Salesforce

Overview

The Veza integration for Salesforce Service Cloud discovers users, authorization entities (such as groups and permission sets), and data objects (accounts). Veza parses group memberships, role assignments, and account shares to show users with access to sensitive records, and reveal who can read, delete, or otherwise alter data and settings.

The integration enables:

• Automated discovery of Salesforce objects and their permissions

• Evaluation of permission sets and object-level access

• Discovery of custom object permissions and access patterns

• Discovery of Salesforce Sites and Guest User Profiles for public access security analysis

See Notes and Supported Entities for more information about discovered entities and properties.

Cross service connections

Veza automatically detects relationships between Okta identities and Salesforce local users.

If you have integrated another identity provider for single sign-on, the provider configuration can include custom identity mappings to Salesforce.

Deployment architecture

Veza connects to Salesforce using OAuth 2.0 authentication with RSA key-pair encryption. Deployment requires creating a Salesforce user with appropriate permissions, configuring a Connected App, and establishing the integration within Veza. The connection enables discovery of users, groups, permission sets, sites, and account access relationships.

Configuring Salesforce

To integrate Veza with Salesforce, you will need to:

• Create a user, and grant the required API permissions by creating and assigning a permission set.

• Create an SFDC Connected App Veza will use to make API calls. You can generate a private key and self-signed certificate for the Veza service application, or use an existing key pair.

• Configure the Veza integration, providing the generated certificate, user email, and client id (key) for the Connected App.

For testing the integration, you will need a developer instance, which you can register at https://developer.salesforce.com/signup. The Salesforce account to discover must have API access enabled.

Create a Salesforce user

To conduct the API calls required for discovery, Veza will need a Salesforce user account.

If an appropriate service account user and permission set with API access enabled already exists, skip to Create a Connected App

To create the user:

1. In a browser, open the Setup section in Salesforce with an administrative account

2. In the left navigation pane, under the ADMINISTRATION heading, expand Users and click the Users link

3. At the top of the Users table, click New User

4. Enter details for the user account:

   • License: Use Salesforce

   • Profile: Use a default profile, or create one. For new profiles, use the built-in role Minimum Access - Salesforce. Use the permission set in the next section to explicitly grant permissions.

See Add a user in the Salesforce documentation for more details.

Create Salesforce Permission Set

Next, grant the user the API permissions Veza will need to gather entity metadata and authorization information.

1. As an administrator, browse to the Salesforce Setup section

2. In the left navigation pane, under the ADMINISTRATION heading, expand Users and click Permission Sets

3. At the upper left hand of the Permission Sets table, click New

   1. Enter a Label and optional Description

   2. The API Name field is automatically populated by the label but can be overridden if needed

   3. Leave the License dropdown field set to --None--

   4. Click Save to create the permission set

4. On the resulting permission set overview page, click System Permissions

5. Click Edit and enable the options:

   1. API Enabled: this enables access to the Salesforce.com API

   2. View All Profiles: required to gather user information

   3. View All Users: required to gather user information

   4. View Roles and Role Hierarchy: required to view role hierarchy for evaluating sharing

   5. View Setup and Configuration: required to get object metadata

   6. View Health Check: used to identify SaaS misconfigurations

6. At the top of the main pane, click Save

See the Salesforce Permission Sets documentation for more details.

Configure Required Permissions

The integration generally requires two permissions for each object to discover:

• Read Permission (Required): Provides basic visibility into object data and structure, and must be enabled for all objects to sync with Veza.

• View All Permission (Required if available): Enables full object visibility. This permission is only available for some objects and must be enabled when present.

On the permission set overview page, under Apps click Object Settings. Enable permissions for any built-in or custom objects Veza will discover:

1. For each object (Contract, Price Book, Account, Opportunity, Product, or supported custom object):

   • Under "Object Settings", locate the object

   • Click Edit

   • Under "Object Permissions":

     • Enable Read

     • If available, enable View All permission

2. At the top of the main pane, click Save after configuring the desired objects.

See Notes and Supported Entities for all supported extension objects and custom objects.

Assign the Permission Set

Go back to the Permission Sets table, find the newly created permission set, and click on it.

