Creating and Configuring a Salesforce System of Record

Prerequisites

Permissions Required

  • A service account with permissions to read any of the objects that need to be synchronized to SGNL
  • Permissions to access the Salesforce API

Configuring Salesforce

  1. As a first step, identify your unique Salesforce sub-domain. It forms part of the URL you use to access Salesforce, such as https://acme-corp.my.salesforce.com. Note this sub-domain for configuring SGNL.
  2. Create a new Connected App within your Salesforce Instance based on your desired configuration settings
  3. Enable the Connected App to use the Salesforce OAuth2 Client Credentials Flow. Please ensure the following OAuth Scopes are selected:

    • Manage user data via APIs (api)
    • Perform requests any time (refresh_token, offline_access)

    Salesforce - Required OAuth Scopes

  4. Choose “Manage Consumer Details”, and copy the Consumer Key (OAuth Client Id) and Consumer Secret (OAuth Client Secret). Note these for use in SGNL.

    Salesforce - Copy Consumer Key

Configuring SGNL

  1. Log in to the SGNL Console

  2. From the left menu, select Systems of Record

  3. Click “Add System of Record” or “Add”.

  4. The SGNL SoR Catalog will show up on the screen:

    SGNL - Catalog

  5. Click on “Salesforce” which will open up the New System of Record screen with some configuration options pre-populated from the Salesforce SoR template:

    SGNL - Edit Salesforce SoR

  6. Choose the correct adapter that matches the System of Record Type.

  7. Replace all fields that have the {{Input Required:}} placeholder with relevant information. Choose OAuth2 Client Credentials as the Authentication Method. For Salesforce, the following fields are required:

    • Address: The subdomain of your Salesforce instance, e.g., acme-corp, if you go to https://acme-corp.my.salesforce.com to log in
    • Client ID: The Consumer Key from the “Configuring Salesforce” section above
    • Client Secret: The Consumer Secret from the “Configuring Salesforce” section above
    • Token URL: Replace {{Input Required:}} field with the subdomain of your Salesforce instance.
  8. Click “Continue” to save your Salesforce System of Record. You will be taken to the Salesforce System of Record page.

    SGNL - Salesforce SoR

  9. All entities and relationships are created as defined in the Salesforce template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes. Hover over the entity on the screen above to see the Edit button.

  10. You can check the relationships created through the Relationships tab. However, relationships cannot be modified. You will need to delete an existing one, and create a new relationship.

  11. Note that synchronization is disabled by default when a new System of Record is created. You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.

  12. Repeat for all Entities you want to synchronize to SGNL. Finally, enable synchronization for the System of Record.

    SGNL - Salesforce SoR Enable Sync for Entity

  13. After some time, SGNL should complete ingesting the data from your Salesforce instance into the SGNL graph. The number of objects ingested per entity is displayed on the Salesforce screen. You should then be able to construct policies based on your Salesforce data and make access evaluation calls to SGNL.

  14. Once ingestion is complete and Salesforce data is in the SGNL graph, you can use Data Lens to explore the SGNL graph.

Synchronization Filters

In most cases, you will want to reduce the data coming from Salesforce to only the entities, attributes, and objects that you need to successfully evaluate your policies or take action within SGNL. Given that, it’s likely that you will want to make use of filters to reduce that data.

As with other SoRs, you can apply the native filtering syntax from the SoR, in this case Salesforce, to the Adapter Config for the System. Filters are configured per Entity and are passed directly to the System of Record at Synchronization time to be evaluated and have only the right data made available to SGNL.

SGNL uses the Salesforce WHERE query parameter to filter data from the Salesforce APIs using SOQL. Salesforce has thorough documentation on using this query parameter, and samples are included below.

To use Salesforce filters, simply add the appropriate filter (i.e. the text you would include after WHERE on the Salesforce API) to the relevant entity in the Adapter config.

Sample Adapter Config

{
    "requestTimeoutSeconds": 10,
    "apiVersion": "58.0",
    "filters": {
        "User": "isActive=true",
        "Case": "isClosed=false"
    }
}

Adapter Config Fields

  • requestTimeoutSeconds - how long to wait for a request to AAD to complete before failing and retrying, default 10
  • apiVersion - the version of the Salesforce API, default "58.0"
  • filters - the SOQL filters to apply to each of the entities in Salesforce.
    • The field name (e.g. User, Group, Case, etc.) is the ExternalId of the Entity in SGNL that you want to filter, available from the SoR -> Entities -> Entity Page (e.g. User)
    • The value is the filter, written using the externalId of the Attributes you want to filter on. These are the raw attribute names in Salesforce and are available in SGNL by looking at the ExternalId of the Attributes from within the SoR
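
An added example (not SGNL's own code) of checking an Adapter Config like the sample above before saving it: it lints each filter for a stray leading WHERE, unterminated string literals and unbalanced parentheses, and builds a Salesforce REST query URL that counts the records a filter would match. It assumes each entity externalId is also the Salesforce object name; the function names and the two broken filters in the sample are constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample: this page's config plus two deliberately broken filters.
SAMPLE_CONFIG = json.loads("""{
    "requestTimeoutSeconds": 10,
    "apiVersion": "58.0",
    "filters": {
        "User": "isActive=true",
        "Case": "WHERE isClosed=false",
        "Account": "Type IN ('Customer', 'Partner'"
    }
}""")

def filter_problems(text):
    """Return a list of problems found in one per-entity filter string."""
    problems = []
    if not text.strip():
        problems.append("empty filter")
    if re.match(r"\s*where\b", text, re.IGNORECASE):
        problems.append("leading WHERE keyword")  # filters hold only the text after WHERE
    depth, in_string, i = 0, False, 0
    while i < len(text):
        ch = text[i]
        if in_string and ch == "\\":
            i += 1  # skip the character escaped inside a SOQL string literal
        elif ch == "'":
            in_string = not in_string
        elif not in_string and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                break
        i += 1
    if in_string:
        problems.append("unterminated string literal")
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

def lint_config(config):
    """Map each entity externalId to the problems in its filter (empty list = ok)."""
    return {entity: filter_problems(f) for entity, f in config.get("filters", {}).items()}

def count_query_url(subdomain, api_version, entity, filter_text):
    """Salesforce REST query URL that counts the records a filter would match."""
    soql = f"SELECT COUNT() FROM {entity} WHERE {filter_text}"
    base = f"https://{subdomain}.my.salesforce.com/services/data/v{api_version}/query"
    return base + "?" + urlencode({"q": soql})
```

Requesting the count URL with the service account's access token shows how many records a filter will let through, which makes an overly broad filter visible before synchronization is enabled.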