The term “Transaction Security” sounds like it is about making a secure transaction in day-to-day life while buying or selling things! But at Salesforce, it refers to a feature that monitors Salesforce events so you can spot an issue and take action right away! The admin picks a transaction (i.e., an event) to watch for and chooses what should be done when that event occurs.

Admins are nothing less than superheroes, managing the Salesforce org involving users, apps, objects, reports & dashboards, and what not! Let’s say you are an admin at XYZ Solutions and you are quite tied up in management stuff! Now the IT head asks you to make sure that no one has a bunch of sessions active at once! Why? He explains: let’s say someone starts work on a desktop computer, switches to a tablet, and then walks away from the desk without logging out from the desktop. Since the desktop session is still active, anyone can exploit this situation to get at sensitive info!

What about trying out Transaction Security as the solution to tackle this? Yes! You’d pick the login event and create a transaction policy. Policies are the rules and actions you create for a specific event. In this case, you can specify that if users already have three active sessions, they must end one of the sessions before logging in to a new session. You can also choose whether to receive a notification when this event occurs. In other words, for the login event, the rule criterion here is “Number of sessions > 3” and the action is blocking.

You may be wondering what other use cases call for Transaction Security as the solution!

Below are a few:

  • Blocking unsupported browsers / older Android versions => Let’s say you don’t support Internet Explorer or Android versions below 6, so you set up a policy to watch for users logging in with Internet Explorer or an older Android version. When someone does try to log in with one of them, the policy is triggered and blocks the user. It also notifies you by email when it’s triggered.
  • Lock out specific geographical areas => Your org has remote offices and you want to restrict access to the org. Set up policies to receive alerts when unusual login activity happens, like the same user logging in from two different places.

Enough of theory! Let’s dive!

You can write triggers on ChatterMessage to ensure that messages obey your company’s messaging policies and don’t contain blacklisted words. What if we could do the same thing via point and click?

  1. Enable transaction security:
    Setup => Enter “Transaction” in the Quick Find box => Locate and click Transaction Security => Select “Enable custom transaction security policies” and click “Save” to activate Transaction Security and install the supplied policies.
  2. Create a transaction policy:
    Setup => Enter “Transaction” in the Quick Find box => Locate and click Transaction Security again => You will see “Transaction Security Policies” list view page => Click “New” button to create one.

    • Under “Basic Information” section fill out the following:
      • Enable: <SET IT TO TRUE>
      • Name: <MEANINGFUL NAME>. Let’s keep “Black list words in chatter message”.
      • Event Type: There are four types, as follows:
          • Login => Limits sessions or requires additional authentication.
          • Entity => Entity for authentication providers and sessions, client browsers, and login IP. Provides notification when a specific resource (entity) is accessed.
          • DataExport => Data Export for Account, Case, Contact, Lead, and Opportunity objects. Prevents unauthorized downloads.
          • AccessResource => Access Resource for connected apps and reports and dashboards. Blocks access to sensitive information or requires 2FA before access is allowed.

        Let’s choose Entity because ChatterMessage is an entity to watch for. After selecting Entity, Resource Name will be rendered with the supported entities.

      • Resource Name: Select “ChatterMessage”.
      • Notifications: Select “Email Notification”.
      • Recipient: Select the Administrator who will receive the notification.
      • Real-Time Actions: Select “Block”.
      • Apex Policy: Leave the default option, i.e., Generate Apex. (This will create an Apex class at the back end when this policy is saved. If you want to change the policy in the future, you should edit this code.)
      • Execute Policy As: Choose the same person that you selected for Recipient.
    • Under “Define Policy Conditions” section fill out the following:
      • Create condition for: Select “Body” as the field and the criteria as “If the Body contains”. Enter the value: “kill you”.

Make sure your screen looks like this:


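    Click on the class name, which may have the following code:

global class BlacklistwordsinmessagePolicyCondition implements TxnSecurity.PolicyCondition {

    // Return true to trigger the policy (block the message and send the notification).
    public boolean evaluate(TxnSecurity.Event e) {
        // e.data holds the event's field values; 'Body' is the ChatterMessage text.
        if (e.data.get('Body').contains('kill you')) {
            return true;
        }
        return false;
    }
}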

Did you notice? It is using the String method “contains” against the blacklisted phrase “kill you”. This is case-sensitive matching! You can replace it with “containsIgnoreCase”, if needed.
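Building on the containsIgnoreCase suggestion above, here is an added example (not code generated by Salesforce or taken from the original post) of a condition class that checks several phrases case-insensitively, tolerates an empty Body, and ignores extra whitespace, followed by a unit test. The class names, the second phrase and the values passed to the TxnSecurity.Event constructor are assumptions made for illustration.

```apex
// Added example. The class names, phrase list and IDs below are hypothetical.
global class BlockedPhrasesPolicyCondition implements TxnSecurity.PolicyCondition {

    // Constructed sample list; the page's policy uses only 'kill you'.
    private static final List<String> BLOCKED_PHRASES =
        new List<String>{ 'kill you', 'sample blocked phrase' };

    public boolean evaluate(TxnSecurity.Event e) {
        // A missing or empty Body should not throw a NullPointerException.
        String body = (e.data == null) ? null : e.data.get('Body');
        if (String.isBlank(body)) {
            return false;
        }
        // Collapse whitespace runs so "kill   you" or a line break still matches.
        String normalized = body.replaceAll('\\s+', ' ');
        for (String phrase : BLOCKED_PHRASES) {
            if (normalized.containsIgnoreCase(phrase)) {
                return true; // trigger the policy: block and notify
            }
        }
        return false;
    }
}

// Separate file: unit test that feeds the condition constructed events.
@isTest
private class BlockedPhrasesPolicyConditionTest {

    private static TxnSecurity.Event eventWithBody(String body) {
        // Constructed placeholder values; only the 'Body' entry matters here.
        // Argument order: organizationId, userId, entityName, action,
        // resourceType, entityId, timeStamp, data.
        return new TxnSecurity.Event(
            '00D000000000001', '005000000000001', 'ChatterMessage', 'Entity',
            'ChatterMessage', '000000000000001', Datetime.now(),
            new Map<String, String>{ 'Body' => body });
    }

    @isTest
    static void matchesRegardlessOfCaseAndSpacing() {
        TxnSecurity.PolicyCondition c = new BlockedPhrasesPolicyCondition();
        System.assert(c.evaluate(eventWithBody('I will KILL  You')));
        System.assert(!c.evaluate(eventWithBody('See you at lunch')));
        System.assert(!c.evaluate(eventWithBody(null)));
    }
}
```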

  • Testing time:
    Send a Chatter message to someone with a blacklisted word.

You get a popup saying the operation is not allowed. Also, the Recipient of the policy should have received an email with the subject “Transaction Security Alert” and all the details.