Step-by-step instructions (assumes an installed product with appropriate permission sets assigned):
1. Initial configuration, test and validate: Do this in a Dev Sandbox first
a. Start by creating a SOQL to filter out users that do NOT need to be masked. Test the SOQL from the workbench or other SOQL editors to make sure it works well.
Note: This is a crucial step to get right, as any users not in this query will be masked and inactivated.
| //This query will show the details of the users that WILL BE MASKED.|
//Make sure to put all user ids that do not need to be masked in the SOQL query. Especially add user ids of Site guest user, Automated, Integration & Platform Integration users.
//You can also use other criteria such as profile name, role or others that DO NOT CHANGE between Prod and Sandboxes.
//Do NOT use username as it changes between prod and sandboxes.
select id, name, username, profileid from user where Id not in (‘0054K000002hqbxQAA’, ‘0054K000002hqbxQAA’,’0054K000003PkltQAC’, ‘0054K000003PklrQAC’,
//Use your user record’s Id, not the ones provided here for example.
2. Copy the filter criteria (Everything after the ‘where’ in the SOQL clause)
//From the query above, the filter criteria is the following Id not in (‘0054K000002hqbtQAA’, ‘0054K000002hqbxQAA’, ‘0054K000003PkltQAC’, ‘0054K000003PklrQAC’, ‘0054K000003PklvQAC’ )
3. Navigate to Data Masker App Configuration and modify (or add) a Configuration
4. Navigate to the configuration details view. Click the “New” button and select the record type ‘ Mask Records’ and further add an object for “User” (if one does not exist). Make sure to add the filter criteria as shown below.
Your completed record would look similar to this.
5. Navigate to Setup Users User Management Settings and enable “Scramble Specific Users’ Data”.
6. Create a new mapping for the ‘User’ Object, and add the ‘Full Name’ field for replacement with ‘Random’. This is all that is needed. Note: Data Masker uses a Salesforce-provided API that will mask the entire user record, inactivate it and no email or notification will be sent to the user.
7. Invoke Data Masker from ‘Configuration’ ‘Data Masking’ button
8. Select “Mask specific”.
9. Select the “User” object in the next screen and continue till the end of the wizard to begin execution.
10. Validate that the execution was successful by navigating to the data masker’s ‘Execution’ tab.
11. Navigate to the user record to validate that it was successfully anonymized
This concludes the masking of user records in a Salesforce Sandbox. If you want to do this is only one sandbox (or dev instance), then this approach works well. However, if you do not want to repeat it, then refer steps below.
Optional: Configure in Production so that it gets automatically propagated to full and partial copy sandboxes
Note: Data Masker is designed to not run in Production. We are configuring it here so that all Sandboxes created and refreshed after this step will always have Data Masker as part of the Sandbox image. Full and partial copy sandboxes will also get this configuration. Make sure your Sandbox templates have our Objects ‘Configuration, Object Masking & Field Masking’ selected. However, Data Masker mappings are considered data and will not migrate to Dev and Dev Pro sandboxes. For those, you will have to manually create the configuration/mapping above.
1. Repeat the steps from part 1-a to 1-e above
2. Create a new Sandbox (Depending on the Sandbox edition, our next steps will change)
3. Once this is complete, do the following: Make sure to validate the SOQL for user ids in their respective sandboxes. Salesforce maintains the same ids across Sandboxes, but this is not guaranteed.
- Full or partial copy sandbox: Log in and execute data masker configuration (steps 1g – 1j)
- Dev or Dev Pro sandbox: Log in and execute steps 1c – 1j
4. Advanced features – Automate data masker execution for Full or Partial copy sandbox
- Create a ‘PostCopySandboxApex’ class to run automatically.
- Associate the class to the sandbox from your Production ORg Setup Sandbox