Onboarding Salesforce applications

Configuration steps

CASB for Salesforce scans standard objects such as Accounts, Contacts, Campaigns, and Opportunities, as well as custom objects.

Enable CRM content

For DLP scanning to work with Salesforce, the Enable CRM setting must be enabled in Salesforce for all users. To enable Salesforce CRM content, log in to your Salesforce account and perform the following steps:

  1. Using the Quick Find box at the top left, search for Salesforce CRM Content.

  2. From the search results, click the Salesforce CRM Content link.

    The Salesforce CRM Content settings box appears.

  3. If the Enable Salesforce CRM Content and Autoassign feature licenses to existing and new users options are not checked, check them.

Enable scanning for structured data

If you are working with structured data, be sure that the Structured Data option is enabled.

Enable permissions for DLP scanning

System administrators have global access to Salesforce standard and custom objects. For non-administrators, the Push Topics and API Enabled permissions must be enabled for DLP to work, as follows.

To set the Push Topics option:

  1. From the Manage Users menu, select Users.

  2. From the All Users page, select a user.

  3. In the User Detail page for that user, click the Standard Platform User link.

  4. Scroll to the Standard Object Permissions section.

  5. Under Basic Access/Push Topics, be sure that Read, Create, Edit, and Delete are checked.

To set the API Enabled option:

  1. On the Standard Platform User page, scroll to the Administrative Permissions section.

  2. Be sure that API Enabled is checked.

Enable permissions for viewing event log files

To view event monitoring data, user permissions must be enabled for the View Event Log Files and API Enabled settings.

Users with View All Data permissions can also view event monitoring data. For more information, refer to the following link:

https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/using_resources_event_log_files.htm

Enable permissions for Audit Trail events

To process Audit Trail events, permissions must be enabled for View Setup and Configuration.

Enable permissions for Login History events

To process Login History events, permissions must be enabled for Manage Users, which also enables permissions for the following settings:

  • Requires Reset User Passwords and Unlock Users

  • View All Users

  • Manage Profiles and Permission Sets

  • Assign Permission Sets

  • Manage Roles

  • Manage IP Addresses

  • Manage Sharing

  • View Setup and Configuration

  • Manage Internal Users

  • Manage Password Policies

  • Manage Login Access Policies

  • Manage Two-Factor Authentication in User Interface

Enable permissions for querying files

In order to enable CASB to access all file events, you must enable permissions for the admin user that you will use to onboard Salesforce.

  1. In your Salesforce account, go to Setup and use the search box to search for Permission Sets.

  2. Create a new permission set, giving it any name of your choosing.

  3. Select App Permissions.

  4. In the Content section, check the box for Query All Files.

  5. Save the permission set.

  6. Use the Setup search box to search for Users.

  7. Click the name of the admin user that you will use to onboard Salesforce.

  8. In the Permission Set Assignments section, click Edit Assignments.

  9. Select the permission set that you created in step 2 above.

  10. Save the user account.

Enable permissions for viewing and modifying data

In order to enable CASB to access all data, you must enable permissions for the admin user that you will use to onboard Salesforce.

  1. In your Salesforce account, go to Setup and use the search box to search for Users.

  2. Click the name of the admin user that you will use to onboard Salesforce, and click the Edit button.

  3. In the Administrative Permissions section, make sure that the View All Data and Modify All Data checkboxes are selected.

  4. Save the user account.
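
One way to confirm the user-level permissions from the sections above before onboarding, as an added example that is not part of the original documentation. It assumes the standard PermissionSet API field names shown correspond to the UI labels on this page and that records have the shape of a REST query response; the user Id is a placeholder, the sample records are constructed, and the Push Topics object permissions are not covered.

```python
# Added example: audits query results for the permissions this page requires.
# UI label (from this page) -> PermissionSet field (assumed standard API name).
REQUIRED = {
    "API Enabled": "PermissionsApiEnabled",
    "View Event Log Files": "PermissionsViewEventLogFiles",
    "View Setup and Configuration": "PermissionsViewSetup",
    "Manage Users": "PermissionsManageUsers",
    "Query All Files": "PermissionsQueryAllFiles",
    "View All Data": "PermissionsViewAllData",
    "Modify All Data": "PermissionsModifyAllData",
}

# SOQL to run as an administrator; the user Id is a placeholder.
# A user's profile appears here too, as a profile-owned permission set.
SOQL = (
    "SELECT PermissionSet.Name, "
    + ", ".join("PermissionSet." + f for f in REQUIRED.values())
    + " FROM PermissionSetAssignment WHERE AssigneeId = '<ONBOARDING_USER_ID>'"
)

def missing_permissions(records):
    """Return UI labels not granted by any assigned permission set or profile."""
    granted = set()
    for rec in records:
        pset = rec.get("PermissionSet") or {}
        granted.update(l for l, f in REQUIRED.items() if pset.get(f) is True)
    return sorted(set(REQUIRED) - granted)

def granted_by(records, label):
    """Names of the permission sets that grant one permission (for review)."""
    field = REQUIRED[label]
    return [r["PermissionSet"]["Name"] for r in records
            if (r.get("PermissionSet") or {}).get(field) is True]

# Constructed sample: a profile-owned set plus the custom set from the
# "querying files" steps; View Event Log Files was never granted.
SAMPLE = [
    {"PermissionSet": {"Name": "Profile_Owned_Set_Placeholder",
                       "PermissionsApiEnabled": True, "PermissionsViewSetup": True,
                       "PermissionsManageUsers": True, "PermissionsViewAllData": True,
                       "PermissionsModifyAllData": True}},
    {"PermissionSet": {"Name": "CASB_Query_All_Files",
                       "PermissionsQueryAllFiles": True}},
]

if __name__ == "__main__":
    print(SOQL)
    print("Missing:", missing_permissions(SAMPLE))
```

Because View All Data and Modify All Data are organization-wide grants, `granted_by` is useful for reviewing which permission set carries them on the onboarding account.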

Onboarding steps

  1. Go to Administration > App Management and click New.

  2. Select Salesforce from the list.

  3. Enter a Name (required) and a Description (optional) and click Next.

  4. Select one or more protection modes:

  • API Access

  • Cloud Security Posture

  • Cloud Data Discovery

  5. Click Next and enter configuration settings. The fields you see depend on the deployment and the protection modes you chose in the previous step.

  • For API Access – Enter a Salesforce Subdomain.

  • For Cloud Security Posture – No other details are needed.

  • For Cloud Data Discovery – No other details are needed.

  6. Click Authorize.

  7. Select the Salesforce instance from the dropdown list.

  8. If this authorization is for a custom or a sandbox domain, click the box. Then, click Continue.

  9. Enter the administrator login credentials for this Salesforce account. Make sure to use the same administrator account that you assigned permissions to in the Enable permissions for querying files section above. Then, click Log In.