Configure Salesforce for API Data Protection

To configure Salesforce for API Data Protection, you need to authorize Netskope as a web application client to access your Salesforce instance.

There are four parts to this procedure:

  • Configure Salesforce API Access

  • Enable Listing of Private Files of Users

  • (Optional) Install Netskope Audit Reports and Legal Hold Destinations Apps

  • Configure Netskope Access for Salesforce

Configure Salesforce API Access

The following steps were validated in the Salesforce Lightning Experience and may not apply verbatim to Salesforce Classic. Lightning Experience is not a requirement for Netskope API Data Protection; you can configure it from Classic as well. To switch to the Lightning Experience UI, log in to login.salesforce.com, click the User menu drop-down list at the top right of the home page, and select Switch to Lightning Experience.

To authorize Netskope as a web application client to access your Salesforce instance, first create a custom profile in Salesforce Setup.

Netskope recommends creating an exclusive custom profile for the Netskope app. If you intend to run any custom processes or scripts (other than the Netskope app), create a separate custom profile for them. Do not reuse the profile intended for the Netskope app for custom processes or scripts (bulk uploads and the like), because they may interfere with the Netskope app. Note that the permissions this profile carries (listed below) let the assigned user read every record and every Chatter message in the organization, so treat that user as a privileged service account.
  1. Log in to login.salesforce.com.

  2. On the top right, click Setup > Setup.

  3. In the left navigation bar, go to Administration > Users > Profiles.

  4. Clone a user profile. You can clone a system administrator, standard user, read-only, or any other profile. Ensure that the user profile has an active “Salesforce” license. In this example, click Clone beside the Custom: Support Profile.

    If you intend to use the malware quarantine feature, ensure that you clone the System Administrator profile.
  5. On the Clone Profile page, enter a profile name and make sure the User License shows Salesforce. When finished, click Save.

  6. After creating the custom profile, click Edit to modify the custom profile.

  7. Scroll down to the Administrative Permissions section of the custom profile. Enable the following permissions:

    You must directly assign the permissions to the profile. Do not add the permissions through permission sets.
    The following list gives, for each permission, what it grants, why Netskope needs it, and which Netskope features (Read only, Edit/Enforce Policy, Audit Logs) depend on it.

    API Enabled
      Description: Access any Salesforce.com API.
      Why you need it: This is the basic permission for making API calls; without it Netskope API Data Protection cannot connect to Salesforce. It is enabled by default for Unlimited, Enterprise, and Developer Editions. For the Professional Edition, you may need to contact Salesforce Support to enable API access.
      Netskope features supported: Read only, Edit/Enforce Policy, Audit Logs

    Manage Chatter Messages and Direct Messages
      Description: Allows the user to access all users' messages sent in Chatter.
      Why you need it: To enable API Data Protection on Chatter conversations.
      Netskope features supported: Read only, Edit/Enforce Policy

    Manage Unlisted Groups
      Description: Allows the user to view and moderate unlisted Chatter groups. Only members and users with the Manage Unlisted Groups permission can access unlisted groups in list views, feeds, and search results.
      Why you need it: To introspect feeds and Chatter files posted in unlisted groups.
      Netskope features supported: Read only, Edit/Enforce Policy

    Manage Encryption Keys
      Description: Allows the user to use the Salesforce Bring Your Own Key (BYOK) feature.
      Why you need it: Lets you generate and provide your own tenant secret to derive encryption keys. This permission is required only if you use the Salesforce BYOK feature.
      Netskope features supported: none of the three; BYOK only.

    View All Data
      Description: Allows the user to view all data in the organization, regardless of the organization-wide sharing defaults.
      Why you need it: DLP on files requires Netskope to read the file content.
      Netskope features supported: Read only, Edit/Enforce Policy, Audit Logs

    View All Users
      Description: Allows the user to view the User object for all users, regardless of the sharing settings configuration.
      Why you need it: To identify the list of users in the organization.
      Netskope features supported: Read only, Edit/Enforce Policy, Audit Logs

    When finished, click Save.

  8. In the left navigation bar, go to Administration > Users > Users.

  9. Click Edit to modify an existing user, or New User to define a new user.

  10. In the User Edit > General Information section, set Profile to the custom profile you created in steps 4 and 5.

  11. In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view the CRM content files and is required to list and take actions on the Salesforce CRM Content or Library files.

  12. When finished, click Save.

Netskope recommends adding the Netskope public IP address ranges to the trusted IP ranges in Salesforce. This ensures that events and notifications are exchanged between Salesforce and API Data Protection without restriction. To add the IP addresses:

  1. Log in to login.salesforce.com.

  2. On the top right, click Setup > Setup.

  3. In the left navigation bar, go to Settings > Security > Network Access.

  4. Click New beside Trusted IP Ranges.

  5. In the Trusted IP Range Edit page, specify the Start IP Address and End IP Address.

    To get a pool of Netskope public IP addresses, log in to your Netskope tenant, and navigate to Settings > Security Cloud Platform > REVERSE PROXY > Office 365 Auth. Scroll down to the Netskope Source IP Address/Range section.
  6. Click Save.
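As an added example (not Netskope's or Salesforce's own code), the following Python converts an allowlist published as CIDR prefixes into the Start IP Address / End IP Address pairs that the Trusted IP Range Edit page expects, merges adjacent prefixes so fewer rows have to be typed in, and checks whether a given client address falls inside the resulting rows. The prefixes in it are constructed placeholders from the RFC 5737 documentation ranges, not the real Netskope addresses; take those from the Netskope Source IP Address/Range section described above.

```python
"""Build Salesforce Trusted IP Range rows from CIDR prefixes and test addresses.

Added example, not Netskope's or Salesforce's code. SAMPLE_RANGES are
constructed placeholders from the RFC 5737 documentation blocks; use the
real Netskope Source IP Address/Range values from your tenant instead.
"""
import ipaddress

SAMPLE_RANGES = [
    "192.0.2.0/24",         # placeholder, not a Netskope address
    "198.51.100.128/25",    # placeholder
    "203.0.113.7",          # a bare address is treated as a /32
]


def to_trusted_ip_ranges(prefixes):
    """Return (start, end) address pairs, one per Trusted IP Range row in Setup."""
    rows = []
    for prefix in prefixes:
        # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24),
        # which usually indicates a typo in the allowlist rather than intent.
        net = ipaddress.ip_network(prefix, strict=True)
        rows.append((str(net.network_address), str(net.broadcast_address)))
    return rows


def collapse(prefixes):
    """Merge adjacent or overlapping prefixes so fewer rows have to be entered."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_trusted(address, rows):
    """True if address lies within any row, inclusive of both ends, which is how
    Salesforce evaluates a Trusted IP Range. Handy when triaging a login or
    API failure by its source IP."""
    ip = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(s) <= ip <= ipaddress.ip_address(e)
               for s, e in rows)


if __name__ == "__main__":
    for start, end in to_trusted_ip_ranges(collapse(SAMPLE_RANGES)):
        print("Start IP Address: %-15s End IP Address: %s" % (start, end))
    print(is_trusted("192.0.2.17", to_trusted_ip_ranges(SAMPLE_RANGES)))
```

Trusted IP Ranges under Network Access are an org-level setting; they are not the same as the Login IP Ranges on a profile, which matter separately for the grant (see Grant Failure Due To Login IP Range below).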

Enable Listing of Private Files of Users

By default, a user's files are private in Salesforce, and Netskope has no visibility into private files because of a limitation of the Salesforce API. If you need visibility into such files, the Salesforce administrator can create a permission set that allows querying all users' private files and assign it to the user who grants Netskope access to the instance.

To create a permission set:

  1. Log in to login.salesforce.com as an administrator.

  2. On the home page, navigate to ADMINISTRATION > Users > Permission Sets.

  3. On the Permission Sets page, click New.

    The Create form opens.

  4. In Label, enter Query_All_Files.

  5. In Description, enter Enable this permission set to let your View All Data users bypass the restrictions on querying files.

  6. From the License drop-down list, select Salesforce.

  7. Click Save.

    You are navigated to the Query_All_Files permission set overview page.

  8. Under Apps, click App Permissions.

  9. Beside the App Permissions label, click Edit.

  10. Under App Permissions > Content, select the Query All Files checkbox.

  11. Click Save and confirm permission changes.

  12. Click Manage Assignments.

  13. Click Add Assignments.

  14. From the All Users list, select the user who will grant access to Netskope and click Assign and Done.
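The profile permissions from Configure Salesforce API Access and the user-level settings from that procedure and this one (profile assignment, Salesforce CRM Content User, and the Query_All_Files permission set) can be verified programmatically instead of by clicking through Setup. The following Python is an added example, not Netskope's or Salesforce's own code: it validates the JSON that the Salesforce REST query endpoint returns for three SOQL queries. The record payloads are constructed samples; the profile name Netskope_Introspection and the username are hypothetical; the Permissions* field names are those of the Profile, PermissionSet and User sObjects and should be confirmed against your API version. Because the page requires the permissions to be set directly on the profile, the check reads the Profile record rather than the user's effective permissions.

```python
"""Verify the Netskope profile, grant user and permission set in Salesforce.

Added example, not Netskope's or Salesforce's code. Each SAMPLE_* value is a
constructed stand-in for the JSON body that the REST /query endpoint returns
for the SOQL shown in the comment above it. Field names are assumed.
"""
import json

# Permissions the page requires directly on the custom profile
# (Profile sObject field name -> label shown in Setup).
REQUIRED_PROFILE_PERMS = {
    "PermissionsApiEnabled": "API Enabled",
    "PermissionsManageChatterMessages": "Manage Chatter Messages and Direct Messages",
    "PermissionsManageUnlistedGroups": "Manage Unlisted Groups",
    "PermissionsViewAllData": "View All Data",
    "PermissionsViewAllUsers": "View All Users",
}
# Needed only when the Salesforce BYOK feature is in use.
BYOK_PROFILE_PERMS = {"PermissionsManageEncryptionKeys": "Manage Encryption Keys"}

# SELECT Name, PermissionsApiEnabled, ... FROM Profile WHERE Name = 'Netskope_Introspection'
# Constructed sample; Manage Unlisted Groups is deliberately left off to show a finding.
SAMPLE_PROFILE_JSON = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{
        "attributes": {"type": "Profile"},
        "Name": "Netskope_Introspection",          # hypothetical profile name
        "PermissionsApiEnabled": True,
        "PermissionsManageChatterMessages": True,
        "PermissionsManageUnlistedGroups": False,
        "PermissionsViewAllData": True,
        "PermissionsViewAllUsers": True,
        "PermissionsManageEncryptionKeys": False,
    }],
})

# SELECT Username, IsActive, Profile.Name, UserPermissionsSFContentUser FROM User WHERE Username = '...'
SAMPLE_USER_JSON = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{
        "attributes": {"type": "User"},
        "Username": "netskope.api@example.com",    # hypothetical grant user
        "IsActive": True,
        "Profile": {"Name": "Netskope_Introspection"},
        "UserPermissionsSFContentUser": True,      # "Salesforce CRM Content User" checkbox
    }],
})

# SELECT PermissionSet.Name, PermissionSet.PermissionsQueryAllFiles
#   FROM PermissionSetAssignment WHERE Assignee.Username = '...'
SAMPLE_PSA_JSON = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{
        "attributes": {"type": "PermissionSetAssignment"},
        "PermissionSet": {"Name": "Query_All_Files", "PermissionsQueryAllFiles": True},
    }],
})


def _single_record(payload):
    """Parse a query response and insist on exactly one complete record."""
    body = json.loads(payload)
    if body.get("totalSize") != 1 or not body.get("done"):
        raise ValueError("expected exactly one record in a complete query result")
    return body["records"][0]


def check_profile(profile_json, byok=False):
    """Return labels of required permissions that are not enabled on the profile.

    Reads the Profile record itself: the page requires these permissions to be
    assigned directly to the profile, so permission-set grants must not count.
    """
    rec = _single_record(profile_json)
    required = dict(REQUIRED_PROFILE_PERMS)
    if byok:
        required.update(BYOK_PROFILE_PERMS)
    return [label for field, label in required.items() if rec.get(field) is not True]


def check_user(user_json, psa_json, expected_profile):
    """Return a list of problems with the user who will grant Netskope access."""
    user = _single_record(user_json)
    problems = []
    if user.get("IsActive") is not True:
        problems.append("user is inactive")
    if (user.get("Profile") or {}).get("Name") != expected_profile:
        problems.append("user is not on profile " + expected_profile)
    if user.get("UserPermissionsSFContentUser") is not True:
        problems.append("Salesforce CRM Content User is not enabled")
    assignments = json.loads(psa_json).get("records", [])
    if not any(a.get("PermissionSet", {}).get("PermissionsQueryAllFiles") is True
               for a in assignments):
        problems.append("no assigned permission set grants Query All Files")
    return problems


if __name__ == "__main__":
    print("profile is missing:", check_profile(SAMPLE_PROFILE_JSON))
    print("user problems:", check_user(SAMPLE_USER_JSON, SAMPLE_PSA_JSON,
                                        "Netskope_Introspection"))
```

Run the three queries with the API user of your choice and feed the raw response bodies to the two functions; an empty list from each means the configuration on this page is in place. Pass byok=True to check_profile only if you use the Salesforce BYOK feature.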

(Optional) Install Netskope Audit Reports and Legal Hold Destinations Apps

You can install the Netskope Audit Reports and Legal Hold Destinations apps if you need to view Salesforce audit events or preserve relevant information in a legal hold destination, respectively. Installing these apps is optional; DLP policy processing works as expected without them.

Netskope can support audit reports and legal hold destinations on your Salesforce account. If you plan to use one or both functionalities, you can get these apps from the Salesforce AppExchange portal.

There are two audit reports apps. Based on your Salesforce edition, install either version 1.0 or 2.0:

  • Professional Edition: Audit Reports v1.0. It uses synchronous Apex triggers to record audit events. If a user performs an edit operation on an audited object, Netskope's Skope IT displays both the old and the new value.

  • Enterprise and Unlimited Editions: Audit Reports v2.0. It uses asynchronous Apex triggers with Change Data Capture to record audit events. If a user performs an edit operation on an audited object, Netskope's Skope IT displays the new value only.

If you would like to install the apps on your Salesforce sandbox environment (test.salesforce.com), you can use the following links:

Install the apps before the API Data Protection instance is set up, so that the required custom objects are in place to receive records. Custom objects are placeholders for audit and/or legal hold data. For more information on custom objects, see the Salesforce documentation.

Install Netskope Audit Reports App

If you install Audit Reports v2.0, you should enable Change Data Capture for the five object types Netskope supports. To do so, follow the steps below:

  1. Log in to login.salesforce.com as an administrator.

  2. In the left navigation bar, go to PLATFORM TOOLS > Integrations > Change Data Capture.

  3. Move the following entities from Available Entities to Selected Entities:

    • Account (Account)

    • Case (Case)

    • Contact (Contact)

    • Lead (Lead)

    • Opportunity (Opportunity)

  4. Click Save.

To install the Netskope Audit Reports app, follow the steps below:

This procedure applies to Audit Reports v1.0 as well as v2.0.
  1. Access the appropriate link to install the Netskope Audit Reports app:

  2. Log in to login.salesforce.com as an administrator.

  3. On the Install Package page, review the package details and select the user base for which to install the app. Choose one of the following options:

    • Install for Admins Only – Installs the package for Salesforce admin users only. Netskope gets triggers/events for admin users only.

    • Install for All Users – Installs the package for all users. Netskope gets triggers/events for all users.

      This install type does not apply to the following users/profiles in Salesforce: Customer Portal User, Customer Portal Manager, High Volume Customer Portal, Authenticated Website, Partner User, and standard profiles.
    • Install for Specific Profiles – Installs the package for users for a specific profile. Netskope gets triggers/events for users who belong to the specific profile.

      In the Select Specific Profiles section of the page, scroll down to the custom profile you created in Configure Salesforce API Access and assign Full Access as the access level to this profile. In the figure below, Introspection_Admin is the custom profile created.

      By default, access level for the System Administrator installing the app package is set to Full Access.
  4. Select the acknowledge checkbox, and then click Install.

  5. Upon successful installation, click Done.

    Upon successful installation, the necessary apex triggers and a custom object Netskope Audit Log are created.

After installing the Netskope Audit Reports app, go to Administration > Users > Profiles in Setup and click the custom profile you created in Configure Salesforce API Access. On the profile details page, click Edit, scroll down to the Custom Object Permissions section, and verify that all permissions are enabled for the Netskope Audit Log object. If not, enable all the check boxes for Netskope Audit Log.

  • At any point in time, Netskope retains audit data from the last twenty-four hours. Anything older is deleted.
  • Netskope records audit activities only for the profiles / users granted at the time of installing the package.
  • If you later want audit activities recorded for additional users or profiles, reinstall the package as described in steps 3-5 above, selecting the wider user base.

Netskope uses the triggers to capture audit events. You can view these events by logging in to the Netskope tenant and navigating to Skope IT > Application Events. For additional information on the audit events, see Salesforce Audit Events.

If you have installed Audit Reports v2.0 and a user performs an edit operation on an audited object, Netskope's Skope IT displays the new value only. The old value is not displayed.

Upgrade Audit Reports v1.0 to v2.0

Existing customers who have already installed Audit Reports v1.0 can upgrade to Audit Reports v2.0. However, you can upgrade only if you have an Enterprise or Unlimited Edition of Salesforce. The broad steps to upgrade are:

  1. Enable Change Data Capture for the five object types Netskope supports on your Salesforce account. Follow the steps in the previous procedure.

  2. Access the Audit Reports v2.0 app from https://login.salesforce.com/packaging/installPackage.apexp?p0=04t0K000001VLOf&isdtp=p1.

  3. When prompted to upgrade, select the user base you want to install the app for, select the acknowledge checkbox, and then click Upgrade.


Install Netskope Legal Hold Destinations App

To install the Netskope Legal Hold Destinations app, access this link at https://login.salesforce.com/packaging/installPackage.apexp?p0=04t28000000VfUV, and then follow the steps 2-5 as described in Install Netskope Audit Reports App.

After the installation of the app package, two custom objects and two tabs get created. The users who are assigned the custom profile or system administrator profile have access to these objects and tabs. These tabs can be accessed from App Launcher in the Salesforce home page.

In Setup, go to PLATFORM TOOLS > Objects and Fields > Object Manager to view the custom objects that are used as legal hold destinations.

Define Legal Hold Destinations

There are three legal hold destinations used in Salesforce. They are:

  • Netskope Legal Hold Message: This is a custom object to store legal hold copies of Chatter messages present in Chatter conversations. This object and the associated fields get created automatically after installing the Netskope Legal Hold App from the Salesforce AppExchange portal.

  • Netskope Legal Hold Structure Data: This is a custom object to store legal hold copies of Chatter posts and structured data such as account, contact, lead, and more, and a mapping record for legally held messages of a Chatter conversation. This object and the associated fields get created automatically after installing the Netskope Legal Hold App from the Salesforce AppExchange portal.

  • Netskope Legal Hold Group: For legal hold of Salesforce files, documents, attachments, a dedicated destination is required. Netskope uses a Chatter group called Netskope Legal Hold Group for this purpose. Legally held files, documents, attachments can be listed and accessed from this Chatter group. Follow the steps below to create a Chatter group:

    1. Login to login.salesforce.com.

    2. Go to App Launcher > View All and click Salesforce Chatter and click the Chatter tab.

    3. On the left navigation, click the + icon (as part of Recent Groups) to create a new Chatter group.

    4. In the New Group window, enter the name of the group as Netskope Legal Hold Group.

    5. Select the Disable automatic archiving checkbox. This ensures that the group remains active.

    6. In the Access Type drop-down list, select Private. This ensures that only members can see updates, and that membership requires approval.

    7. Click Save & Next > Next > Done to finish the Chatter group creation setup.

Configure Netskope Access for Salesforce

To configure the API connectors, you need to authorize Netskope as a web application client to access your Salesforce instance.

To authorize Netskope to access your Salesforce instance:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.

  2. Select the Salesforce icon, and then click Setup Instance.

  3. The Setup Instance window opens. Enter the following details:

    • In the INSTANCE NAME field, enter the organization name or ID of your Salesforce account. To locate them, log in to your salesforce.com account and navigate to Setup > Settings > Company Settings > Company Information; note down the Organization Name or the Salesforce.com Organization ID.

      • Under a single organization name, you can create one production and one sandbox instance only in the Netskope tenant.
      • In order to set up more than one Salesforce instance under the same organization name, Netskope recommends using the organization ID of the Salesforce instances as the instance name in the Netskope tenant.
    • In the INSTANCE TYPE field, select the appropriate features from the following options:

      • API Data Protection: Select this option to allow Netskope to scan your SaaS app instance to list files, users, and other enterprise data.

      • To use the Legal Hold feature in Salesforce, enable the Legalhold checkbox. Make sure that you have the Legal Hold app installed from the Salesforce AppExchange portal as described in (Optional) Install Netskope Audit Reports and Legal Hold Destinations Apps. When successfully enabled, you can create policies to place files and chatter messages on legal hold.

      • Malware: Select this option to detect malware in files, emails, attachments, chat messages, posts etc. For more information to set up malware, see Creating a Threat Protection Policy for API Data Protection.

      • To get audit reports in Salesforce, enable the Auditreports checkbox. Make sure you have the Audit Reports app installed from the Salesforce AppExchange portal as described in (Optional) Install Netskope Audit Reports and Legal Hold Destinations Apps.

      • To use the Bring Your Own Key feature in Salesforce, enable the Byok checkbox. Doing so creates a Salesforce Key Management page in the API Data Protection dashboard where you configure the required tenant secret and certificate. See Salesforce Key Management in the API Data Protection dashboard.

        Salesforce Key Management is a feature that lets customers use Salesforce's Bring Your Own Key (BYOK) feature to encrypt Salesforce data at rest, with Netskope providing the option of rotating and managing these keys from the Netskope console. This feature is now deprecated: Netskope will not support it in any new commercial or federal Netskope data center.
        Deprecation means only that you cannot rotate or manage the encryption keys from Netskope. You can continue using the BYOK feature within Salesforce without affecting Netskope's API Data Protection for Salesforce.
        Specifically:
        • For new Salesforce app instances, the UI does not show a BYOK checkbox. New instances cannot enable BYOK.
        • Existing Salesforce app instances that have not enabled BYOK cannot enable it going forward.
        • Existing Salesforce app instances that are using BYOK can disable BYOK. However, once disabled, it cannot be re-enabled.
        • The Salesforce Key Management page under the API Data Protection dashboard is not available for tenants that have not enabled BYOK.
        • For existing Salesforce app instances that have enabled BYOK, the feature continues to work as expected.
      • Security Posture: Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards.

        This feature is part of the Netskope SaaS Security Posture Management solution. For additional configuration requirement, read SaaS Security Posture Management.
    • Select the type of Salesforce account you want for the API Data Protection; production, or sandbox.

      Select the production account type if connecting a developer edition instance created in developer.salesforce.com. The sandbox account type is only intended for sandbox organizations, which are copies of production organizations and not the same as a Salesforce organization with a developer edition license.
    • Enter the username of the Salesforce user that will grant access to API Data Protection. The username should be the same user who has the Query All Files permission set in Salesforce as per step 14 under Enable Listing of Private Files of Users.

      API Data Protection can send a notification to the instance administrator if the API token that is used to grant access has expired. Netskope sends an email notification to the instance administrator (instance setup page > admin email field) every 24 hours until the administrator performs a re-grant access. Ensure that the administrator email address is an actual user.
      In Salesforce, the administrator email is a Salesforce email ID. Salesforce requires setting up of email service to handle inbound emails to such email addresses. If the email service is not configured, the email delivery will fail. Ensure that the email service is set up for the administrator email in Salesforce. To learn more: Email Services.
  4. Click Save, then click Grant Access for the app instance you just created. You are prompted to log in with your admin username and password, accept the permissions, and then click Grant. When the configuration results page opens, click Close.

    API Data Protection can monitor Salesforce Chatter posts. A Chatter post is a message posted in a private or public Chatter group. To allow API Data Protection to monitor Chatter posts, contact Netskope Support. Once Chatter post monitoring is enabled, Salesforce may send multiple notifications to API Data Protection for a single post, which consumes more of your API call allowance.

Refresh your browser and you will see a green check icon next to the instance name.

Grant Failure Due To Login IP Range

The grant access may fail if the Salesforce username has any Login IP Ranges configured in Salesforce. Log in to your Salesforce account and verify if the user profile associated with the username has Login IP Ranges configured. If configured, follow the procedure below. The following procedure will ensure that the grant goes through successfully.

  1. Log in to login.salesforce.com.

  2. On the top right, click Setup > Setup.

  3. On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Connected Apps OAuth Usage.

  4. Beside the Netskope Introspection for Salesforce app, click Install.

    A new window opens. Click Install.

  5. On the Netskope Introspection for Salesforce Connected app page, click Edit Policies.

  6. Under OAuth Policies, set IP Relaxation to Relax IP restrictions.

  7. Click Save.

  8. Log back in to your Netskope tenant and grant access to your Salesforce app.

    The grant should go through successfully.

  9. (Optional) After the grant succeeds, you can roll IP Relaxation back to Enforce IP restrictions. Do this only if the Netskope source IP ranges are included in the Login IP Ranges of the grant user's profile: with IP restrictions enforced, API calls made with the token from addresses outside those ranges are rejected, and the Trusted IP Ranges configured under Network Access do not substitute for the profile's Login IP Ranges.

Netskope API Data Protection OAuth Refresh Token Policy

Once you have successfully granted access, the Salesforce administrator should ensure that the Netskope API Data Protection OAuth refresh token is valid until revoked. To do so:

  1. Log in to login.salesforce.com.

  2. On the top right, click Setup > Setup.

  3. On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Manage Connected Apps.

  4. Click the Netskope Introspection for Salesforce app.

  5. Click Edit Policies.

  6. Under OAuth Policies, set Refresh Token Policy to Refresh token is valid until revoked.

  7. Click Save.

What Files does Netskope Inspect for DLP?

Salesforce’s API integration with Netskope can inspect files that are uploaded and accessible by other users in the account. Netskope uses APIs and permissions specified by Salesforce to scan these files for sensitive content as per policies set in the Netskope UI. The policies can either take an alert or legal hold action based on the policy definition and when a file matches a DLP profile.

However, there are limitations, based on how the Salesforce API works and on the information it returns to Netskope in an API call. The following summarizes them by location:

    Files tab
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: Yes
      Notes: For files uploaded by non-administrator users, complete Enable Listing of Private Files of Users.

    Chatter
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: Yes
      Notes: Contact Netskope Technical Support to get this enabled.

    Documents tab
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: Yes
      Notes: The Salesforce API returns files and folders that are configured as "Accessible to all users". Files and folders set as "Private" or shared only with specific users are not returned by the API.

    Attachments to standard objects
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: Yes

    Salesforce CRM Content
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: Yes
      Notes: The Salesforce API returns content for shared libraries only. It does not return content for private libraries.

    Salesforce Knowledge Base
      Uploaded by: Administrator or non-administrator user
      DLP scanning possible: No

(Optional) Delete the Salesforce App Instance

This procedure should be followed only if you want to decommission the Salesforce and Netskope integration.

If you intend to delete the Salesforce app instance from the Netskope UI, first uninstall the Netskope Audit Reports and Legal Hold Destinations apps from your Salesforce account. To do so, log in to your Salesforce account and, on the Setup home page, navigate to PLATFORM TOOLS > Apps > Packaging > Installed Packages. Under Action, click Uninstall. Also revoke the OAuth access granted to the Netskope Introspection for Salesforce connected app: because its refresh token policy was set to valid until revoked, the token remains usable until an administrator revokes it.
