Our Case Triggers script enables you to map access to SendSafely packages on a Salesforce Case to changes in the status or assignment of that Case. The Case Triggers script is an AWS Lambda function deployed via CloudFormation template. In this article, we’ll walk you through how to deploy and configure it to tighten up who in your Salesforce environment has access to sensitive customer data.

Overview

When the status or assignment of a Salesforce Case changes, this script performs specified actions on all SendSafely packages in that Case’s Chatter Feed.

Prerequisites

• An AWS account with permission to deploy the CloudFormation and the resources it generates (a Lambda function, Secrets Manager entry, IAM role, CloudWatch logs, SNSTopic for error reporting, etc.)
• A Salesforce System Admin account
• A SendSafely Admin account with API access

Part 1: AWS Configuration

Step 1: Deploy the CloudFormation Template

1. Deploy the CloudFormation template provided by your account rep.
2. After deployment, note the Output URL from the CloudFormation stack. You'll use this as the webhook to invoke the Lambda from Salesforce.

Step 2: Configure Secrets Manager Entries

Store the following credentials in AWS Secrets Manager:

Part 2: Salesforce Configuration

Navigate to Salesforce Setup.

Step 1: Create External Credentials

1. In Setup, search for and select Named Credentials.
2. Click the External Credentials tab.
3. Click New.
4. Enter a Label and Name of your choice.
5. For Authentication Protocol, select No Authentication.
6. Click Save.
7. Scroll down to the Principals section and click New.
8. Enter Named Principal as the Parameter Name.
9. Click Save.

Step 2: Create Named Credentials

1. Click the Named Credentials tab.
2. Click New.
3. Enter a label of your choice.
4. Paste the CloudFormation output URL into the URL field.
5. Select Enabled for Callouts.
6. For External Credential, select the credential you created in Step 1.
7. Leave Client Certificate blank.
8. Uncheck Generate Authorization Header.
9. Click Save.

Step 3: Create Custom Metadata Type for Security

This stores a shared key used to verify requests are coming from your Salesforce org.

Create the Metadata Type

1. In Setup, search for Custom Metadata Types and select it.
2. Click New Custom Metadata Type.
3. Fill in the following:
   • Label: SendSafely Secret
   • Plural Label: SendSafely Secrets
   • Object Name: SendSafely_Secret
   • Description: Shared Secret used for SendSafely-Salesforce case triggers
4. Set visibility based on your org standards.
5. Click Save.

Add a Custom Field

1. On the Custom Metadata Type page, select SendSafely Secret.
2. In the Custom Fields section, click New.
3. Select Text as the data type and click Next.
4. Configure the field:
   • Field Label: HMAC Secret Key
   • Length: 255
   • Field Name: HmacSecretKey
5. Check Required.
6. Click Next, then Next, then Save.

Create the Metadata Record

1. Return to Custom Metadata Types and click Manage Records next to SendSafely Secrets.
2. Click New.
3. Fill in:
   • Label: Default
   • SendSafely Secrets Name: Default
   • HMAC Secret Key: Generate a 32-character random string (see commands below)
4. Check Protected Component.
5. Click Save.

Generate a random key:

On macOS/Linux:

openssl rand -base64 128

On Windows PowerShell:

$bytes = New-Object byte[] 128
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[Convert]::ToBase64String($bytes)

Step 4: Create Apex Classes

Open the Salesforce Developer Console (click the gear icon, then Developer Console).

Create the Utility Class

1. Go to File > New > Apex Class.
2. Name it appropriately (e.g., CaseLambdaInvoker).
3. Paste the contents of CaseLambdaInvoker.java from the SalesforceApexClasses directory.
4. Update line 3: Replace Named_Credentials with your Named Credential name.
5. Save the file.

Create the Trigger

1. Go to File > New > Apex Trigger.
2. Name it appropriately (e.g., CaseCloseLambdaTrigger).
3. Paste the contents of CaseCloseLambdaTrigger.java from the SalesforceApexClasses directory.
4. Save the file.

Create the Test Class

1. Go to File > New > Apex Class.
2. Name it appropriately (e.g., CaseLambdaInvokerTest).
3. Paste the contents of CaseLambdaInvokerTest.java from the SalesforceApexClasses directory.
4. Save the file.

Step 5: Configure Permission Sets

External Credential Access

1. In Setup, search for Permission Sets.
2. Click New.
3. Enter a name and description.
4. Click Save.
5. Open the new Permission Set.
6. Click External Credential Principal Access.
7. Click Edit.
8. Add your External Credential to the Enabled list.
9. Click Save.
10. Click Manage Assignments.
11. Select your support agents and click Add Assignment.

Chatter API Access

1. Create another Permission Set following steps 1-4 above.
2. Click Object Settings.
3. Select Cases.
4. Click Edit.
5. Enable Read, View All Records, and View All Fields.
6. Click Save.
7. Click Manage Assignments.
8. Select the user whose credentials the Lambda will use.
9. Click Add Assignment.

Request Body Examples

Single Action

Revoke access when case closes:

{
  "case_id": "{{case.id}}",
  "action": "revoke_access_to_packages"
}

Add a user to packages:

{
  "case_id": "{{case.id}}",
  "action": "add_user_to_packages",
  "email": "user@example.com"
}

Add a contact group:

{
  "case_id": "{{case.id}}",
  "action": "add_contact_group_to_packages",
  "contactGroupId": "your-contact-group-id"
}

Delete all packages:

{
  "case_id": "{{case.id}}",
  "action": "delete_packages"
}

Multiple Actions

You can execute multiple actions in sequence:

{
  "case_id": "{{case.id}}",
  "action": ["add_contact_group_to_packages", "add_user_to_packages"],
  "contactGroupId": "your-contact-group-id",
  "email": "user@example.com"
}

Actions execute in the order specified in the array.

To Get Started

If you have questions about this integration, contact your SendSafely account rep.