
Storing and Displaying Confidential Information

Post by Developer Force  (2010-07-16)

Status: Certified
Level: novice

Problem

You want to store employee Social Security numbers as encrypted data as required by government regulations or industry standards. Only certain users should be able to view the entire Social Security number; all other users should only be able to view the last four digits. In addition, you want to ensure that users enter the numbers in the standard Social Security number format, including the dashes after the third and fifth digits.

Solution

On the standard user object, create an encrypted custom field to store the user's Social Security number. Set the field's Mask Type attribute to hide the first five digits of the Social Security number, and add field-level help to inform users of the required format. Then, create a validation rule that uses the REGEX() function to verify that the value of the custom field is in the correct format. Finally, create a new custom profile that allows a select group of users to see the Social Security numbers unmasked.
To enable encrypted fields for your organization, contact salesforce.com Customer Support.
  1. Define the encrypted custom field.
    1. Click Setup | Customize | Users | Fields.
    2. In the User Custom Fields related list, click New.
    3. Select Text (Encrypted), and click Next.
    4. In the Field Label field, enter Social Security Number.
    5. In the Length field, enter 11. This allows the field to accept all nine digits of the Social Security number plus the dashes after the third and fifth digits.
    6. In the Description field, enter Encrypted Social Security Number field.
    7. In the Help Text field, enter information to help your users understand what value to type. For example, Enter your Social Security number. Remember to include dashes after the third and fifth digits.
    8. In the Mask Type field, select Social Security Number. This option hides the first five digits (the first 7 characters, counting the two dashes) and displays the last four. Only users with profiles that have the “View Encrypted Data” permission selected are able to view all nine digits of the Social Security number.
    9. In the Mask Character field, select the character, either an asterisk (*) or an X, to use for hidden characters.
    10. Click Next.
    11. In Enterprise, Unlimited, and Developer Editions, set the field-level security to determine whether the field should be visible or read only for specific profiles. These settings determine whether or not the field itself is visible, but do not affect whether or not the user sees the masked or full Social Security number. You will specify the type of masking when you create the custom profile.
    12. Click Next.
    13. Leave the Add Field and User Layout checkboxes selected.
    14. Click Save.
  2. Create the validation rule.
    1. Click Setup | Customize | Users | Validation Rules.
    2. Click New.
    3. In the Rule Name field, enter Social Security Number Format Check.
    4. In the Description field, enter Validates that the Social Security Number is in the correct format.
    5. Enter the following error condition formula:
      NOT(
        OR(
          LEN(Social_Security_Number__c) = 0,
          REGEX(Social_Security_Number__c, "[0-9]{3}-[0-9]{2}-[0-9]{4}")
        )
      )
    6. Click Check Syntax to make sure the syntax is correct.
    7. In the Error Message field, enter a message that appears if the user enters a Social Security number in an invalid format. For example, the message might read: The Social Security number you entered is not in the correct format. The correct format is 999-99-9999.
    8. In the Error Location field, specify whether you want the error message you entered above to appear at the top of the page or next to the field. If you choose Field, select the Social Security Number field in the adjacent drop-down list.
    9. Click Save.
  3. Create the custom profile.
    1. Click Setup | Manage Users | Profiles.
    2. Click New.
    3. Select an existing profile to copy.
    4. Name the new custom profile.
    5. Click Save.
    6. Click Edit.
    7. In the General User Permissions section, select the View Encrypted Data checkbox. This allows users with this profile to see the complete value of encrypted fields instead of the masking characters.
    8. Click Save.
  4. Assign the new custom profile to the users allowed to view the encrypted data.

Discussion

Government regulations and industry standards require many companies to use encryption to protect their most sensitive employee and customer data. Encrypted custom fields can help companies comply with these regulations. Salesforce.com encrypts these fields with 128-bit keys and uses the AES (Advanced Encryption Standard) algorithm which has been adopted as an encryption standard by the U.S. government. Encrypted custom fields should only be used when regulations require encryption because they involve additional processing and have search-related limitations.

To further protect the confidentiality of encrypted custom field values, Salesforce.com requires you to specify a mask type for each encrypted field you create. Character masking lets you hide the characters in encrypted field values, allowing users to see the full value of an encrypted custom field only if their profile has the “View Encrypted Data” permission. If your company uses parts of confidential data, such as the last four digits of a person's Social Security or credit card number, to verify the identity of customers, configure your encrypted custom fields to use a mask type that reveals only those digits, such as the Last Four Characters Clear mask type.

In addition to ensuring your data's confidentiality, you also want to ensure its accuracy. Validation rules improve the quality of your data by verifying that the data a user enters in a record meets the standards you specify before the user can save the record. A validation rule contains a formula expression that evaluates the data in one or more fields and returns a value of “True” or “False.” If the validation rule returns “True,” Salesforce.com lets the user save the record; otherwise, Salesforce.com displays an error message.

The validation rule in this recipe uses the REGEX() function, which compares the custom field to a regular expression. A regular expression is a string that describes the format of another string according to certain syntax rules. Salesforce.com regular expression syntax is based on Java Platform SE 6 syntax; however, backslash characters (\) must be changed to double backslashes (\\) because backslash is an escape character in Salesforce.com.
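
An added example (Python, not part of the original recipe and not Salesforce code) that models the error condition formula from step 2 and the Social Security Number mask, so the rule's behavior can be checked against sample values. It assumes REGEX() must match the whole field value, as Java's String.matches does; the function names and sample inputs are constructed for illustration, and the mask rendering only approximates what the recipe describes.

```python
import re

# The recipe's pattern. REGEX() is assumed to match the whole field value,
# so re.fullmatch is used to model it (no ^ or $ anchors needed).
SSN_PATTERN = re.compile(r"[0-9]{3}-[0-9]{2}-[0-9]{4}")


def error_condition(ssn):
    """Model of NOT(OR(LEN(ssn) = 0, REGEX(ssn, pattern))).

    True means the error condition is met and the error message is shown.
    """
    value = ssn or ""
    is_blank = len(value) == 0
    is_well_formed = SSN_PATTERN.fullmatch(value) is not None
    return not (is_blank or is_well_formed)


def display_value(ssn, can_view_encrypted_data, mask_char="*"):
    """Approximate the Social Security Number mask: first 7 characters hidden."""
    if can_view_encrypted_data or not ssn:
        return ssn
    return mask_char * 7 + ssn[7:]


# Constructed sample inputs (not real Social Security numbers).
SAMPLES = [
    "123-45-6789",    # correct format
    "",               # blank: allowed by the LEN(...) = 0 branch
    "123456789",      # dashes missing
    "123-45-67890",   # extra trailing digit
    " 123-45-6789",   # leading space
    "123-45-6789\n",  # trailing newline
    "12a-45-6789",    # non-digit character
    "000-00-0000",    # right shape, so it passes the format check
]


def run_samples():
    """Return {input: True if the rule rejects it} for every sample."""
    return {s: error_condition(s) for s in SAMPLES}


if __name__ == "__main__":
    for value, rejected in run_samples().items():
        print(f"{value!r:18} -> {'rejected' if rejected else 'accepted'}")
    print(display_value("123-45-6789", can_view_encrypted_data=False))
    print(display_value("123-45-6789", can_view_encrypted_data=True))
```

The rule checks format only: a blank value and any digits in the right shape, such as 000-00-0000, are accepted, so making the field required or rejecting implausible numbers needs a separate check.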

Recipe Activity

The reason might be: "custom encrypted fields" is a provisioned feature, so you need to contact Salesforce to enable it. I am a novice, so sorry if I am wrong~~~

by Lucas Lu  (2013-01-25)

Hi,

I am also facing a similar problem. The field type "Text (Encrypted)" is missing from the list.

by Shivam Gupta  (2012-07-29)

Hi,

I am using the Developer Edition of Force.com. I am trying to do the same thing but I can found Text (Encrypted) field on user object or any else, and I also tried with a Text field but in that I can't find the Mask Type field in it... so how can I do this? Please help me out.

by Hitesh Patel  (2011-04-15)
