Enterprise Recon 2.11.1
Salesforce
To continue scanning Salesforce (sandbox) Targets without interruption, enable enhanced domains for your Salesforce organization. See Enhanced Domains for more information.
This section covers the following topics:
- Overview
- Licensing
- Requirements
- Configure Salesforce Account
- Set Up and Scan a Salesforce Target
- Edit Salesforce Target Path
- Archived or Deleted Salesforce Data
- Salesforce Files and Attachments
- Unsupported Salesforce Standard Objects
- Salesforce API Limits
Overview
When Salesforce is added as a scan Target, ER2 returns all Standard Objects (including Salesforce Files and Chatter), Custom Objects and Big Objects in the Salesforce domain. You can scan the whole domain or select specific Objects when setting up the scan schedule for the Salesforce Target.
For information on scanning archived and deleted Salesforce data, see Archived or Deleted Salesforce Data.
To set up Salesforce as a Target:
To scan specific paths in a Salesforce Target, see Edit Salesforce Target Path.
Licensing
For Sitewide Licenses, all scanned Salesforce Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, Salesforce Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.
See Target Licenses for more information.
Requirements
Requirements | Description |
---|---|
Proxy Agent |
|
TCP Allowed Connections | Port 443 |
Configure Salesforce Account
You will need to perform the following setup to scan Salesforce Targets:
Generate Certificate and Private Key
To scan Salesforce Targets, you will need a digital signature associated with a digital certificate and private key.
To generate the digital certificate and private key:
- Open a Terminal or Windows Command Prompt.
-
Install the OpenSSL package and run the following command:
# Syntax: openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days <number of days> -keyout <*.key private key file> -out <*.crt certificate file> openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout er-salesforce.key -out er-salesforce.crt
Parameter Description (Optional) days Number of days to certify the certificate for. The default is 30 days. keyout Output filename to write the private key to. For example, er-salesforce.key. out Output filename to write the digital certificate to. For example, er-salesforce.crt. -
openssl asks for the following information:
Prompt Answer Country Name (2 letter code) [AU]: Your country's two letter country code (ISO 3166-1 alpha-2). State or Province Name (full name) [Some-State]: State or province name. Locality Name (e.g., city) []: City name or name of region. Organization Name (e.g., company) [Internet Widgits Pty Ltd]: Name of organization. Organizational Unit Name (e.g., section) []: Name of organizational department. Common Name (e.g. server FQDN or YOUR name) []: Fully qualified domain name of the Master Server. Email Address []: Email address of organization's contact person.
The openssl command generates two output files:
- The digital certificate (e.g. er-salesforce.crt) required to create a connected app for ER2, and
- The private key (e.g. er-salesforce.key) required to Set Up and Scan a Salesforce Target.
Create Connected App
To create a connected app in Salesforce for ER2:
- With your administrator account, log in to your organization's Salesforce site and go to Setup.
- In the Setup > Home tab, enter "App Manager" in the Quick Find box, and select App Manager.
- In the Lightning Experience App Manager page, click on New Connected App.
-
In the Basic Information section, fill in the following fields:
Field Description Connected App Name Enter a descriptive display name for ER2. For example, Enterprise_Recon. API Name Enter a unique identifier to use when referring to the app programmatically. For example, Enterprise_Recon. Contact Email Enter an email address that Salesforce can use if they need to contact you about the connected app. - In the API (Enable OAuth Settings) section, select the Enable OAuth Settings checkbox.
-
In the Callback URL field, enter the URL to redirect to after successful authorization of the connected app. For example, https://example.com/callback-enterprise-recon.
The Callback URL is a compulsory field when setting up a connected app, but is not required for scanning Salesforce Targets with ER2. - Select the Use digital signatures checkbox and click Choose File to upload a digital certificate. For example, er-salesforce.crt. See Generate Certificate and Private Key for more information.
