Creating a scoped-down Salesforce account
The Conveyor Salesforce integration uses OAuth to grant authorization for Conveyor's Salesforce Connected App. We then use that authorization to fetch your Salesforce data.
Whichever account you use to authenticate, Conveyor will get the permissions on that account when fetching your Salesforce data. That means if, for example, you authenticate using your Salesforce admin's account, Conveyor will likely get permissions to fetch more Salesforce data than we need. If that does not pose an issue for your organization, then authenticating Conveyor using your Salesforce admin's account is the quickest way to complete setup.
However, if scoping down to the minimum permissions is important to your organization, we recommend creating a new user that has only the minimum permissions Conveyor needs to make this integration work.
Creating a scoped-down Salesforce user to integrate with Conveyor
In order to create a user with the minimum permissions required for the Conveyor integration to work, you need to:
- Create a new Salesforce profile;
- Grant access to Conveyor's required objects;
- Check the Field-Level Security for each of Conveyor's required fields; and,
- Create a new user with the new profile assigned.
Note: Examples here will be given in the Salesforce Classic experience, and not the Lightning Experience.
Create a new Salesforce profile
- Go to "Setup"
- In the left panel's quick search input, type "Profiles"
- Click on the search result "Profiles" under "Manage Users"
- On the "Profiles" page, click the button "New Profile"
- Choose an existing profile to clone from. If you pick a profile that already has very minimal permissions, it will be easier to modify it to what Conveyor needs (e.g. Salesforce has a default profile called "Minimum Access - Salesforce" on the "Salesforce" user license)
- Enter a "Profile Name" - something like "Conveyor Integration" would suffice
Grant access to Conveyor's required objects
- After you have cloned a profile, you need to click "Edit"
- You need to uncheck everything except the following:
- "API Enabled" under "Administrative Permissions"
- "Edit Events" under "General User Permissions"
- "Accounts", "Contacts", "Leads", and "Opportunities" under "Standard Object Permissions"
- If you plan on sending events and completed questionnaires to Salesforce, you need to check "Modify All" for the objects that you want to create events / attachments on (e.g. Account). Otherwise, just checking "View All" will suffice
- Set whatever your organization's policies dictate for "Session Settings" and "Password Policies"
- Click "Save"
Check the Field-Level Security for each of Conveyor's required fields
Unfortunately, just granting View All / Read access to the object might not cover everything. We need to check that the specific fields Conveyor needs are allowed. To do this, we need to check the profile's Field-Level Security.
- From your new "Conveyor Integration" profile's view page, scroll down to the section called "Field-Level Security"
- For each of "Account", "Contact", "Lead", and "Opportunity" objects, do the following:
- Click "View" beside the object name
- Click "Edit" at the top
- Ensure each of the below fields are checked for the listed Access
- Click "Save"
Object | Access | Fields |
---|---|---|
Account | Read Access | Account Name, Website. If you are using our NDA bypass feature, you also need to grant access to the field that indicates Conveyor needs to bypass NDA (see docs here). If you are customizing your revenue charts, you also need to grant access to the field(s) that you added. |
Contact | Read Access | Account Name (Lookup), Email |
Lead | Edit Access | LastName, Company, Website, Email, LeadSource, Description |
Opportunity | Read Access | Account Name (Lookup), Amount, Is Won (if you have it), CloseDate, Opportunity Name. If you are customizing your revenue charts, you also need to grant access to the field(s) that you added. |
Note: For any object that you have to "Modify All" (e.g. Lead), make sure to check your "Validation Rules" for the object to see if anything is required. E.g. Sometimes Lead Source is required. If so, make sure you fill in that value in Conveyor.
Create a new user
- In the left panel's quick search input, type "Users"
- Click on the search result "Users" under "Manage Users"
- Click "New User"
- Enter the details you would like for the service account user
- Make sure that the "Profile" is set to the one you created for Conveyor. Note that the "User License" determines which profiles can be selected. Check the profile you created to see which user license it falls under.
- Click "Save"
That's it! You now have a user with the minimum permissions that Conveyor needs, and no more.
Using the Salesforce Integration license
In March, 2023, Salesforce announced a new license type called "Salesforce Integration". If you wish to use this license type on the user you are integrating with Conveyor, the above-mentioned approach will not work for you, since "Salesforce Integration" does not allow access out-of-the-box to certain objects, such as Accounts (which Conveyor needs).
Instead, you will need to create a Permission Set that either has no license or has a license that allows access to standard objects, like Accounts (e.g. the "Salesforce API Integration" license - which is different from the new "Salesforce Integration" license). For this new Permission Set, give it the same permissions we outline above.
Once you have created this new Permission Set, you can apply it to the user with the "Salesforce Integration" license, and everything should work as desired.
Next step
Return to the Salesforce documentation to finish setting up your Salesforce account.
Updated 9 months ago