Get Started
Get Started
Get Started
Get Started
Get Started

Masking User Records (Optional)

Picture of akash

akash

Updated on June 18, 2024

Step-by-step instructions (assumes an installed product with appropriate permission sets assigned):

Initial configuration, test, and validate: Do this in a Dev Sandbox first. Start by creating an SOQL to filter out users who do NOT need to be masked.

Test the SOQL from the workbench or other SOQL editors to make sure it works well.

 

Note: This is a crucial step to get right, as any users not in this query will be masked and inactivated. 

				
					 //This query will show the details of the users that WILL BE MASKED.

 //Make sure to put all user ids that do not need to be masked in the SOQL query.     Especially add user ids of Site guest user, Automated, Integration & Platform Integration users.

 //You can also use other criteria such as profile name, role or others that DO NOT CHANGE   between Prod and Sandboxes.

 //Do NOT use username as it changes between prod and sandboxes.

 select id, name, username, profileid from user where Id not in ('0054K000002hqbxQAA',     '0054K000002hqbxQAA','0054K000003PkltQAC', '0054K000003PklrQAC',
 '0054K000003PklvQAC')

  //Use your user record's Id, not the ones provided here for example.

2. Copy the filter criteria (Everything after the ‘where’ in the SOQL clause)

				
					 //From the query above, the filter criteria is the following     Id not in (‘0054K000002hqbtQAA’, ‘0054K000002hqbxQAA’,                        ‘0054K000003PkltQAC’, ‘0054K000003PklrQAC’, ‘0054K000003PklvQAC’      )

3. Navigate to DataMasker App Configuration and modify (or add) a Configuration.

 
Screenshot of DataMasker's Object Maskings table in Salesforce showing user exclusion criteria.

4. Navigate to the configuration details view. Click the “New” button select the record type ‘ Mask Records’ and further add an object for “User” (if one does not exist).

Make sure to add the filter criteria as shown below.

 
DataMasker execution success banner in Salesforce with user interface tabs visible.

Your completed record would look similar to this.

Detailed view of a Salesforce user record post-masking using DataMasker.

5. Navigate to Setup Users User Management Settings and enable “Scramble Specific Users’ Data”.

 
Overview of DataMasker's configuration management for user data masking in Salesforce.

6. Create a new mapping for the ‘User’ Object, and add the ‘Full Name’ field for replacement with ‘Random’. This is all that is needed. 

 

Note: Data Masker uses a Salesforce-provided API that will mask the entire user record, deactivate it, and send no email or notification to the user.

7. Click on ‘Run Masking’ button

 

8. Validate that the execution was successful by navigating to the data masker’s ‘Execution’ tab.

 
Field masking settings for last name in Salesforce DataMasker.

9. Navigate to the user record to validate that it was successfully anonymized

 
Execution log in Salesforce for DataMasker showing detailed data masking statuses.

This concludes the masking of user records in a Salesforce Sandbox.

Optional: Configure in Production so that it gets automatically propagated to full and partial copy sandboxes

Note: Data Masker is designed to not run in Production. We are configuring it here so that all Sandboxes created and refreshed after this step will always have Data Masker as part of the Sandbox image. Full and partial copy sandboxes will also get this configuration. Make sure your Sandbox templates have our Objects ‘Configuration, Object Masking & Field Masking’ selected. However, Data Masker mappings are considered data and will not migrate to Dev and Dev Pro sandboxes. For those, you will have to manually create the configuration/mapping above.