Salesforce
Configuring the Veza integration for Salesforce
Last updated
Was this helpful?
Configuring the Veza integration for Salesforce
Last updated
Was this helpful?
Was this helpful?
The Veza integration for Salesforce Service Cloud discovers users, authorization entities (such as groups and permission sets), and data objects (accounts). Veza parses group memberships, role assignments, and account shares to show users with access to sensitive records, and reveal who can read, delete, or otherwise alter data and settings.
The integration enables:
Automated discovery of Salesforce objects and their permissions
Evaluation of permission sets and object-level access
Discovery of custom object permissions and access patterns
Discovery of Salesforce Sites and Guest User Profiles for public access security analysis
See Notes and Supported Entities for more information about discovered entities and properties.
Veza automatically detects relationships between Okta identities and Salesforce local users.
If you have integrated another identity provider for single sign-on, the provider configuration can include custom identity mappings to Salesforce.
Veza connects to Salesforce using OAuth 2.0 authentication with RSA key-pair encryption. Deployment requires creating a Salesforce user with appropriate permissions, configuring a Connected App, and establishing the integration within Veza. The connection enables discovery of users, groups, permission sets, sites, and account access relationships.
To integrate Veza with Salesforce, you will need to:
Create a user, and grant the required API permissions by creating and assigning a permission set.
Create an SFDC Connected App Veza will use to make API calls. You can generate a private key and self-signed certificate for the Veza service application, or use an existing key pair.
Configure the Veza integration, providing the generated certificate, user email, and client id (key) for the Connected App.
For testing the integration, you will need a developer instance, which you can register at https://developer.salesforce.com/signup. The Salesforce account to discover must have API access enabled.
To conduct the API calls required for discovery, Veza will need a Salesforce user account.
If an appropriate service account user and permission set with API access enabled already exists, skip to Create a Connected App
To create the user:
In a browser, open the Setup section in Salesforce with an administrative account
In the left navigation pane, under the ADMINISTRATION heading, expand Users and click the Users link
At the top of the Users table, click New User
Enter details for the user account:
License: Use Salesforce
Profile: Use a default profile, or create one. For new profiles, use the built-in role Minimum Access - Salesforce. Use the permission set in the next section to explicitly grant permissions.
See Add a user in the Salesforce documentation for more details.
Next, grant the user the API permissions Veza will need to gather entity metadata and authorization information.
As an administrator, browse to the Salesforce Setup section
In the left navigation pane, under the ADMINISTRATION heading, expand Users and click Permission Sets
At the upper left hand of the Permission Sets table, click New
Enter a Label and optional Description
The API Name field is automatically populated by the label but can be overridden if needed
Leave the License dropdown field set to --None--
Click Save to create the permission set
On the resulting permission set overview page, click System Permissions
Click Edit and enable the options:
API Enabled: this enables access to the Salesforce.com API
View All Profiles: required to gather user information
View All Users: required to gather user information
View Roles and Role Hierarchy: required to view role hierarchy for evaluating sharing
View Setup and Configuration: required to get object metadata
View Health Check: used to identify SaaS misconfigurations
At the top of the main pane, click Save
See the Salesforce Permission Sets documentation for more details.
The integration generally requires two permissions for each object to discover:
Read Permission (Required): Provides basic visibility into object data and structure, and must be enabled for all objects to sync with Veza.
View All Permission (Required if available): Enables full object visibility. This permission is only available for some objects and must be enabled when present.
On the permission set overview page, under Apps click Object Settings. Enable permissions for any built-in or custom objects Veza will discover:
For each object (Contract, Price Book, Account, Opportunity, Product, or supported custom object):
Under "Object Settings", locate the object
Click Edit
Under "Object Permissions":
Enable Read
If available, enable View All permission
At the top of the main pane, click Save after configuring the desired objects.
See Notes and Supported Entities for all supported extension objects and custom objects.
Go back to the Permission Sets table, find the newly created permission set, and click on it.
From the details view, click Manage Assignments at the top of the main pane
Click Add Assignments at the top of the screen
Locate the user that will make API calls to the Salesforce endpoint, click the checkbox next to the account, and click Assign at the top of the table
Click Done
See the Salesforce Permission Sets documentation for more details.
The Connected App uses an X.509 certificate for JWT-based OAuth 2.0 authentication. This certificate and its associated private key enable secure API access to Salesforce. You can either create a self-signed certificate or use an existing certificate.
