Permissions Required for Salesforce
When you grant access to the Salesforce app instance, Netskope seeks consent for the following permissions from the Salesforce account:
There is no read-only permission available to access the Salesforce Metadata API; the only available permission is Modify Metadata Through Metadata API Functions. Netskope does not currently write any information to Salesforce, but reads in metadata from the Metadata API. A description of the data accessed is available here.

Permissions required by Netskope | Description | Purpose | Trade-off if not allowed |
---|---|---|---|
API Enabled | Access any salesforce.com API. | This is a basic permission required to make API calls so that Netskope API Data Protection can connect to Salesforce. This feature is enabled by default for Unlimited, Enterprise, and Developer Editions. Note: For the Professional Edition, you may need to contact Salesforce Support to enable API access. | Mandatory permission. |
Modify Metadata Through Metadata API Functions | Read and write metadata. | Allows Netskope to access the data through the Metadata API. | The SaaS Security Posture Management asset fetching and evaluation process will fail because the method used to access the data is blocked. |
View All Data | Allows the user to view all the data in the organization. | This is used for onboarding the Salesforce instance. Currently, this permission is required for authentication (as part of API Data Protection) but is not used by SSPM. | The SaaS Security Posture Management asset fetch and evaluation will fail due to inaccessible data, causing instance onboarding to fail. |
View All Users | Allows the user to view all users’ object, regardless of sharing settings configuration. | Get Salesforce user data. Currently required to grant access for authentication (as part of API Data Protection). | The SaaS Security Posture Management asset fetching and evaluation process will fail because the data is not accessible. |
View All Profiles | Allows the user to view all profiles' object, regardless of profile filtering enablement. | Get Salesforce profiles data. | The SaaS Security Posture Management asset fetching and evaluation process will fail because the data is not accessible. |
View Real-Time Event Monitoring Data | Allows the user to view the real-time event settings configuration. | Get the real-time event settings data. | The SaaS Security Posture Management asset fetching and evaluation process will fail because the data is not accessible. |
Customize Application | Allows the user to get visibility into 3rd Party App information. | Get the list of 3rd Party Apps. | You will not see 3rd Party App information in Netskope SSPM for the Salesforce app. |
Manage Sharing | Allows the user to get visibility into a few of the sharing settings configurations. | Get the sharing settings data. | The SaaS Security Posture Management asset fetching and evaluation process will fail because the data is not accessible. |
Manage Users | Allows the user to get visibility into a few of the security settings configurations. | Get the security and sharing settings data. | The SaaS Security Posture Management asset fetching and evaluation process will fail because the data is not accessible. |