Configure Salesforce for the Next Generation API Data Protection
To configure Salesforce for the Next Generation API Data Protection, you need to authorize Netskope as a web application client to access your Salesforce instance.
There are three parts to this procedure that you must follow in order:
- Configure Salesforce API Access for Salesforce User
- Configure Salesforce Instance in Netskope UI
- Configure Netskope CASB API Salesforce OAuth Policies
Prerequisite
Before configuring Salesforce for the Next Generation API Data Protection, review the prerequisites.
Ensure you are using a Salesforce edition that includes API access:
- Enterprise
- Unlimited
- Performance
Configure Salesforce API Access for Salesforce User
1. Log in to login.salesforce.com with a Salesforce System Admin account.
2. On the top right, click Setup > Setup.
3. In the left navigation bar, go to ADMINISTRATION > Users > Profiles.
4. Click Clone beside the System Administrator profile. If you clone any other user profile, ensure that the profile has an active Salesforce license.
5. On the Clone Profile page, enter Netskope Next-Gen API as the profile name and make sure the User License shows Salesforce. When finished, click Save.
6. After creating the custom profile, click Edit to modify it.
7. Scroll down to the Administrative Permissions section of the custom profile and enable the following permissions. You must assign the permissions directly to the profile; do not add them through permission sets.

   | Administrative Permission | Description | Netskope Use Case |
   | --- | --- | --- |
   | API Enabled | Access any Salesforce.com API. This is the basic permission needed to make API calls. | Lets Netskope API Data Protection connect to Salesforce. |
   | Manage Chatter Messages and Direct Messages | Allows access to all users' messages sent in Chatter. | Allows access to Salesforce Chatter messages for ongoing or retroactive scans. |
   | Manage Unlisted Groups | Allows the user to view and moderate unlisted Chatter groups. Only users with this permission can access or modify an unlisted group and its files and feed content without being a member. | Allows access to Chatter feeds and files posted in unlisted groups for ongoing or retroactive scans. |
   | View All Data | Allows the user to view all data in the organization. | Allows access to Salesforce objects for ongoing or retroactive scans. |
   | Query All Files | With this permission, View All Data users can query ContentDocument and ContentVersion and retrieve all files in the organization, including files in non-member libraries and files in unlisted groups. | Allows access to all private Salesforce files (by default, a user's file is private in Salesforce) for ongoing or retroactive scans. |
   | Modify All Data | Allows the user to modify all data in the organization. | Allows file quarantine remediation, or any other remediation action supported in the future. |
   | View All Users | Allows the user to view all users in the organization, regardless of the sharing settings configuration. | Allows Netskope to list all users in the organization. |

   When finished, click Save.
8. Click New User to create a new user dedicated to Netskope. You could also click Edit to modify an existing user, but be aware that the Netskope integration breaks if that existing user is later disabled or deleted.
9. In the User Edit > General Information section, ensure User License is set to Salesforce and Profile is set to Netskope Next-Gen API, the profile created in step 5.
10. In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view CRM content files and is required to list and take actions on Salesforce CRM Content or Library files.
11. When finished, click Save.
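The profile and user settings above are easy to get subtly wrong (a permission granted through a permission set instead of on the profile, or CRM Content User left off), so it is worth verifying them with a query rather than by eye. The following is an added example, not Netskope's or Salesforce's code: it takes the JSON envelope returned by the Salesforce REST query endpoint for a Profile query and a User query and lists every deviation from the checklist. The Profile/User field API names (`PermissionsApiEnabled`, `PermissionsQueryAllFiles`, `UserPermissionsSFContentUser`, and so on) are assumed to follow Salesforce's standard naming and should be confirmed against your org's object describe; the sample responses are constructed, not captured from a real org.

```python
"""Audit the Netskope integration profile and user against the checklist.

Expects the JSON envelope of the Salesforce REST query endpoint
(/services/data/vNN.N/query?q=...) for queries like these (assumed field names):

  SELECT Name, UserLicense.Name, PermissionsApiEnabled, PermissionsManageChatterMessages,
         PermissionsManageUnlistedGroups, PermissionsViewAllData, PermissionsQueryAllFiles,
         PermissionsModifyAllData, PermissionsViewAllUsers
  FROM Profile WHERE Name = 'Netskope Next-Gen API'

  SELECT Username, IsActive, Profile.Name, UserPermissionsSFContentUser
  FROM User WHERE Username = '<integration user>'
"""
import json

PROFILE_NAME = "Netskope Next-Gen API"

# Assumed Profile permission field name -> label shown in Setup.
# Querying the Profile object (not PermissionSet) is deliberate: the permissions
# must be on the profile itself, and permission-set grants would not show here.
REQUIRED_PROFILE_PERMISSIONS = {
    "PermissionsApiEnabled": "API Enabled",
    "PermissionsManageChatterMessages": "Manage Chatter Messages and Direct Messages",
    "PermissionsManageUnlistedGroups": "Manage Unlisted Groups",
    "PermissionsViewAllData": "View All Data",
    "PermissionsQueryAllFiles": "Query All Files",
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsViewAllUsers": "View All Users",
}


def _single_record(envelope: dict, what: str) -> dict:
    """Return the one record in a query envelope; fail loudly on 0 or >1."""
    records = envelope.get("records", [])
    if envelope.get("totalSize") != 1 or len(records) != 1:
        raise ValueError(f"expected exactly one {what} record, got {len(records)}")
    return records[0]


def audit_profile(profile: dict) -> list[str]:
    """License must be Salesforce and every required flag must be True on the profile."""
    findings = []
    license_name = (profile.get("UserLicense") or {}).get("Name")
    if license_name != "Salesforce":
        findings.append(f"User License is {license_name!r}, expected 'Salesforce'")
    for api_name, label in REQUIRED_PROFILE_PERMISSIONS.items():
        if profile.get(api_name) is not True:
            findings.append(f"profile lacks {label} ({api_name})")
    return findings


def audit_user(user: dict) -> list[str]:
    """Integration user must be active, on the cloned profile, and a CRM Content User."""
    findings = []
    if user.get("IsActive") is not True:
        findings.append("integration user is inactive; the Netskope grant will stop working")
    profile_name = (user.get("Profile") or {}).get("Name")
    if profile_name != PROFILE_NAME:
        findings.append(f"user profile is {profile_name!r}, expected {PROFILE_NAME!r}")
    if user.get("UserPermissionsSFContentUser") is not True:
        findings.append("Salesforce CRM Content User is not enabled (needed for Library files)")
    return findings


def audit(profile_json: str, user_json: str) -> list[str]:
    """Parse both query envelopes and return all findings (empty list = compliant)."""
    profile = _single_record(json.loads(profile_json), "Profile")
    user = _single_record(json.loads(user_json), "User")
    return audit_profile(profile) + audit_user(user)


# Constructed sample responses: the profile is missing Query All Files and the
# user has CRM Content User switched off, so the audit reports two findings.
SAMPLE_PROFILE = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{
        "attributes": {"type": "Profile"},
        "Name": PROFILE_NAME,
        "UserLicense": {"Name": "Salesforce"},
        "PermissionsApiEnabled": True,
        "PermissionsManageChatterMessages": True,
        "PermissionsManageUnlistedGroups": True,
        "PermissionsViewAllData": True,
        "PermissionsQueryAllFiles": False,
        "PermissionsModifyAllData": True,
        "PermissionsViewAllUsers": True,
    }],
})
SAMPLE_USER = json.dumps({
    "totalSize": 1, "done": True,
    "records": [{
        "attributes": {"type": "User"},
        "Username": "netskope.api@example.com",
        "IsActive": True,
        "Profile": {"Name": PROFILE_NAME},
        "UserPermissionsSFContentUser": False,
    }],
})

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE, SAMPLE_USER):
        print("FINDING:", finding)
```

Run it against the real envelopes after step 11 and again whenever the profile is edited; an empty result means the profile and user still match the checklist, and a `ValueError` means the query matched zero or several records, which usually indicates the profile name or username is wrong.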
Configure Salesforce Instance in Netskope UI
To authorize Netskope to access your Salesforce account, follow the steps below:
1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
2. Under Apps, select Salesforce and click Setup CASB API Instance. The Setup Instance window opens.
3. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.
4. Under Site Domain, enter the fully qualified domain name of your Salesforce account (for example, example.my.salesforce.com).
5. Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
6. Click Grant Access. You are redirected to the Salesforce sign-in page.
7. Log in using the Salesforce user account you configured in the Configure Salesforce API Access for Salesforce User section above.
8. In the Salesforce pop-up window, click Allow. Netskope requests the full access OAuth scope, so the permission list includes all scopes; the data Netskope can actually access is still restricted by the Administrative Permissions granted to the profile.
9. When the configuration results page opens, click Close. Refresh your browser and you will see a green check icon next to the instance name.
Configure Netskope CASB API Salesforce OAuth Policies
Once you have successfully granted access, the Salesforce administrator should set up the OAuth policies as follows to ensure the integration with Netskope works as expected.
1. Log in to login.salesforce.com with a Salesforce System Admin account.
2. On the top right, click Setup > Setup.
3. In the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Connected Apps OAuth Usage.
4. Beside the Netskope CASB API Salesforce app, click Install. A new window opens; click Install.
5. On the Netskope CASB API Salesforce connected app page, click Edit Policies.
6. Under OAuth Policies, set:
   - IP Relaxation to Relax IP restrictions.
   - Refresh Token Policy to Refresh token is valid until revoked.
7. Click Save.
Next, you can view the Next Generation API Data Protection Inventory page for detailed insight into the entities in your Salesforce account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.
You can receive audit events and standard user behavior analytics alerts in Skope IT. For more information, see Next Generation API Data Protection Skope IT Events.
Finally, configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.