Salesforce

Configuring the Veza integration for SFDC

Overview

The Salesforce integration discovers users, authorization entities (such as groups and permission sets), and data objects (accounts). Veza parses group memberships, role assignments, and account shares to show users with access to sensitive records, and reveal who can read, delete, or otherwise alter data and settings.

The integration enables:

  • Automated discovery of Salesforce objects and their permissions

  • Evaluation of permission sets and object-level access

  • Discovery of custom object permissions and access patterns

See Notes and Supported Entities for more information about discovered entities and properties.

Cross service connections

Veza automatically detects relationships between Okta identities and Salesforce local users.

If you have integrated another identity provider for single sign-on, the provider configuration can include custom identity mappings to Salesforce.

Configuring Salesforce

To integrate Veza with Salesforce, you will need to:

  • Create a Salesforce user for discovery API calls

  • Create a Salesforce permission set with the required permissions and assign it to that user

  • Prepare a key and certificate for the Connected App

  • Create a new Connected App and apply the permission set to it

  • Add the integration to Veza

The Salesforce account to discover must have API access enabled.

Required Permissions

To enable the integration, you will need to configure appropriate permissions in Salesforce. The integration generally requires two permissions for each object to discover:

  • Read Permission (Required): Provides basic visibility into object data and structure, and must be enabled for all objects to sync with Veza.

  • View All Permission (Required if available): Enables full object visibility. This permission is only available for some objects and must be enabled when present.

Create a Salesforce user

To conduct the API calls required for discovery, Veza will need a Salesforce user account.

If an appropriate service account user and permission set with API access enabled already exists, skip to Create a Connected App.

To create the user:

  1. In a browser, open the Setup section in Salesforce with an administrative account

  2. In the left navigation pane, under the ADMINISTRATION heading, expand Users and click the Users link

  3. At the top of the Users table, click New User

  4. Enter details for the user account:

    • License: Use Salesforce

    • Profile: Use a default profile, or create one. For new profiles, use the built-in role Minimum Access - Salesforce. Use the permission set in the next section to explicitly grant permissions.

See Add a user in the Salesforce documentation for more details.

Create Salesforce Permission Set

Next, grant the user the API permissions Veza will need to gather entity metadata and authorization information.

  1. As an administrator, browse to the Salesforce Setup section

  2. In the left navigation pane, under the ADMINISTRATION heading, expand Users and click Permission Sets

  3. At the upper left of the Permission Sets table, click New

    1. Enter a Label and optional Description

    2. The API Name field is automatically populated by the label but can be overridden if needed

    3. Leave the License dropdown field set to --None--

    4. Click Save to create the permission set

  4. On the resulting permission set overview page, click System Permissions

  5. Click Edit and enable the options:

    1. API Enabled: this enables access to the Salesforce.com API

    2. View All Profiles: required to gather user information

    3. View All Users: required to gather user information

    4. View Roles and Role Hierarchy: required to view role hierarchy for evaluating sharing

    5. View Setup and Configuration: required to get object metadata

    6. View Health Check: used to identify SaaS misconfigurations

  6. At the top of the main pane, click Save

  7. On the resulting permission set overview page, under Apps click Object Settings. Enable permissions for each object to be discovered:

    • Click on the Accounts object.

      • Click Edit. Under Object Permissions, select Read permission.

    • For Product discovery:

      • Click on the Products object type. Click Edit and enable Read object permissions.

    • For Price Book discovery:

      • Click on the Price Book object type. Click Edit and enable Read object permissions.

    • For Opportunity discovery:

      • Click on the Opportunities object type. Click Edit and enable Read and View All object permissions.

    • For custom and extension objects, enable permissions for each object Veza will discover:

      • Enable Read permission

      • Enable View All permission if available

  8. At the top of the main pane, click Save

Go back to the Permission Sets table, find the newly created permission set, and click on it.

  1. From the details view, click Manage Assignments at the top of the main pane

  2. Click Add Assignments at the top of the screen

  3. Locate the user that will make API calls to the Salesforce endpoint, click the checkbox next to the account, and click Assign at the top of the table

  4. Click Done

See the Salesforce Permission Sets documentation for more details.

Prepare a key and certificate for the Connected App

The Connected App uses an X.509 certificate for JWT-based OAuth 2.0 authentication. This certificate and its associated private key enable secure API access to Salesforce. You can either create a self-signed certificate or use an existing certificate.

Certificate Requirements:

  • Must be an X.509 certificate with client authentication capabilities (with the attribute "Enhanced Key Usage": "Client Authentication")

  • Must be in PEM format (both certificate and private key)

  • Can be either self-signed or CA-issued

  • Must include both the certificate (.crt) and private key (.key) files

To authenticate using a self-signed certificate:

  1. Follow the Salesforce instructions to Create a Private Key and Certificate to create a key pair.

  2. Save both files:

    • The .crt for uploading to Salesforce

    • The .key for configuring Veza

If you already have a key and certificate pair to use, you can skip this step and upload the certificate when creating a connected app, provided it meets the requirements above. Upload the private key when configuring the Veza integration.
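As an added check for the requirements above (example code written for this page, not Veza's or Salesforce's own tooling), the Go program below generates a self-signed RSA key pair and certificate carrying the Client Authentication EKU, PEM-encoded as the .crt and .key the steps call for, and includes a checker you can run on an existing certificate before uploading it. The common name, validity period and 2048-bit key size are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"slices"
	"time"
)

// NewClientAuthCertPEM creates an RSA key pair and a self-signed X.509 certificate
// whose Extended Key Usage is "Client Authentication", both PEM-encoded: the
// certificate is the .crt for the Connected App, the key is the .key for Veza.
func NewClientAuthCertPEM(commonName string, days int) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique per run; a CA assigns its own
		Subject:      pkix.Name{CommonName: commonName}, // assumed name, not a Salesforce requirement
		NotBefore:    time.Now().Add(-time.Hour),        // tolerate clock skew
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // the required EKU
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// HasClientAuthEKU checks a PEM certificate (self-signed or CA-issued) for the
// Client Authentication EKU before it is uploaded to the Connected App.
func HasClientAuthEKU(certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	return err == nil && slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
}
```

A certificate that fails HasClientAuthEKU will not satisfy the "Client Authentication" requirement, so check CA-issued certificates this way before creating the Connected App.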

Create a new Connected App

To add a Salesforce app for Veza, open the Salesforce Setup section.

Under the Platform Tools heading, expand Apps, and click App Manager. Click New Connected App at the upper right corner.

  1. Under the Basic Information heading, complete the following:

    1. Connected App Name: a unique name for the application (ex: Veza Salesforce)

    2. API Name: this will be automatically populated by the app name, but can be overridden

    3. Contact Email: enter a valid email for you or your team

  2. Under the API (Enable OAuth Settings) header, click the checkbox to Enable OAuth Settings

    1. Click the checkbox for Enable for Device Flow

    2. In the Callback URL field, enter https://localhost (a callback URL is not used for device flow)

    3. Click the checkbox for Use digital signatures and upload the .crt file for the client certificate

    4. In the Selected OAuth Scopes field, add the following two scopes by highlighting them and clicking >

      • Full access (full) to grant access to data accessible by the logged-in user. Actual permissions are still restricted by the applied permission set.

      • Perform requests at any time (refresh_token, offline_access)

  3. Click Save at the bottom of the page

  4. Click Continue to create the Connected App

See Create a Connected App for more details.

Apply Permission Set to the Connected App

From the Salesforce Setup page, under the PLATFORM TOOLS heading, click Apps > App Manager.

  1. Locate the newly created Connected App, click the drop-down arrow next to its name, and click View

  2. Click Manage Consumer Details and copy the Consumer Key and close the tab

  3. At the top click Manage to update the policies associated with the Connected App

  4. Click Edit Policies

    1. Set Permitted Users to Admin approved users are pre-authorized

    2. Set IP Relaxation to Relax IP restriction. Otherwise, you can set this to allow the Veza tenant or Insight Point IP range.

    3. Click Save

  5. Under Permission Sets click Manage Permission Sets and assign the one you just created.

It may take up to 10 minutes for Salesforce to fully propagate the configuration. After this finishes, the Salesforce account is ready to add to Veza.

Adding the integration to Veza

  1. In Veza, go to the Integrations page

  2. Click Add Integration and search for Salesforce. Click on it and click Next

  3. Enter the required connection information and configure the objects to sync

  4. Click Create Integration to save the configuration

Connection fields:

  • Name: Unique name to identify the SFDC provider

  • Domain: SFDC domain, excluding the full URL. For example, if your Salesforce URL is https://org-dev-1.my.salesforce.com/, the domain is org-dev-1.

  • User Name: Salesforce user name to connect as

  • Consumer Key: Consumer key (client id) of the connected app (SFDC App Manager > select connected app > View > Manage Consumer Details)

  • Private Key: Upload the key for the SFDC app (.pem or .key format)

  • Salesforce Sandbox Deployment: Select if connecting to a Salesforce Sandbox org. Clear if connecting directly to the production domain.

  • Object Allow List: Comma-separated list of object (account) names to allow for discovery

  • Object Deny List: Comma-separated list of objects to deny for discovery

  • License Allow List: Comma-separated list of license names to filter profiles and users

  • License Deny List: Comma-separated list of license names to filter profiles and users
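The User Name, Consumer Key, Private Key and Sandbox fields are the inputs to the JWT bearer flow that the Connected App's digital-signature setting enables. The following Go example, added here and not Veza's own code, builds and signs that assertion the way Salesforce's JWT bearer flow specifies; it assumes a PKCS#1 RSA private key ("BEGIN RSA PRIVATE KEY"), the standard login host as audience (https://login.salesforce.com, or https://test.salesforce.com for a sandbox) and a three-minute expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"time"
)

// LoginHost is the audience and token host for the JWT bearer flow: production
// orgs use login.salesforce.com, sandbox orgs use test.salesforce.com (assumption).
func LoginHost(sandbox bool) string {
	if sandbox {
		return "https://test.salesforce.com"
	}
	return "https://login.salesforce.com"
}

// BuildAssertion creates the RS256-signed JWT presented to Salesforce: iss is the
// Connected App Consumer Key, sub the integration user name, aud the login host,
// exp a short expiry. keyPEM is the PKCS#1 .key file that is uploaded to Veza.
func BuildAssertion(consumerKey, username string, sandbox bool, keyPEM []byte, now time.Time) (string, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return "", errors.New("private key is not PEM encoded")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding // JWT segments are unpadded base64url
	claims, _ := json.Marshal(map[string]interface{}{ // strings and an int64 cannot fail to marshal
		"iss": consumerKey, "sub": username, "aud": LoginHost(sandbox),
		"exp": now.Add(3 * time.Minute).Unix(), // keep the validity window short
	})
	signingInput := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // RS256: PKCS#1 v1.5 over SHA-256
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}
```

Exchanging the assertion is a POST to LoginHost + /services/oauth2/token with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer and assertion=<token>; a successful token response confirms that the user, Consumer Key, uploaded certificate and private key line up before the integration is saved in Veza.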

Enabled Salesforce Object Types: To enable default object types, click Select Services and use the dropdown menu to enable built-in objects:

  • Contract

  • Price Book

  • Price Book Entry

  • Account

  • Opportunity

  • Product

To add extension objects and custom objects, click Select Services and enter the extension name, for example, Price_Table__c. Custom and extension objects must be specified using their exact API names, including any underscores and the __c suffix.

  • To discover only users and IAM entities, add all objects to the deny list by entering a wildcard *.

  • Exclude users by license type by adding entries to the configuration's license deny or allow lists. Possible SFDC licenses include Knowledge Only User (users who only have access to the Salesforce Knowledge app) and External Identity (intended for customers and partners).

Notes and Supported Entities

The integration currently supports the following Default Salesforce Objects:

  • Salesforce Organization

    • Salesforce User

    • Salesforce Group

    • Salesforce Role

    • Salesforce Profile

    • Salesforce PermissionSet

    • Salesforce Object

      • Salesforce Account

        • Salesforce Account Share

      • Salesforce Price Book

      • Salesforce Product

The integration also supports custom and extension Salesforce objects:

  1. Extension Objects from packages like Salesforce CPQ+ and Apptus. These must be added manually using exact API names, e.g. SBQQ__Quotes__c, SBAA__ApprovalConditions__C.

  2. Custom Objects: Organization-specific objects can be discovered by configuring the integration using their exact API names, e.g. Price_Table__c, Trial_Org__c.

Entity properties

The following properties are available to filter results throughout the Veza interface:

  • User

    • Is Active: Boolean if user is active

    • Last Login At: User last login time if available

    • User Type: The category of user license for the user

    • manager_id: Salesforce ID of user manager if set

    • ExternalUser: If User is external

    • UserLicense: License Attributes, ID, LicenseDefinitionKey, Name, MasterLabel

  • Group

    • Type: Group type

    • Owner Id: User ID of Group owner

  • Account

    • Attributes: type and URL of the SFDC object

    • Name: SFDC Account name

    • OwnerId: User ID of the account owner

    • ParentId: Parent object ID

    • Domain: SFDC Domain for the account

    • Shares: Account Share details: TotalSize, Done, Shares

  • Account Share

    • AccountId: ID of the Account associated with the share

    • UserOrGroupId: ID of the User or Group granted access

    • AccountAccessLevel: Level of access granted (READ, EDIT, ALL)

    • RowCause: Reason that this sharing entry exists

    • Domain: Account share domain

Limitations

Groups: Veza discovers the following group types: Organization, Role, RoleAndSubordinates, RoleAndSubordinatesInternal, and Regular, along with AllCustomerPortal and Queue:

  • Organization: public group including all User records in the organization.

  • Role: public group including all User records in a particular UserRole.

  • RoleAndSubordinates: public group including all the User records in a particular UserRole, and all the User records in any subordinate UserRole.

  • RoleAndSubordinatesInternal: represents internal roles and their subordinates in the org's role hierarchy, excluding customer and partner roles.

  • Regular: standard public group (typically user-created).

  • AllCustomerPortal: includes all members with a customer portal license, excluding high volume licenses.

  • Queue: typically used to assign a single record to many individual users.

Licenses: For the AllCustomerPortal license, Veza currently supports the following license types:

  • PID_Customer_Portal_Basic

  • PID_Customer_Portal_Standard

  • PID_Limited_Customer_Portal_Basic

  • PID_Limited_Customer_Portal_Standard

  • PID_Overage_Customer_Portal_Basic

  • POWER_SSP

Veza excludes all High Volume Customer Portal licenses, since these are not included in the AllCustomerPortal group. An example high volume license is: PID_Overage_High Volume Customer Portal.

Account Licenses are not currently included in effective permissions (users may not have a license to access a resource they would otherwise have permissions on).

Permissions: Permissions granted by group types such as ManagerAndSubordinatesInternal, ChannelProgramGroup, PRMOrganization, and others are not currently supported. See member roles for more details on built-in roles and usage.
