- 13 Jul 2022
- 3 Minutes to read
Salesforce Shield / Platform Encryption with all Blackthorn apps
Overview
If your Salesforce org has implemented data security with Shield Platform Encryption, here's how to set it up and avoid errors while using our Blackthorn apps.
Blackthorn's apps work with Salesforce Shield (also known as Platform Encryption) enabled, using Deterministic encryption. Deterministic encryption must be configured in three places: the key, the global option, and per field.
Setup
Step 0
The running user of each app, typically the person who installed both apps, must have a profile that can view encrypted fields. Alternatively, you can use a dedicated integration user with this profile, one that no one has access to, to query and create records with the necessary fields.
If you're a system admin and don't have "View Encrypted Data" access on your profile, you can create a custom permission set that includes the access and assign it to your users. See required user permissions for Shield Platform Encryption here.
To configure this, navigate to Setup and type 'plat' (short for platform) to find the entries below. The red arrows highlight where you'll need to click to get to the configuration areas below:
Classic navigation
Lightning Navigation
Step 1
- Visit Setup | Platform Encryption | Key Management.
- Select 'Data in Salesforce (Deterministic)' and generate your key.
Step 2
- Visit Setup | Platform Encryption | Advanced Settings.
- Enable 'Deterministic Encryption'.
Step 3
- Visit Setup | Platform Encryption | Encryption Policy, then click 'Encrypt Fields'.
- For the Email field (or any other erroring field you get when enabling Shield and/or installing our apps, whichever comes first), set those fields to Deterministic - Case Insensitive.
To learn more about how Shield Platform Encryption works, see here.
Suggested Configuration for Blackthorn Fields
- The tables below list fields from our applications that should NOT be encrypted using Salesforce Shield.
- These fields are used to filter SOQL results, so they should be excluded from encryption in order for our apps to work.
- Formula & Reference fields cannot be encrypted.
- After marking all fields for encryption, if historical data is present, you will need to export and import records to trigger a full encryption of data at rest, or log a case with Salesforce Support to have a back-end encryption job processed. As of Spring '19 you can also perform this encryption sync yourself using the self-service option in the Salesforce help portal.
- Picklist fields cannot be encrypted.
- Blackthorn will maintain the list whenever a new field is added to the apps.
Payments
Object Name | Field Name | Object Type | Encryption Type |
---|---|---|---|
Contact | | Standard | No Encryption |
Product2 | Product_ID__c | Standard | No Encryption |
Transaction__c | Transaction_Id__c | Custom | No Encryption |
Transaction__c | Transfer_Payment_Id__c | Custom | No Encryption |
Transaction__c | Key__c | Custom | No Encryption |
Payment_Intent__c | Payment_Intent_Id__c | Custom | No Encryption |
Payment_Method__c | Card_Id__c | Custom | No Encryption |
Payment_Method__c | ACH_Key__c | Custom | No Encryption |
Payment_Method__c | Fingerprint__c | Custom | No Encryption |
Payment_Gateway__c | Webhook_Label__c | Custom | No Encryption |
Payment_Gateway__c | Stripe_User_Id__c | Custom | No Encryption |
Plan2__c | Plan_Id__c | Custom | No Encryption |
Coupon2__c | Coupon_Id__c | Custom | No Encryption |
Dispute__c | Dispute_ID__c | Custom | No Encryption |
Stripe_Customer__c | Email__c | Custom | No Encryption |
Stripe_Customer__c | Customer_Id__c | Custom | No Encryption |
Events
Object Name | Field Name | Object Type | Encryption Type |
---|---|---|---|
Account | Name | Standard | No Encryption |
Attendee__c | Registration_Status__c | Custom | Deterministic |
Attendee__c | Email2__c | Custom | Deterministic |
Attendee__c | Key2__c | Custom | Deterministic |
Attendee__c | Email__c | Custom | Deterministic |
Attendee__c | Attendence_Status__c | Custom | Deterministic |
Email_Template__c | SF_Template_Id__c | Custom | Deterministic |
Email_Template__c | Name | Custom | No Encryption |
Event_Group__c | Name | Custom | No Encryption |
Event__c | Name | Custom | No Encryption |
Event__c | Event_Start_Date__c | Custom | No Encryption |
Event__c | Key2__c | Custom | Deterministic |
Contact | Name | Standard | No Encryption |
Event_Item__c | Item_Name__c | Custom | No Encryption |
Event_Notification__c | Title__c | Custom | No Encryption |
Form_Element__c | Maps_To_Object__c | Custom | Deterministic |
Form_Element__c | Question__c | Custom | No Encryption |
Form_Submission__c | Key__c | Custom | No Encryption |
Lead | Name | Standard | No Encryption |
Session__c | Start_Date__c | Custom | No Encryption |
Speaker__c | Last_Name__c | Custom | No Encryption |
Speaker__c | First_Name__c | Custom | No Encryption |
Sponsor__c | Tier__c | Custom | No Encryption |
Sponsor__c | Display_Name__c | Custom | No Encryption |
Track__c | Name | Custom | No Encryption |
Event_Setting__c | Name | Custom | No Encryption |
Payment_Gateway__c | Name | Custom | No Encryption |
Form__c | Name | Custom | No Encryption |
Campaign | Name | Custom | No Encryption |
- For any fields that are lookups, the reference object Name field cannot be used to encrypt.
- This is not supported in Event Wizard.
- If you are not planning to add these fields in the Event Wizard fieldset, the fields can be encrypted. The type should be Deterministic.
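The following is an added example, not Blackthorn's or Salesforce's own tooling: one way to check retrieved field metadata against the suggested configuration in the tables above. It assumes the Metadata API's CustomField `encryptionScheme` element, covers only a subset of the listed fields, and runs on constructed sample XML that uses a placeholder `ns` namespace prefix.

```python
import re
import xml.etree.ElementTree as ET
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
# Subset of this page's tables. "None" = leave unencrypted;
# "Deterministic" = may be encrypted, but only with a deterministic scheme.
EXPECTED = {
    ("Transaction__c", "Transaction_Id__c"): "None",
    ("Payment_Method__c", "Fingerprint__c"): "None",
    ("Attendee__c", "Email__c"): "Deterministic",
    ("Event__c", "Key2__c"): "Deterministic",
}

def strip_namespace(api_name):
    """Drop a managed-package prefix, 'ns__Field__c' -> 'Field__c' (prefix form is an assumption)."""
    m = re.fullmatch(r"[A-Za-z0-9]+__(.+__c)", api_name)
    return m.group(1) if m else api_name

def scheme_of(field_xml):
    """Return (fullName, encryptionScheme); a missing element is read as "None" (assumption)."""
    root = ET.fromstring(field_xml)
    return root.findtext("m:fullName", None, NS), root.findtext("m:encryptionScheme", "None", NS)

def audit(fields):
    """fields: iterable of (object_api_name, field_xml). Returns deviations from EXPECTED."""
    findings = []
    for obj, field_xml in fields:
        name, scheme = scheme_of(field_xml)
        key = (strip_namespace(obj), strip_namespace(name))
        want = EXPECTED.get(key)  # None for fields outside the subset: ignored
        if want == "None" and scheme != "None":
            findings.append((*key, scheme, "page lists this field as No Encryption"))
        elif want == "Deterministic" and scheme == "ProbabilisticEncryption":
            findings.append((*key, scheme, "page says the type should be Deterministic"))
    return findings

def field(name, scheme=None):
    """Build constructed CustomField XML for the sample below."""
    enc = f"<encryptionScheme>{scheme}</encryptionScheme>" if scheme else ""
    return f'<CustomField xmlns="{NS["m"]}"><fullName>{name}</fullName>{enc}</CustomField>'

# Constructed sample: 'ns' is a placeholder namespace, not a real package prefix.
SAMPLE = [
    ("ns__Transaction__c", field("ns__Transaction_Id__c", "CaseInsensitiveDeterministicEncryption")),
    ("ns__Payment_Method__c", field("ns__Fingerprint__c")),
    ("ns__Attendee__c", field("ns__Email__c", "ProbabilisticEncryption")),
    ("ns__Event__c", field("ns__Key2__c", "CaseSensitiveDeterministicEncryption")),
]
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Running the audit before and after a change to the Encryption Policy shows whether a field the apps filter on in SOQL has been encrypted, or encrypted with a non-deterministic scheme.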