De-identify personal data associated with related objects that follow a certain hierarchy using the cascade de-identification feature of Cloud Compliance . Cloud Compliance offers an APEX API interface in use cases where the cascade de-identification feature needs to be invoked by an external system,.
Invoke a mapping that is pre-configured via APEX API using a JSON based callout. The API auto-creates a case and de-identifies the parent mentioned in the case record and its child and grandchild records.
The two methods that are available for this APEX API are as follows:-
1. To Execute Cascade De-identification APEX API
This method accepts two parameters –
- Record_ID of the parent object that needs to be de-identified along with its related child and grandchild object.
- Mapping Name is the parent object’s de-identification mapping name defined under the Implement tab > RTBF De-identification Mappings section.
2. To call get case status method
This method accepts the single parameter which will be the case ID generated after the De-identification request.
1. Navigate -> RTBF/De-identification section of the Implement tab of Cloud Compliance UI and open the existing de-identification mapping by clicking on the “View” button.
2. Considering de-identification at three-level – “Account” as a parent, “Contact” as a child and “Asset” as a grandchild. Copy the de-identification mapping name of the parent object. ‘Account Mapping’ in this case. Add this mapping name in the APEX script that needs to be executed for cascade de-identification.
Note – Parent objects can have multiple child objects. Similarly, child objects can have multiple grandchild objects.
3. Make sure that selected mapping is Active and set as default.
4. Navigate -> Salesforce Account record that needs to be de-identified. Make sure it is associated with contact records as a child and asset records as the grandchild. Get the record Id from the URL which is highlighted in the screenshot and paste it in the APEX script that needs to be executed for cascade de-identification
5. The APEX script for execution will be as follows –
Map < String, Object > res = PCCC_DM.DsarDeIdentifyRestService.createDeIdentificationRequest( '0010b00002VQERCAA5', 'Account Mapping'); System.debug('Res:' + res);
6. Open the Salesforce Developer Console. Prepare the createDeIdentificationRequest method.
7. This API returns a Case Id and a success status as hasError = false and failure as hasError =true. Execution log showing successful de-identification along with all the attributes.
8. In case of failure, the error details will be available in a message attribute.
9. Get the Case Id from execution logs and pass it to the method getCaseStatus(). Click the Execute button to invoke the Apex API.
Map < String, Object > res = PCCC_DM.DsarDeIdentifyRestService.getCaseStatus('5000b00001bFwW4AAK'); System.debug('Res:' + res);
10. This getCaseStatus API would return a JSON with case details along with all its attributes.
11. The details of all three records processed under this cascade de-identification are as follows –
Account de-identification logs (Parent Object )
- Contact de-identification logs (Child Object )
- Asset de-identification logs (Grandchild Object )
12. Navigate to Salesforce and open the newly created case records. The related list section will validate that records are successfully de-identified.
13. Click on the record URL of the Account record processed under the Data Subject Record related list, to validate the record de-identification.