1. From the details view, click Manage Assignments at the top of the main pane

2. Click Add Assignments at the top of the screen

3. Locate the user that will make API calls to the Salesforce endpoint, click the checkbox next to the account, and click Assign at the top of the table

4. Click Done

See the Salesforce Permission Sets documentation for more details.

Prepare a key and certificate for the Connected App

The Connected App uses an X.509 certificate for JWT-based OAuth 2.0 authentication. This certificate and its associated private key enable secure API access to Salesforce. You can either create a self-signed certificate or use an existing certificate.

Certificate Requirements:

• Must be an X.509 certificate with client authentication capabilities (with the attribute "Enhanced Key Usage": "Client Authentication")

• Must be in PEM format (both certificate and private key)

• Can be either self-signed or CA-issued

• Must include both the certificate (.crt) and private key (.key) files

To authenticate using a self-signed certificate:

1. Follow the Salesforce instructions to Create a Private Key and Certificate to create a key pair.

2. Save both files:

   • The .crt for uploading to Salesforce

   • The .key for configuring Veza

If you already have a key and certificate pair to use, you can skip this step and upload the certificate when creating a connected app, provided it meets the requirements above. Upload the private key when configuring the Veza integration.

Create a new Connected App

To add a Salesforce app for Veza, open the Salesforce Setup section.

1. Under the Platform Tools heading, expand Apps, and click App Manager

2. Click New Connected App at the upper right corner

3. In the pop-up, choose Create a Connected App (not an "external client app")

4. Under the Basic Information heading, complete the following:

   1. Connected App Name: a unique name for the application (ex: Veza Salesforce)

   2. API Name: this will be automatically populated by the app name, but can be overridden

   3. Contact Email: enter a valid email for you or your team

5. Under the API (Enable OAuth Settings) header, click the checkbox to Enable OAuth Settings

   1. Click the checkbox for Enable for Device Flow

   2. In the Callback URL field, enter https://localhost (a callback URL is not used for device flow)

   3. Click the checkbox for Use digital signatures and upload the .crt file for the client certificate

   4. In the Selected OAuth Scopes field, add the following two scopes by highlighting them and clicking >

      • Full access (full) to grant access to data accessible by the logged-in user. Actual permissions are still restricted by the applied permission set.

      • Perform requests at any time (refresh_token, offline_access)

6. Click Save at the bottom of the page

7. Click Continue to create the Connected App

See Create a Connected App for more details.

Get the Connected App Consumer Key

From the Salesforce Setup page, under the PLATFORM TOOLS, click Apps > App Manager.

1. Locate the newly created Connected App, click the drop-down arrow next to its name, and click View

2. Click Manage Consumer Details and copy the Consumer Key. You will need this to configure the integration in Veza.

3. Close this tab or navigate back to App Manager

Apply Permission Set to the Connected App

1. In Salesforce App Manager, locate the Veza Connected App

2. Click the drop-down arrow next to the app name, and click Manage

3. Click Edit Policies

   1. Set Permitted Users to Admin approved users are pre-authorized

   2. Set IP Relaxation to Relax IP restriction. Otherwise, you can set this to allow the Veza tenant or Insight Point IP range.

   3. Click Save

4. Under Permission Sets click Manage Permission Sets and assign the one you just created.

It can take up to 10 minutes for Salesforce to fully propagate the configuration. After this finishes, the Salesforce account is ready to add to Veza.

Adding the integration to Veza

1. In Veza, go to the Integrations page

2. Click Add Integration and search for Salesforce. Click on it and click Next

3. Enter the required connection information and configure the objects to sync

4. Click Create Integration to save the configuration

Enabled Salesforce Object Types: To enable default object types, click Select Services and use the dropdown menu to enable built-in objects:

• Contract

• Price Book

• Price Book Entry

• Account

• Opportunity

• Product

To add extension objects and custom objects, click the list of Enabled Salesforce Object Types and type in the extension name, for example, My_Custom_Salesforce_Object__c.

Custom and extension objects must be identified by the exact Object API Name as shown in Salesforce. When enabling these objects, check for correct capitalization and include any underscores and suffixes.