-
Under Select OAuth Scopes, select and Add the following permissions for the "Enterprise_Recon" connected app:
Available OAuth Scopes Description - Access the identity URL service (id, profile, email, address, phone)
- Manage user data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
Required for probing, scanning and remediating Salesforce Targets. - Click Save > Continue.
- In the Manage Connected Apps page, go to API (Enable OAuth Settings) > Consumer Key and click Copy. The consumer key will be required when you Set Up and Scan a Salesforce Target.
- Click Manage > Edit Policies.
- Under OAuth Policies > Permitted Users, select Admin approved users are pre-authorized.
- Click Save.
- Back in the App Manager page, go to the Profiles section and click Manage Profiles.
-
In the Application Profile Assignment page, select the profile(s) (e.g. "System Administrator") that you want to allow to access the "Enterprise_Recon" connected app.
The username that is specified for the Salesforce Account field when you Set Up and Scan a Salesforce Target must be assigned to at least one of the profiles that has:- Access to the ER2 connected app (e.g. "Enterprise_Recon"), and
- Minimum "Read" permissions for the Salesforce Objects to be scanned.
- Click Save.
- In the Setup > Home tab, enter "Profiles" in the Quick Find box, and select Profiles.
- Go to the profile(s) selected in Step 15 (e.g. "System Administrator") and click Edit.
- In the Administrative Permissions section, select the following
checkboxes:
- API Enabled
- Query All Files
Enabling the Query All Files permission is an optional step that allows the Salesforce account that is specified when you Set Up and Scan a Salesforce Target to scan all files in your organization's Salesforce site, including those owned / managed by other user accounts.
Without the Query All Files permission, ER2 will only be able to scan the files that are owned by / shared to the specified Salesforce account. - Click Save.
Set Up and Scan a Salesforce Target
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, select Salesforce.
-
Fill in the following fields:
Field Description Salesforce Domain Enter the organization's domain name. To get the domain name for your organization's Saleforce site, log in to Salesforce and go to Setup > Company Settings > My Domain. The value in the My Domain Name field is your Salesforce domain.New Credential Label Enter a descriptive label for the credential set. Salesforce Account Use the correct username syntax for the Salesforce Account according to the Salesforce site.
Production
- Syntax: <username>
- Example: admin@example.com
Sandbox
- Syntax: sandbox:<username>
- Example: sandbox:admin@example.com.test
The username that is specified for the Salesforce Account field must be assigned to at least one of the profiles that has:- Access to the ER2 connected app (e.g. "Enterprise_Recon"), and
- Minimum "Read" permissions for the Salesforce Objects to be scanned.
Consumer Key Enter the Consumer Key obtained from Create Connected App.
For example, 1234567890.ThisIsTheConsumerKeyForTheEnterpriseReconConnectedAppForSalesforce_1234567.
Private Key Upload the private key file obtained from Generate Certificate and Private Key.
For example, er-salesforce.key.
Agent to act as a proxy host Select a Proxy Agent host with direct Internet access. Recommended Least Privilege User ApproachTo reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.
- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
-
(Optional) On the Select Locations page, probe the Target to browse and select specific Salesforce Objects to scan.
Probing a Salesforce Target will display the list of Salesforce Objects (that are accessible by the specified Salesforce account) by the Object's API name. Go to Setup > Object Manager in your organization's Salesforce site to get the API name for your Salesforce Objects. - Click Next.
- On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
-
On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.
- (Optional) Configure the Partial Salesforce object scanning parameter,
Scan maximum [N] records, sorted by last modified date in descending
order, where N:
- Is the maximum number of records to scan per Salesforce Object.
- Must be a positive integer (N ≥ 1).
- Must be less than or equal to 2147483647 (N ≤ 2147483647).
See Partial Salesforce Object Scanning for more information.
- Click Next.
- On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.
Exclude Files or Attachments from Scans for Salesforce Targets
To exclude scanning files and/or attachments in Salesforce:
- Do not select Objects that contain files / attachments (Attachments, Documents, ContentVersion Objects, etc.) when selecting scan locations in Step 6, or
- Use the Exclude Location by Prefix Global Filter to exclude the Objects
that contain files (e.g. s/ContentVersion)
when scanning Salesforce Targets.
