Configure Salesforce Instance for SaaS Security Posture Management

The installation instructions describe how to integrate your Salesforce account with Netskope. To configure Salesforce for SaaS Security Posture Management, you need to authorize Netskope as a web application client to access your Salesforce account. There are two parts to this procedure:

  • Configure Salesforce API Access
  • Configure Salesforce Instance in Netskope UI

If you have already configured API Data Protection for Salesforce, you do not need to configure Salesforce API Access again. However, you should enable the Modify Metadata Through Metadata API Functions permission under the custom profile you have already created. Then edit the existing Salesforce instance under Settings > Configure App Access > Classic > SaaS, enable the Security Posture checkbox, and re-grant the app instance.

Configure Salesforce API Access

There are two modes in Salesforce, Lightning mode and Classic mode. Netskope suggests you switch to Lightning mode to follow this procedure. To switch to the Lightning Experience UI, log in to login.salesforce.com and, on the top-right of the home page, click the User menu drop-down list and select Switch to Lightning Experience.

To authorize Netskope as a web application client to access your Salesforce instance, you should create a custom profile on the Salesforce portal.

Netskope recommends creating an exclusive custom profile for the Netskope app. If you intend to run any custom processes or scripts (other than the Netskope app), create a separate custom profile. Do not use the exclusive custom profile intended for the Netskope app for custom processes or scripts (like bulk uploads, etc.) because they may interfere with the Netskope app.

  1. Log in to login.salesforce.com.

  2. In the left navigation bar, go to Administration > Users > Profiles.


  3. Clone a system administrator user profile. Ensure that the user profile has an active “Salesforce” license. In this example, click Clone beside the System Administrator.

  4. On the Clone Profile page, enter a profile name and make sure the User License shows Salesforce. When finished, click Save.

  5. After creating the custom profile, click Edit to modify the custom profile.

    You must assign the permissions directly to the profile. Do not add the permissions through permission sets.

  6. Scroll down to the Administrative Permissions section of the custom profile.

    Keep the default permissions as they are and enable the following permissions:

    • API Enabled

    • Modify Metadata Through Metadata API Functions

    • View All Data

    • View All Users

    Keep the remaining default permissions as they are and disable the following permissions:

    • Under Administrative Permissions, uncheck Modify All Data.

    • Under General User Permissions, uncheck Modify Data Classification.

    • Under Standard Object Permissions, uncheck Modify All permission.

    • Under Custom Object Permissions, uncheck Modify All permission.

    When finished, click Save.

    To know more about the permissions, see Permissions Required for Salesforce.

  7. In the left navigation bar, go to Administration > Users > Users.


  8. Click Edit to modify an existing user, or New User to define a new user.

  9. In the User Edit > General Information section, set the User License as Salesforce.

  10. In the User Edit > General Information section, set the Profile created in step 4.


  11. In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view the CRM content files and is required to list and take actions on the Salesforce CRM Content or Library files.


  12. When finished, click Save.
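The profile settings from step 6 can be verified outside the UI by auditing the profile's Metadata API XML (what a `sf project retrieve` of the Profile type returns). The script below is an added example, not Netskope's or Salesforce's own code; the XML is constructed sample input, and the permission API names (ApiEnabled, ModifyMetadata, ViewAllData, ViewAllUsers, ModifyAllData) are assumed to map to the labels used in the procedure above.

```python
# Audit a Salesforce Profile metadata XML against the least-privilege
# settings this page requires for the Netskope custom profile.
# Added example; the sample XML below is constructed, not a real export.
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Assumed Metadata API names for the permissions named in step 6.
REQUIRED_ON = {"ApiEnabled", "ModifyMetadata", "ViewAllData", "ViewAllUsers"}
REQUIRED_OFF = {"ModifyAllData"}

# Constructed sample: a cloned System Administrator profile that still has
# Modify All Data and object-level Modify All switched on.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userLicense>Salesforce</userLicense>
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyMetadata</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ViewAllData</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ViewAllUsers</name></userPermissions>
    <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
    <objectPermissions>
        <object>Account</object>
        <allowRead>true</allowRead>
        <modifyAllRecords>true</modifyAllRecords>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
</Profile>
"""


def audit_profile(xml_text):
    """Return a sorted-by-check list of findings; an empty list means compliant."""
    root = ET.fromstring(xml_text)
    findings = []
    enabled = {}
    for up in root.findall("m:userPermissions", NS):
        name = up.findtext("m:name", namespaces=NS)
        enabled[name] = up.findtext("m:enabled", namespaces=NS) == "true"
    for name in sorted(REQUIRED_ON):
        if not enabled.get(name, False):
            findings.append(f"missing: {name} must be enabled")
    for name in sorted(REQUIRED_OFF):
        if enabled.get(name, False):
            findings.append(f"excess: {name} must be disabled")
    # Modify All on any standard or custom object must be unchecked (step 6).
    for op in root.findall("m:objectPermissions", NS):
        if op.findtext("m:modifyAllRecords", namespaces=NS) == "true":
            obj = op.findtext("m:object", namespaces=NS)
            findings.append(f"excess: Modify All on {obj}")
    if root.findtext("m:userLicense", namespaces=NS) != "Salesforce":
        findings.append("license: User License must be Salesforce")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

Run it against a retrieved profile file to confirm the Netskope profile has exactly the four required permissions and nothing that grants write access to all records.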

Netskope recommends allowing a pool of Netskope public IP addresses in Salesforce. This ensures that events and notifications are exchanged between Salesforce and SaaS Security Posture Management without restrictions. To allow the IP addresses:

  1. Log in to login.salesforce.com.
  2. In the left navigation bar, go to Settings > Security > Network Access.
  3. Click New beside Trusted IP Ranges.
  4. On the Trusted IP Range Edit page, specify the Start IP Address and End IP Address.
  5. Click Save.

To get the pool of Netskope public IP addresses, refer to Netskope SSPM gateway IP addresses for Salesforce Allowlisting.

Configure Salesforce Instance in Netskope UI

To authorize Netskope to access your Salesforce instance:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.
  2. Select the Salesforce icon, and then click Setup Instance.
  3. The Setup Instance window opens. Enter the following details:
    • In the INSTANCE NAME field, enter the organization name or ID of your Salesforce account. To locate the organization name or ID in salesforce.com, log in to the salesforce.com account. Navigate to Setup > Settings > Company Setting > Company Information and note down the Organization Name or Salesforce.com Organization ID.

      Important

      Under a single organization name, you can create only one production and one sandbox instance in the Netskope tenant. To set up more than one Salesforce instance under the same organization name, Netskope recommends using the organization ID of each Salesforce instance as the instance name in the Netskope tenant.

    • Instance Type: Select the Security Posture checkbox. This allows Netskope to continuously scan your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards.

      You also have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).

    • Select the type of Salesforce account you want for SaaS Security Posture Management: production or sandbox.

      Note

      Select the production account type if connecting a developer edition instance created in developer.salesforce.com. The sandbox account type is only intended for sandbox organizations, which are copies of production organizations and not the same as a Salesforce organization with a developer edition license.

    • Enter the email address of the Salesforce user that will grant access to SaaS Security Posture Management.

      Note

      The email address entered during instance setup must match the one provided during the grant of access.

  4. Click Save, then click Grant Access for the app instance you just created. You will be prompted to log in with your admin username and password, and then click Grant. When the configuration results page opens, click Close.

Refresh your browser, and you will see a green check icon next to the instance name.

Grant Failure Due To Login IP Range

The grant of access may fail if the Salesforce username has any Login IP Ranges configured in Salesforce. Log in to your Salesforce account and verify whether the user profile associated with the username has Login IP Ranges configured. If it does, follow the procedure below so that the grant goes through successfully.

  1. Log in to login.salesforce.com.
  2. On the top right, click Setup > Setup.
  3. On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Connected Apps OAuth Usage.
  4. Beside the Netskope Introspection for Salesforce app, click Install.

    A new window opens. Click Install.

  5. On the Netskope Introspection for Salesforce Connected app page, click Edit Policies.
  6. Under OAuth Policies, set IP Relaxation to Relax IP restrictions.
  7. Click Save.
  8. Log back in to your Netskope tenant and grant access to your Salesforce app.

    The grant should go through successfully.

  9. (Optional) After the grant succeeds, you can set IP Relaxation back to Enforce IP restrictions.

Netskope SSPM OAuth Refresh Token Policy

Once you have successfully granted access, the Salesforce administrator should ensure that the Refresh Token Policy is set to Refresh token is valid until revoked. To do so:

  1. Log in to login.salesforce.com.
  2. On the top right, click Setup > Setup.
  3. On the left navigation pane, go to PLATFORM TOOLS > Apps > Connected Apps > Manage Connected Apps.
  4. Click the Netskope Introspection for Salesforce app.
  5. Click Edit Policies.
  6. Under OAuth Policies, set Refresh Token Policy to Refresh token is valid until revoked.
  7. Click Save.

Next, you should configure a security posture policy. To do so, see SaaS Security Posture Management Policy Wizard.
