Skip to content

Activity Insights - Salesforce

Note

This page describes a Limited Availability feature. Contact your Customer Success team to opt in.

To display activity data from Activity Insights, you first must create a service account and connected app in Salesforce. You’ll then connect the following Salesforce sources, so Activity Insights can gather your Salesforce accounts information and activity data.
Salesforce Allows you to manage users and policy-based access controls in IdentityNow.
Activity Insights – Salesforce Works with your Salesforce identity governance connector to provide activity data for identities.

Configuring Salesforce

To connect Salesforce to IdentityNow, you can use an account with the System Administrator profile or create and assign a custom profile with least privilege. Both profiles require the user have a Salesforce license type. The user should not be part of the Customer Portal or Partner Portal. For more information, refer to Salesforce's product documentation.

Configuring a Connected App using Password Grant Type

  1. Create a service account in Salesforce. You’ll use these credentials to connect Salesforce to IdentityNow.

  2. Create a connected app in Salesforce. You’ll use the consumer key and secret to connect Salesforce to IdentityNow.

  3. Set the application's IP relaxation in Salesforce. Go to Setup > App Manager. Find your connected application and select . Select Manage and set the IP relaxation to Relax IP restrictions.

  4. Allow OAuth Username-Password Flows in Salesforce. Go to Setup > OAuth and OpenID Connect Settings. Enable the Allow OAuth Username-Password Flows toggle.

Configuring a Connected App using Client Credentials Type

  1. Create a service account in Salesforce. You’ll use this account to connect Salesforce to IdentityNow.
  2. Go to Apps > App Manager. Select New Connected App.
  3. Enter a name for the connected app and API.
  4. Enter a contact email address.
  5. Select the Enable OAuth Settings checkbox.
  6. Select the Enable for Device Flow checkbox.
  7. Enter https://login.salesforce.com/services/oauth2/success as the callback URL.
  8. Add Manage user data via APIs (api) as a selected OAuth scope.
  9. Select the Require Secret for Web Server Flow checkbox.
  10. Select the Require Secret for Refresh Token Flow checkbox.
  11. Select the Enable Client Credentials Flow checkbox and select OK.
  12. Select Save to create the connected app.
  13. Go to the connected app's page and select Edit Policies.
  14. In the Client Credentials Flow section, search for your service account in the Run As text box. Select Save to save these settings.

Connecting Salesforce to IdentityNow

To connect Salesforce to IdentityNow, you’ll need to configure the following sources in IdentityNow. This will allow IdentityNow to gather account information and activity data from Salesforce.

You may connect your sources in any order.

Configuring Salesforce Identity Governance Source

Follow the directions to create your Salesforce source in IdentityNow. You can also edit an existing source.

Configuring the Activity Insights – Salesforce Source

To display activity data from Activity Insights, you must configure the Activity Insights – Salesforce source in IdentityNow.

Note

To ensure activity data displays in IdentityNow, you must also connect the Salesforce identity governance source.

  1. From the IdentityNow navigation menu, select Admin > Connections > Sources.

  2. Select Create New to create a new source.

  3. Search for and select the Activity Insights - Salesforce connector.

  4. Enter a source name.

  5. Enter a description for your source.

  6. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.

  7. (Optional) Select a governance group for source management.

  8. Select Continue to create the source.

  9. Select Configuration from the left panel.

  10. Enter the following information:

    • OAuth 2.0 Token URL: Your OAuth 2.0 Token URL from Salesforce. Search for "domain" in Salesforce. Under Company Settings, select My Domain. Add your domain from Current My Domain URL to /services/oauth2/token.

    • Grant Type: Choose Client Credentials or Password.

      • For Client Credentials grant type, enter your consumer key and secret.

      • For Password grant type, enter your consumer key and secret. Enter the username and password for your service account.

  11. Select Save to save these settings.

  12. Select Test Connection to test the connection between the applications. You must have a successful connection for IdentityNow to gather activity data. If the test is unsuccessful, retry your credentials or contact SailPoint Support.

Your activity data will begin syncing immediately and will update every 24 hours. You must run an aggregation for the Salesforce source to gather accounts, groups, and role information.

Setting Permissions for a Custom Profile with Least Privilege

You can create and assign a profile with the least privilege by creating a custom profile with the following settings:

System Permissions
Create and Customize List View Create and Set Up Experiences        
Create Libraries Create Topics
Customize Application Edit Events
Update Consent Preferences Using REST API Lightning Console User
Lightning Experience User Lightning Login User
Manage All Private Reports and Dashboards Manage Certificates
Manage Connected Apps Manage Custom Permissions
Manage Lightning Sync Manage Mobile Configurations
Manage Multi-Factor Authentication in User Interface View All Data
View Event Log Files View Help Link
View Real-Time Event Monitoring Data View Roles and Role Hierarchy
View Setup and Configuration View User Records with PII
User Permissions
Assign Permission Sets Manage Internal Users
Manage IP Addresses Manage Login Access Policies
Manage Password Policies    Manage Profiles and Permissions Sets
Manage Roles Manage Sharing
Manage Users Reset User Passwords and Unlock Users
View All Profiles View All Users
Object Settings

For a complete list of object permissions, refer to Salesforce Integration - Object Settings.

App Permissions
Category Permission Name
Call Center Manage Macros Users Can't Undo
Knowledge Management Allow View Knowledge
Knowledge Management Knowledge One
Sales Edit Opportunity Product Sales Price
Sales Send Stay-in-Touch Requests

User Metadata

IdentityNow pulls the following user metadata from Salesforce.

Field Description
Department The user's department.
Division The division associated with the user.
Forecast Enabled Indicates whether the user has access to sales forecasts.
License Description The description of the license definition key.
License Label The user's license label.
Normalized License Name The human-readable text of the license definition key.
User Type The type of user.