Managing Protected Fields

note

Management of protected fields is identical for the three-model package and for the legacy package.

Protected fields (regulated fields) are fields that contain information that may be used to identify a person. Due to the regulations of different countries, such information must be protected and, in some situations, stored in the country of origin.

For each Salesforce object, you can define the protected fields that store personally identifiable information (PII) or any sensitive information users choose to localize. Such fields will be processed by the package according to the configured data store policy.

Managing protected fields

The package lets you manage protected fields as follows:

  • Add protected fields for each Salesforce object

  • Delete protected fields that are no longer needed for each Salesforce object

Adding protected fields

  1. On the menu, select Settings and then select the Regulated objects tab.

  2. Select the Salesforce object whose protected fields you want to add.

  3. Click Add protected field.

  4. In the Create protected field form, fill out the following parameters:

    • Field - select the field containing sensitive data that you want to store on the InCountry platform.

    • Hashing - select the hash function that will be applied to the field value. Ensure that the selected hash function is valid for the data contained in the field; otherwise, the produced hash value may not match the pre-defined format pattern and may be unsuitable for storing in the Salesforce database. You can use the fixed hash function to apply your own custom value to hashed fields.

    • Searchable - map the Salesforce protected field to the InCountry record’s field, as follows:

      • key - is used to store alphanumeric values. You can have up to 25 searchable protected fields of this type per one Salesforce object.

      • range_key - is used to store integer and date values for protected fields. You can have up to 10 searchable protected fields of this type per one Salesforce object. Dates are converted to the Unix timestamp format when they are saved to the range_key field. The total number of the key + range_key fields is controlled by the RestAPIFieldsAvailable setting in InCountry Value. For example, if you need 25 fields of the key type and 10 fields of the range_key type, the required value for RestAPIFieldsAvailable must be specified as 35.

  5. Click Save.

note

Using improper parameters for protected fields may result in problems with value searchability or record saving.

The newly added protected field will appear on the list with other protected fields that are attributed to the currently selected Salesforce object. These fields will be processed by the package and shown according to the configured data regulation policy.

After the deterministic tokenization key is generated, two new hash functions appear in the Create protected field form:

  • dtkSha256

  • formula

note

For the details on generating the deterministic tokenization key, please check our documentation.

Specifics of the dtkSha256 function

note

THIS FUNCTION BECOMES AVAILABLE AFTER GENERATION OF THE DETERMINISTIC TOKENIZATION KEY.

The dtkSha256 function, like the sha256 function, is available only for fields with a length of 64 or more symbols. Protected fields can be configured to apply the new dtkSha256 hash function. When you need to apply it to fields that accept fewer than 64 characters, use the formula function with the applied character limit.

Specifics of the formula function

note

THIS FUNCTION BECOMES AVAILABLE AFTER GENERATION OF THE DETERMINISTIC TOKENIZATION KEY.

The formula function is an advanced option to redact sensitive values. It allows you to fine-tune the hashing function and adjust the redacted output value to your actual needs. The formula function can take two functions: sha256 and dtkSha256.

In addition, you can apply the transform function within the formula function to customize the redacted output value. It can take an array of transformation functions including toLowerCase, toUpperCase, and trim.

Below you can see an example of the formula function:

{"fn": "dtkSha256", "transforms": ["trim"], "format":"[A-Za-z0-9]{15}"}

| Parameter | Description |
| --- | --- |
| fn | The hash function. |
| transforms | The function which will be applied to the original value. |
| format | The postformatting step for the hash. A-Za-z0-9: the produced hash value will include the characters specified within the regular expression. 15: the field (hash) length. |

note

When using the formula function, you need to consider the length of the field. The package shows the maximum number of characters as a hint below the Formula text box.

Below is a protected field created with the formula:

Viewing the formula for the protected field

  1. On the menu, select Settings.

  2. On the Regulated objects tab, select the Salesforce object whose protected fields you want to see.

  3. Locate the protected field with the configured formula.

  4. Click the box with the down arrow and then select Show formula.

The View Formula form opens where you can see all the necessary details about the used formula.

The formula function can be comprised of the following constituents:

Parameter | Description

Function

Name of the function used for redaction of sensitive values. You can use the following:

  • sha256

  • dtkSha256

Transformation functions

Here you can specify additional transformation functions that will be applied to the original sensitive value for data normalization before redaction with the formula function.

You can use the following:

  • toLowerCase adjusts the string to the lower case

  • toUpperCase adjusts the string to the upper case

  • trim removes all spaces from the string.

Field value length

The length of the produced redacted value. By default, the sha256 and dtkSha256 functions return a 64-character string. This string will be cut to the specified length.

You need to specify it in the following format: 20.

When using the dtkSha256 function, keep the field value length at 20 characters or more. With shorter lengths, different sensitive values can produce the same redacted value (a collision).

Regular expression (currently not supported)

This is a rule of how to format the hash value.

Static text

This text will be appended as-is to the redacted value produced by the sha256 or dtkSha256 functions. You can append any alphanumeric string. Take the field length into account so that the result does not exceed the maximum number of characters.

Formula

The original formula

Below you can see the configuration of the formula function for the Email and First Name fields.

When creating a new lead, you enter the email address as Useremail@domain.com.

How this value will be hashed with the formula function:

  1. The trim function is applied to the Useremail@domain.com value.

  2. The toLowerCase function is applied to the Useremail@domain.com value and transforms it to useremail@domain.com.

  3. The dtkSha256 function produces a hash for the provided value as bc95131c6fb5e2b2c57604d53283eac6f0a0fa05b910830c5f264d24859cb22f.

  4. The trim function cuts the hash value to 12 symbols resulting in bc95131c6fb5.

  5. The static text is appended to the hashed value resulting in bc95131c6fb5@redacted.com.
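The following Python sketch is an added example, not code from the InCountry package: it models the steps above (transforms, hash, cut to length, static text) and estimates how likely it is that two different values share a redacted value at a given length. HMAC-SHA256 standing in for dtkSha256, hexadecimal output, the names redact and collision_probability, and the demo key are assumptions.

```python
import hashlib
import hmac
import math

# Transformation functions as this page describes them.
TRANSFORMS = {
    "trim": lambda s: s.replace(" ", ""),  # page: "removes all spaces"
    "toLowerCase": str.lower,
    "toUpperCase": str.upper,
}

DEMO_KEY = b"constructed-demo-key"  # constructed sample, not a real key


def redact(value, key, transforms, length, static_text="", field_max=255):
    """Normalize, hash, cut to `length`, append static text, check the field fits."""
    if not 1 <= length <= 64:
        raise ValueError("length must be between 1 and 64")
    for name in transforms:
        value = TRANSFORMS[name](value)
    # ASSUMPTION: HMAC-SHA256 stands in for dtkSha256, whose construction
    # this page does not describe. Output is hex, 4 bits per character.
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    token = digest[:length] + static_text
    if len(token) > field_max:
        raise ValueError(f"{len(token)} characters exceed the field limit {field_max}")
    return token


def collision_probability(records, length):
    """Birthday bound: chance that any two of `records` distinct values
    share the same `length`-character hex prefix."""
    space = 16 ** length
    return -math.expm1(-records * (records - 1) / (2 * space))


if __name__ == "__main__":
    email = " Useremail@domain.com "
    print(redact(email, DEMO_KEY, ["trim", "toLowerCase"], 12, "@redacted.com"))
    for length in (8, 12, 16, 20):
        p = collision_probability(10_000_000, length)
        print(f"length {length:2d}: P(collision among 10M values) = {p:.3g}")
```

Under these assumptions, a 12-character cut over 10 million distinct values has roughly a 16% chance of at least one collision, while a 20-character cut makes a collision negligible.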

Limitations of the formula function

  1. Only two hash functions are supported: sha256 and dtkSha256.

  2. If the hash function is sha256, then the function will not be deterministic.

  3. The length value can be only a number.

  4. When appending a static text string to the redacted value, consider the length of the field and adjust the length of the redacted value accordingly.

Selecting hash functions for protected fields inline

You can select or change hash functions for protected fields inline when viewing the list of such fields for a specific Salesforce object.

  1. On the list with protected fields, locate the field for which you want to change the hash function.

  2. Hover over the field with the hash function.

  3. Click the Edit icon.

  4. Select the appropriate hash function.

The selected hash function will be applied to the current protected field.

Supported field types and their hash functions

| Field type | nothing | fixed | sha256 | dtkSha256 | uniqueHash | uniqueEmailHash | defaultText | defaultDateTime | defaultBoolean | defaultNumber | random | formula |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Text | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No | No | Yes | Yes |
| Text Area | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No | No | Yes | Yes |
| Picklist (single-select) | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No | No | No | No |
| Picklist (Multi-Select) | Yes | Yes | Yes | Yes | Yes | No | Yes | No | No | No | No | No |
| Time | Yes | Yes | No | No | No | No | No | No | No | No | No | No |
| Date OR Date/Time | Yes | Yes | No | No | No | No | No | Yes | No | No | No | No |
| Checkbox | Yes | Yes | No | No | No | No | No | No | Yes | No | No | No |
| Percent | Yes | Yes | No | No | No | No | No | No | No | Yes | No | No |
| Number | Yes | Yes | No | No | No | No | No | No | No | Yes | Yes | No |
| Currency | Yes | Yes | No | No | No | No | No | No | No | Yes | No | No |
| Phone | Yes | Yes | No | No | No | No | Yes | No | No | No | No | Yes |
| Email | Yes | Yes | No | No | No | Yes | No | No | No | No | No | Yes |
| URL | Yes | Yes | Yes | Yes | No | No | Yes | No | No | No | No | Yes |
| Geolocation | Yes | No | No | No | No | No | No | No | No | Yes | No | No |
| Base64 | Yes | No | Yes | Yes | Yes | No | No | No | No | No | No | No |

Hash function examples

note

Hash functions work only with values. If a field has no value, the hash function is not applied.

| Hash function | How it works | Input value | Value saved to Salesforce | Value saved to the InCountry platform | Recommendations |
| --- | --- | --- | --- | --- | --- |
| nothing | The function preserves the original value as-is without any changes. | text | text | text | Avoid using this hash function for PII data as it does not redact values and keeps the clear-text values in the Salesforce database. |
| fixed | The function applies the specified default value to all records making the same dataset store one value. You can adjust the default value depending on the field type. | 50 | 10 | 50 | When configuring the default fixed value: 10. |
| sha256 | The function hashes a field value with the SHA-256 algorithm and is applicable for text string values only. | test | n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg= | test | |
| dtkSha256 | The function produces the same token for the same value every time you use it. | test | b792aedc7cd1a35262308bfade04c1833b015c4d6 | test | |
| uniqueHash | The function hashes a field value with a custom algorithm and appends the current date into the resulting hashed value. It is applicable for text string values only. | test | n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg= | test | |
| uniqueEmailHash | The function hashes a field value with the SHA-256 algorithm and adjusts the hashed value to the email format. | test@gmail.com | h5JGBr@QTGo.incountryhash | test@gmail.com | Use this function when you perform validation of email address pattern in Salesforce. |
| defaultText | The function replaces a field value with an empty string. | test | | test | Do not use this hash function for required fields. |
| defaultDate | The function replaces a field value with the default date (1970-01-01). | 5/20/2023 | 1/1/1970 | 5/20/2023 | |
| blankDate | The function replaces a field value with an empty string. | 5/20/2023 | | 5/20/2023 | Do not use this hash function for required fields. |
| defaultDateTime | The function replaces a field value with the default date/time (1970-01-01 00:00:00). | 5/20/2023 5:32 | 1/1/1970 0:00 | 5/20/2023 5:32 | |
| blankDateTime | The function replaces a field value with an empty string. | 5/20/2023 5:32 | | 5/20/2023 5:32 | Do not use this hash function for required fields. |
| defaultBoolean | The function replaces a field value with the false value. | true | false | true | |
| defaultNumber | The function replaces a field value with the 0 value. | 10 | 0 | 10 | |
| random | The function replaces a field value with some random value. This hash function generates a random alphanumeric string depending on the field type. | test | bMSzGOd89UXA0PxlmdeUS2ZZArsl2PWt | test | |
| | | 3 | 642 | 3 | |
| formula(Email) | {"fn":"sha256","transforms":["trim","toLowerCase"],"format":"[A-Za-z0-9]12@mail.com"} This formula hashes the input value with the sha256 algorithm, makes all the letters lower case, trims it to 12 symbols and adds @mail.com at the end. | test@gmail.com | b792aedc7cd1@mail.com | test | |
| formula(URL) | {"fn":"sha256","transforms":["trim"],"format":"https://[A-Za-z0-9]12.com"} This formula hashes the input value with the sha256 algorithm, trims it to 12 symbols and adds https:// at the start and .com at the end. | https://incountry.com | https://d7jkqbk65sgq.com | https://incountry.com | |

Mapping fields to hash functions

note

While configuring fields, use the proper hash function for the specific data format. For example, if you need to tokenize the email address, you should use the uniqueEmailHash function. Otherwise, the email address will not be properly handled by Salesforce. For names, use the uniqueHash function.

If you use the redaction data regulation policy, you need to apply the correct hash functions to fields. Please check the mappings of hash functions to fields in the following table:

| Internal Salesforce field | UI field | Hash function | Conditions | Notes |
| --- | --- | --- | --- | --- |
| ANYTYPE | N/A | | | This function is on our roadmap and is not available yet. |
| BASE64 | N/A | uniqueHash | If the field length is greater than or equal to 50 characters. | Supporting the backward compatibility. |
| BASE64 | N/A | sha256, dtkSha256 | If the field length is greater than or equal to 64 characters. | Supporting the backward compatibility. |
| BOOLEAN | Checkbox/0 | defaultBoolean | | |
| CALCULATED | N/A | | | This function is on our roadmap and is not available yet. |
| COMBOBOX | N/A | defaultText | | |
| CURRENCY | Currency | defaultNumber | | A new function is to be implemented. |
| DATACATEGORY REFERENCE | N/A | | | This function is on our roadmap and is not available yet. |
| DATE | Date | defaultDate | | |
| DATETIME | DateTime | defaultDateTime | | |
| DOUBLE | Number | defaultNumber | | A new function is to be implemented. |
| EMAIL | Email/80 | uniqueEmailHash | | Use the uniqueEmailHash as the main function for the Email field. It generates the unique hash every time for this field. |
| EMAIL | Email/80 | sha256EmailHash | | Use the sha256EmailHash function to generate the same hash for the same values of this field. |
| ENCRYPTEDSTRING | Text (Encrypted)/175 | | | This function is on our roadmap and is not available yet. |
| HIERARCHY | N/A | | | This function is on our roadmap and is not available yet. |
| ID | N/A | | | This function is on our roadmap and is not available yet. |
| INTEGER | N/A | defaultNumber | | |
| LOCATION | Geolocation | defaultNumber | | A new function is to be implemented. |
| LONG | N/A | | | This function is on our roadmap and is not available yet. |
| LOOKUP | N/A | | | This function is on our roadmap and is not available yet. |
| MULTIPICKLIST | Picklist (Multi-Select)/4099 | | | This function is on our roadmap and is not available yet. |
| PERCENT | Percent | defaultNumber | | A new function is to be implemented. |
| PHONE | Phone/40 | defaultText | | A new function is to be implemented. |
| PICKLIST | Picklist/255 | sha256, dtkSha256 | | A new function is to be implemented. Use the sha256 function if the pick list field is not restricted and it can take more than 64 characters. Otherwise use the defaultText function. |
| PICKLIST | Picklist/255 | defaultText | | A new function is to be implemented. |
| REFERENCE | Lookup Relationship/18 | | | This function is on our roadmap and is not available yet. |
| REFERENCE | External Lookup Relationship | | | This function is on our roadmap and is not available yet. |
| STRING | AutoNumber/30 | uniqueHash, formula | If the field length is greater than or equal to 50 characters. | Preparing the backward compatibility. Use the uniqueHash function to generate a unique hash value for this field every time. Otherwise use the defaultText function. |
| STRING | Text/255 | sha256, dtkSha256, formula | If the field length is greater than or equal to 64 characters. | Use the sha256 function if the field can take more than 64 characters. |
| STRING | | defaultText, formula | If the field length is less than 30 characters. | |
| TEXTAREA | Text Area (Long)/32768 | uniqueHash, formula | If the field length is greater than or equal to 50 characters. | |
| TEXTAREA | TextArea/255 | sha256, dtkSha256, formula | If the field length is greater than or equal to 64 characters. | |
| TEXTAREA | Text Area (Rich)/32768 | defaultText, formula | | |
| TIME | Time | | | A new function is to be implemented. |
| URL | URL/255 | sha256, dtkSha256 | | |
| URL | URL/255 | defaultText | | |

Specifics of the compound Address field

| Internal Salesforce field | UI field | Hash function | Conditions | Notes |
| --- | --- | --- | --- | --- |
| STRING | City/40 | uniqueHash, formula, defaultText | | |
| PICKLIST | Accuracy/40 | defaultText | | Use the sha256 if the picklist field is not restricted and its length is greater than 64 characters. Otherwise use defaultText. |
| PICKLIST | Country/80 | sha256, dtkSha256, defaultText | | Use the sha256 if the picklist field is not restricted and its length is greater than 64 characters. Otherwise use defaultText. |
| PICKLIST | CountryCode | sha256, dtkSha256, defaultText | | Use the sha256 if the picklist field is not restricted and its length is greater than 64 characters. Otherwise use defaultText. |
| DOUBLE | Latitude/18.15 | | | A new function is to be implemented. |
| DOUBLE | Longitude/18.15 | | | A new function is to be implemented. |
| STRING | PostalCode/20 | uniqueHash, formula, defaultText | | |
| STRING | State/80 | uniqueHash, sha256, dtkSha256, formula, defaultText | | |
| PICKLIST | StateCode | sha256, dtkSha256, defaultText | | Use the sha256 if the picklist field is not restricted and its length is greater than 64 characters. Otherwise use defaultText. |
| TEXTAREA | Street/255 | uniqueHash, sha256, dtkSha256, formula, defaultText | | |

Using the fixed hash function

You can use the fixed hash function to apply custom values that you need instead of using the built-in hash functions returning random strings.

The fixed hash function for a protected field

This function supports the following field types:

  1. STRING

  2. TEXTAREA

  3. PICKLIST

  4. MULTIPICKLIST

  5. COMBOBOX

  6. TIME

  7. DATE

  8. DATETIME

  9. BOOLEAN

  10. PERCENT

  11. INTEGER

  12. LONG

  13. DOUBLE

  14. CURRENCY

  15. PHONE

  16. EMAIL

  17. URL

The length of the values that the fixed hash function can apply depends on the field type.

Deleting protected fields

note

You delete protected fields from the configuration of the InCountry Data Residency for Salesforce package only. These fields will be preserved in Salesforce itself.

You can delete protected fields that are no longer needed from the data store policy for a specific Salesforce object. Such fields will no longer be protected by the package when their values are shown in the Salesforce interface.

  1. Select the Salesforce object whose protected fields you want to delete.

  2. On the list with protected fields, locate the one you want to delete.

    Select the field

  3. Click the box with the down arrow and then select Delete.