Overview
Practifi Protect is an add-on service that brings enterprise-grade security and compliance capabilities to your Practifi organization. It combines three powerful features: Platform Encryption, which protects sensitive client data at the field level so it is unreadable even if accessed without authorization; Field Audit Trail, which creates a complete, tamper-evident history of changes to tracked fields for compliance and governance purposes; and Event Monitoring Analytics, which gives your administrators visibility into who is accessing data, running reports, and performing key actions within the platform.
Together, these capabilities help wealth management firms meet regulatory requirements, demonstrate data stewardship to clients, and maintain the operational transparency that modern compliance programs demand. This article walks your administrators through enabling Practifi Protect in your Practifi organization, so your team can begin operating with these protections in place.
Please note: The steps in this article are only actionable after Practifi Protect has been deployed to your organization and the Shield Extension Pack has been installed. Reach out to your Client Success Manager to get started.
- Before You Begin
- Set Up Platform Encryption
- Understanding Encryption Types
- Using the Platform Encryption Analyzer
- Create Encryption Policies
- Set Up Field Audit Trail
- Using the History Retention Policy Manager
- Using the Field History Explorer
- Set Up Event Monitoring Analytics
- Encryption Limitations
- Troubleshooting
- Disabling Practifi Protect
Before You Begin
Practifi Protect is built on the Salesforce Shield platform and uses a companion managed package called the Shield Extension Pack. Before proceeding with the steps in this article, confirm that your Salesforce Shield license is fully provisioned and that the Shield Extension Pack has been installed in your organization. You can verify this by opening the App Launcher and searching for Shield Extension. The following tabs should be visible:
- Shield Extension Config
- Platform Encryption Analyzer
- History Retention Policy Manager
- Field History Explorer
Please note: If any of these tabs are missing, your Practifi implementation team will need to confirm that the Shield Extension Pack has been installed and that your user account has been assigned the appropriate permissions. Contact your Client Success Manager if you need assistance.
You will also need full administrative access to Salesforce Setup to complete the steps in this article. Allow a minimum of two weeks for the complete setup, testing, and validation of all three Practifi Protect features.
Set Up Platform Encryption
Platform Encryption protects sensitive client data at rest by encrypting field values, making them unreadable outside authorized Practifi sessions. Configuring it requires creating an administrative permission set, generating encryption keys, and enabling the correct platform settings before any fields are encrypted.
Create the Practifi Protect Admin Permission Set
- Click the Setup cog in the upper-right corner of Practifi, then click Setup from the dropdown menu.
- Use the Quick Find bar to search for Permission Sets and click the result.
- Click the New button.
- Name the permission set Practifi Protect Admin and click Save.
- Click the System Permissions link from the permission set detail page.
- Click the Edit button and enable the following permissions:
  - Manage Encryption Keys
  - Customize Application
  - View Setup and Configuration
  - Manage Certificates
- Click the Save button.
- Click the Manage Assignments button and assign the permission set to your user profile.
Generate Encryption Keys
Encryption keys are the foundation of Platform Encryption. Generating and securely storing your keys before encrypting any data is essential. If keys are lost, encrypted data cannot be recovered.
- In Setup, navigate to Platform Encryption and click Encryption Settings.
- Toggle Generate Initial Deterministic Tenant Secret to On and click the Save button.
- Navigate to Platform Encryption and click Key Management.
- Verify that both key types are visible: Fields and Files (Probabilistic) and Fields (Deterministic).
- Click Export next to each key and store the exported files in a secure location outside of Salesforce.
Please note: Exporting and securely storing your encryption keys is strongly recommended. These keys are required to decrypt your data if a key rotation or recovery situation arises. Treat exported key files with the same care as any critical security credential.
Enable Encryption Settings
- In Setup, navigate to Platform Encryption and click Advanced Settings.
- Enable the following settings:
  - Deterministic Encryption
  - Encrypt Custom Fields in Managed Packages
  - Encrypt Field History and Feed Tracking Values
- Click the Save button.
Understanding Encryption Types
Salesforce Shield offers two field-level encryption types. Choosing the right type for each field is important because it determines how that field can be used within Practifi. Applying the wrong encryption type to a field used in filters, reports, or Practifi components will cause those features to stop working for that field.
Deterministic Encryption produces the same encrypted output each time a given value is encrypted. This means the field can still be used in report filters, SOQL queries, list views, and Practifi components such as tiles and record lists. Use Deterministic encryption for fields that need to remain searchable or sortable, including external ID fields, fields used in Practifi tiles and components, and fields used in report filters.
Probabilistic Encryption produces a different ciphertext each time the same value is encrypted, providing the highest level of security. However, fields encrypted with Probabilistic encryption cannot be used in filters, sorts, or search operations. Use Probabilistic encryption for highly sensitive data that does not need to be filtered or sorted, such as Social Security Numbers and Tax ID Numbers.
If you are unsure which type to apply to a given field, use the Platform Encryption Analyzer to evaluate the field based on its actual usage in your organization before encrypting it.
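The difference between the two encryption types can be seen in a small added illustration (not Practifi or Salesforce code). It uses an HMAC-SHA256 stand-in cipher rather than the Shield scheme, and the key, function names, and sample last names are constructed for the example. It shows why an equality filter still matches on a deterministic column, why it returns nothing on a probabilistic one, and that a deterministic column reveals which rows share a value.

```python
import hashlib
import hmac
import secrets

IV_LEN = 16  # bytes of IV stored in front of every ciphertext


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a separate key per purpose from the (constructed) tenant key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in cipher, NOT the Shield scheme."""
    out, counter = b"", 0
    while len(out) < length:
        block = iv + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, value: str, deterministic: bool) -> bytes:
    """Return IV || ciphertext. No integrity tag: illustration only."""
    data = value.encode("utf-8")
    if deterministic:
        # IV is derived from the value: same value -> same IV -> same ciphertext.
        iv = hmac.new(_subkey(key, b"iv"), data, hashlib.sha256).digest()[:IV_LEN]
    else:
        # Fresh random IV: the same value encrypts differently every time.
        iv = secrets.token_bytes(IV_LEN)
    stream = _keystream(_subkey(key, b"enc"), iv, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, stream))


def decrypt(key: bytes, blob: bytes) -> str:
    """Both types decrypt the same way, because the IV travels with the data."""
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    stream = _keystream(_subkey(key, b"enc"), iv, len(body))
    return bytes(a ^ b for a, b in zip(body, stream)).decode("utf-8")


def encrypt_column(key: bytes, values, deterministic: bool):
    """Encrypt every value of a field, as stored at rest."""
    return [encrypt(key, v, deterministic) for v in values]


def equality_filter(key: bytes, column, term: str, deterministic: bool):
    """Filter WITHOUT decrypting rows: encrypt the search term and compare
    ciphertext bytes, which is all an index over encrypted data can do."""
    probe = encrypt(key, term, deterministic)
    return [row for row, blob in enumerate(column) if blob == probe]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed key
    last_names = ["Smith", "Jones", "Smith", "Nguyen"]  # constructed sample data

    det = encrypt_column(key, last_names, deterministic=True)
    prob = encrypt_column(key, last_names, deterministic=False)

    print("deterministic filter :", equality_filter(key, det, "Smith", True))
    print("probabilistic filter :", equality_filter(key, prob, "Smith", False))
    # Trade-off: duplicate ciphertexts show which rows hold the same value.
    print("distinct ciphertexts :", len(set(det)), "vs", len(set(prob)))
    print("round trip           :", [decrypt(key, b) for b in prob])
```
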
Using the Platform Encryption Analyzer
The Platform Encryption Analyzer is the recommended tool for evaluating and bulk-encrypting fields. Rather than encrypting fields one at a time through Setup, the Analyzer examines each field's actual usage in your organization and tells you whether it is safe to encrypt, what type to use, and whether any configuration changes are needed first. This approach significantly reduces the risk of breaking existing functionality when enabling encryption.
To analyze and encrypt fields using the Platform Encryption Analyzer:
- Click the App Launcher and open the Platform Encryption Analyzer tab.
- Use the checkboxes to select the fields you want to evaluate. You can use object-based or field-type filters to narrow your selection.
- Click the Analyze button to begin the analysis.
- Monitor progress using the View Progress indicator. You will receive an email notification when the analysis is complete.
- Review the results. Each field will be assigned one of the following result types:
| Result Type | Description |
|---|---|
| All Clear | Ready for immediate encryption with no functional impact |
| Blocked by Configuration | Can be encrypted after specific configuration changes are made |
| Blocked by Platform | Cannot be encrypted due to Salesforce platform limitations |
| Encrypted by Shield | Already protected with Shield Platform Encryption |
| Standard | Currently using standard encryption settings |
| Filter Preserving | Using Deterministic (filter-preserving) encryption |
- Select the fields you want to encrypt (typically those showing All Clear or Blocked by Configuration after remediation).
- Click the Encrypt Now button.
- Select the appropriate encryption type for each field. Hover over any result icon to see detailed information about a field's status before making your selection.
- Confirm your settings and click Submit. You will receive an email confirmation when encryption is complete.
Please note: The Analyzer evaluates fields based on their current usage in your organization. Its recommendations account for how fields are used across Practifi components, reports, and automations, making it the safest and most efficient way to implement encryption at scale.
Create Encryption Policies
After enabling platform settings and generating your keys, you can create encryption policies for individual fields. The table below lists the Practifi fields commonly recommended for encryption and the encryption types each supports, providing a focused starting point for protecting the client data most often subject to regulatory and privacy requirements. Use the Platform Encryption Analyzer to confirm the appropriate encryption type for each field based on your organization's specific configuration before encrypting.
| Object | Field Name | Probabilistic Encryption | Deterministic Encryption |
|---|---|---|---|
| Contact | Birthdate | X | |
| Contact | | X | |
| Contact | Home Phone | X | X |
| Contact | Mobile | X | X |
| Contact | Name | X | |
| Contact | Other Phone | X | X |
| Contact | Phone | X | X |
| Contact Point Address | Address | X | X |
| Contact Point Email | Email Address | X | X |
| Contact Point Phone | Phone Number | X | X |
| Email Message | BCC Address | X | X |
| Email Message | CC Address | X | X |
| Email Message | From Address | X | X |
| Email Message | From Name | X | X |
| Email Message | Headers | X | X |
| Email Message | HTML Body | X | X |
| Email Message | Subject | X | X |
| Email Message | Text Body | X | X |
| Email Message | To Address | X | X |
| Email Message Relation | Relation Address | X | X |
| Entity | Description | X | X |
| Entity | | X | X |
| Entity | Entity Name | X | |
| Entity | Phone | X | X |
| Entity | Website | X | X |
| Event | Description | X | X |
| Event | Subject | X | X |
| List Email | From Address | X | X |
| List Email | From Name | X | X |
| List Email | Reply To Address | X | X |
| Notes | Description | X | X |
| Task | Description | X | X |
| Task | Subject | X | X |
| User | | X | X |
Encrypt Standard Fields
In Setup, go to Encryption Policy and click the Encrypt Fields link. Enable encryption for the desired fields, then select Probabilistic as the Encryption Scheme. Click the Save button.
Encrypt Custom Fields
Encryption is enabled on custom fields individually through the Object Manager. In Setup, go to Object Manager and locate the object containing the field you want to encrypt. Click the field name, then click the Edit button. On the field edit page, enable the Encrypted checkbox and click Save.
Please note: Feed Posts (Chatter) and Files are encrypted differently from standard fields. To encrypt Feed Posts, enable the Encrypt Chatter checkbox on the Encryption Policy page in Setup. To encrypt Files, enable the Encrypt Files and Attachments checkbox on the same page.
Set Up Field Audit Trail
Field Audit Trail creates a long-term, immutable record of changes to tracked fields across your Practifi data model. Where standard Salesforce field history tracking retains data for 18 months and tracks up to 20 fields per object, Practifi Protect raises this to 60 fields per object and archives change history in a dedicated big object for long-term retention. This gives your compliance team a reliable, queryable audit trail covering years of data activity rather than months.
Your Practifi organization already has history tracking enabled for a core set of fields on standard and custom objects. The steps below are only needed if you want to track additional fields beyond those already configured.
Please note: Field history tracking is not supported on all field types. The following are excluded due to Salesforce platform limitations: Task and Event objects, long text fields, multi-select picklist fields, formula fields, Created By fields, and Last Modified By fields. Attempting to enable tracking on these field types will not produce results.
Set Up Additional Field History Tracking for Standard Objects (Optional)
- In Setup, go to Object Manager and click the Standard Object you want to enable additional tracking on.
- Navigate to the Fields & Relationships page and click the Set History Tracking button in the top right.
- Check the fields you want to add to the history tracking, then click the Save button.
Set Up Additional Field History Tracking for Custom Objects (Optional)
- In Setup, go to Object Manager and click the Custom Object you want to enable tracking for.
- On the main object detail page, click the Edit button.
- Enable Track Field History and click the Save button.
- Once field history is enabled on the custom object, follow the same process as for Standard Objects to select which fields to track.
Default Retention Policy
By default, all objects with Field History Tracking enabled will have their field history archived in the FieldHistoryArchive big object after 18 months and retained until manually deleted. You can customize these retention parameters for each object using the History Retention Policy Manager, described in the next section.
Accessing the FieldHistoryArchive Big Object
Once field history data has been archived, you can access it using the REST API, SOAP API, or Tooling API. You can also query the FieldHistoryArchive object directly within the Salesforce developer console. Field changes that have not yet reached the archive threshold remain accessible by querying the associated History object for each record type, such as ContactHistory or AccountHistory.
Using the History Retention Policy Manager
The History Retention Policy Manager is the central interface for configuring how long field history data is retained before being archived, and how long archived data is kept. It surfaces all objects with active field history tracking in one place and highlights fields flagged as sensitive through Data Classification, helping your administrators prioritize the most compliance-critical data. Configuring these policies thoughtfully ensures your organization retains the data it needs for audits and regulatory requests without accumulating unnecessary records.
To configure retention policies:
- Click the App Launcher and open the History Retention Policy Manager tab.
- Locate the object whose retention policy you want to configure and click the dropdown arrow next to it.
- Review the fields listed. Fields identified as sensitive through Data Classification are automatically highlighted to help you prioritize.
- Configure the following retention parameters:
  - Archive After: The number of months before field history moves to long-term storage. The standard value is 18 months (range: 0 to 18).
  - Archive Retention: How long archived data is retained after being moved to the archive. The standard value is 10 years (range: 0 to 10 years).
  - Grace Period: Additional time before the initial archive process begins (range: 0 to 10 days).
- Add a policy description for audit documentation purposes.
- Click the Update Policies button to save your settings.
You can also use the History Retention Policy Manager to monitor the current tracking status across your organization. It displays a real-time count of fields tracked per object and identifies objects that contain high-risk fields not yet tracked.
Please note: Practifi Protect supports tracking up to 60 fields per object, compared to the standard Salesforce limit of 20. If you require tracking on more than 60 fields for a particular object, contact your Client Success Manager to discuss available options.
Using the Field History Explorer
The Field History Explorer gives administrators direct visibility into field change history across the Practifi data model. Rather than requiring custom queries or external tools, it provides a dedicated interface for reviewing what changed, when it changed, and who made the change. This is particularly useful for responding quickly to audit inquiries, investigating data discrepancies, or verifying the integrity of key client records.
There are three methods for accessing field history data depending on your technical needs:
Method 1: Standard Access
Use Salesforce Data Loader to export FieldHistoryArchive object data as CSV files, then analyze the data using a spreadsheet tool such as Microsoft Excel. This method is well-suited to periodic compliance reporting and bulk data reviews.
Method 2: Enhanced Access
Deploy third-party AppExchange applications that provide native Practifi integration, allowing field audit trail data to be viewed directly within Practifi. This method is appropriate for teams that want to review field history without leaving the platform or exporting data.
Method 3: API Access
Use the REST API, SOAP API, or Tooling API to programmatically query archived field history data. This approach is appropriate for custom integrations or automated audit trail retrieval in enterprise environments.
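For the API access described here and under Accessing the FieldHistoryArchive Big Object, the following added example (not Practifi's or Salesforce's own code) builds the SOQL for archived and not-yet-archived changes of one record and pages through the REST query endpoint. The instance URL, access token, API version, and record ID are placeholders you supply; IDs and object names are validated before they are placed into the query text.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_VERSION = "v60.0"  # assumption: replace with an API version your org supports

_ID_RE = re.compile(r"^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?$")  # 15- or 18-char ID
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")              # object API name

# History objects named in this article, with their parent-record field.
HISTORY_OBJECTS = {
    "Contact": ("ContactHistory", "ContactId"),
    "Account": ("AccountHistory", "AccountId"),
}
_COLUMNS = "Field, OldValue, NewValue, CreatedById, CreatedDate"


def _check(record_id: str, object_name: str) -> None:
    """Reject anything that is not a plain ID / API name before it reaches SOQL."""
    if not _ID_RE.match(record_id):
        raise ValueError("record_id is not a 15- or 18-character Salesforce ID")
    if not _NAME_RE.match(object_name):
        raise ValueError("object_name is not a valid API name")


def archive_query(object_name: str, record_id: str, since: datetime) -> str:
    """SOQL for changes already moved to FieldHistoryArchive.
    Filters are given in the order FieldHistoryType, ParentId, CreatedDate."""
    _check(record_id, object_name)
    if since.tzinfo is None:
        raise ValueError("since must be timezone-aware")
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f"SELECT ParentId, {_COLUMNS} FROM FieldHistoryArchive "
        f"WHERE FieldHistoryType = '{object_name}' "
        f"AND ParentId = '{record_id}' AND CreatedDate > {stamp}"
    )


def recent_history_query(object_name: str, record_id: str) -> str:
    """SOQL for changes that have not yet reached the archive threshold."""
    _check(record_id, object_name)
    history_object, parent_field = HISTORY_OBJECTS[object_name]
    return (
        f"SELECT {parent_field}, {_COLUMNS} FROM {history_object} "
        f"WHERE {parent_field} = '{record_id}' ORDER BY CreatedDate DESC"
    )


def query_url(instance_url: str, soql: str) -> str:
    """URL of the REST query resource for one SOQL statement."""
    base = instance_url.rstrip("/")
    return f"{base}/services/data/{API_VERSION}/query?" + urllib.parse.urlencode({"q": soql})


def run_query(instance_url: str, access_token: str, soql: str) -> list:
    """Run the query and follow nextRecordsUrl until every page is read."""
    url, records = query_url(instance_url, soql), []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        records.extend(page["records"])
        more = page.get("nextRecordsUrl")
        url = instance_url.rstrip("/") + more if more else None
    return records


if __name__ == "__main__":
    contact_id = "003000000000001AAA"  # constructed placeholder ID
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(archive_query("Contact", contact_id, start))
    print(recent_history_query("Contact", contact_id))
```

The querying user needs the View All Data permission noted under Troubleshooting for archived rows to be returned.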
Set Up Event Monitoring Analytics
Event Monitoring provides your compliance and operations teams with visibility into how users interact with data within Practifi. Through a set of pre-built CRM Analytics dashboards, administrators can monitor login activity, report exports, page visits, and API activity in near real time. Practifi Protect also captures Practifi-specific events, including process completions, entity lifecycle changes, and record exports, providing operational insight that goes beyond standard Salesforce event monitoring.
Setting up Event Monitoring Analytics involves configuring permissions, enabling the required platform features, creating the analytics app, and scheduling the data refresh.
Configure Permissions
- In Setup, go to Permission Sets and click the New button.
- Name the permission set View Event Logs and click Save.
- Click System Permissions, then click Edit and enable the following permissions:
  - View Event Log Files
  - API Enabled User
- Click the Save button, then click Manage Assignments to assign the permission set to the appropriate users.
- Create a second permission set named Event Monitoring Analytics Apps User.
- Enable the following System Permissions on this permission set:
  - Use CRM Analytics Templated Apps
  - Access Event Monitoring Analytics Templates and Apps
- Click the Save button and assign this permission set to users who need dashboard access.
- In Setup, navigate to Company Information and locate Event Monitoring Analytics Apps under Feature Licenses.
- Click Manage Assignments and assign a license to each user who requires access. Up to 10 users can be assigned this license.
- Ensure that the appropriate users are also assigned the Event Monitoring Analytics Apps Admin and Event Monitoring Analytics App User permissions. The Admin permission allows users to create custom dashboards and dataflows in Analytics Studio; the User permission allows them to view dashboards.
Enable Platform Features
- In Setup, use the Quick Find bar to search for Getting Started under Analytics and click the result.
- Click the Enable CRM Analytics button in the upper right corner.
Please note: If you encounter an error when enabling CRM Analytics, switch to Salesforce Classic Setup by navigating to Analytics > Getting Started and clicking Enable CRM Analytics. Then return to Lightning Experience and continue.
- In Setup, search for and click Event Monitoring Settings in the Quick Find bar.
- Enable the following settings and click the Save button:
  - View event log data in analytics apps
  - Generate Log Files
- To retain event data beyond the default period, navigate to Setup and click Event Manager.
- For each event type you want to retain for extended periods, click the dropdown next to the event type and click Enable Storage. The following event types are recommended:
  - Login
  - Login As
  - Report Export
  - Setup Audit Trail
  - API Event
  - URI
Create the Event Monitoring Analytics App
- Launch CRM Analytics from the App Launcher.
- Click Create, then click App, then click Event Monitoring Analytics App, and click Continue.
- Choose your configuration method. Incremental Refresh is recommended for most organizations as it adds only new event log data to existing datasets, reducing storage consumption and speeding up daily refreshes. Configure a 30-day data retention period for all datasets, name the app, and click Create.
Please note: If you choose Full Refresh instead, set the retention window to at least 4 days and configure all available datasets before clicking Create. Full Refresh rebuilds all datasets from scratch on each run and is more resource-intensive than Incremental Refresh.
- Monitor app creation progress in Data Manager under the Jobs tab. App creation typically takes 5 to 15 minutes.
- Verify the job completes with a Success status before proceeding.
Test and Schedule the Dataflow
- In Analytics Studio, click Data Manager on the left side of the screen and navigate to the Dataflows tab.
- Locate the pre-built Event Monitoring eltDataflows dataflow and click Run Now from the dropdown to the right.
- Navigate to the Jobs tab and wait for the job to complete. Warnings are expected and typically indicate that the dataflow found no log entries of a certain type, which is not an issue. Errors should be investigated and resolved before proceeding.
- Once the test run completes without errors, return to the Dataflows tab and click the dropdown next to the Event Monitoring dataflow, then click Schedule.
- Configure the schedule with the following settings and click the Save button:
  - Time: 6:00 AM to 7:00 AM in your organization's local time zone
  - Frequency: Daily
  - Active: Enabled
Please note: Event Monitoring log files are generated at approximately 3:00 AM at the Salesforce instance location. Scheduling the dataflow for 6:00 AM or 7:00 AM provides a 3- to 4-hour buffer to ensure all log files are available before the dataflow runs. Check your organization's instance and time zone when scheduling to ensure accurate timing.
Review the Dashboards
- In Analytics Studio, locate your Event Monitoring app from the Home screen.
- Open the app and inspect the Logins, Reports, Report Downloads, and Page URLs dashboards to confirm they are populated with data.
- Navigate to the Share option on the app tile and assign access levels to users or groups who need visibility:
  - Viewer: Standard dashboard access
  - Editor: Can modify dashboards and create lenses
  - Manager: Full app management capabilities
Please note: Because Event Monitoring log uploads occur in the early morning hours, dashboards may not be populated until the day after the scheduled dataflow runs for the first time.
Practifi Custom Event Monitoring
In addition to standard Salesforce event types, Practifi logs a set of custom events that capture activity specific to the Practifi platform. These events are available as of July 2025 and appear in your Event Monitoring dashboards alongside standard events. Custom events currently tracked include the export action on record lists, as well as the following App Analytics interactions: when a Task is completed, when a Process is completed or cancelled, when an Entity is created, when an Entity becomes a Prospect, when an Entity becomes a Client, when an Entity becomes a Lost Client, and when Entity, Prospect, and Client record pages are opened. These events give your team deeper visibility into the specific workflows and data interactions that matter most for wealth management operations.
Encryption Limitations
Platform Encryption is a powerful tool, but it introduces constraints that are important to understand before you begin encrypting fields. Being aware of these limitations upfront will help you plan your encryption strategy and avoid unexpected impacts on existing Practifi functionality.
Salesforce Platform Limitations
Encrypted fields are excluded from criteria-based record sharing rules. Some automation scenarios and Salesforce features do not support encrypted fields, and certain formula field operators have limited compatibility with encrypted data.
Practifi-Specific Limitations
Probabilistic-encrypted fields cannot be used for sorting within Practifi record lists. When a default sort field is encrypted with Probabilistic encryption, such as the Name field in the Directory, Practifi will automatically fall back to sorting by Last Modified Date. If sorting on a key field is important to your users, use Deterministic encryption for that field instead.
Certain Practifi tiles and components may require configuration adjustments when the fields they reference are encrypted. If a tile or component stops displaying data as expected after encryption is applied, verify that the fields it uses are encrypted with Deterministic encryption rather than Probabilistic.
Troubleshooting
The following sections cover common issues encountered during Practifi Protect setup, along with steps to resolve them.
The Shield Extension Config Tab Is Not Visible After Installation
Wait 10 to 15 minutes after installation, then log out completely and log back in. Check the App Launcher for the Shield Extension apps. If the tab is still missing, add it manually by clicking the pencil icon in the navigation bar, clicking Add More Items, and searching for Shield Extension.
Encryption Keys Are Not Being Generated
Confirm the user has the Manage Encryption Keys permission and that the Customize Application permission is also enabled. Verify that Shield Platform Encryption shows as active under Company Information in Setup. Clear your browser cache and try again. If the issue persists, contact Salesforce Support directly, as key generation failures are typically a platform-level provisioning issue.
Practifi Components Are Not Working After Encrypting Fields
Verify which encryption type was applied to the affected fields. Probabilistically encrypted fields cannot be used in filters, sorts, or WHERE clauses, so tiles, record lists, and reports that reference them will not function as expected. To resolve this, decrypt the affected field and re-encrypt it using Deterministic encryption. Update any affected Practifi tiles to use non-encrypted or Deterministic-encrypted fields for filtering. Update report filters to exclude Probabilistic-encrypted fields.
Field History Is Not Tracking Changes
Verify that field history tracking is enabled for both the object and the specific field. Check that you have not exceeded the 60-field limit per object. Confirm that the user making changes has the appropriate permissions. Test by making a simple, visible change, such as updating a Contact name, then check whether the change appears in the field history.
Archived Data Is Not Appearing in FieldHistoryArchive
Confirm that the retention period has elapsed. Data is only written to FieldHistoryArchive after the Archive After threshold configured in the History Retention Policy Manager has passed. Verify the retention policy shows the correct Archive After and Archive Retention values. Confirm you have the View All Data permission when querying.
Event Monitoring Dashboards Are Empty or Show No Data
Wait 24 to 48 hours after app creation, as event log files have a built-in 24-hour delay. Check the dataflow status in Data Manager under the Jobs tab. Verify that both Event Monitoring Settings are enabled in Setup. Confirm CRM Analytics is enabled and that the correct permission sets have been assigned. If the problem persists, check whether the row count has exceeded the 50 million limit.
The Event Monitoring Dataflow Is Showing Errors
Click the failed job in the Jobs tab to view error details. Common errors and their resolutions include the following: if you see "Object not found," edit the dataflow to remove missing objects or re-enable the relevant event types in Event Manager; if you see "Insufficient permissions," re-run the permission set assignments; if you see "Row limit exceeded," reduce retention periods; if you see "Dataset not found," recreate the Event Monitoring app from scratch. Verify that all required datasets exist in Data Manager under the Datasets tab.
Users Cannot Access the Event Monitoring App
Verify that the correct permission sets are assigned in Setup. Check that the Event Monitoring Analytics Apps license is assigned to the user under Company Information. Confirm that the app sharing settings include the affected user or their group. Verify the user profile has the CRM Analytics User permission enabled. Ask the user to clear their browser cache and log back in.
Disabling Practifi Protect
If your firm no longer wants to use Practifi Protect, reach out to your Client Success Manager or Practifi Support to request deactivation.