Netskope

Salesforce Entities supported in DSL

Identity

Security

| Attribute | Type | Description |
|---|---|---|
| caSigned | boolean | Required. Indicates whether this certificate is signed by the issuer (true) or not (false). |
| fullName | string | Unique identifier for the certificate. |
| expirationDate | string | The date the certificate expires and is no longer usable. |
| keySize | number | The size of the key in bits. |
| Attribute | Type | Description |
|---|---|---|
| attributes | sequence | A custom attribute of the connected app. Represents the field names that make up a custom attribute when using SAML with a ConnectedApp. Tailor these values to a specific service provider. |
| attributes.formula | string | The value of the attribute. |
| attributes.key | string | The attribute's identifier. |
| canvasConfig | sequence | The configuration options of the connected app if it's exposed as a canvas app. |
| canvasConfig.accessMethod | string | Indicates how the canvas app initiates the OAuth authentication flow. |
| canvasConfig.canvasUrl | string | The URL of the third-party app that's exposed as a canvas app. |
| canvasConfig.lifecycleClass | string | The name of the Canvas.CanvasLifecycleHandler Apex class. |
| canvasConfig.locations | string | Indicates where the canvas app can appear to the user. |
| canvasConfig.options | string | Indicates whether to hide the share button and header in the publisher for your canvas app, and whether the app is a canvas personal app. |
| canvasConfig.samlInitiationMethod | string | If you're using SAML single sign-on (SSO), indicates which provider initiates the SSO flow. |
| contactEmail | string | Required. The email address Salesforce uses for contacting you or your support team. |
| contactPhone | string | The phone number for Salesforce to use to contact you. |
| description | string | An optional description for your app. |
| iconUrl | string | Reserved for future use. |
| infoUrl | string | An optional URL for a web page with more information about your app. |
| ipRanges | list | Specifies the ranges of IP addresses that can access the app without requiring the user to authenticate with the connected app. |
| ipRanges.description | string | Use this field to identify the purpose of the range, such as which part of a network corresponds to this range. |
| ipRanges.startAddress | string | The first address in the IP range, inclusive. |
| ipRanges.endAddress | string | The last address in the IP range, inclusive. |
| label | string | Required. The name of the app. |
| logoUrl | string | An optional logo for the app. The logo appears with the app's entry in the list of apps and on the consent page the user sees when authenticating. The URL must use HTTPS, and the logo can't be larger than 125 pixels high or 200 pixels wide. The default logo is a cloud. |
| mobileStartUrl | string | Users are directed to this URL after they've authenticated when the app is accessed from a mobile device. If you don't give a URL, the user is sent to the app's default start page after authentication completes. If the connected app that you're creating is a canvas app, then you can leave this field blank. The Canvas App URL field contains the URL that gets called for the connected app. |
| oauthConfig | sequence | Represents the field names that configure how your connected app communicates with Salesforce. |
| oauthConfig.assetTokenConfig | sequence | Specifies an OAuth asset token configuration for the connected app OAuth settings. |
| oauthConfig.assetTokenConfig.assetAudiences | string | The audience claim associated with the asset token payload. This claim identifies who the JWT is intended for. |
| oauthConfig.assetTokenConfig.assetIncludeAttributes | boolean | If set to true (default setting), custom attributes associated with the connected app are included in the asset token payload. If set to false, these attributes aren't included. |
| oauthConfig.assetTokenConfig.assetIncludeCustomPerms | boolean | If set to true (default setting), custom permissions associated with the connected app are included in the asset token payload. If set to false, these permissions aren't included. |
| oauthConfig.assetTokenConfig.assetSigningCertId | string | The ID of the JWT certificate's signing secret. |
| oauthConfig.assetTokenConfig.assetValidityPeriod | number | The asset token's validity period. The validity must be the expiration time of the assertion within 3 minutes, expressed as the number of seconds from 1970-01-01T0:0:0Z measured in UTC. |
| oauthConfig.callbackUrl | string | The endpoint that Salesforce calls back to your connected app during OAuth; it's the OAuth redirect_uri. |
| oauthConfig.certificate | string | The PEM-encoded certificate string, if the app uses a certificate. |
| oauthConfig.consumerKey | string | A value used by the consumer for identification to Salesforce. |
| oauthConfig.consumerSecret | string | A value that is combined with the consumerKey and used by the consumer for identification to Salesforce. |
| oauthConfig.idTokenConfig | sequence | Specifies the ID token configuration for the connected app OAuth settings. |
| oauthConfig.idTokenConfig.idTokenAudience | string | The audiences that this ID token is intended for. |
| oauthConfig.idTokenConfig.idTokenIncludeAttributes | boolean | Indicates whether attributes are included in the ID token. |
| oauthConfig.idTokenConfig.idTokenIncludeCustomPerms | boolean | Indicates whether custom permissions are included in the ID token. |
| oauthConfig.idTokenConfig.idTokenIncludeStandardClaims | boolean | Indicates whether standard claims about the authentication event are included in the ID token. |
| oauthConfig.idTokenConfig.idTokenValidity | number | The length of time that the ID token is valid for after it's issued. The value can be from 1 to 720 minutes. The default is 2 minutes. |
| oauthConfig.isAdminApproved | boolean | If set to false (default setting), anyone in the org can authorize the app. Users must approve the app the first time they access it. If set to true, only users with the appropriate profile or permission set can access the app. These users don't have to approve the app before they can access it. |
| oauthConfig.isConsumerSecretOptional | boolean | If set to false (default setting), the connected app's client secret is required in exchange for an access token in the OAuth 2.0 web server flow. |
| oauthConfig.isIntrospectAllTokens | boolean | If set to true, authorizes the connected app to introspect all access and refresh tokens within the entire org. If set to false (default), the connected app can introspect only its own tokens. |
| oauthConfig.isSecretRequiredForRefreshToken | boolean | If set to true (default), the app's client secret is required in the authorization request of a refresh token and hybrid refresh token flow. If set to false and an app sends the client secret in the authorization request, Salesforce still validates it. |
| oauthConfig.scopes | list | A list of scopes associated with the connected app. The scopes refer to permissions given by the user running the connected app. |
| oauthConfig.scopes.scope | string | The name of the scope. |
| oauthConfig.singleLogoutUrl | string | The single logout endpoint. This URL is the endpoint where Salesforce sends a logout request when users log out of Salesforce. |
| oauthPolicy | sequence | Specifies OAuth access policies associated with your connected app. |
| oauthPolicy.ipRelaxation | string | Specifies whether a user's access to the connected app is restricted by IP ranges. |
| oauthPolicy.refreshTokenPolicy | string | Specifies how long a refresh token is valid for. |
| oauthPolicy.singleLogoutUri | string | If single logout is enabled, specify the single logout URL. |
| permissionSetName | string | Specifies the permissions required to perform different functions with the connected app. |
| plugin | string | The name of a custom Apex class that extends Auth.ConnectedAppPlugin to customize the behavior of the app. |
| pluginExecutionUser | string | Specifies the user to run the plugin as. |
| profileName | string | Specifies the profile (base-level user permissions) required to perform different functions with the connected app. |
| samlConfig | sequence | Specifies how an app uses single sign-on. |
| samlConfig.acsUrl | string | The assertion consumer service URL from the service provider. |
| samlConfig.certificate | string | The PEM-encoded certificate string, if the app uses a certificate. |
| samlConfig.entityUrl | string | The entity ID from your service provider. |
| samlConfig.encryptionCertificate | string | The name of the certificate to use for encrypting SAML assertions to the service provider. This certificate is saved in the organization's Certificate and Key Management list. |
| samlConfig.encryptionType | string | When Salesforce is the identity provider, the SAML configuration can specify the encryption method used for encrypting SAML assertions to the service provider. The service provider detects the encryption method in the SAML assertion for decryption. |
| samlConfig.issuer | string | A URI that sends the SAML response. A service provider can use this URI to determine which identity provider sent the response. |
| samlConfig.samlIdpSLOBinding | string | The SAML HTTP binding type from the service provider used for single logout. |
| samlConfig.samlNameIdFormat | string | Indicates the format the service provider (SP) requires for the user's single sign-on identifier. |
| samlConfig.samlSigningAlgoType | string | Indicates the signing algorithm applied to SAML requests and responses when Salesforce is the identity provider. |
| samlConfig.samlSloUrl | string | The SAML single-logout endpoint of the connected app service provider (SP). This endpoint is where SAML LogoutRequests and LogoutResponses are sent when users log out of Salesforce. The SP provides this endpoint. |
| samlConfig.samlSubjectCustomAttr | string | If the samlSubjectType is CustomAttr, include that custom value here; otherwise, leave empty. |
| samlConfig.samlSubjectType | string | The single sign-on identifier for the user. |
| sessionPolicy | sequence | Specifies the configuration options for a connected app's session policies. Use these policies to define how long a user's session can last before reauthenticating, to block user access to the connected app, or to require multi-factor authentication (MFA) to access the app. |
| sessionPolicy.policyAction | string | If the High Assurance session security level is applied to the connected app, specify the associated high assurance action. |
| sessionPolicy.sessionLevel | string | Applies the High Assurance session security level to the connected app. This session level requires users to verify their identity with multi-factor authentication when they log in to the connected app. |
| sessionPolicy.sessionTimeout | number | The length of time the connected app's session lasts. |
| startUrl | string | If the app isn't accessed from a mobile device, users are directed to this URL after they've authenticated. |
| Attribute | Type | Description |
|---|---|---|
| urlPattern | string | A URL pattern for the origin. The origin URL pattern must include the HTTPS protocol and a domain name, and may include a port. The wildcard character (*) is supported and must be in front of a second-level domain name. For example, https://*.example.com adds all subdomains of example.com to the allowlist. The origin URL pattern can be an IP address. However, an IP address and a domain that resolve to the same address are not the same origin and must be added to the CORS allowlist as separate entries. |
| Attribute | Type | Description |
|---|---|---|
| dispositions | sequence | Represents the metadata used to manage file type behavior. |
| dispositions.behavior | string | File download behavior. |
| dispositions.filetype | string | The file type that this disposition applies to. |
| dispositions.securityRiskFiletype | boolean | Indicates file types that cannot have behavior set to EXECUTE, due to security risks. |
| noHtmlUploadAsAttachment | boolean | Indicates whether to allow HTML uploads as attachments or document records. |
| Attribute | Type | Description |
|---|---|---|
| start | ip | The IP address that defines the low end of a range of trusted addresses. |
| end | ip | The IP address that defines the high end of a range of trusted addresses. |
| Attribute | Type | Description |
|---|---|---|
| complexity | string | The types of characters that must be used in a user's password. Valid values are NoRestriction, AlphaNumeric, SpecialCharacters, UpperLowerCaseNumeric, UpperLowerCaseNumericSpecialCharacters, Any3UpperLowerCaseNumericSpecialCharacters. |
| expiration | string | The length of time until a user password expires and must be changed. Valid values are Never, ThirtyDays, SixtyDays, NinetyDays, SixMonths, OneYear. |
| historyRestriction | number | The number of previous passwords saved for users so that they must always reset a new, unique password. Valid values are 0 through 24 passwords remembered. The maximum value of 24 applies to API version 31.0 and later. In earlier versions, the maximum value is 16. |
| lockoutInterval | string | The duration of the login lockout. Valid values are FifteenMinutes (this value is the default value), ThirtyMinutes, SixtyMinutes, Forever (must be reset by admin). |
| maxLoginAttempts | string | The number of login failures allowed for a user before the user is locked out. Valid values are NoLimit, ThreeAttempts, FiveAttempts, TenAttempts (this value is the default value). |
| minimumPasswordLength | number | The minimum number of characters required for a password. The number can contain from 5 to 50 characters (default is 8). Available in API version 35.0 and later. Before API version 35.0, specify minimum password length with the enumeration minPasswordLength, with valid values FiveCharacters, EightCharacters (default), TenCharacters, TwelveCharacters (API version 31.0 and later), and FifteenCharacters (API version 34.0 and later). |
| minimumPasswordLifetime | boolean | If enabled (true), passwords can't be changed more than one time during a 24-hour period. |
| obscureSecretAnswer | boolean | If enabled (true), hide answers to security questions as the user types. |
| questionRestriction | string | The restriction on whether the answer to the password hint question can contain the password itself. Valid values are None, DoesNotContainPassword. |
| Attribute | Type | Description |
|---|---|---|
| RealTimeEvents | list | A list of Real-Time Event entities. |
| RealTimeEvents.entityName | string | The name of the storage or streaming entity to be modified. For example, ApiEvent or ApiEventStream. |
| RealTimeEvents.isEnabled | boolean | Indicates whether to enable storage or streaming capability. |
| StreamingApiConcurrentClients | sequence | The number of concurrent CometD clients (subscribers) across all channels and for all event types. |
| StreamingApiConcurrentClients.max | number | The maximum number of concurrent CometD clients (subscribers) across all channels and for all event types. |
| StreamingApiConcurrentClients.remaining | number | The remaining number of concurrent CometD clients (subscribers) across all channels and for all event types that can subscribe. |
| Attribute | Type | Description |
|---|---|---|
| description | string | The description explaining what this remote site setting is used for. |
| disableProtocolSecurity | boolean | Indicates whether code within Salesforce can access the remote site regardless of whether the user's connection is over HTTP or HTTPS (true) or not (false). When true, code within Salesforce can pass data from an HTTPS session to an HTTP session, and vice versa. |
| fullName | string | The name can only contain characters, letters, and the underscore (_) character, must start with a letter, and cannot end with an underscore or contain two consecutive underscore characters. |
| isActive | boolean | Indicates if the remote site setting is active (true) or not (false). |
| url | string | The URL for the remote site. |
| Attribute | Type | Description |
|---|---|---|
| allowUserAuthenticationByCertificate | boolean | If enabled (true), users can authenticate with a PEM-encoded X.509 digital certificate. Not enabled by default. Available in API version 47.0 and later. |
| canConfirmIdentityBySmsOnly | boolean | Prevents identity verification by email for users who have registered other verification methods, such as SMS or Salesforce Authenticator. If no other verification methods are configured, users are verified by email. By default, this setting is disabled (false) for existing orgs. For new orgs, this setting is enabled (true) by default. Available in API version 48.0 and later. |
| canUsersGrantLoginAccess | boolean | If true, users can grant login access to Support. If false, only an admin can grant login access. |
| enableAdminLoginAsAnyUser | boolean | If true, the "Administrator Can Log in as Any User" field is enabled. |
| enableAuditFieldsInactiveOwner | boolean | If true, this setting enables audit fields and updating the owner for records that are owned by inactive users. The default value is false. This field is available in API version 47.0 and later. |
| enableCSPOnEmail | boolean | Indicates whether a content security policy is enabled for the email template. A content security policy helps prevent cross-site scripting attacks by listing allowed sources of images and other content. |
| enforceIpRangesEveryRequest | boolean | If true, the IP addresses in Login IP Ranges are enforced when a user accesses Salesforce (on every page request), including access from a client app. If false, the IP addresses in Login IP Ranges are enforced only when a user logs in. This field affects all user profiles that have login IP restrictions. Available in API version 34.0 and later. |
| enableLightningLoginOnlyWithUserPerm | boolean | If enabled (true), only users with the Lightning Login User permission can log in with Salesforce Authenticator instead of a password. Available in API version 47.0 and later. |
| enableOauthCorsPolicy | boolean | If set to true, enables Cross-Origin Resource Sharing (CORS) for these OAuth endpoints: /services/oauth2/token, /services/oauth2/revoke, /services/oauth2/introspect. Default setting is false. Available in API version 50.0 and later. |
| enablePostForSessions | boolean | Indicates whether cross-domain session information is exchanged using a POST request instead of a GET request, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests. Available in API version 31.0 and later. |
| enableU2F | boolean | If enabled (true), users can use a physical U2F-compatible security key for multi-factor authentication (MFA) and identity verification. The default is false. Available in API version 47.0 and later. |
| enableSamlLogin | boolean | If you enable 'SAML Enabled' (true), users can SSO into Salesforce from providers via SAML. The default isn't enabled (false). |
| enforceUserDeviceRevoked | boolean | If enabled, and a UserDevice's status is set to revoked, that device can't log in from a Salesforce app. Logins from browsers aren't affected. This field is available in API version 50.0 and later. |
| forceRelogin | boolean | If true, an admin who is logged in as another user must log in again to their original session, after logging out as the secondary user. If false, the admin isn't required to log in again. |
| hasRetainedLoginHints | boolean | If you enable 'Remember me until logout' (true), usernames (login hints) are cached until the user logs out. If a session times out, usernames appear on the Switcher as inactive. If false (default), usernames aren't cached for SSO sessions. |
| hasUserSwitching | boolean | If 'Enable user switching' is true (default), users can log in to other orgs by selecting their profile picture and using the Switcher. You must also enable the 'Enable caching and autocomplete on login page' setting. If false, the Switcher isn't enabled and your org doesn't appear in Switchers on other orgs. |
| lockSessionsToDomain | boolean | Indicates whether the current UI session for a user is associated with a specific domain. This check helps prevent unauthorized use of the session ID in another domain. The value is true by default for orgs created with the Spring '15 release or later. Available in API version 33.0 and later. |
| lockSessionsToIp | boolean | Indicates whether user sessions are locked to the IP address from which the user logged in (true) or not (false). |
| Attribute | Type | Description |
|---|---|---|
| canConfirmEmailChangeInLightningCommunities | boolean | When users change their email address, they receive an email at the new address with a link. After they click the link, their new email address takes effect. |
| disableTimeoutWarning | boolean | Indicates whether the session timeout warning popup is disabled (true) or enabled (false). |
| enableCSPOnEmail | boolean | |
| enableCSRFOnGet | boolean | Indicates whether Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is enabled (true) or disabled (false). |
| enableCSRFOnPost | boolean | Indicates whether Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is enabled (true) or disabled (false). |
| enableCacheAndAutocomplete | boolean | Indicates whether the user's browser is allowed to store usernames and auto-fill the User Name field on the login page (true) or not (false). |
| enableClickjackNonsetupSFDC | boolean | Indicates whether clickjack protection for non-setup Salesforce pages is enabled (true) or disabled (false). |
| enableClickjackNonsetupUser | boolean | Indicates whether clickjack protection for customer Visualforce pages with standard headers turned on is enabled (true) or disabled (false). |
| enableClickjackNonsetupUserHeaderless | boolean | Indicates whether clickjack protection for customer Visualforce pages with standard headers turned off is enabled (true) or disabled (false). |
| enableClickjackSetup | boolean | Indicates whether clickjack protection for setup pages is enabled (true) or disabled (false). |
| enableContentSniffingProtection | boolean | Indicates if the browser is prevented from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. This field is available in API version 39.0 and later. |
| enableLightningLogin | boolean | If enabled (true), users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. Available in API version 47.0 and later. |
| enableSMSIdentity | boolean | If enabled (true), the default, users can receive a one-time password in a text message (SMS) to verify their identity. Users must verify their mobile phone number before they can receive SMS messages. |
| enableUpgradeInsecureRequests | boolean | Indicates if HTTPS is required for connecting to third-party domains. |
| enableXssProtection | boolean | Indicates if protection against reflected cross-site scripting attacks is enabled. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. This field is available in API version 39.0 and later. |
| FileUploadAndDownloadSecurityRules | list | A list of rules representing the security settings for uploading and downloading files. |
| FileUploadAndDownloadSecurityRules.dispositions | string | Represents the metadata used to manage file type behavior. |
| FileUploadAndDownloadSecurityRules.noHtmlUploadAsAttachment | boolean | Indicates whether to allow HTML uploads as attachments or document records. |
| forceLogoutOnSessionTimeout | boolean | If enabled (true), the default, when sessions time out for inactive users, current sessions become invalid. The browser refreshes and returns to the login page. To access the organization, the user must log in again. |
| forceRelogin | boolean | If true, an admin who is logged in as another user must log in again to their original session, after logging out as the secondary user. If false, the admin isn't required to log in again. |
| hstsOnForcecomSites | boolean | Indicates whether Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. Available in API version 41.0 and later. |
| identityConfirmationOnEmailChange | boolean | Indicates if a user's identity is confirmed when changing their email address, instead of requiring a re-login. This field is available in API version 42.0 and later. |
| identityConfirmationOnTwoFactorRegistrationEnabled | boolean | Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. (Multi-factor authentication was formerly called two-factor authentication.) This field is available in API version 40.0 and later. |
| redirectionWarning | boolean | Indicates whether users see an alert when they click a link in a web tab that redirects them outside the salesforce.com domain. Available in API version 42.0 and later. |
| referrerPolicy | boolean | Indicates whether the Referer header hides sensitive information that could be present in the full URL. If true, then the Referer header displays only salesforce.com. If false, then the header displays the entire URL. For a Visualforce user, if referrerPolicy is set to true, then the Referer header displays only force.com. If false, then the header displays the entire URL. Available in API version 42.0 and later. |
| requireHttps | boolean | Determines whether HTTPS is required to log in to or access Salesforce. |
| sessionTimeout | string | The length of time after which users without activity are prompted to log out or continue working. Valid values are FifteenMinutes, ThirtyMinutes, SixtyMinutes, TwoHours, FourHours, EightHours, TwelveHours. |
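A posture check written against the password-policy attributes (complexity, maxLoginAttempts, minimumPasswordLength, historyRestriction, questionRestriction, obscureSecretAnswer) and the session-settings attributes (sessionTimeout and the browser-protection booleans) listed in the two tables above. This is an added example, not Netskope's DSL or its evaluation engine: the settings dict is constructed, the dict layout and the hardening thresholds are assumptions, and the enumeration-to-number maps follow the valid values the tables give.

```python
"""Posture check for Salesforce passwordPolicies and sessionSettings, using the
attribute names and enumeration values from the tables above. The sample org
below is constructed for this example; the thresholds are illustrative
hardening baselines, not Netskope's or Salesforce's own rules."""
from typing import Dict, List, Optional

# Enumerations from the tables, mapped to comparable numbers.
# None stands for NoLimit, which needs its own handling.
LOGIN_ATTEMPTS: Dict[str, Optional[int]] = {
    "NoLimit": None, "ThreeAttempts": 3, "FiveAttempts": 5, "TenAttempts": 10}
SESSION_MINUTES: Dict[str, int] = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
    "TwoHours": 120, "FourHours": 240, "EightHours": 480, "TwelveHours": 720}

# sessionSettings booleans a hardened org is expected to have enabled
# (illustrative baseline; the names are attributes from the table above).
EXPECTED_TRUE = (
    "enableCSRFOnGet", "enableCSRFOnPost", "enableClickjackSetup",
    "enableClickjackNonsetupSFDC", "enableClickjackNonsetupUser",
    "enableContentSniffingProtection", "enableXssProtection", "requireHttps",
    "forceLogoutOnSessionTimeout", "enableUpgradeInsecureRequests")


def check_password_policy(policy: Dict) -> List[str]:
    """Return human-readable findings for weak passwordPolicies values."""
    findings: List[str] = []
    if policy.get("minimumPasswordLength", 0) < 12:
        findings.append("minimumPasswordLength below 12 characters")
    if policy.get("complexity") == "NoRestriction":
        findings.append("complexity is NoRestriction")
    attempts = LOGIN_ATTEMPTS[policy["maxLoginAttempts"]]
    if attempts is None:
        findings.append("maxLoginAttempts is NoLimit: no lockout against password guessing")
    elif attempts > 5:
        findings.append(f"maxLoginAttempts allows {attempts} failures before lockout")
    if policy.get("historyRestriction", 0) < 5:
        findings.append("historyRestriction below 5 remembered passwords")
    if policy.get("questionRestriction") == "None":
        findings.append("questionRestriction allows the hint answer to contain the password")
    if not policy.get("obscureSecretAnswer", False):
        findings.append("obscureSecretAnswer is false")
    return findings


def check_session_settings(session: Dict) -> List[str]:
    """Return findings for sessionSettings values that weaken session and browser controls."""
    findings: List[str] = []
    timeout = SESSION_MINUTES[session["sessionTimeout"]]
    if timeout > 120:
        findings.append(f"sessionTimeout of {timeout} minutes exceeds 2 hours")
    for name in EXPECTED_TRUE:
        if not session.get(name, False):  # a missing attribute counts as disabled
            findings.append(f"{name} is not enabled")
    return findings


def audit(org: Dict) -> Dict[str, List[str]]:
    """Run both checks and return findings keyed by entity name."""
    return {"passwordPolicies": check_password_policy(org["passwordPolicies"]),
            "sessionSettings": check_session_settings(org["sessionSettings"])}


# Constructed sample of one weak org; not taken from any real tenant.
SAMPLE_ORG = {
    "passwordPolicies": {
        "complexity": "AlphaNumeric", "expiration": "Never", "historyRestriction": 3,
        "lockoutInterval": "FifteenMinutes", "maxLoginAttempts": "NoLimit",
        "minimumPasswordLength": 8, "minimumPasswordLifetime": False,
        "obscureSecretAnswer": True, "questionRestriction": "DoesNotContainPassword"},
    "sessionSettings": {
        "sessionTimeout": "TwelveHours", "enableCSRFOnGet": True, "enableCSRFOnPost": True,
        "enableClickjackSetup": True, "enableClickjackNonsetupSFDC": True,
        "enableClickjackNonsetupUser": False, "enableContentSniffingProtection": True,
        "enableXssProtection": True, "requireHttps": True,
        "forceLogoutOnSessionTimeout": True, "enableUpgradeInsecureRequests": False},
}

if __name__ == "__main__":
    for entity, items in audit(SAMPLE_ORG).items():
        print(entity, "->", items or ["ok"])
```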
| Attribute | Type | Description |
|---|---|---|
| enableSecureGuestAccess | boolean | When true, guest users have organization-wide defaults set to Private. To share records with them, guest user sharing rules must be used. |
| deferGroupMembership | boolean | Indicates whether group membership calculations are suspended (true) or not (false). This field has a default value of false. This field is available in API version 49.0 and later. |
| deferSharingRules | boolean | Indicates whether sharing rule calculations are suspended (true) or not (false). This field has a default value of false. This field is available in API version 49.0 and later. |
| enableAccountRoleOptimization | boolean | Indicates whether person roles are assigned to new site users in accounts without existing users (true) or if regular site roles are created for new users (false). This field has a default value of false. |
| enableAssetSharing | boolean | Indicates whether sharing is enabled for assets (true) or asset access is determined by the parent object's sharing rules (false). This field has a default value of false. |
| enableCommunityUserVisibility | boolean | Indicates whether site users in the same site can see each other regardless of the organization-wide defaults (true) or not (false). This field has a default value of false. In orgs created in API version 47.0 and later, this setting doesn't apply to guest users. |
| enableManagerGroups | boolean | Indicates whether users can share records with their managers and manager subordinates groups (true) or not (false). This field has a default value of false. To use this field, you need the 'View and Manage Users' permission. |
| enableManualUserRecordSharing | boolean | Indicates whether users can share their own user record (true) or not (false). This field has a default value of false. |
| enablePartnerSuperUserAccess | boolean | Indicates whether you can grant super user access to partners in sites (true) or not (false). This field has a default value of false. To use this field, you need the 'Customize Application' permission. |
| enablePortalUserVisibility | boolean | Indicates whether portal users in the same customer or partner portal account can see each other regardless of the organization-wide defaults (true) or not (false). This field has a default value of false. To enable this field, contact Salesforce Support. |
| enableRemoveTMGroupMembership | boolean | Removes group membership info for the original territory management feature after migrating to Enterprise Territory Management when set to true. This field has a default value of false. Once this field is set to true, it can't be set to false again. |
| enableRestrictAccessLookupRecords | boolean | Indicates whether users must have read access to a record to see the record's name in lookup and system fields (true) or not (false). This field has a default value of true in Salesforce orgs created in Spring '20 or later and a default value of false in all other orgs. This field is available in API version 48.0 and later. |
| enableStandardReportVisibility | boolean | Indicates whether users can view reports based on standard report types that may expose data of users to whom they don't have access (true) or not (false). This field has a default value of false. |
| enableTerritoryForecastManager | boolean | Indicates whether forecast managers can act as delegated administrators for territories below them in the hierarchy (true) or not (false). This field has a default value of false. |
| Attribute | Type | Description |
|---|---|---|
| isLoginWithSalesforceCredentialsDisabled | boolean | If true, users are redirected to third-party identity providers for authentication. |