How To

Access Classically Encrypted Fields Using Flow

jenwlee

EncryptedData

Note: This flow solution runs only in Lightning Experience.

Ever have a need to take action on changes on a classically encrypted field? Your only option is not a trigger. Did you know that flow has the ability to read classically encrypted fields too? YES!

The flow built in this blog post shows the ability for flow to determine whether there was a change to the SSN field to then take further action on the field change.

Shout-Out

I want to give a shout out to Neil Jamison of eightCloud for the solution of using flow to compare classically encrypted text fields.

Also, another shout out to Sam Friedewald, who came up with the idea of a blank flow screen to ran a hidden flow upon record page load.

Here are a few lessons learned from implementing this use case:

  • Learn how to add flow a Lightning record page.
  • Provide descriptions, where provided, in Salesforce. This may be tedious step, I know, but your future self will thank you when you are trying to remember what you configured or assist other/future admins when troubleshooting or enhancing what was built. This includes variables, the purpose of a flow, what each flow element does, etc.
  • If the classically encrypted field already exists in your org, you will need to populate the value in the encrypted field to the compare encrypted field via an anonymous apex before you start this process. Otherwise, if the compare field is blank, it will consider it as a change.
  • For flow to use the classically encrypted fields in flow, you need to store the encrypted value in a text variable. When I tried using a record variable, I was not able to get the flow to recognize a null text field.

Business Use Case:  Addison Dogster is the system administrator at Universal Containers.  Mary Markle is the Director of Operations. SSN is a classically encrypted field and she wants to know what the field is updated but she does not want the field to be tracked in field history. Instead, she wants it noted in the Description field.

Addison knows that process builder does not recognize/see a classically encrypted field but knows that flow does. She decides, rather than use a process to invoke a flow, she was going to drop the flow component on the page and have it run as a hidden flow upon contact record page load.

Quick Steps:

Pre-requisites:

  • Create a custom text encrypted field to match the original text encrypted field. Note: for our use case, our text encrypted field is a 9 character SSN field.

1. Now, let’s create the flow. In Lightning Experience, it is found under Process Automation | Flows.

Here is the flow we are going to create. This flow will lookup the two text encrypted fields associated to the contact record to store into two text variable fields. Next, we decide whether we have a new record, a change to an existing record or no change to an existing record. If the record is new, we will update the SSN Compare field with the value of the original SSN field. If there is a change to an existing record, we will update the description field to note that there was a SSN field and we will update the SSN Compare field with the updated SSN value. For all outcomes, we will finish with a blank screen.

SSNUpdateFlow.GIF

A. Let’s create our flow resources.

The first variable resource is called “recordId.” This is case sensitive and is a reserved variable name used by Salesforce to denote the record Id of the detailed record page. This needs to be specified as “Input Only” under the Availability Outside this Flow section. We will be passing the recordId from the Lightning record page into this flow.

Best practice tip: Provide a description so you and other/future admins know what this flow resource is used for.

recordId.GIF

The variable “varSSN” will hold the encrypted SSN value. The Data Type selected is Text.

  1. Best practice tip: Provide a description so you and other/future admins know what this flow resource is used for.

varSSN.GIF

The variable “varSSNCompare” will hold the encrypted SSN comparison value. The Data Type selected is Text.

Best practice tip: Provide a description so you and other/future admins know what this flow resource is used for.

SSNCompare.GIF

B. First, we will add a Get Records flow element on the contact record to pull  SSN and SSN Compare text encrypted fields where the Id equals the recordId. We will store the SSN value in the varSSN variable and SSN_Compare value in the varSSNCompare variable.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

SSNUpdateFlow-GetRecords.GIF

C. Next, we are going to determine whether the record is new or if existing, whether the SSN field is changed using the Decision flow element.

Outcome:

New Record: {!varSSN} Does Not Equal {!varSSNCompare} AND {varSSNCompare} is null $GlobalConstant.True

Existing Record | No Change: {!varSSN} Equals {!varSSNCompare}  AND

Existing Record | Change: {!varSSN} Does Not Equal {!varSSNCompare} AND {varSSNCompare} is null $GlobalConstant.True

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

SSNUpdateFlow-Decision.GIF

D. Next, we will use a Update Records flow element for the outcome where there are changes to an existing contact. We will update the description field and the SSN Compare field with the SSN field where the Contact’s Id equals recordId.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

SSNUpdateFlow-UpdateRecords-Existing.GIF

E. We will use a Update Records flow element for the outcome where there is a new record. We will update the SSN Compare field with the SSN field where the Contact’s Id equals recordId.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

SSNUpdateFlow-UpdateRecords-New.GIF

F. Now, we need to create our blank Screen flow element. Under the Configure Frame section, deselect both Show Header and Show Footer.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

SSNUpdateFlow-Screen.GIF

H. Add the subflow Send Flow Fault Email. For instructions on how to create this, go to Step 2 of blog post: Maximize Maintainability With Process Builder and Componentized Visual Workflow.

Best practice tip: Provide a description so you and other/future admins know what this flow element is used for.

Set the following attributes:

  • varCallingFlowName: SSN Update
  • varFaultMessage: {!Flow.FaultMessage}

I. Connect the flow elements, outcome connector and the fault connectors to match the below…

SSNUpdateFlow-Connectors.GIF

J. Save/Save As with the name SSN Update and a description about the flow.

Best practice tip: Provide a description so you and other/future admins know what this flow is used for.

K. Click the “Back” button.

L. Locate the flow and click on the SSN Update flow name.

M. On the flows screen, activate the flow.

SSNUpdateFlow-Activate.GIF

3. Now, we need to add the Flow standard components to the Contact Lightning record page via Lightning App Builder.

SSNUpdateFlow-LightningAppBuilder.GIF

View image full screen

Locate the Flow component that we configured in Step 2 and drag it to the desired location on the page. Don’t forget to check the box next to “Pass record ID into this variable”, which is the recordId variable.

Click the Save button and hit Back.

That’s it! You’ve configured the changes.

Now, before you deploy the changes to Production, don’t forget to test your configuration changes.

  1. Create a new contact record. Verify that the SSN Compare field has the SSN value.
  2. On an existing contact record, update the SSN field. Verify that the SSN Compare field was updated with the SSN value and “Updated SSN” was updated in the Description field.

Deployment Notes/Tips:

  • The flow, custom field and lightning record page can be deployed to Production in a change set (or can be deployed using a tool such as Dreamfactory’s Snapshot).
  • Don’t forget to update the custom field’s FLS for the profiles that will use the flow.
  • You will find the flow in a change set under the Flow Definition component type.
  • Activate the flow post deployment as they deploy inactive in Production, unless with Winter ’19, you have opted in on the Process Automation Settings screen, to “Deploy processes and flows as active.” NOTE: With this change, in order to successfully deploy a process or flow, your org’s Apex tests must launch at least 75% of the total number of active processes and active autolaunched flows in your org.

 

 

2 thoughts on “Access Classically Encrypted Fields Using Flow

Leave a comment