Configure Salesforce Instance for SaaS Security Posture Management
The installation instructions describe how to integrate your Salesforce account with Netskope. To configure Salesforce for SaaS Security Posture Management, you need to authorize Netskope as a web application client to access your Salesforce account. There are two parts to this procedure:
- Configure Salesforce API Access
- Configure Salesforce Instance in Netskope UI
Configure Salesforce API Access
To authorize Netskope as a web application client to access your Salesforce instance, you should create a custom profile on the Salesforce portal.
1. Log in to login.salesforce.com.
2. In the left navigation bar, go to Administration > Users > Profiles.
3. Clone a system administrator user profile. Ensure that the user profile has an active “Salesforce” license. In this example, click Clone beside System Administrator.
4. On the Clone Profile page, enter a profile name and make sure the User License shows Salesforce. When finished, click Save.
5. After creating the custom profile, click Edit to modify it. You must assign the permissions directly to the profile; do not add them through permission sets.
6. Scroll down to the Administrative Permissions section of the custom profile. Keep the default permissions as they are and enable the following permissions:
   - API Enabled
   - Modify Metadata Through Metadata API Functions
   - View All Data
   - View All Users
7. Keep the remaining default permissions as they are and disable the following permissions:
   - Under Administrative Permissions, uncheck Modify All Data.
   - Under General User Permissions, uncheck Modify Data Classification.
   - Under Standard Object Permissions, uncheck the Modify All permission.
   - Under Custom Object Permissions, uncheck the Modify All permission.
   When finished, click Save.
   To know more about the permissions, see Permissions Required for Salesforce.
8. In the left navigation bar, go to Administration > Users > Users.
9. Click Edit to modify an existing user, or New User to define a new user.
10. In the User Edit > General Information section, set the User License to Salesforce.
11. In the User Edit > General Information section, set the Profile to the custom profile created in step 4.
12. In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view CRM content files and is required to list and take actions on Salesforce CRM Content or Library files.
13. When finished, click Save.
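The permission list above is a least-privilege profile: enough to read configuration and metadata, nothing that can modify records. The following added example (not Netskope's or Salesforce's code) audits a profile retrieved with the Salesforce Metadata API against that list, so the result can be checked before granting access rather than by eye in the UI. It assumes the Metadata API profile format (userLicense, userPermissions name/enabled pairs, objectPermissions with modifyAllRecords); ApiEnabled, ModifyAllData, ViewAllData and ViewAllUsers are the documented API names, while ModifyMetadata and ModifyDataClassification are assumed names for the two remaining labels and should be confirmed against a profile retrieved from your own org. The sample profiles are constructed.

```python
"""Audit a Salesforce Profile (Metadata API XML) against the SSPM permission list."""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# User permissions that must be enabled directly on the profile.
MUST_BE_ENABLED = {
    "ApiEnabled": "API Enabled",
    "ModifyMetadata": "Modify Metadata Through Metadata API Functions",  # assumed API name
    "ViewAllData": "View All Data",
    "ViewAllUsers": "View All Users",
}
# User permissions that must be unchecked (the scan is read-only).
MUST_BE_DISABLED = {
    "ModifyAllData": "Modify All Data",
    "ModifyDataClassification": "Modify Data Classification",  # assumed API name
}


def audit_profile(profile_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the profile matches the page."""
    root = ET.fromstring(profile_xml)
    findings = []

    # The user license must be Salesforce, as required on the Clone Profile page.
    license_ = root.findtext("md:userLicense", default="", namespaces=NS)
    if license_ != "Salesforce":
        findings.append(f"user license is {license_!r}, expected 'Salesforce'")

    # Collect <userPermissions> entries into {name: enabled}.
    enabled = {}
    for up in root.findall("md:userPermissions", NS):
        name = up.findtext("md:name", default="", namespaces=NS)
        enabled[name] = up.findtext("md:enabled", default="false", namespaces=NS) == "true"

    for name, label in MUST_BE_ENABLED.items():
        if not enabled.get(name, False):
            findings.append(f"missing required permission: {label}")
    for name, label in MUST_BE_DISABLED.items():
        if enabled.get(name, False):
            findings.append(f"excess permission must be unchecked: {label}")

    # Modify All must be off on every standard and custom object.
    for op in root.findall("md:objectPermissions", NS):
        obj = op.findtext("md:object", default="?", namespaces=NS)
        if op.findtext("md:modifyAllRecords", default="false", namespaces=NS) == "true":
            findings.append(f"Modify All is enabled on object {obj}")
    return findings


# Constructed sample: a fresh clone of System Administrator that has not been trimmed yet.
SAMPLE_UNTRIMMED = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userLicense>Salesforce</userLicense>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyMetadata</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ViewAllData</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <modifyAllRecords>true</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# Constructed sample: the same profile after steps 6 and 7 above.
SAMPLE_TRIMMED = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userLicense>Salesforce</userLicense>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyMetadata</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ViewAllData</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ViewAllUsers</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ModifyAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ModifyDataClassification</name></userPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
</Profile>
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_UNTRIMMED):
        print("untrimmed:", finding)
    print("trimmed:", audit_profile(SAMPLE_TRIMMED) or "no findings")
```

Running the audit on the untrimmed clone reports the missing View All Users permission, the excess Modify All Data permission and the Modify All flag still set on Account; the trimmed profile produces no findings. Because the check reads the profile itself, it also catches permissions that were granted through permission sets by mistake only indirectly: a permission that is required but absent from the profile XML is reported as missing even if a permission set supplies it, which is the behaviour the page asks for.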
To allowlist the Netskope SSPM gateway IP addresses in Salesforce:
- Log in to login.salesforce.com.
- In the left navigation bar, go to Settings > Security > Network Access.
- Click New beside Trusted IP Ranges.
- On the Trusted IP Range Edit page, specify the Start IP Address and End IP Address.
- Click Save.
To get the pool of Netskope public IP addresses, refer to Netskope SSPM gateway IP addresses for Salesforce Allowlisting.
Configure Salesforce Instance in Netskope UI
To authorize Netskope to access your Salesforce instance:
- Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.
- Select the Salesforce icon, and then click Setup Instance.
- The Setup Instance window opens. Enter the following details:
- In the INSTANCE NAME field, enter the organization name or ID of your Salesforce account. To locate the organization name or ID in salesforce.com, log in to the salesforce.com account. Navigate to Setup > Settings > Company Setting > Company Information and note down the Organization Name or Salesforce.com Organization ID.
- Instance Type: Select the Security Posture checkbox. Select this option to allow Netskope to continuously scan your SaaS app to identify and remediate risky SaaS app misconfigurations and align your security posture with best practices and compliance standards.
Important
Under a single organization name, you can create only one production and one sandbox instance in the Netskope tenant. To set up more than one Salesforce instance under the same organization name, Netskope recommends using the organization ID of each Salesforce instance as the instance name in the Netskope tenant.
Also, you have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).
- Select the type of Salesforce account you want for SaaS Security Posture Management: production or sandbox.
Note
Select the production account type if connecting a developer edition instance created in developer.salesforce.com. The sandbox account type is only intended for sandbox organizations, which are copies of production organizations and not the same as a Salesforce organization with a developer edition license.
- Enter the email address of the Salesforce user that will grant access to SaaS Security Posture Management.
Note
The email address entered during instance setup must match the one used when granting access.
- Click Save, then click Grant Access for the app instance you just created. You will be prompted to log in with your admin username and password, and then click Grant. When the configuration results page opens, click Close.
Refresh your browser, and you will see a green check icon next to the instance name.
Grant Failure Due To Login IP Range
The grant of access may fail if the Salesforce username has any Login IP Ranges configured in Salesforce. Log in to your Salesforce account and verify whether the user profile associated with the username has Login IP Ranges configured. If it does, follow the procedure below so that the grant succeeds.
- Log in to login.salesforce.com.
- On the top right, click Setup > Setup.
- On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Connected Apps OAuth Usage.
- Beside the Netskope Introspection for Salesforce app, click Install. A new window opens; click Install.
- On the Netskope Introspection for Salesforce Connected app page, click Edit Policies.
- Under OAuth Policies, set IP Relaxation to Relax IP restrictions.
- Click Save.
- Log back in to your Netskope tenant and grant access to your Salesforce app. The grant should now succeed.
- (Optional) After the grant succeeds, you can roll IP Relaxation back to Enforce IP restrictions.
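Both the Trusted IP Ranges under Network Access and a profile's Login IP Ranges are stored as start/end address pairs, and the usual cause of trouble is a gateway address that falls just outside a range that was typed by hand. The following added example (not Netskope's code) checks a list of gateway addresses against the configured ranges, collapses any uncovered addresses into the fewest contiguous start/end entries to add, and flags ranges wide enough to undermine the restriction. The gateway addresses and configured ranges are constructed placeholders: take the real gateway list from the Netskope SSPM gateway IP address page and the ranges from your own org. IPv4 only is assumed.

```python
"""Verify Salesforce start/end IP ranges cover the SSPM gateway addresses."""
import ipaddress


def parse_ranges(pairs):
    """Turn ("start", "end") strings into address pairs, rejecting reversed ranges."""
    out = []
    for start, end in pairs:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if e < s:
            raise ValueError(f"range end {end} precedes start {start}")
        out.append((s, e))
    return out


def uncovered(gateway_ips, ranges):
    """Return the gateway addresses that no configured range contains, in address order."""
    rngs = parse_ranges(ranges)
    missing = []
    for ip in map(ipaddress.ip_address, gateway_ips):
        if not any(s <= ip <= e for s, e in rngs):
            missing.append(ip)
    return sorted(missing)


def ranges_to_add(gateway_ips, ranges):
    """Collapse uncovered addresses into the fewest contiguous (start, end) entries.

    Consecutive addresses are merged into one range; anything else becomes a
    single-address range, so the allowlist grows by exactly the gateway
    addresses and nothing broader.
    """
    result = []
    for ip in uncovered(gateway_ips, ranges):
        if result and ip == result[-1][1] + 1:
            result[-1] = (result[-1][0], ip)
        else:
            result.append((ip, ip))
    return [(str(s), str(e)) for s, e in result]


def overly_broad(ranges, max_addresses=256):
    """Flag ranges admitting more than max_addresses hosts.

    A very wide trusted or login range quietly defeats the purpose of the
    restriction, so it is worth reporting alongside the coverage result.
    """
    return [(str(s), str(e)) for s, e in parse_ranges(ranges)
            if int(e) - int(s) + 1 > max_addresses]


# Constructed sample data (documentation addresses, not real Netskope gateways).
GATEWAY_IPS = ["192.0.2.12", "192.0.2.10", "198.51.100.5", "192.0.2.20", "192.0.2.11"]
CONFIGURED_RANGES = [("192.0.2.0", "192.0.2.9")]  # typed one address too short

if __name__ == "__main__":
    print("not covered:", [str(ip) for ip in uncovered(GATEWAY_IPS, CONFIGURED_RANGES)])
    print("ranges to add:", ranges_to_add(GATEWAY_IPS, CONFIGURED_RANGES))
    print("too broad:", overly_broad(CONFIGURED_RANGES))
```

With the sample data the configured range stops at 192.0.2.9, so all five gateway addresses are reported and the suggested additions are 192.0.2.10 to 192.0.2.12, 192.0.2.20 on its own and 198.51.100.5 on its own. Running the same check against the Login IP Ranges of the granting user's profile tells you, before you touch IP Relaxation, whether the range configuration is the reason a grant fails.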
Netskope SSPM OAuth Refresh Token Policy
Once you have successfully granted access, the Salesforce administrator should ensure that the Refresh Token Policy is set to Refresh token is valid until revoked. To do so:
- Log in to login.salesforce.com.
- On the top right, click Setup > Setup.
- On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Manage Connected Apps.
- Click the Netskope Introspection for Salesforce app.
- Click Edit Policies.
- Under OAuth Policies, set Refresh Token Policy to Refresh token is valid until revoked.
- Click Save.
Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.