multiple sessions. It’s particularly useful for detecting insider threats or compromised accounts attempting to evade real-time detection systems.
Recommended Follow-up Actions: Block the action, notify the security team via Slack or email, and create a case for investigation.

          Monitoring

Transaction Security Policy: Get Alerted on Threat Detection Events
Description: Trigger a Transaction Security Policy when a Threat Detection event is generated by Salesforce, for example, when a login anomaly is flagged by Salesforce’s internal ML models.
Why It Matters: Threat Detection provides intelligent, ML-driven signals for potential account compromise or malicious activity. By integrating TSP with these events, you can take real-time action, such as alerting your security team or initiating automated response workflows.
Recommended Follow-up Actions: Notify the security admin, send a Slack alert to the security team, or create a case for investigation.