Certificate Requirements:
Must be an X.509 certificate with client authentication capabilities (with the attribute "Enhanced Key Usage": "Client Authentication")
Must be in PEM format (both certificate and private key)
Can be either self-signed or CA-issued
Must include both the certificate (.crt) and private key (.key) files
To authenticate using a self-signed certificate:
Follow the Salesforce instructions to Create a Private Key and Certificate to create a key pair.
Save both files:
The .crt for uploading to Salesforce
The .key for configuring Veza
If you already have a key and certificate pair to use, you can skip this step and upload the certificate when creating a connected app, provided it meets the requirements above. Upload the private key when configuring the Veza integration.
To add a Salesforce app for Veza, open the Salesforce Setup section.
Under the Platform Tools heading, expand Apps, and click App Manager
Click New Connected App at the upper right corner
In the pop-up, choose Create a Connected App (not an "external client app")
Under the Basic Information heading, complete the following:
Connected App Name: a unique name for the application (ex: Veza Salesforce)
API Name: this will be automatically populated by the app name, but can be overridden
Contact Email: enter a valid email for you or your team
Under the API (Enable OAuth Settings) header, click the checkbox to Enable OAuth Settings
Click the checkbox for Enable for Device Flow
In the Callback URL field, enter https://localhost (a callback URL is not used for device flow)
Click the checkbox for Use digital signatures and upload the .crt file for the client certificate
In the Selected OAuth Scopes field, add the following two scopes by highlighting them and clicking >
Full access (full) to grant access to data accessible by the logged-in user. Actual permissions are still restricted by the applied permission set.
Perform requests at any time (refresh_token, offline_access)
Click Save at the bottom of the page
Click Continue to create the Connected App
See Create a Connected App for more details.
From the Salesforce Setup page, under the PLATFORM TOOLS, click Apps > App Manager.
Locate the newly created Connected App, click the drop-down arrow next to its name, and click View
Click Manage Consumer Details and copy the Consumer Key. You will need this to configure the integration in Veza.
Close this tab or navigate back to App Manager
In Salesforce App Manager, locate the Veza Connected App
Click the drop-down arrow next to the app name, and click Manage
Click Edit Policies
Set Permitted Users to Admin approved users are pre-authorized
Set IP Relaxation to Relax IP restriction. Otherwise, you can set this to allow the Veza tenant or Insight Point IP range.
Click Save
Under Permission Sets click Manage Permission Sets and assign the one you just created.
It can take up to 10 minutes for Salesforce to fully propagate the configuration. After this finishes, the Salesforce account is ready to add to Veza.
In Veza, go to the Integrations page
Click Add Integration and search for Salesforce. Click on it and click Next
Enter the required connection information and configure the objects to sync
Click Create Integration to save the configuration
Name
Unique name to identify the SFDC provider
Domain
SFDC domain, excluding the full URL. For example, if your Salesforce URL is https://org-dev-1.my.salesforce.com/, the domain is org-dev-1.
User Name
Salesforce user name to connect as
Consumer Key
Consumer key (client id) of the connected app (SFDC App Manager > select connected app > View > Manage Consumer Details)
Private Key
Upload the key for the SFDC app (.pem or .key format)
Salesforce Sandbox Deployment
Select if connecting to a Salesforce Sandbox org. Clear if connecting directly to the production domain.
Gather Non-Standard Salesforce Users
Enable to extract Guest User Profiles and other non-standard user types. Guest User Profiles control public access to Salesforce communities without authentication.
Object Allow List
Comma-separated list of object (account) names to allow for discovery
Object Deny List
Comma-separated list of objects to deny for discovery
License Allow List
Comma-separated list of license names to filter profiles and users
License Deny List
Comma-separated list of license names to filter profiles and users
Enabled Salesforce Object Types: To enable default object types, click Select Services and use the dropdown menu to enable built-in objects:
Contract
Price Book
Price Book Entry
Account
Opportunity
Product
To add extension objects and custom objects, click the list of Enabled Salesforce Object Types and type in the extension name, for example, My_Custom_Salesforce_Object__c.
Custom and extension objects must be identified by the exact Object API Name as shown in Salesforce. When enabling these objects, check for correct capitalization and include any underscores and suffixes.
The integration currently supports the following Default Salesforce Objects in Salesforce Service Cloud. You can configure the integration only to enable objects required for your security and compliance needs:
Salesforce Organization
Salesforce User
Salesforce Group
Salesforce Role
Salesforce Profile
Salesforce PermissionSet
Salesforce Site
Salesforce Object
Salesforce Account
Salesforce Account Share
Salesforce Price Book
Salesforce Price Book Entry
Salesforce Contract
Salesforce Product
Salesforce Opportunity
Entity Relationships: Both Salesforce Organization and Salesforce Users have relationships to Salesforce Sites. Sites are publicly accessible websites or communities that may have access to certain Salesforce objects through Guest User profiles.