Partial Salesforce Object Scanning
The Partial Salesforce object scanning parameter is optional. If the parameter is left blank, ER2 will proceed to scan all available records in a Salesforce Object.
The maximum number of records to scan per Salesforce Object, N will apply to all Salesforce Targets that are included in the scan schedule.
All records will be scanned if the number of available records in a Salesforce Object is less than N.
Edit Salesforce Target Path
To scan a specific Target location in Salesforce:
- Set Up and Scan a Salesforce Target.
- In the Select Locations section, select your Salesforce Target location and click Edit.
-
In the Edit Salesforce Location dialog box, enter the Path to scan. Use the following syntax:
Salesforce Object Type Path Syntax Standard Object Syntax: s/<object API name>
Example: s/Account
Custom Object Syntax: c/<object API name>
Example: c/Account__c
Big Object Syntax: b/<object API name>
Example: b/Account__b
Go to Setup > Object Manager in your organization's Salesforce site to get the API name for your Salesforce Objects. - Click Test and then Commit to save the path to the Target location.
Archived or Deleted Salesforce Data
ER2 supports the scanning of archived and deleted records in Salesforce Objects. These records will contain the "Archived" or "Deleted" tags in the location's metadata information.
Scanning of archived and deleted files is not supported by ER2.
Salesforce Files and Attachments
When a Salesforce Object is selected during a scan, ER2 scans all attachments and files associated with the parent records under the selected Object.
Each attachment and file is scanned and reported as a distinct location from its parent record. Files with multiple versions are differentiated by the Version N suffix in the location path.
Example
The "ContentVersion" Object contains records for the file "Data.txt". If there are three versions of "Data.txt", and a match is found in two file versions (Version 1 and Version 3), ER2 reports this as:
- Six scanned locations, where the record and file for each version of "Data.txt" are distinct scanned locations, and
- Two match locations, where Version 1 and Version 3 of "Data.txt" are distinct match locations.
Unsupported Salesforce Standard Objects
ER2 currently does not support the following Salesforce Standard Objects:
- AccountUserTerritory2View
- AppTabMember
- ColorDefinition
- ContentDocumentLink
- ContentFolderItem
- ContentFolderMember
- DataStatistics
- DataType
- DatacloudAddress
- EntityParticle
- FieldDefinition
- FlexQueueItem
- FlowVariableView
- FlowVersionView
- IconDefinition
- IdeaComment
- ListViewChartInstance
- NetworkUserHistoryRecent
- OutgoingEmail
- OutgoingEmailRelation
- OwnerChangeOptionInfo
- PicklistValueInfo
- PlatformAction
- RelationshipDomain
- RelationshipInfo
- SearchLayout
- SiteDetail
- UserEntityAccess
- UserFieldAccess
- UserRecordAccess
- Vote
Selecting these Standard Objects when scanning Salesforce Targets will result in ER2 reporting these Objects as Inaccessible Locations.
To prevent unsupported Standard Objects from being reported as inaccessible locations, you are recommended to select specific Salesforce Objects when scheduling scans for Salesforce Targets.
Salesforce API Limits
Salesforce imposes a limit for the total number of inbound API calls that can be made per 24-hour period for an organization. For each API call to Salesforce, ER2 queries and retrieves:
- Up to 2000 records (including Big Objects), or
- A single attachment or file.
If an organization reaches its daily API request limits:
- A critical error will be flagged for the Salesforce domain (or location) with the HTTP 403 error - "REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded".
- Ongoing Salesforce scans will stop executing with the "Failed" status, and the critical error will be reflected on the last Object that was scanned when the limit was reached.
- Probing a Salesforce Target will result in the HTTP 403 error - "REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded".
See Salesforce - API Request Limits and Allocations for more information.