Notes and Supported Entities

The integration currently supports the following Default Salesforce Objects in Salesforce Service Cloud. You can configure the integration only to enable objects required for your security and compliance needs:

• Salesforce Organization

  • Salesforce User

  • Salesforce Group

  • Salesforce Role

  • Salesforce Profile

  • Salesforce PermissionSet

  • Salesforce Site

  • Salesforce Object

    • Salesforce Account

      • Salesforce Account Share

    • Salesforce Price Book

      • Salesforce Price Book Entry

    • Salesforce Contract

    • Salesforce Product

    • Salesforce Opportunity

Entity Relationships: Both Salesforce Organization and Salesforce Users have relationships to Salesforce Sites. Sites are publicly accessible websites or communities that may have access to certain Salesforce objects through Guest User profiles.

Note that Salesforce Marketing Cloud and Salesforce Sales Cloud are not currently supported by the integration.

Extension and Custom Objects: The integration can extract extension and custom Salesforce objects, including:

• APTS_Price_Matrix__c

• APTS_Pricing_Configuration__c

• APTS_Proposal_Worker_Report_Item__c

• APTS_Subscriptions_Annual_Fee__c

• Apttus_Approval__Approval_Process__c

• Apttus_Approval__ApprovalRule__c

• Apttus_Approval__ApprovalRuleDimension__c

• Apttus_Config2__AssetLineItem__c

• Apttus_Config2__PriceListItem__c

• Apttus_Proposal__Proposal__c

• Apttus__APTS_Agreement__c

• Apttus__AgreementLineItem__c

• SBQQ__DiscountSchedule__c

• SBQQ__PriceRule__c

• SBQQ__ProductRule__c

• SBQQ__QuoteLine__c

• SBQQ__Quote__c

• SBQQ__Subscription__c

• sbaa__ApprovalCondition__c

• sbaa__ApprovalRule__c

• sbaa__Approver__c

If you need to sync an object type not listed above, please contact Veza Support. Note that the permission set for the connected app needs to include read and view permissions on any objects to discover, following the instructions in Create Salesforce Permission Set.

Supported Attributes

The following properties are available to filter results throughout the Veza interface:

Salesforce Sites and Guest User Profiles

Salesforce Sites create public-facing websites with controlled access through Guest User Profiles. Each Site has one designated Guest User that defines public access permissions for unauthenticated visitors to that site. To extract Guest Users:

• Enable "Gather Non-Standard Salesforce Users" to discover Guest User Profiles

• To search for Salesforce Users with guest profiles, apply an attribute filter on Salesforce User Type = "Guest"

• Each Salesforce Site includes a Guest User ID property linking to its associated Guest User Profile

Guest User Profiles can have object-level and field-level permissions, potentially exposing data to unauthenticated users. Veza captures these permissions to help identify what data is publicly accessible through each Site.

Limitations

Groups: Veza discovers the following group types: Organization, Role, RoleAndSubordinates, RoleAndSubordinatesInternal, and Regular, along with AllCustomerPortal and Queue;

• Organization public group including all User records in the organization.

• Role public group including all User records in a particular UserRole.

• RoleAndSubordinates public group including all the User records in a particular UserRole, and all the User records in any subordinate UserRole.

• RoleAndSubordinatesInternal Represents internal roles and their subordinates in the org’s role hierarchy, excluding customer and partner roles.

• Regular Standard public group (typically user-created).

• AllCustomerPortal includes all members with a customer portal license excluding high volume licenses.

• Queue is typically used to assign a single record to many individual users

Licenses: For the AllCustomerPortal license, Veza currently supports the following license types:

• PID_Customer_Portal_Basic

• PID_Customer_Portal_Standard

• PID_Limited_Customer_Portal_Basic

• PID_Limited_Customer_Portal_Standard

• PID_Overage_Customer_Portal_Basic

• POWER_SSP

Veza excludes all High Volume Customer Portal licenses, since these are not included in the AllCustomerPortal group. An example high volume license is: PID_Overage_High Volume Customer Portal.

Account Licenses are not currently included in effective permissions (users may not have a license to access a resource they would otherwise have permissions on).

Permissions: Permissions granted by group types such as ManagerAndSubordinatesInternal, ChannelProgramGroup, PRMOrganization, and others are not currently supported. See member roles for more details on built-in roles and usage.