Note that Salesforce Marketing Cloud and Salesforce Sales Cloud are not currently supported by the integration.
Extension and Custom Objects: The integration can extract extension and custom Salesforce objects, including:
APTS_Price_Matrix__c
APTS_Pricing_Configuration__c
APTS_Proposal_Worker_Report_Item__c
APTS_Subscriptions_Annual_Fee__c
Apttus_Approval__Approval_Process__c
Apttus_Approval__ApprovalRule__c
Apttus_Approval__ApprovalRuleDimension__c
Apttus_Config2__AssetLineItem__c
Apttus_Config2__PriceListItem__c
Apttus_Proposal__Proposal__c
Apttus__APTS_Agreement__c
Apttus__AgreementLineItem__c
SBQQ__DiscountSchedule__c
SBQQ__PriceRule__c
SBQQ__ProductRule__c
SBQQ__QuoteLine__c
SBQQ__Quote__c
SBQQ__Subscription__c
sbaa__ApprovalCondition__c
sbaa__ApprovalRule__c
sbaa__Approver__c
If you need to sync an object type not listed above, please contact Veza Support. Note that the permission set for the connected app needs to include read and view permissions on any objects to discover, following the instructions in Create Salesforce Permission Set.
The following properties are available to filter results throughout the Veza interface:
User
Is Active
Boolean if user is active
User
Last Login At
User last login time if available
User
User Type
The category of user license for the user.
User
manager_id
Salesforce ID of user manager if set
User
ExternalUser
If User is external
User
UserLicense
License Attributes, ID, LicenseDefinitionKey, Name, MasterLabel
Group
Type
Group type
Group
Owner Id
User ID of Group owner
Account
Attributes
type and URL of the SFDC object
Account
Name
SFDC Account name
Account
OwnerId
User ID of the account owner
Account
ParentId
Parent object ID
Account
Domain
SFDC Domain for the account
Account
Shares
Account Share details: TotalSize, Done, Shares
Account Share
AccountId
ID of the Account associated with the share
Account Share
UserOrGroupId
ID of the User or Group granted access
Account Share
AccountAccessLevel
Level of access granted (READ, EDIT, ALL)
Account Share
RowCause
Reason that this sharing entry exists
Account Share
Domain
Account share domain
Salesforce Sites create public-facing websites with controlled access through Guest User Profiles. Each Site has one designated Guest User that defines public access permissions for unauthenticated visitors to that site. To extract Guest Users:
Enable "Gather Non-Standard Salesforce Users" to discover Guest User Profiles
To search for Salesforce Users with guest profiles, apply an attribute filter on Salesforce User Type = "Guest"
Each Salesforce Site includes a Guest User ID property linking to its associated Guest User Profile
Guest User Profiles can have object-level and field-level permissions, potentially exposing data to unauthenticated users. Veza captures these permissions to help identify what data is publicly accessible through each Site.
Groups: Veza discovers the following group types: Organization, Role, RoleAndSubordinates, RoleAndSubordinatesInternal, and Regular, along with AllCustomerPortal and Queue;
Organization public group including all User records in the organization.
Role public group including all User records in a particular UserRole.
RoleAndSubordinates public group including all the User records in a particular UserRole, and all the User records in any subordinate UserRole.
RoleAndSubordinatesInternal Represents internal roles and their subordinates in the org’s role hierarchy, excluding customer and partner roles.
Regular Standard public group (typically user-created).
AllCustomerPortal includes all members with a customer portal license excluding high volume licenses.
Queue is typically used to assign a single record to many individual users
Licenses: For the AllCustomerPortal license, Veza currently supports the following license types:
PID_Customer_Portal_Basic
PID_Customer_Portal_Standard
PID_Limited_Customer_Portal_Basic
PID_Limited_Customer_Portal_Standard
PID_Overage_Customer_Portal_Basic
POWER_SSP
Veza excludes all High Volume Customer Portal licenses, since these are not included in the AllCustomerPortal group. An example high volume license is: PID_Overage_High Volume Customer Portal.
Account Licenses are not currently included in effective permissions (users may not have a license to access a resource they would otherwise have permissions on).
Permissions: Permissions granted by group types such as ManagerAndSubordinatesInternal, ChannelProgramGroup, PRMOrganization, and others are not currently supported. See member roles for more details on built-in roles and usage.