
Salesforce


This connectivity package provides support for managing and governing Salesforce environments, allowing you to:

  • read, provision, and deprovision accounts (deactivation).
  • update user details such as name, last name, and email address.
  • read, provision, and deprovision permission set assignments.
  • read, provision, and deprovision role assignments.
  • read, provision, and deprovision group assignments.

Supported objects and operations

| Resource | Possible operations |
|---|---|
| User | Accounts |
| User role | Resource |
| Profile | Resource |
| Group | Resource |
| Permission sets | Resource |
| User role assignment | Resource assignment |
| Profile assignment | Resource assignment |
| Groups assignment | Resource assignment |
| Permission set assignment | Resource assignment |

*Profiles are assigned to each user upon creation and can be updated between certain profiles, depending on licensing requirements. You can only switch between profiles that share the same license type. Profiles requiring different licenses than those initially assigned must be updated manually in the Salesforce portal.

Profile assignments are managed through an attribute on the User object (as resource-driven attributes).

The Assignment ID is needed to delete assignments. The IDs have to be saved with a RoPE configuration.
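
The following added example (not Omada's or Salesforce's own code) shows why the stored Assignment ID matters for deprovisioning: the Salesforce REST API addresses a PermissionSetAssignment record by its record ID, so a revocation with no stored ID cannot be turned into a delete request and the access stays in place. The lookup structure, the sample IDs, the function name and the `vXX.X` API version are constructed assumptions.

```python
from urllib.parse import quote

API_VERSION = "vXX.X"  # placeholder: use the API version your org exposes

# Constructed sample: IDs saved at provisioning time, keyed by
# (user ID, permission set ID) -> PermissionSetAssignment record ID.
STORED_ASSIGNMENT_IDS = {
    ("005AAA000000001", "0PSAAA000000001"): "0PaAAA000000001",
    ("005AAA000000002", "0PSAAA000000001"): "0PaAAA000000002",
}


def plan_revocations(revocations, stored_ids, api_version=API_VERSION):
    """Split revocations into DELETE requests and ones that cannot be executed.

    A record is deleted by its own ID
    (DELETE /services/data/<version>/sobjects/<Object>/<record ID>),
    so a (user, permission set) pair alone is not enough.
    """
    requests, unresolved, seen = [], [], set()
    for pair in revocations:
        if pair in seen:  # ignore duplicate revocation requests
            continue
        seen.add(pair)
        assignment_id = stored_ids.get(pair)
        if not assignment_id:
            # No stored ID: the assignment would remain active, flag for follow-up.
            unresolved.append(pair)
            continue
        path = (
            f"/services/data/{api_version}/sobjects/"
            f"PermissionSetAssignment/{quote(assignment_id, safe='')}"
        )
        requests.append(("DELETE", path))
    return requests, unresolved
```

Anything returned in `unresolved` is an entitlement that the governance system considers revoked but Salesforce still grants, so it should be reconciled rather than silently dropped.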

Minimum required permissions

You need access to the REST API, including the relevant permissions. See Introduction to REST API in the Salesforce documentation and REST in the Postman documentation for details.

Implementation notes

Salesforce supports managing user roles, profiles, permission sets, and groups to control access and permissions. When creating a user, a profile is assigned, which defines their baseline permissions. The profile cannot be easily modified afterward. Additional permissions can be granted or restricted through assignments to permission sets and groups, although these are ultimately limited by the permissions allowed within the assigned profile.


Prerequisites

The Salesforce API works through applications you need to set up yourself. The applications that you set up can have different privileges, so you can have multiple applications in the same environment.

Setting up Salesforce API access

  1. In Salesforce, go to Salesforce classic > Set Up > Manage Apps > Connected Apps. Click New.

  2. Fill in the required fields.

  3. In the API (Enable OAuth Settings) section, select Enable OAuth Settings.

  4. In the Callback URL section, enter the callback URL (for example: https://login.salesforce.com/services/oauth2/callback).

  5. Select the available scopes (see the list below this procedure for minimum scopes).

  6. Save the Client ID and Client secret. In Salesforce classic, go to Set Up > Manage Apps > the created App. In the API (Enable OAuth Settings) section, click Manage Consumer Details.

  7. For some profiles, it might be necessary to activate the following settings:

    • Role and User Settings > Allow using standard external profiles for self-registration, user creation, and login.
    • In the Setup view, enter User in the Quick Find field, then select User Management Settings. Select the Contactless Salesforce Customer Identity Users option (see Enable Contactless Users in Salesforce documentation).

Minimum Scopes

Access the identity URL service (id, profile, email, address, phone)
Manage user data via APIs (api)
Manage user data via Web browsers (web)
Full access (full)
Access Connect REST API resources (chatter_api)
Access Visualforce applications (visualforce)
Perform requests at any time (refresh_token, offline_access)
Access unique user identifiers (openid)
Access custom permissions (custom_permissions)
Access Analytics REST API resources (wave_api)
Access Analytics REST API Charts Geodata resources (eclair_api)
Manage Pardot services (pardot_api)
Access Lightning applications (lightning)
Access content resources (content)
Manage Data Cloud Ingestion API data (cdp_ingest_api)
Manage Data Cloud profile data (cdp_profile_api)
Perform ANSI SQL queries on Data Cloud data (cdp_query_api)
Access chatbot services (chatbot_api)
Perform segmentation on Data Cloud data (cdp_segment_api)
Manage Data Cloud Identity Resolution (cdp_identityresolution_api)
Access Headless Forgot Password API (forgot_password)
Manage Data Cloud Calculated Insight data (cdp_calculated_insight_api)
Access Headless Registration API (user_registration_api)
Access the Salesforce API Platform (sfap_api)
Access Interaction API resources (interaction_api)
Access all Data Cloud API resources (cdp_api)
Access Einstein GPT services (einstein_gpt_api)
Access Headless Passwordless Login API (pwdless_login_api)