Configure Salesforce for the Next Generation API Data Protection
To configure Salesforce for the Next Generation API Data Protection, you need to authorize Netskope as a web application client to access your Salesforce instance.
There are three parts to this procedure that you must follow in order:
- Configure Salesforce API Access for Salesforce User
- Configure Salesforce Instance in Netskope UI
- Configure Netskope CASB API Salesforce OAuth Policies
Prerequisite
Before configuring Salesforce for the Next Generation API Data Protection, review the prerequisites.
Ensure you are using a Salesforce edition with API access:
- Enterprise
- Unlimited
- Performance
Configure Salesforce API Access for Salesforce User
Create Netskope Next Generation API Permission Set
- Log in to login.salesforce.com with a Salesforce System Admin account.
- On the top right, click Setup > Setup.
- In the left navigation bar, go to ADMINISTRATION > Users > Permission Sets.
- Click New and enter Label as Netskope Next-Gen API. The API Name is auto-filled accordingly. Then, under License, select Salesforce. Click Save.
- Scroll down to the System section and click System Permissions.
- Click Edit and enable the following permissions:

| System Permission | Description | Netskope Use Case |
| --- | --- | --- |
| API Enabled | Access any Salesforce.com API. | The basic permission to make API calls, allowing Netskope to access your Salesforce data. |
| Manage Chatter Messages and Direct Messages | Allows access to all users' messages sent in Chatter. | Allow access to Salesforce Chatter messages for ongoing or retroactive scans. |
| Manage Unlisted Groups | Allow the user to view and moderate unlisted Chatter groups. Only users with the Manage Unlisted Groups permission can access or modify an unlisted group and its files and feed content without a membership. | Allow access to Chatter feeds and files posted in unlisted groups for ongoing or retroactive scans. |
| View All Data | Allow the user to view all the data in the organization. | Allow access to Salesforce objects to perform ongoing or retroactive scans. |
| Modify All Data | Allow the user to modify all data in the organization. | Allow file quarantine remediation, or any other remediation action supported in the future. |
| View All Users | Allow the user to view all users in the organization, regardless of sharing settings configuration. | Allow access to list all users in the organization. |

  When finished, scroll to the top of the page and click Save.
- Click Save in the pop-up confirmation window.
- Click the System Permissions drop-down and select App Permissions.
- Click Edit and enable the following permission:

| App Permission | Description | Netskope Use Case |
| --- | --- | --- |
| Query All Files | With the Query All Files permission, View All Data users can query ContentDocument and ContentVersion and retrieve all files in the organization, including files in non-member libraries and files in unlisted groups. | Allow access to all Salesforce files that are private (by default, a user's file is private in Salesforce) to perform ongoing or retroactive scans. |

  When finished, scroll to the top of the page and click Save.
- Click Save in the pop-up confirmation window.
Create User and Assign Netskope Next Generation API Permission Set
- Log in to login.salesforce.com with a Salesforce System Admin account.
- On the top right, click Setup > Setup.
- In the left navigation bar, go to ADMINISTRATION > Users > Users.
- Click New User to create a new user dedicated to Netskope. You could also click Edit to modify an existing user, but be aware that the Netskope integration will break if that existing user is later disabled or deleted.
- In the User Edit > General Information section, ensure User License is set to Salesforce and Profile is set to Minimum Access – Salesforce.
- In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view CRM content files and is required to list and take actions on Salesforce CRM Content or Library files. When finished, click Save.
- In the left navigation bar, go to ADMINISTRATION > Users > Permission Sets. Then click the previously created Netskope Next-Gen API permission set.
- Click Manage Assignments.
- On the top right, click Add Assignment, and select the user you created in the previous steps. Then click Next.
- Select No expiration date and click Assign on the bottom right.
- Click Done on the bottom right to finish the permission assignment.
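As an added example (not part of the Netskope documentation and not code from Netskope or Salesforce), the following Python helper audits the result of the two procedures above, the permission set and its assignment, so an administrator can confirm the dedicated user holds exactly the seven permissions in the tables and nothing more. It builds the SOQL query to fetch the permission set, checks a returned record for the required flags and for any other Permissions* flag that is switched on, and checks that the PermissionSetAssignment records for the set point at an active user with no expiration date. The Permissions* field names, the ExpirationDate field and the Assignee relationship are assumed Salesforce sObject API names; the record dictionaries are constructed sample data with placeholder Ids, not real query output.

```python
"""Audit helper for the Netskope Next-Gen API permission set and its assignment.

Added example, not Netskope or Salesforce code. Field names on PermissionSet and
PermissionSetAssignment are assumed sObject API names; verify them against the
API version of your org before relying on the query.
"""

# Permissions the procedure enables, mapped to the assumed PermissionSet field names.
REQUIRED_PERMISSIONS = {
    "API Enabled": "PermissionsApiEnabled",
    "Manage Chatter Messages and Direct Messages": "PermissionsManageChatterMessages",
    "Manage Unlisted Groups": "PermissionsManageUnlistedGroups",
    "View All Data": "PermissionsViewAllData",
    "Modify All Data": "PermissionsModifyAllData",
    "View All Users": "PermissionsViewAllUsers",
    "Query All Files": "PermissionsQueryAllFiles",
}


def soql_quote(value):
    """Escape a string for use inside SOQL single quotes (backslash, then quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_permission_set_query(label="Netskope Next-Gen API"):
    """SOQL that fetches the permission set by label with every flag to be audited."""
    fields = ["Id", "Label"] + sorted(REQUIRED_PERMISSIONS.values())
    return (f"SELECT {', '.join(fields)} FROM PermissionSet "
            f"WHERE Label = '{soql_quote(label)}'")


def audit_permission_set(record):
    """Return (missing, extra) for one PermissionSet record (a dict as returned by
    the REST query endpoint). 'missing' lists required permissions that are off;
    'extra' lists any other Permissions* flag that is on, i.e. privilege the
    integration does not need."""
    missing = sorted(name for name, field in REQUIRED_PERMISSIONS.items()
                     if not record.get(field, False))
    required = set(REQUIRED_PERMISSIONS.values())
    extra = sorted(field for field, value in record.items()
                   if field.startswith("Permissions") and value is True
                   and field not in required)
    return missing, extra


def audit_assignments(assignments, permission_set_id):
    """Check PermissionSetAssignment records for the set. Returns a list of
    findings; an empty list means the assignment matches the procedure
    (at least one active assignee, no expiration date)."""
    findings = []
    mine = [a for a in assignments if a.get("PermissionSetId") == permission_set_id]
    if not mine:
        findings.append("no user is assigned the permission set")
    for a in mine:
        who = a.get("AssigneeId")
        if a.get("ExpirationDate"):
            findings.append(f"assignment for {who} expires on {a['ExpirationDate']}; "
                            "the procedure requires No expiration date")
        if (a.get("Assignee") or {}).get("IsActive") is False:
            findings.append(f"assignee {who} is inactive; the integration will stop working")
    return findings


# Constructed sample records (placeholder Ids), shaped like REST query results.
PS_ID = "0PS000000000001AAA"
SAMPLE_PERMISSION_SET = {
    "Id": PS_ID, "Label": "Netskope Next-Gen API",
    "PermissionsApiEnabled": True, "PermissionsManageChatterMessages": True,
    "PermissionsManageUnlistedGroups": True, "PermissionsViewAllData": True,
    "PermissionsModifyAllData": True, "PermissionsViewAllUsers": True,
    "PermissionsQueryAllFiles": True, "PermissionsAuthorApex": False,
}
# The same set after Query All Files was dropped and Author Apex was added.
SAMPLE_DRIFTED_SET = dict(SAMPLE_PERMISSION_SET,
                          PermissionsQueryAllFiles=False, PermissionsAuthorApex=True)
SAMPLE_ASSIGNMENTS = [
    {"PermissionSetId": PS_ID, "AssigneeId": "005000000000001AAA",
     "ExpirationDate": None, "Assignee": {"IsActive": True}},
]
SAMPLE_BAD_ASSIGNMENTS = [
    {"PermissionSetId": PS_ID, "AssigneeId": "005000000000002AAA",
     "ExpirationDate": "2025-01-31", "Assignee": {"IsActive": False}},
]

if __name__ == "__main__":
    print(build_permission_set_query())
    print("good set:", audit_permission_set(SAMPLE_PERMISSION_SET))
    print("drifted set:", audit_permission_set(SAMPLE_DRIFTED_SET))
    print("good assignment:", audit_assignments(SAMPLE_ASSIGNMENTS, PS_ID))
    print("bad assignment:", audit_assignments(SAMPLE_BAD_ASSIGNMENTS, PS_ID))
```

To use it against a real org, send the string from build_permission_set_query to the REST query endpoint (/services/data/vXX.X/query?q=..., with your API version in place of vXX.X) and pass the first returned record to audit_permission_set; a non-empty extra list is the signal that the dedicated user has drifted beyond the permissions the integration needs, which matters because that user later receives a refresh token that is valid until revoked.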
Configure Salesforce Instance in Netskope UI
To authorize Netskope to access your Salesforce account, follow the steps below:
- Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
- Under Apps, select Salesforce and click Setup CASB API Instance. The Setup Instance window opens.
- Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.
- Under Site Domain, enter the fully qualified domain name of your Salesforce account (e.g. example.my.salesforce.com).
- Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
- Click Grant Access. You will be redirected to the Salesforce sign-in page.
- Log in using the Salesforce user account you configured in the previous Configure Salesforce API Access for Salesforce User section.
- In the Salesforce pop-up window, click Allow. Netskope requests the full-access OAuth scope, so the consent screen lists all scopes. The data Netskope can actually access is still restricted by the administrative permissions granted to the user in the previous section.
- When the configuration results page opens, click Close. Refresh your browser and you will see a green check icon next to the instance name.
Configure Netskope CASB API Salesforce OAuth Policies
Once you have successfully granted access, the Salesforce administrator should set up OAuth policies as follows to ensure integration with Netskope works as expected.
- Log in to login.salesforce.com with a Salesforce System Admin account.
- On the top right, click Setup > Setup.
- On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Connected Apps OAuth Usage.
- Beside the Netskope CASB API Salesforce app, click Install. A new window opens. Click Install.
- On the Netskope CASB API Salesforce Connected App page, click Edit Policies.
- Under OAuth Policies, set:
  - IP Relaxation to Relax IP restrictions.
  - Refresh Token Policy to Refresh token is valid until revoked.
- Click Save.
Next, you can view the Next Generation API Data Protection Inventory page to get deep insights into the various entities in your Salesforce account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.
You can receive audit events and standard user behavior analytics alerts in Skope IT. For more information, see Next Generation API Data Protection Skope IT Events.
Next, configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.