Step 5: Masking User Records (Optional)

Updated on January 10, 2023

Step-by-step instructions (assumes an installed product with appropriate permission sets assigned):

1.  Initial configuration, test and validate: Do this in a Dev Sandbox first
a.  Start by creating a SOQL to filter out users that do NOT need to be masked. Test the SOQL from the workbench or other SOQL editors to make sure it works well.
Note: This is a crucial step to get right, as any users not in this query will be masked and inactivated.

 //This query will show the details of the users that WILL BE MASKED.

 //Make sure to put all user ids that do not need to be masked in the SOQL query.     Especially add user ids of Site guest user, Automated, Integration & Platform Integration users.

 //You can also use other criteria such as profile name, role or others that DO NOT CHANGE   between Prod and Sandboxes.

 //Do NOT use username as it changes between prod and sandboxes.

 select id, name, username, profileid from user where Id not in (‘0054K000002hqbxQAA’,     ‘0054K000002hqbxQAA’,’0054K000003PkltQAC’, ‘0054K000003PklrQAC’,

  //Use your user record’s Id, not the ones provided here for example.

2. Copy the filter criteria (Everything after the ‘where’ in the SOQL clause)

 //From the query above, the filter criteria is the following     Id not in (‘0054K000002hqbtQAA’, ‘0054K000002hqbxQAA’,                        ‘0054K000003PkltQAC’, ‘0054K000003PklrQAC’, ‘0054K000003PklvQAC’      )

3. Navigate to Data Masker App  Configuration and modify (or add) a Configuration

4. Navigate to the configuration details view. Click the “New” button and select the record type ‘ Mask Records’ and further add an object for “User” (if one does not exist). Make sure to add the filter criteria as shown below.

Your completed record would look similar to this.

5. Navigate to Setup  Users  User Management Settings and enable “Scramble Specific Users’ Data”.

6. Create a new mapping for the ‘User’ Object, and add the ‘Full Name’ field for replacement with ‘Random’. This is all that is needed. Note: Data Masker uses a Salesforce-provided API that will mask the entire user record, inactivate it and no email or notification will be sent to the user.

7. Invoke Data Masker from ‘Configuration’  ‘Data Masking’ button

8. Select “Mask specific”.

9. Select the “User” object in the next screen and continue till the end of the wizard to begin execution.

10. Validate that the execution was successful by navigating to the data masker’s ‘Execution’ tab.

11. Navigate to the user record to validate that it was successfully anonymized

This concludes the masking of user records in a Salesforce Sandbox.

Optional: Configure in Production so that it gets automatically propagated to full and partial copy sandboxes
Note: Data Masker is designed to not run in Production. We are configuring it here so that all Sandboxes created and refreshed after this step will always have Data Masker as part of the Sandbox image. Full and partial copy sandboxes will also get this configuration. Make sure your Sandbox templates have our Objects ‘Configuration, Object Masking & Field Masking’ selected. However, Data Masker mappings are considered data and will not migrate to Dev and Dev Pro sandboxes. For those, you will have to manually create the configuration/mapping above.