Restrict Employees From Exporting Salesforce Data
An important part of securing your Salesforce org is making sure your Sales Cloud data is protected. To achieve that, Users who are not supposed to export data from your organization shouldn’t be able to.
Before we begin: there is no way to completely stop employees from exporting data from Salesforce. However, Salesforce can be customized to restrict data exports and, in certain cases, to add significant friction to the exporting process.
Exporting Salesforce Data
A common example of a User trying to export data from Salesforce is when a Sales rep is preparing to leave an organization. They try to export their Leads, Accounts, and Contact records to give themselves an advantage at their new job. There is no way to completely block Users from exporting data from Salesforce without blocking their access to that data. The best practice is to add friction to employees attempting to export data. The more onerous the process, the more you minimize the chances a User will steal data.
In this post we’ll cover how to add friction to stop Users from exporting data by disabling:
- Printable View
- Report Export Permission
And by enabling:
- Allowlisting Apps (formerly Whitelisting Apps)
How to Disable Print Screen
If “Print Screen” is enabled, Users can print a List View of 1,000 records at a time. This is a quick way to export data from Salesforce. Also, there is no record of this type of activity in the Audit Trail, so an Admin can’t flag that a User has done this.
By disabling “Print Screen”, Users will be forced to screenshot each individual screen one at a time if trying to export data. It’s not a perfect solution, but it does add a considerable amount of effort on the User’s end.
Here’s how to disable print screen in Salesforce:
Step 1: Under User Interface in Setup, uncheck “Enable Printable list views”.
How to Disable Export Report
A very powerful Salesforce feature is the ability to export reports, as a CSV, directly from your org. While this feature can be tremendously valuable, it can also be dangerous if the wrong Users have access to it.
For a more secure instance, the Admin(s) should configure who can export data as a Permission Set, not on the Profile level. As an Admin, it is important to know exactly which Users have this permission available to them so it can be quickly removed, if necessary.
Here’s how to Disable Export Reports in Salesforce:
Step 1: Under General User Permissions uncheck “Export Reports”. This cannot be changed on the Standard User Profile. The Admin(s) have to clone the Standard User and edit that custom profile.
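To know exactly which Users currently hold “Export Reports”, and whether it reaches them through a Profile or a Permission Set, an Admin can query the standard PermissionSetAssignment object. The following is an added example, not part of the original post; the usernames, profile name and permission set name in the sample rows are constructed, and the rows mimic the nested shape of a REST API query result.

```python
from collections import defaultdict

# SOQL listing every active user whose profile or permission set grants
# "Export Reports" (API field: PermissionsExportReport).
EXPORT_REPORTS_SOQL = """
SELECT Assignee.Username, PermissionSet.Label,
       PermissionSet.IsOwnedByProfile, PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsExportReport = true
  AND Assignee.IsActive = true
"""

# Constructed sample rows (assumption: shaped like the query's JSON records).
SAMPLE_ROWS = [
    {"Assignee": {"Username": "rep1@example.com"},
     "PermissionSet": {"Label": "profile-owned", "IsOwnedByProfile": True,
                       "Profile": {"Name": "Custom Sales User"}}},
    {"Assignee": {"Username": "ops@example.com"},
     "PermissionSet": {"Label": "Report Exporters", "IsOwnedByProfile": False,
                       "Profile": None}},
    {"Assignee": {"Username": "admin@example.com"},
     "PermissionSet": {"Label": "profile-owned", "IsOwnedByProfile": True,
                       "Profile": {"Name": "System Administrator"}}},
    {"Assignee": {"Username": "admin@example.com"},
     "PermissionSet": {"Label": "Report Exporters", "IsOwnedByProfile": False,
                       "Profile": None}},
]


def audit_export_reports(rows):
    """Group each user's Export Reports grants by where they come from."""
    grants = defaultdict(lambda: {"profiles": [], "permission_sets": []})
    for row in rows:
        user = row["Assignee"]["Username"]
        ps = row["PermissionSet"]
        if ps["IsOwnedByProfile"]:
            # Every profile has a hidden permission set that mirrors it.
            grants[user]["profiles"].append(ps["Profile"]["Name"])
        else:
            grants[user]["permission_sets"].append(ps["Label"])
    return dict(grants)


def profile_level_grants(grants):
    """Users who get the permission from a profile: candidates to move to a permission set."""
    return sorted(user for user, g in grants.items() if g["profiles"])


if __name__ == "__main__":
    for user in profile_level_grants(audit_export_reports(SAMPLE_ROWS)):
        print("Export Reports granted at Profile level:", user)
```
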
One of the reasons Salesforce is such a powerful business tool is the ability to integrate with other tools. Salesforce has the largest B2B App ecosystem in the world, and more and more companies are extending the value they get from Salesforce by leveraging integrations.
However, there are extremely powerful Apps that only certain Users should have access to. As an example, Data Loader is a tool that only certain Users should be able to install in Salesforce (Data Loader allows Users to export data from Salesforce in a CSV file).
Enable App Allowlisting (formerly Whitelisting) to prevent malicious end Users from installing a package like Data Loader to quickly export Salesforce data.
Enabling App Allowlisting (formerly Whitelisting) in Salesforce allows the Admin(s) to specify which Apps Users can grant access to. This can be managed at the org-wide level (all Users), or for specific Users. This allows the Admin(s) to specify which Users can install an App like Data Loader in Salesforce and which cannot. Enabling App Allowlisting is a scalable solution because it applies the same limitations to new Users, and provides a centralized location to manage User authorization.
How to Enable App Allowlisting:
Step 1: App Allowlisting (formerly Whitelisting) must be set up by Salesforce for your Org. The Admin(s) of your instance needs to submit a case or call Salesforce to have this feature enabled.
After Salesforce has enabled App Allowlisting in your Org, you can assign certain Profiles and Permission Sets access to specific Apps. For the purpose of the next few steps, we’ll use Data Loader as an example. While it’s a commonly used and very powerful App, not every User should have access to it.
Step 1: Under “Manage Connected Apps”, click Edit next to Dataloader Partner.
Step 2: Under OAuth Policies, for Permitted Users, select “Admin approved users are pre-authorized”.
Step 3: Under “Manage Connected Apps”, click the Data Loader label to bring up the Connected App Detail, where you may assign Profiles and Permission Sets to have access to the App.
We hope you learned a few ways you can add friction to Users exporting data from Salesforce. If you enjoyed this post then you may also like our post on the Top Five Salesforce Security Tips to Make Your Instance More Secure.