Netskope Help

Configure Salesforce Instance for Security Posture

The installation instruction describes how to integrate your Salesforce account with Netskope. To configure Salesforce for SSPM, you need to authorize Netskope as a web application client to access your Salesforce account. There are two parts to this procedure:

  • Configure Salesforce API Access

  • Configure Salesforce Instance in Netskope UI


If you have already configured API Data Protection for Salesforce, you need not configure the Salesforce API Access. However, you should enable the Modify Metadata Through Metadata API Functions permission under the custom profile you have already created. Thereafter, you can edit the existing Salesforce instance under Settings > API-enabled Protection > SaaS and enable the Security Posture checkbox and re-grant the app instance.

Configure Salesforce API Access


The following steps are validated with Salesforce Lightning mode and may not apply to Classic mode. Lightning mode is not a requirement to run Netskope SSPM. You can configure using Classic mode as well. To switch to the Lightning Experience UI, log in to and on the top-right of the home page, click the User menu drop-down list and select Switch to Lightning Experience.

To authorize Netskope as a web application client to access your Salesforce instance, you should create a custom profile on the Salesforce portal.


Netskope recommends creating an exclusive custom profile for the Netskope app. If you intend to run any custom processes or scripts (other than the Netskope app), create a separate custom profile. Do not use the exclusive custom profile intended for the Netskope app for custom processes or scripts (like bulk uploads, etc.) because they may interfere with the Netskope app.

  1. Log in to

  2. In the left navigation bar, go to Administration > Users > Profiles.

  3. Clone a user profile. You can clone a system administrator, standard user, read-only, or any other profile. Ensure that the user profile has an active "Salesforce" license. In this example, click Clone beside the Custom: Support Profile.

  4. On the Clone Profile page, enter a profile name and make sure the User License shows Salesforce . When finished, click Save.

  5. After creating the custom profile, click Edit to modify the custom profile.

  6. Scroll down to the Administrative Permissions section of the custom profile. Enable the following permissions:


    You must directly assign the permissions to the profile. Do not add the permissions through permission sets.

    • API Enabled

    • Modify Metadata Through Metadata API Functions

    • View All Data

    • View All Users

    To know more about the permissions, see Permissions Required for Salesforce.

    When finished, click Save.

  7. In the left navigation bar, go to Administration > Users > Users.

  8. Click Edit to modify an existing user, or New User to define a new user.

  9. In the User Edit > General Information section, set the Profile created in step 4.

  10. In the User Edit > General Information section, enable Salesforce CRM Content User. This allows the user to view the CRM content files and is required to list and take actions on the Salesforce CRM Content or Library files.

  11. When finished, click Save.


Netskope recommends allowing a pool of Netskope public IP addresses in Salesforce. This will ensure events and notifications are exchanged between Salesforce and Netskope SSPM without any restrictions. To allow the IP addresses:

  1. Log in to

  2. In the left navigation bar, go to Settings > Security > Network Access.

  3. Click New beside Trusted IP Ranges.

  4. In the Trusted IP Range Edit page, specify the Start IP Address and End IP Address.

  5. Click Save.

To get a pool of Netskope public IP addresses, log in to your Netskope tenant, and navigate to Settings > Security Cloud Platform > REVERSE PROXY > Office 365 Auth. Scroll down to the Netskope Source IP Address/Range section.

Configure Salesforce Instance in Netskope UI

To authorize Netskope to access your Salesforce instance:

  1. Log in to the Netskope tenant UI: https://<tenant hostname> and go to Settings > API-enabled Protection > SaaS.

  2. Select the Salesforce icon, and then click Setup Instance.

  3. The Setup Instance window opens. Enter the following details:

    • In the INSTANCE NAME field, enter the organization name of your Salesforce account. To locate the organization name in, log in to the account. Navigate to Setup > Setting > Company Settings > Company Information and note down the Organization Name.


      • Under a single organization name, you can create one production and one sandbox instance only in the Netskope tenant.

      • Netskope uses the organization name to identify individual Salesforce instances. In order to set up more than one Salesforce instance, they would need to be under a different organization name.

    • Instance Type: Select the Security Posture checkbox. Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards.

      Also, you have the option to run the policy at intervals (15 minutes, 30 minutes, 45 minutes, and 60 minutes).

    • Select the type of Salesforce account you want for SSPM; production, or sandbox.


      Select the production account type if connecting a developer edition instance created in The sandbox account type is only intended for sandbox organizations, which are copies of production organizations and not the same as a Salesforce organization with a developer edition license.

    • Enter the username of the Salesforce user that will grant access to SSPM.

  4. Click Save, then click Grant Access for the app instance you just created. You will be prompted to log in with your admin username and password, and then click Grant. When the configuration results page open, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you should configure a security posture policy. To do so, see Security Posture Policy Wizard.