Activity Insights - Salesforce
Note
This page describes a Limited Availability feature. Contact your Customer Success team to opt in.
To display activity data from Activity Insights, you must first create a service account and connected app in Salesforce. You’ll then connect the following Salesforce sources, so Activity Insights can gather your Salesforce account information and activity data.
Salesforce | Allows you to manage users and policy-based access controls in IdentityNow. |
Activity Insights – Salesforce | Works with your Salesforce identity governance connector to provide activity data for identities. |
Configuring Salesforce
To connect Salesforce to IdentityNow, you can use an account with the System Administrator profile or create and assign a custom profile with least privilege. Both profiles require that the user have a Salesforce license type. The user should not be part of the Customer Portal or Partner Portal. For more information, refer to Salesforce's product documentation.
Configuring a Connected App using Password Grant Type
- Create a service account in Salesforce. You’ll use these credentials to connect Salesforce to IdentityNow.
- Create a connected app in Salesforce. You’ll use the consumer key and secret to connect Salesforce to IdentityNow.
- Set the application's IP relaxation in Salesforce. Go to Setup > App Manager. Find your connected application and select . Select Manage and set the IP relaxation to Relax IP restrictions.
- Allow OAuth Username-Password Flows in Salesforce. Go to Setup > OAuth and OpenID Connect Settings. Enable the Allow OAuth Username-Password Flows toggle.
Configuring a Connected App using Client Credentials Type
- Create a service account in Salesforce. You’ll use this account to connect Salesforce to IdentityNow.
- Go to Apps > App Manager. Select New Connected App.
- Enter a name for the connected app and API.
- Enter a contact email address.
- Select the Enable OAuth Settings checkbox.
- Select the Enable for Device Flow checkbox.
- Enter https://login.salesforce.com/services/oauth2/success as the callback URL.
- Add Manage user data via APIs (api) as a selected OAuth scope.
- Select the Require Secret for Web Server Flow checkbox.
- Select the Require Secret for Refresh Token Flow checkbox.
- Select the Enable Client Credentials Flow checkbox and select OK.
- Select Save to create the connected app.
- Go to the connected app's page and select Edit Policies.
- In the Client Credentials Flow section, search for your service account in the Run As text box. Select Save to save these settings.
Connecting Salesforce to IdentityNow
To connect Salesforce to IdentityNow, you’ll need to configure the following sources in IdentityNow. This will allow IdentityNow to gather account information and activity data from Salesforce.
You may connect your sources in any order.
Configuring Salesforce Identity Governance Source
Follow the directions to create your Salesforce source in IdentityNow. You can also edit an existing source.
Configuring the Activity Insights – Salesforce Source
To display activity data from Activity Insights, you must configure the Activity Insights – Salesforce source in IdentityNow.
Note
To ensure activity data displays in IdentityNow, you must also connect the Salesforce identity governance source.
- From the IdentityNow navigation menu, select Admin > Connections > Sources.
- Select Create New to create a new source.
- Search for and select the Activity Insights - Salesforce connector.
- Enter a source name.
- Enter a description for your source.
- In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
- (Optional) Select a governance group for source management.
- Select Continue to create the source.
- Select Configuration from the left panel.
- Enter the following information:
  - OAuth 2.0 Token URL: Your OAuth 2.0 Token URL from Salesforce. Search for "domain" in Salesforce. Under Company Settings, select My Domain. Add your domain from Current My Domain URL to /services/oauth2/token.
  - Grant Type: Choose Client Credentials or Password.
    - For Client Credentials grant type, enter your consumer key and secret.
    - For Password grant type, enter your consumer key and secret. Enter the username and password for your service account.
- Select Save to save these settings.
- Select Test Connection to test the connection between the applications. You must have a successful connection for IdentityNow to gather activity data. If the test is unsuccessful, retry your credentials or contact SailPoint Support.
Your activity data will begin syncing immediately and will update every 24 hours. You must run an aggregation for the Salesforce source to gather accounts, groups, and role information.
Setting Permissions for a Custom Profile with Least Privilege
You can create and assign a profile with the least privilege by creating a custom profile with the following settings:
System Permissions
Create and Customize List View | Create and Set Up Experiences |
Create Libraries | Create Topics |
Customize Application | Edit Events |
Update Consent Preferences Using REST API | Lightning Console User |
Lightning Experience User | Lightning Login User |
Manage All Private Reports and Dashboards | Manage Certificates |
Manage Connected Apps | Manage Custom Permissions |
Manage Lightning Sync | Manage Mobile Configurations |
Manage Multi-Factor Authentication in User Interface | View All Data |
View Event Log Files | View Help Link |
View Real-Time Event Monitoring Data | View Roles and Role Hierarchy |
View Setup and Configuration | View User Records with PII |
User Permissions
Assign Permission Sets | Manage Internal Users |
Manage IP Addresses | Manage Login Access Policies |
Manage Password Policies | Manage Profiles and Permissions Sets |
Manage Roles | Manage Sharing |
Manage Users | Reset User Passwords and Unlock Users |
View All Profiles | View All Users |
Object Settings
For a complete list of object permissions, refer to Salesforce Integration - Object Settings.
App Permissions
Category | Permission Name |
---|---|
Call Center | Manage Macros Users Can't Undo |
Knowledge Management | Allow View Knowledge |
Knowledge Management | Knowledge One |
Sales | Edit Opportunity Product Sales Price |
Sales | Send Stay-in-Touch Requests |
User Metadata
IdentityNow pulls the following user metadata from Salesforce.
Field | Description |
---|---|
Department | The user's department. |
Division | The division associated with the user. |
Forecast Enabled | Indicates whether the user has access to sales forecasts. |
License Description | The description of the license definition key. |
License Label | The user's license label. |
Normalized License Name | The human-readable text of the license definition key. |
User Type | The type of user. |