Required Access for Custom User Profiles
SailPoint recommends that you use a System Administrator user profile to grant the Salesforce connector the minimum necessary access within the Salesforce managed system. However, if your organizational policies prohibit the use of a System Administrator user profile in this way, you can create a custom user profile for the connector to use instead. For most connector operations, the custom user profile must have full access to the following Salesforce objects at a minimum:
Note
The list of objects which require full access can vary for custom attributes, depending on how the attribute is defined. You may need to grant full access to additional Salesforce objects for custom attributes.
- Accounts
- Contact
- CollaborationGroup
- Group
- Profile
- PackageLicense
- PermissionSet
- PermissionSetAssignments
- PermissionSetGroup
- PermissionSetLicense
- PermissionSetLicenseAssign
- PublicGroups
- Queues
- Roles
- User
- UserLicense
- UserPackageLicense
- UserRole
Required Permissions for DelegateGroup
Configure the following permissions before you begin configuring DelegateGroup:
- To manage delegated administration – Customize Application
- To be a delegated administrator – View Setup and Configuration
Note
Delegated administrators can only manage user roles. Delegated administrators cannot create new user roles, copy existing roles, or delete existing roles.
Salesforce Hyperforce Tenant User Access
To support a Hyperforce tenant, the Salesforce connector requires a custom user profile with full access to the standard objects listed below.
- Accounts
- Contact
- Collaboration Group
- Group
- Profile
- Package License
- Permission Set
- Permission Set Assignments
- Permission Set Group
- Permission Set License
- Permission Set License Assign
- Public Groups
- Queues
- Roles
- User
- User License
- User Package License
- User Role