# Salesforce

### Overview

The Veza integration for Salesforce Service Cloud discovers users, authorization entities (such as groups and permission sets), and data objects (accounts). Veza parses group memberships, role assignments, and account shares to show users with access to sensitive records, and reveal who can read, delete, or otherwise alter data and settings.

The integration enables:

* Automated discovery of Salesforce objects and their permissions
* Evaluation of permission sets and object-level access
* Discovery of custom object permissions and access patterns
* Discovery of Salesforce Sites and Guest User Profiles for public access security analysis

See [Notes and Supported Entities](#notes-and-supported-entities) for more information about discovered entities and properties.

#### Cross service connections

Veza automatically detects relationships between [Okta](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta.md) identities and Salesforce local users.

If you have integrated another identity provider for single sign-on, the provider configuration can include [custom identity mappings](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md) to Salesforce.

#### Deployment architecture

Veza connects to Salesforce using JWT-based OAuth 2.0 authentication backed by an RSA key pair: the private key is uploaded to Veza and the matching X.509 certificate to the Salesforce app. Deployment requires creating a Salesforce user with appropriate permissions, configuring an External Client App or Connected App, and establishing the integration within Veza. The connection enables discovery of users, groups, permission sets, sites, and account access relationships.

![Veza for Salesforce](/files/B3Fd4EogPXgWwTqBCsS3)

### Configuring Salesforce

To integrate Veza with Salesforce, you will need to:

* [Create a user](#create-a-salesforce-user), and grant the [required API permissions](#create-salesforce-permission-set) by creating and assigning a permission set.
* Create an SFDC [External Client App or Connected App](#create-a-salesforce-app-for-veza) that Veza will use to make API calls. You can [generate a private key and self-signed certificate](#prepare-a-key-and-certificate-for-the-salesforce-app) for the Veza service application, or use an existing key pair.
* [Configure the Veza integration](#adding-the-integration-to-veza), providing the generated certificate, user email, and consumer key for the app.

> For testing the integration, you will need a developer instance, which you can register at <https://developer.salesforce.com/signup>. The Salesforce account to discover must have [API access enabled](https://help.salesforce.com/s/articleView?id=sf.security_api_access_control_about.htm\&type=5).

#### Create a Salesforce user

To conduct the API calls required for discovery, Veza will need a Salesforce user account.

> If an appropriate service account user and permission set with API access enabled already exists, skip to **Create a Salesforce App for Veza**.

To create the user:

1. In a browser, open the **Setup** section in Salesforce with an administrative account
2. In the left navigation pane, under the **ADMINISTRATION** heading, expand **Users** and click the **Users** link
3. At the top of the **Users** table, click **New User**
4. Enter details for the user account:
   * **License**: Use `Salesforce`
   * **Profile**: Use a default profile, or create one. For new profiles, use the built-in role `Minimum Access - Salesforce`. Use the permission set in the next section to explicitly grant permissions.

See [Add a user](https://help.salesforce.com/s/articleView?id=sf.adding_new_users.htm\&type=5) in the Salesforce documentation for more details.

#### Create Salesforce Permission Set

Next, grant the user the API permissions Veza will need to gather entity metadata and authorization information.

1. As an administrator, browse to the Salesforce **Setup** section
2. In the left navigation pane, under the **ADMINISTRATION** heading, expand **Users** and click **Permission Sets**
3. At the upper left of the **Permission Sets** table, click **New**
   1. Enter a *Label* and optional *Description*
   2. The *API Name* field is automatically populated by the label but can be overridden if needed
   3. Leave the *License* dropdown field set to *--None--*
   4. Click **Save** to create the permission set
4. On the resulting permission set overview page, click **System Permissions**
5. Click **Edit** and enable the options:
   1. *API Enabled*: this enables access to the Salesforce.com API
   2. *View All Profiles*: required to gather user information
   3. *View All Users*: required to gather user information
   4. *View Roles and Role Hierarchy*: required to view role hierarchy for evaluating sharing
   5. *View Setup and Configuration*: required to get object metadata
   6. *View Health Check*: used to identify SaaS misconfigurations
6. At the top of the main pane, click **Save**

{% hint style="info" %}
**Connected Apps Discovery (Optional):** To discover Salesforce Connected Applications, enable these additional permissions:

* *Customize Application*: required to access Connected App metadata
* *Manage Connected Apps*: required to view Connected Applications

Both permissions must be enabled together. Without these permissions, the extraction will complete successfully but Connected Applications will not be collected.
{% endhint %}

See the [Salesforce Permission Sets documentation](https://help.salesforce.com/s/articleView?id=sf.perm_sets_overview.htm) for more details.

### Configure Required Permissions

The integration generally requires two permissions for each object to discover:

* **Read Permission** (Required): Provides basic visibility into object data and structure, and must be enabled for all objects to sync with Veza.
* **View All Permissions** (Required if available): Enables full object visibility. Depending on your Salesforce version, this may appear as a single **View All** checkbox or as two separate options: **View All Records** and **View All Fields**. Enable whichever options are available.

On the permission set overview page, under **Apps** click **Object Settings**. Enable permissions for any built-in or custom objects Veza will discover:

1. For each object (**Contract**, **Price Book**, **Account**, **Opportunity**, **Product**, or supported custom object):
   * Under "Object Settings", locate the object
   * Click **Edit**
   * Under "Object Permissions":
     * Enable **Read**
     * If available, enable **View All Records** and **View All Fields** (or **View All** if your version shows a single option). Do not enable **Modify All**.
2. At the top of the main pane, click **Save** after configuring the desired objects.

See [Notes and Supported Entities](#notes-and-supported-entities) for all supported extension objects and custom objects.

#### Assign the Permission Set

Go back to the **Permission Sets** table, find the newly created permission set, and click on it.

1. From the details view, click **Manage Assignments** at the top of the main pane
2. Click **Add Assignments** at the top of the screen
3. Locate the user that will make API calls to the Salesforce endpoint, click the checkbox next to the account, and click **Assign** at the top of the table
4. Click **Done**

See the [Salesforce Permission Sets documentation](https://help.salesforce.com/s/articleView?id=platform.perm_sets_overview.htm) for more details.

#### Prepare a key and certificate for the Salesforce App

Both External Client Apps and Connected Apps use an X.509 certificate for JWT-based OAuth 2.0 authentication. This certificate and its associated private key enable secure API access to Salesforce. You can generate a certificate directly in Veza, create a self-signed certificate with OpenSSL, or use an existing certificate.

Certificate Requirements:

* Must be an X.509 certificate with client authentication capabilities (with the attribute `"Enhanced Key Usage": "Client Authentication"`)
* Must be in PEM format (both certificate and private key)
* Can be either self-signed or CA-issued
* Must include both the certificate (.crt) and private key (.key) files

{% tabs %}
{% tab title="Generate with Veza" %}

1. In the Veza integration form, optionally enter a password in the **Auth Certificate Password** field to encrypt the private key.
2. Click **Generate & Download Certificate and Private Key**. Veza generates and downloads two files: a `.crt` certificate and a `.key` private key.
3. Save the `.crt` file — you will upload it to Salesforce when creating the app (see below).
4. Upload the `.key` file when [adding the integration to Veza](#adding-the-integration-to-veza).
   {% endtab %}

{% tab title="OpenSSL (Manual)" %}
Generate a private key and certificate using OpenSSL with PKCS#8 format (required by Veza).

**Unencrypted PKCS#8 Key:**

Create a directory for storing the generated files:

```sh
# Keep the key directory private to your user
mkdir -p -m 700 ~/jwt-keys
cd ~/jwt-keys
```

Generate a private key directly in PKCS#8 format (unencrypted):

```sh
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
```

Generate a certificate signing request:

```sh
openssl req -new -key server.key -out server.csr
```

Generate a self-signed digital certificate:

```sh
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
```

**Encrypted PKCS#8 Key (with passphrase):**

To encrypt the private key with a passphrase, use the `-aes-256-cbc` flag when generating the key:

```sh
# Keep the key directory private to your user
mkdir -p -m 700 ~/jwt-keys
cd ~/jwt-keys
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc
```

You'll be prompted for a passphrase. Provide the passphrase when generating the CSR and certificate:

```sh
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
```

> **Important**: Veza requires PKCS#8 format private keys. The official Salesforce documentation references older instructions that generate PKCS#1 format keys, which are not compatible with Veza.

Save both files:

* The `server.crt` for uploading to Salesforce
* The `server.key` for configuring Veza
  {% endtab %}
  {% endtabs %}

If you already have a key and certificate pair, you can skip this step and upload the certificate when creating the Salesforce app, provided it meets the requirements above. Upload the private key when [configuring the Veza integration](#adding-the-integration-to-veza).
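A pre-flight check for the key pair described above, added here as an example (not Veza or Salesforce code): it confirms the key is PKCS#8, that the certificate matches it and carries the Client Authentication EKU, then signs a JWT bearer assertion locally and verifies it against the certificate. The claim layout (`iss` = consumer key, `sub` = user name, `aud` = login URL) follows the Salesforce JWT bearer flow and is an assumption not shown on this page; the consumer key and user name are constructed placeholders.

```sh
#!/bin/sh
# Added example, not Veza or Salesforce code. Requires the openssl CLI (1.1.1+).

# Generate a throwaway PKCS#8 key and a self-signed certificate that carries
# the Client Authentication EKU named in the certificate requirements.
make_pair() {  # make_pair DIR
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/server.key" 2>/dev/null &&
  openssl req -new -x509 -sha256 -days 365 -key "$1/server.key" \
    -subj "/CN=veza-salesforce-example" \
    -addext "extendedKeyUsage=clientAuth" -out "$1/server.crt"
}

# Classify a PEM private key by its first BEGIN line.
key_format() {  # key_format KEYFILE
  case "$(sed -n '/^-----BEGIN /{p;q;}' "$1")" in
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
    "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
    *)                                       echo unknown ;;
  esac
}

# Rewrite a PKCS#1 key as unencrypted PKCS#8.
to_pkcs8() {  # to_pkcs8 IN OUT
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# Succeed only if the certificate and the private key share one public key.
# (An encrypted key makes openssl prompt for its passphrase here.)
cert_matches_key() {  # cert_matches_key CERT KEY
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate lists the client-auth extended key usage.
cert_has_client_auth() {  # cert_has_client_auth CERT
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# base64url without padding, as used in JWTs.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Build and sign an RS256 assertion valid for three minutes.
# For a sandbox org the audience would be https://test.salesforce.com.
make_assertion() {  # make_assertion KEY CONSUMER_KEY USERNAME AUDIENCE
  jwt_head=$(printf '{"alg":"RS256"}' | b64url)
  jwt_body=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' \
             "$2" "$3" "$4" "$(( $(date +%s) + 180 ))" | b64url)
  jwt_sig=$(printf '%s.%s' "$jwt_head" "$jwt_body" |
            openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$jwt_head" "$jwt_body" "$jwt_sig"
}

# Check the assertion's signature with the public key taken from the
# certificate, which is what the Salesforce app will hold.
verify_assertion() {  # verify_assertion CERT JWT
  vdir=$(mktemp -d) || return 1
  vsig=${2##*.}
  while [ $(( ${#vsig} % 4 )) -ne 0 ]; do vsig="$vsig="; done  # restore padding
  printf '%s' "$vsig" | tr '_-' '/+' | openssl base64 -d -A > "$vdir/sig"
  openssl x509 -in "$1" -noout -pubkey > "$vdir/pub.pem"
  printf '%s' "${2%.*}" |
    openssl dgst -sha256 -verify "$vdir/pub.pem" -signature "$vdir/sig" >/dev/null 2>&1
  vrc=$?
  rm -rf "$vdir"
  return "$vrc"
}

# Demo on a throwaway pair; nothing is sent to Salesforce.
demo() {
  d=$(mktemp -d) || return 1
  make_pair "$d" || return 1
  echo "key format: $(key_format "$d/server.key")"
  cert_matches_key "$d/server.crt" "$d/server.key" && echo "cert matches key"
  cert_has_client_auth "$d/server.crt" && echo "client-auth EKU present"
  # Constructed placeholder consumer key and user name.
  jwt=$(make_assertion "$d/server.key" "EXAMPLE_CONSUMER_KEY" \
        "veza-svc@example.com" "https://login.salesforce.com")
  verify_assertion "$d/server.crt" "$jwt" && echo "assertion verifies under cert"
  rm -rf "$d"
}
demo
```

To check your own files, call `key_format`, `cert_matches_key` and `cert_has_client_auth` on `server.key` and `server.crt` before uploading them.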

#### Create a Salesforce App for Veza

To add a Salesforce app for Veza, you can create either an **External Client App** (recommended) or a **Connected App** (legacy). Salesforce recommends external client apps for new integrations. For a comparison of both approaches, see [External Client Apps and Connected Apps](https://help.salesforce.com/s/articleView?id=xcloud.external_integrations.htm\&type=5) in the Salesforce documentation.

<details>

<summary><strong>External Client App (Recommended)</strong></summary>

To create a new External Client App, open the Salesforce **Setup** section.

1. Under the **Platform Tools** heading, expand **Apps**, expand **External Client Apps** and click **External Client App Manager**
2. Click **New External Client App** at the upper right corner
3. Under the **Basic Information** heading, complete the following:
   1. *External Client App Name*: a unique name for the application (ex: Veza Salesforce)
   2. *API Name*: this will be automatically populated by the app name, but can be overridden
   3. *Contact Email*: enter a valid email for you or your team
4. Under the **API (Enable OAuth Settings)** header, click the checkbox to **Enable OAuth Settings**
   1. Click the checkbox for **Enable for Device Flow**
   2. In the **Callback URL** field, enter `https://localhost` (a callback URL is not used for device flow)
   3. In the **Selected OAuth Scopes** field, add the following two scopes by highlighting them and clicking **>**
      * *Full access (full)* to grant access to data accessible by the logged-in user. Actual permissions are still restricted by the applied permission set.
      * *Perform requests at any time* (refresh\_token, offline\_access)
5. Under the **Flow Enablement** section, click the checkbox to **Enable JWT Bearer Flow** and upload the `.crt` file for the client certificate
6. Click **Save** at the bottom of the page

**Restrict the app to the previously created user**

1. Locate the newly created External Client App, click the drop-down arrow next to its name, and click **View**
2. In the app details, open the **Policies** tab, then click **Edit**
3. Under **OAuth Policies** > **Plugin Policies** > **Permitted Users**, pick **Admin approved users are pre-authorized**
4. Select the profile and permission set created above, then click **Save**

**Get the External Client App Consumer Key**

1. Locate the newly created External Client App, click the drop-down arrow next to its name, and click **View**
2. In the app details, open the **Settings** tab. Under **OAuth Settings** > **App Settings**, click **Consumer Key and Secret**
3. Copy the **Consumer Key**. You will need this to configure the integration in Veza.

</details>

<details>

<summary><strong>Connected App (Legacy)</strong></summary>

{% hint style="warning" %}
Connected Apps are the legacy approach. Salesforce recommends external client apps for new integrations. New Connected Apps may require approval from Salesforce — contact Salesforce support if you need assistance. Use this method if your Salesforce instance does not support External Client Apps.
{% endhint %}

To create a new Connected App, open the Salesforce **Setup** section.

1. Under the **PLATFORM TOOLS** heading, expand **Apps**, then **External Client Apps**, and click **Settings**.
2. In the **Connected Apps** section, ensure the **Allow creation of connected apps** toggle is set to **On**.
3. Click **New Connected App** at the bottom of the page.

   > **Note:** If prompted with "Enable Connected App Creation?", click **Enable**.
4. Under the **Basic Information** heading, complete the following:
   1. *Connected App Name*: a unique name for the application (ex: Veza Salesforce)
   2. *API Name*: this will be automatically populated by the app name, but can be overridden
   3. *Contact Email*: enter a valid email for you or your team
5. Under the **API (Enable OAuth Settings)** header, click the checkbox to **Enable OAuth Settings**
   1. Click the checkbox for **Enable for Device Flow**
   2. In the **Callback URL** field, enter `https://localhost` (a callback URL is not used for device flow)
   3. Click the checkbox for **Use digital signatures** and upload the `.crt` file for the client certificate
   4. In the **Selected OAuth Scopes** field, add the following two scopes by highlighting them and clicking **>**
      * *Full access (full)* to grant access to data accessible by the logged-in user. Actual permissions are still restricted by the applied permission set.
      * *Perform requests at any time* (refresh\_token, offline\_access)
6. Click **Save** at the bottom of the page
7. Click **Continue** to create the Connected App

See [Create a Connected App](https://help.salesforce.com/s/articleView?id=sf.connected_app_create.htm\&type=5) for more details.

**Get the Connected App Consumer Key**

From the Salesforce **Setup** page, under **PLATFORM TOOLS**, click **Apps** > **App Manager**.

1. Locate the newly created Connected App, click the drop-down arrow next to its name, and click **View**
2. Click **Manage Consumer Details** and copy the **Consumer Key**. You will need this to configure the integration in Veza.
3. Close this tab or navigate back to App Manager

**Apply Permission Set to the Connected App**

1. In Salesforce App Manager, locate the Veza Connected App
2. Click the drop-down arrow next to the app name, and click **Manage**
3. Click **Edit Policies**
   1. Set **Permitted Users** to **Admin approved users are pre-authorized**
   2. Set **IP Relaxation** to **Relax IP restriction**. Alternatively, you can set this to allow only the Veza tenant or Insight Point IP range.
   3. Click **Save**
4. Under **Permission Sets** click **Manage Permission Sets** and assign the one you just created.

</details>

It can take up to 10 minutes for Salesforce to fully propagate the configuration. After this finishes, the Salesforce account is ready to add to Veza.

### Adding the integration to Veza

1. In Veza, go to the **Integrations** page
2. Click **Add Integration** and search for Salesforce. Click on it and click **Next**
3. Enter the required connection information and configure the objects to sync
4. Click **Create Integration** to save the configuration

| Field                                  | Description                                                                                                                                                                         |
| -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Name*                                 | Unique name to identify the SFDC provider                                                                                                                                           |
| *Domain*                               | SFDC domain, excluding the full URL. For example, if your Salesforce URL is `https://org-dev-1.my.salesforce.com/`, the domain is `org-dev-1`.                                      |
| *User Name*                            | Salesforce `user name` to connect as                                                                                                                                                |
| *Consumer Key*                         | Consumer key (client id) of the Salesforce app. See [Create a Salesforce App for Veza](#create-a-salesforce-app-for-veza) for how to retrieve the consumer key for your app type.   |
| *Private Key*                          | Upload the [PKCS#8 private key](#prepare-a-key-and-certificate-for-the-salesforce-app) for the SFDC app (`.pem` or `.key` format)                                                   |
| *Salesforce Sandbox Deployment*        | Select if connecting to a Salesforce [Sandbox](https://help.salesforce.com/s/articleView?id=sf.data_sandbox_create.htm) org. Clear if connecting directly to the production domain. |
| *Gather Non-Standard Salesforce Users* | Enable to extract Guest User Profiles and other non-standard user types. Guest User Profiles control public access to Salesforce communities without authentication.                |
| *Object Allow List*                    | Comma-separated list of object (account) names to allow for discovery                                                                                                               |
| *Object Deny List*                     | Comma-separated list of objects to deny for discovery                                                                                                                               |
| *License Allow List*                   | Comma-separated list of license names to filter profiles and users                                                                                                                  |
| *License Deny List*                    | Comma-separated list of license names to filter profiles and users                                                                                                                  |

**Enabled Salesforce Object Types**: To enable default object types, click **Select Services** and use the dropdown menu to enable built-in objects:

* Contract
* Price Book
* Price Book Entry
* Account
* Opportunity
* Product

To add extension objects and custom objects, click the list of **Enabled Salesforce Object Types** and type in the extension name, for example, `My_Custom_Salesforce_Object__c`.

> Custom and extension objects must be identified by the exact Object API Name as shown in Salesforce. When enabling these objects, check for correct capitalization and include any underscores and suffixes.

For integrations with many custom objects, you can upload a CSV file to configure all object types at once. Two formats are supported:

* Comma-separated on a single line: `Account,Opportunity,MyCustomObject__c`
* One object name per line

{% hint style="warning" %}
Uploading a CSV **replaces** any previously selected object types. It does not merge with existing selections. Include every object you want enabled in the CSV file, including any that were previously configured manually.
{% endhint %}

#### Notes and Supported Entities

The integration currently supports the following **Default Salesforce Objects** in Salesforce Service Cloud. You can configure the integration to enable only the objects required for your security and compliance needs:

* Salesforce Organization
  * Salesforce User
  * Salesforce Group
  * Salesforce Role
  * Salesforce Profile
  * Salesforce PermissionSet
  * Salesforce Connected Application
  * Salesforce Site
  * Salesforce Object
    * Salesforce Account
      * Salesforce Account Share
    * Salesforce Price Book
      * Salesforce Price Book Entry
    * Salesforce Contract
    * Salesforce Product
    * Salesforce Opportunity

**Entity Relationships**: Both Salesforce Organization and Salesforce Users have relationships to Salesforce Sites. Sites are publicly accessible websites or communities that may have access to certain Salesforce objects through Guest User profiles.

Note that Salesforce Marketing Cloud and Salesforce Sales Cloud are **not** currently supported by the integration. AI/ML models are also **not** currently extracted by the Salesforce integration.

**Extension and Custom Objects**: The integration can extract extension and custom Salesforce objects, including:

* `APTS_Price_Matrix__c`
* `APTS_Pricing_Configuration__c`
* `APTS_Proposal_Worker_Report_Item__c`
* `APTS_Subscriptions_Annual_Fee__c`
* `Apttus_Approval__Approval_Process__c`
* `Apttus_Approval__ApprovalRule__c`
* `Apttus_Approval__ApprovalRuleDimension__c`
* `Apttus_Config2__AssetLineItem__c`
* `Apttus_Config2__PriceListItem__c`
* `Apttus_Proposal__Proposal__c`
* `Apttus__APTS_Agreement__c`
* `Apttus__AgreementLineItem__c`
* `SBQQ__DiscountSchedule__c`
* `SBQQ__PriceRule__c`
* `SBQQ__ProductRule__c`
* `SBQQ__QuoteLine__c`
* `SBQQ__Quote__c`
* `SBQQ__Subscription__c`
* `sbaa__ApprovalCondition__c`
* `sbaa__ApprovalRule__c`
* `sbaa__Approver__c`

If you need to sync an object type not listed above, please contact Veza Support. Note that the permission set for the Salesforce app needs to include read and view permissions on any objects to discover, following the instructions in [Create Salesforce Permission Set](#create-salesforce-permission-set).

#### Supported Attributes

The following properties are available to filter results throughout the Veza interface:

| Entity                | Property             | Value                                                                     |
| --------------------- | -------------------- | ------------------------------------------------------------------------- |
| User                  | `Is Active`          | Boolean if user is active                                                 |
| User                  | `Last Login At`      | User last login time if available                                         |
| User                  | `User Type`          | The category of user license for the user.                                |
| User                  | `manager_id`         | Salesforce ID of user manager if set                                      |
| User                  | `ExternalUser`       | If User is external                                                       |
| User                  | `UserLicense`        | License `Attributes`, `ID`, `LicenseDefinitionKey`, `Name`, `MasterLabel` |
| Group                 | `Type`               | Group type                                                                |
| Group                 | `Owner Id`           | User ID of Group owner                                                    |
| Account               | `Attributes`         | `type` and `URL` of the SFDC object                                       |
| Account               | `Name`               | SFDC Account name                                                         |
| Account               | `OwnerId`            | User ID of the account owner                                              |
| Account               | `ParentId`           | Parent object ID                                                          |
| Account               | `Domain`             | SFDC Domain for the account                                               |
| Account               | `Shares`             | Account Share details: `TotalSize`, `Done`, `Shares`                      |
| Account Share         | `AccountId`          | ID of the Account associated with the share                               |
| Account Share         | `UserOrGroupId`      | ID of the User or Group granted access                                    |
| Account Share         | `AccountAccessLevel` | Level of access granted (READ, EDIT, ALL)                                 |
| Account Share         | `RowCause`           | Reason that this sharing entry exists                                     |
| Account Share         | `Domain`             | Account share domain                                                      |
| Connected Application | `salesforce_id`      | Salesforce ID of the Connected App                                        |
| Connected Application | `is_active`          | Boolean if Connected App is active                                        |
| Connected Application | `native_id`          | Native identifier for the Connected App                                   |

#### User custom properties

Veza supports extracting custom properties for Salesforce User objects, enabling you to enrich user profiles with additional attributes for access reviews, lifecycle management, and query filters. The integration supports both direct and indirect (referenced) properties.

**Property Types:**

* **Direct properties**: Attributes that exist directly on the User object itself. These are standard or custom fields stored on the User record.
  * Examples: `Id`, `Username`, `Email`, `UserType`, `Department`, `Division`, `Custom_Field_Integ_Test__c`
* **Indirect (referenced) properties**: Properties that reference related objects through dot notation. The User object holds a reference ID to another object, and you can access that object's properties using the relationship name.
  * Examples: `Profile.Name`, `Manager.Id`, `Manager.Email`, `UserRole.Name`

**Important considerations:**

* **Case sensitivity**: Property names are case-sensitive and must exactly match the field names as returned by the [Salesforce User object API](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_user.htm). Incorrect capitalization will prevent the property from being extracted.
* **Referenced object fields**: For indirect properties using dot notation (such as `Profile.Name`), ensure the referenced object and field names match the Salesforce API schema exactly.
* **Nesting depth**: Only one level of dot notation is supported (e.g., `Profile.Name`, `Manager.Email`). Multi-level references (e.g., `Manager.Profile.Name`) are not supported by the Salesforce API and will be ignored during extraction.
* **Custom fields**: Custom field names typically end with `__c` (e.g., `My_Custom_Field__c`).

**Configuring custom properties:**

You can configure **Custom Properties** for Salesforce Users when creating or editing the Salesforce integration in Veza:

1. In the integration wizard, proceed through the standard configuration steps
2. The **Custom Properties** step will appear in the wizard navigation
3. For each custom property you want to extract:
   * Click **Add Custom Property**
   * Enter the **Property Name** exactly as it appears in the Salesforce API (case-sensitive)
   * For referenced properties, use dot notation (e.g., `Profile.Name`, `Manager.Email`)
   * Select the **Property Type** (Text, Number, Boolean, etc.)
   * Optionally mark properties as **Sensitive** to control access
4. Save the integration configuration

Properties are validated against the Salesforce schema during extraction. Invalid property names or properties that don't exist in your Salesforce org are filtered from extraction and logged.

Once configured, custom properties are available throughout Veza for filtering users in queries and reports, creating access review campaigns, and attribute-based access control decisions. Custom properties configured here are automatically available for synchronization in [Salesforce Lifecycle Management](/4yItIzMvkpAvMVFAamTf/integrations/integrations/salesforce/provisioning.md#sync-identities) policies.

#### Salesforce Sites and Guest User Profiles

Salesforce Sites create public-facing websites with controlled access through Guest User Profiles. Each Site has one designated Guest User that defines public access permissions for unauthenticated visitors to that site. To extract Guest Users:

* Enable **"Gather Non-Standard Salesforce Users"** to discover Guest User Profiles
* To search for Salesforce Users with guest profiles, apply an attribute filter on Salesforce `User Type` = "Guest"
* Each Salesforce Site includes a `Guest User ID` property linking to its associated Guest User Profile

Guest User Profiles can have object-level and field-level permissions, potentially exposing data to unauthenticated users. Veza captures these permissions to help identify what data is publicly accessible through each Site.

#### Limitations

**Groups**: Veza discovers the following group types: `Organization`, `Role`, `RoleAndSubordinates`, `RoleAndSubordinatesInternal`, and `Regular`, along with `AllCustomerPortal` and `Queue`:

* `Organization`: public group including all User records in the organization.
* `Role`: public group including all User records in a particular UserRole.
* `RoleAndSubordinates`: public group including all the User records in a particular UserRole, and all the User records in any subordinate UserRole.
* `RoleAndSubordinatesInternal`: represents internal roles and their subordinates in the org’s role hierarchy, excluding customer and partner roles.
* `Regular`: standard public group (typically user-created).
* `AllCustomerPortal`: includes all members with a customer portal license, excluding high volume licenses.
* `Queue`: typically used to assign a single record to many individual users.

**Licenses**: For the `AllCustomerPortal` license, Veza currently supports the following license types:

* `PID_Customer_Portal_Basic`
* `PID_Customer_Portal_Standard`
* `PID_Limited_Customer_Portal_Basic`
* `PID_Limited_Customer_Portal_Standard`
* `PID_Overage_Customer_Portal_Basic`
* `POWER_SSP`

Veza excludes all `High Volume Customer Portal` licenses, since these are not included in the `AllCustomerPortal` group. An example high volume license is: `PID_Overage_High Volume Customer Portal`.

Account Licenses are not currently included in effective permissions (users may not have a license to access a resource they would otherwise have permissions on).

**Permissions**: Permissions granted by group types such as `ManagerAndSubordinatesInternal`, `ChannelProgramGroup`, `PRMOrganization`, and others are not currently supported. See [member roles](https://help.salesforce.com/s/articleView?id=sf.users_group_member_types.htm\&type=5) for more details on built-in roles and usage.


