Required Access for Custom User Profiles
SailPoint recommends that you use a System Administrator user profile to grant the Salesforce connector the minimum necessary access within the Salesforce managed system. However, if your organizational policies prohibit the use of a System Administrator user profile in this way, you can create a custom user profile for the connector to use instead. For most connector operations, the custom user profile must have full access to the following Salesforce objects at a minimum:
Note
The list of objects which require full access can vary for custom attributes, depending on how the attribute is defined. You may need to grant full access to additional Salesforce objects for custom attributes.
- Accounts
- Contact
- CollaborationGroup
- Group
- Profile
- PackageLicense
- PermissionSet
- PermissionSetAssignments
- PermissionSetGroup
- PermissionSetLicense
- PermissionSetLicenseAssign
- PublicGroups
- Queues
- Roles
- User
- UserLicense
- UserPackageLicense
- UserRole
Required Permissions for DelegateGroup
Configure the following permissions before you begin configuring DelegateGroup:
- To manage delegated administration – Customize Application
- To be a delegated administrator – View Setup and Configuration
Note
Delegated administrators can only manage user roles. Delegated administrators cannot create new user roles, copy existing roles, or delete existing roles.