Salesforce Protect Contact Fields
Blocks Salesforce Contact updates that modify protected fields — ownership, account linkage, contact PII, name, and consent flags.
Blocks Salesforce Contact updates that modify protected fields — ownership, account linkage, contact PII, name, and consent flags.
Restricts Salesforce SOQL queries so only Account, Contact, and Opportunity records can be retrieved.
Restricts the Salesforce MCP server to read-only access.
Redacts personal contact information from Salesforce tool responses before they reach the caller.
Reusable DTwo policies for Salesforce MCP servers (the Salesforce-hosted MCP server and compatible implementations).
| Policy | Direction | Purpose |
|---|---|---|
| protect-contact-fields | ingress | Deny Contact updates that modify protected fields (ownership, account linkage, PII, name, consent flags); other field updates and tools pass through. |
| query-allowlist | ingress | Restrict SOQL queries to Account, Contact, and Opportunity objects; other Salesforce tools and non-Salesforce tools pass through. |
| read-only | ingress | Allowlist Salesforce read tools and deny all writes (fail-closed); non-Salesforce tools pass through. |
| redact-pii | egress | Redact contact PII (email, phone, fax, mailing address, birthdate, SSN, card numbers) from Salesforce responses. Transform-only — never denies. |
DTwo prefixes tool names with the MCP server name configured on the gateway. A Salesforce MCP server registered as salesforce surfaces tools like salesforce-updatesobjectrecord, while one registered under another name would surface <name>-updatesobjectrecord. The policies in this directory match on the suffix (e.g. -updatesobjectrecord) so they stay portable across naming conventions. Always confirm the exact tool name your gateway sends using the dump-input debug technique before deploying.
These policies do not require any specific IdP claims. If you want identity-based exemptions (e.g., a break-glass role that can edit protected fields), gate the relevant rule with object.get(input.subject.claims, "<claim>", "<default>").
To add a Salesforce policy:
apps/salesforce/<policy-slug>/ with policy.md and a tests.yaml test file.apps: ["salesforce"] in the policy frontmatter, plus any industry / bundle slugs that apply.bundles/crm), link to it from the matching landing page.pnpm manifest from the repo root.See CONTRIBUTING.md for the full process.