Required Access for Custom User Profiles

SailPoint recommends that you use a System Administrator user profile to grant the Salesforce connector the minimum necessary access within the Salesforce managed system. However, if your organizational policies prohibit the use of a System Administrator user profile in this way, you can create a custom user profile for the connector to use instead. For most connector operations, the custom user profile must have full access to the following Salesforce objects at a minimum:

Note
The list of objects that require full access can vary for custom attributes, depending on how each attribute is defined. You may need to grant full access to additional Salesforce objects for custom attributes.

  • Accounts

  • Contact

  • CollaborationGroup

  • Group

  • Profile

  • PackageLicense

  • PermissionSet

  • PermissionSetAssignments

  • PermissionSetGroup

  • PermissionSetLicense

  • PermissionSetLicenseAssign

  • PublicGroups

  • Queues

  • Roles

  • User

  • UserLicense

  • UserPackageLicense

  • UserRole

Required Permissions for DelegateGroup

Configure the following permissions before you begin configuring DelegateGroup:

  • To manage delegated administration – Customize Application

  • To be a delegated administrator – View Setup and Configuration

    Note
    Delegated administrators can only manage user roles. Delegated administrators cannot create new user roles, copy existing roles, or delete existing roles.