Create Custom Profiles from Scratch via the SOAP API

It’s easier to configure custom profiles to have the permissions you need. Use the Profile SOAP API object to create custom profiles that start without any permissions enabled. Previously, to create a custom profile, you cloned an existing profile in Setup and then removed permissions that you didn’t want the assigned users to have. The Profile Metadata API type functions as before.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: Use the create() call on the Profile SOAP API object and specify the Description, Name, and UserLicenseId fields. You can enable permissions using the API or, after the profile is created, on the profile’s page in Setup. Required permissions for the profile’s user license are automatically enabled.

Create Custom Profiles from Scratch via the SOAP API (salesforce.com)

Grant Access Based on Activated User Sessions for Permission Set Groups

To grant your users only the access that they need when they need it, combine the management power of permission set groups with session-based access control. Create a session-based permission set group to grant access to permission sets during an activated user session. Previously, you created individual session-based permission sets, but now you can set sessions at the permission set group level as well.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

Why: For example, you have a customized Salesforce app that accesses confidential information. For security reasons, you want to limit user access to a predetermined length of time. Some users, such as a team manager, require expanded access for the same length of time. You can create a permission set group that includes the different permission sets required for the confidential access. You can create a flow or use the API to create custom logic to activate the session-based permission set group. In this example, the session-based permission set group activates only when the manager-level users authenticate into your environment using a token. When the token expires, the users must reauthenticate to access the application again.

How: To create a session-based permission set group, select Session Activation Required on the Permission Set Group create page. Then, activate the session for the permission set group using a flow or the SessionPermSetActivation SOAP API object.
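The two SOAP create() calls described in this note and in “Create Custom Profiles from Scratch via the SOAP API” above, as an added example that is not Salesforce’s code. It builds Partner API request envelopes for a Profile created from scratch and for a SessionPermSetActivation record, validates the fields before anything is sent, and parses a create() response. The Partner API namespaces and the field names AuthSessionId and PermissionSetGroupId are assumptions; the session id, record ids and the response document are constructed:

```python
"""Build Salesforce Partner API create() envelopes for Profile and
SessionPermSetActivation, and parse a create() response.

Added example. Assumed: the urn:partner.soap.sforce.com namespaces and the
SessionPermSetActivation fields AuthSessionId / PermissionSetGroupId. All ids
and the sample response below are constructed, not captured from an org.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"
SOBJECT_NS = "urn:sobject.partner.soap.sforce.com"

# Fields the release note says you specify when creating a profile from scratch.
PROFILE_REQUIRED = ("Name", "Description", "UserLicenseId")
# Fields assumed here for activating a session-based permission set group.
SESSION_PSG_REQUIRED = ("AuthSessionId", "PermissionSetGroupId")


def _require(fields, required, sobject):
    """Fail fast on a missing field instead of learning it from the server."""
    missing = [f for f in required if not fields.get(f)]
    if missing:
        raise ValueError(f"{sobject} create() needs: {', '.join(missing)}")


def build_create_envelope(session_id, sobject, fields):
    """Serialize a Partner API create() request for one sObject."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("urn", PARTNER_NS)
    ET.register_namespace("urn1", SOBJECT_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    session_header = ET.SubElement(header, f"{{{PARTNER_NS}}}SessionHeader")
    ET.SubElement(session_header, f"{{{PARTNER_NS}}}sessionId").text = session_id
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    create = ET.SubElement(body, f"{{{PARTNER_NS}}}create")
    record = ET.SubElement(create, f"{{{PARTNER_NS}}}sObjects")
    # Partner API records carry their type as a child element, then the fields.
    ET.SubElement(record, f"{{{SOBJECT_NS}}}type").text = sobject
    for name, value in fields.items():
        ET.SubElement(record, f"{{{SOBJECT_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def profile_create_envelope(session_id, name, description, user_license_id):
    """A profile created this way starts with no permissions enabled."""
    fields = {"Name": name, "Description": description, "UserLicenseId": user_license_id}
    _require(fields, PROFILE_REQUIRED, "Profile")
    return build_create_envelope(session_id, "Profile", fields)


def session_psg_activation_envelope(session_id, auth_session_id, perm_set_group_id):
    """Grant the group's permission sets only for the lifetime of one auth session."""
    fields = {"AuthSessionId": auth_session_id, "PermissionSetGroupId": perm_set_group_id}
    _require(fields, SESSION_PSG_REQUIRED, "SessionPermSetActivation")
    return build_create_envelope(session_id, "SessionPermSetActivation", fields)


def parse_create_request(envelope_xml):
    """Read back (sObject type, fields) from a request envelope."""
    root = ET.fromstring(envelope_xml)
    record = root.find(f".//{{{PARTNER_NS}}}sObjects")
    sobject = record.findtext(f"{{{SOBJECT_NS}}}type")
    fields = {child.tag.split("}", 1)[1]: child.text for child in record
              if child.tag != f"{{{SOBJECT_NS}}}type"}
    return sobject, fields


def parse_create_result(response_xml):
    """Return (success, record id, error messages) from a create() response."""
    root = ET.fromstring(response_xml)
    result = root.find(f".//{{{PARTNER_NS}}}result")
    if result is None:
        raise ValueError("no create() result in response")
    success = (result.findtext(f"{{{PARTNER_NS}}}success") or "").lower() == "true"
    record_id = result.findtext(f"{{{PARTNER_NS}}}id")
    errors = [e.findtext(f"{{{PARTNER_NS}}}message") or ""
              for e in result.findall(f"{{{PARTNER_NS}}}errors")]
    return success, record_id, errors


# Constructed sample response (not captured from a real org); the id is a placeholder.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Body>
    <createResponse xmlns="{PARTNER_NS}">
      <result><id>00e000000000001AAA</id><success>true</success></result>
    </createResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(profile_create_envelope("SESSION_ID_PLACEHOLDER", "Support Agent",
                                  "Starts empty; grant permissions explicitly",
                                  "100000000000001AAA"))
    print(parse_create_result(SAMPLE_RESPONSE))
```

Because the profile starts empty, the permissions it ends up with are exactly the ones granted afterwards, which makes a post-creation review of the profile straightforward; the session activation record ties the group’s permission sets to one AuthSession, so the access ends when that session does.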

Grant Access Based on Activated User Sessions for Permission Set Groups (salesforce.com)

Profiles and Permissions

Get the benefits of expanded profile and permission management. Use the power of permission set groups to configure session-based access control. Create custom profiles using the API instead of cloning existing profiles.

  • Grant Access Based on Activated User Sessions for Permission Set Groups
    To grant your users only the access that they need when they need it, combine the management power of permission set groups with session-based access control. Create a session-based permission set group to grant access to permission sets during an activated user session. Previously, you created individual session-based permission sets, but now you can set sessions at the permission set group level as well.
  • Create Custom Profiles from Scratch via the SOAP API
    It’s easier to configure custom profiles to have the permissions you need. Use the Profile SOAP API object to create custom profiles that start without any permissions enabled. Previously, to create a custom profile, you cloned an existing profile in Setup and then removed permissions that you didn’t want the assigned users to have. The Profile Metadata API type functions as before.
  • Manage Assignment Expiration in Permission Sets and Permission Set Groups (Beta)
    You can now view and update current assignment expirations for your permission sets and your permission set groups. Previously, to update assignment expirations, you recreated them with the correct expiration date.
  • Grant Access to the DeveloperName Field to Users Who Require It
    The DeveloperName field has new permission requirements for multiple Salesforce objects and types across various APIs. Following the Winter ’22 release, some users can lose access to the DeveloperName field on objects that they typically interact with. To view, group, sort, or filter the DeveloperName field on affected API objects, you must have View Setup and Configuration OR View DeveloperName permission.

Profiles and Permissions (salesforce.com)

Control the Default Records Your Users See with Scoping Rules (Beta)

Reduce noise and unnecessary searches while enhancing your users’ productivity. Based on criteria that you select, you can set rules to help your users see only records that are relevant to them. By adding a scoping rule, you can help users focus on pertinent records and prevent them from accessing records containing sensitive or inessential information. Scoping rules don’t restrict the record access that your users already have. Your users can still open and report on all records that they have access to per your org’s sharing settings.

Where: This change applies to Lightning Experience in Performance and Unlimited editions.

How: Scoping rules are available for custom objects and these standard objects.

  • Account
  • Case
  • Contact
  • Event
  • Lead
  • Opportunity
  • Task

For information on enabling this feature, contact Salesforce. You can create and modify scoping rules using the Tooling or Metadata API.

Control the Default Records Your Users See with Scoping Rules (Beta) (salesforce.com)

Control Access to Sensitive Data with Restriction Rules (Generally Available)

Secure your data and boost productivity by permitting your users to see only the records necessary for their job function. Create restriction rules to control which subset of records you allow specified groups of users to see. Restriction rules are available for custom objects, contracts, tasks, events, time sheets, and time sheet entries. This feature, now generally available, includes some changes since the last release. You can now create and manage restriction rules in Setup as well as with Tooling and Metadata APIs.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

How: To create a restriction rule, navigate to Object Manager in Setup. Select the object that you want to add a restriction rule for. Click Restriction Rules. Name and describe the rule and activate it. Select a user field and choose filter settings to determine which users the rule applies to. Then, select a record field and choose filter settings to determine which records are accessible.
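Both the scoping rule described above and the restriction rule described here can be deployed as RestrictionRule metadata, differing in their enforcement type. The following is an added example, not Salesforce’s code: it generates the two variants in Python and rejects target objects outside the lists given on this page. The element names, the `.rule` file suffix and the `$User.<Field>` criteria syntax are assumptions about the Metadata API, and the filter values are constructed:

```python
"""Generate Metadata API RestrictionRule documents for a restriction rule
(enforcementType Restrict) and a scoping rule (enforcementType Scoping).

Added example. Assumed: the element names active, description,
enforcementType, masterLabel, recordFilter, targetEntity, userCriteria and
version in the http://soap.sforce.com/2006/04/metadata namespace, the
restrictionRules/<Name>.rule file layout, and $User.<Field> in criteria.
"""
import xml.etree.ElementTree as ET

METADATA_NS = "http://soap.sforce.com/2006/04/metadata"

# Standard objects the release notes list for each rule type. Custom objects
# (API names ending in __c) are supported by both.
RESTRICTION_OBJECTS = {"Contract", "Task", "Event", "TimeSheet", "TimeSheetEntry"}
SCOPING_OBJECTS = {"Account", "Case", "Contact", "Event", "Lead", "Opportunity", "Task"}


def is_supported_target(target, enforcement_type):
    """True if the page lists this object (or it is custom) for the rule type."""
    if target.endswith("__c"):
        return True
    allowed = RESTRICTION_OBJECTS if enforcement_type == "Restrict" else SCOPING_OBJECTS
    return target in allowed


def build_rule(dev_name, label, target, enforcement_type, user_criteria, record_filter,
               description="", active=True):
    """Return {"path": ..., "xml": ...} for one RestrictionRule metadata file."""
    if enforcement_type not in ("Restrict", "Scoping"):
        raise ValueError("enforcementType must be Restrict or Scoping")
    if not is_supported_target(target, enforcement_type):
        raise ValueError(f"{target} is not a supported target for a {enforcement_type} rule")
    ET.register_namespace("", METADATA_NS)
    root = ET.Element(f"{{{METADATA_NS}}}RestrictionRule")
    for tag, value in (
        ("active", "true" if active else "false"),
        ("description", description),
        ("enforcementType", enforcement_type),
        ("masterLabel", label),
        ("recordFilter", record_filter),
        ("targetEntity", target),
        ("userCriteria", user_criteria),
        ("version", "1"),
    ):
        ET.SubElement(root, f"{{{METADATA_NS}}}{tag}").text = value
    # Assumed file layout: restrictionRules/<DeveloperName>.rule
    return {"path": f"restrictionRules/{dev_name}.rule",
            "xml": ET.tostring(root, encoding="unicode")}


def read_rule(xml_text):
    """Parse a RestrictionRule document back into a flat dict."""
    root = ET.fromstring(xml_text)
    return {child.tag.split("}", 1)[1]: child.text or "" for child in root}


# Constructed example: a restriction rule so that field technicians see only
# the tasks they own (access is actually removed, not just hidden by default).
TECH_TASK_RULE = build_rule(
    dev_name="Technician_Own_Tasks",
    label="Technicians see own tasks",
    target="Task",
    enforcement_type="Restrict",
    user_criteria="$User.Department = 'Field Service'",  # assumed $User syntax
    record_filter="OwnerId = $User.Id",
    description="Constructed example for the release note",
)

# Constructed example: a scoping rule so that sales users default to accounts
# in their own region while keeping whatever sharing access they already have.
REGION_ACCOUNT_SCOPE = build_rule(
    dev_name="Sales_Region_Accounts",
    label="Default to my region's accounts",
    target="Account",
    enforcement_type="Scoping",
    user_criteria="$User.Department = 'Sales'",
    record_filter="Region__c = $User.Region__c",
)

if __name__ == "__main__":
    for rule in (TECH_TASK_RULE, REGION_ACCOUNT_SCOPE):
        print(rule["path"])
        print(rule["xml"])
```

The target check matters because the two rule types support different standard objects: a Contract rule is only valid as a restriction rule, an Account rule only as a scoping rule, and the builder refuses the other combination before a deployment fails.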

Control Access to Sensitive Data with Restriction Rules (Generally Available) (salesforce.com)

Hide More Personal Information Fields from External Users

To prevent external users, such as portal or partner users, from viewing personal information in your user records, enable the Enhanced Personal Information Management permission. Salesforce then blocks view and edit access to 20 fields that are considered personal information. You can configure which fields you consider personal information from User Management Settings. This permission replaces the less-configurable Hide Personal Information setting, which will be retired in the Winter ’23 release.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

Why: When you enable the Enhanced Personal Information Management permission, these fields are masked to external users.

  • About Me
  • Address
  • Alias
  • Company Name
  • Department
  • Division
  • Email
  • Email Sender Address
  • Email Sender Name
  • Email Signature
  • Employee Number
  • Extension
  • Fax
  • Manager
  • Mobile
  • SAML Federation ID
  • Phone
  • Title
  • User Photo badge text overlay
  • Username

How: From this org permission in User Management Settings, you can click through directly to a user record field. Add or remove PersonalInfo in the field’s Compliance Categorization area. In the Winter ’23 release, this setting will be enforced and the Hide Personal Information setting will be retired.

Hide More Personal Information Fields from External Users (salesforce.com)

Sharing

Find out how to hide fields containing personal information from external users with an enhanced user management setting. Manage access to sensitive data on contracts, tasks, events, time sheets, and time sheet entries. And limit the default records that your users see so that they only see what’s necessary.

  • Hide More Personal Information Fields from External Users
    To prevent external users, such as portal or partner users, from viewing personal information in your user records, enable the Enhanced Personal Information Management permission. Salesforce then blocks view and edit access to 20 fields that are considered personal information. You can configure which fields you consider personal information from User Management Settings. This permission replaces the less-configurable Hide Personal Information setting, which will be retired in the Winter ’23 release.
  • Control Access to Sensitive Data with Restriction Rules (Generally Available)
    Secure your data and boost productivity by permitting your users to see only the records necessary for their job function. Create restriction rules to control which subset of records you allow specified groups of users to see. Restriction rules are available for custom objects, contracts, tasks, events, time sheets, and time sheet entries. This feature, now generally available, includes some changes since the last release. You can now create and manage restriction rules in Setup as well as with Tooling and Metadata APIs.
  • Control the Default Records Your Users See with Scoping Rules (Beta)
    Reduce noise and unnecessary searches while enhancing your users’ productivity. Based on criteria that you select, you can set rules to help your users see only records that are relevant to them. By adding a scoping rule, you can help users focus on pertinent records and prevent them from accessing records containing sensitive or inessential information. Scoping rules don’t restrict the record access that your users already have. Your users can still open and report on all records that they have access to per your org’s sharing settings.

Sharing (salesforce.com)

Share Resources with Browser Extensions

Add browser extensions to your cross-origin resource sharing (CORS) list to allow requests for Salesforce REST resources. Previously, the CORS allowlist supported only websites and IP addresses. For example, you can now allow an appointment management browser extension to view and work with your Salesforce records. Browser extensions that aren’t on your CORS allowlist are blocked from requesting resources.

Where: This change applies to Salesforce Classic and Lightning Experience in Developer, Enterprise, Performance, and Unlimited editions. It also applies to Professional Edition with API access enabled.

How: From Setup, in the Quick Find box, enter CORS, and then select CORS.

Share Resources with Browser Extensions (salesforce.com)

Prevent Data Loss with Backup and Restore (Generally Available)

Protect your organization from permanent data loss and corruption by automatically generating backups. With just a few clicks, your data is backed up and can be restored quickly in the event of integration errors, malicious attempts, or incorrect data updates. Use Backup & Restore to prevent data loss, recover from data incidents quickly, and simplify your overall data management strategy.

Where: Backup and Restore is available for Lightning Experience in Professional, Enterprise, Unlimited, and Performance editions.

Who: Backup & Restore requires a platform license and a permission.

Why: With Backup & Restore, you can protect your organization against incorrect data updates, integration execution issues, malicious actors, and ransomware attacks. Backup & Restore provides:

  • Custom and Standard Object backups
  • Daily incremental backups
  • Backup in the same region
  • Backup-to-Current-State comparisons
  • Record previews before restoring
  • Restoration to original org
  • Backup dashboard & statistics
  • Run logs on which to build custom triggers and flows

How: When you log in to Backup & Restore, the dashboard displays all recent backups and API activity. If it’s your first time using Backup & Restore, use the Settings tab to provision resources, connect to Backup & Restore by enabling OAuth, or test end-to-end connectivity. These are settings you set just once during setup.

  1. To create a backup policy, on the Backup tab, click the Data tile, and click Next. You’ll see all the objects that can be backed up in this tab. Click Save after activating and selecting Related Objects.
  2. To restore a backup, on the Restore tab, click the Data tile, and click Next. Select the backup you want to restore from, then click Restore and then Confirm.
  3. To get information on previous backup and restore activity, click the Logs tab.

Prevent Data Loss with Backup and Restore (Generally Available) (salesforce.com)

Other Security Changes

The CORS allowlist now supports browser extension requests to Salesforce REST resources. Prevent data loss and recover quickly from incorrect data updates or integration errors with the new Backup and Restore feature.

  • Prevent Data Loss with Backup and Restore (Generally Available)
    Protect your organization from permanent data loss and corruption by automatically generating backups. With just a few clicks, your data is backed up and can be restored quickly in the event of integration errors, malicious attempts, or incorrect data updates. Use Backup & Restore to prevent data loss, recover from data incidents quickly, and simplify your overall data management strategy.
  • Share Resources with Browser Extensions
    Add browser extensions to your cross-origin resource sharing (CORS) list to allow requests for Salesforce REST resources. Previously, the CORS allowlist supported only websites and IP addresses. For example, you can now allow an appointment management browser extension to view and work with your Salesforce records. Browser extensions that aren’t on your CORS allowlist are blocked from requesting resources.

Other Security Changes (salesforce.com)