Salesforce
This section covers the following topics:
Prerequisites
Component | Description |
---|---|
Proxy Agent | Proxy Agent host with direct internet access. Recommended Proxy Agents: • Windows Agent • Linux Agent |
TCP Allowed Connections | Port 443 |
Configure Salesforce Account
This topic describes how to generate a digital certificate and the private key. These are required to register DDC with a Salesforce account.
Generate Certificate and Private Key
To scan the Salesforce targets, you need a digital signature associated with a digital certificate and the private key.
To generate the digital certificate and the private key:
Open a terminal or the Windows Command prompt.
Install the OpenSSL package and run the following command:
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days <number of days> -keyout <*.key private key file> -out <*.crt certificate file> openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout ddc-salesforce.key -out ddc-salesforce.crt
Parameter Description (Optional) days Number of days to certify the certificate for. The default is 30 days. keyout Name of the output file to write the private key to. For example, ddc-salesforce.key
.out Name of the file to write the digital certificate to. For example, ddc-salesforce.crt
.You will be prompted to enter the required details.
Specify the following details:
Prompt Answer Country Name (2 letter code) [AU] Your country's two letter country code (ISO 3166-1 alpha-2). State or Province Name (full name) [Some-State] State or province name. Locality Name (for example, city) [] City name or name of region. Organization Name (for example, company) [Internet Widgits Pty Ltd] Name of organization. Organizational Unit Name (for example, section) [] Name of organizational department. Common Name (for example, server FQDN or YOUR name) [] Fully qualified domain name of the Master Server. Email Address [] Email address of organization's contact person.
OpenSSL generates two output files:
The private key (for example,
ddc-salesforce.key
) required to set up and scan a Salesforce target.The digital certificate (for example,
ddc-salesforce.crt
) required to create a connected app for DDC.
Create Connected App
Instructions for the Salesforce Lightning and Salesforce Classic interfaces are different. Click the desired tab to view the intstructions.
To create a connected app for DDC in Salesforce:
Log on to your organization's Salesforce site as an administrator.
Got to Setup.
On the Home tab, in the Quick Find field, enter App Manager and select App Manager.
On the Lightning Experience App Manager page, click New Connected App.
In the Basic Information section, specify the following details:
Field Description Connected App Name Descriptive display name for DDC, for example, DDC. API Name Unique identifier for referring to the app programmatically, for example, DDC. Contact Email Email address that Salesforce can use to contact you about the connected app. In the API (Enable OAuth Settings) section, select the Enable OAuth Settings check box.
In the Callback URL field, enter the URL to redirect to after successful authorization of the connected app.
Note
The Callback URL is a compulsory field for setting up a connected app but is not required for scanning the Salesforce targets with DDC.
Select Use digital signatures and click Choose File to upload a digital certificate, for example,
er-salesforce.crt
. Refer to Generate Certificate and Private Key for details.Under Select OAuth Scopes, select and Add the following permissions for the DDC connected app:
Available OAuth Scopes Description • Access the identity URL service (id, profile, email, address, phone)
• Manage user data via APIs (api)
• Perform requests at any time (refresh_token, offline_access)Required for probing, scanning, and remediating Salesforce targets. Click Save and click Continue.
On the Manage Connected Apps page, go to API (Enable OAuth Settings) > Consumer Key and click Copy.
A sample consumer key is
1234567890.ThisIsTheConsumerKeyForTheDDCConnectedAppForSalesforce_1234567
. Save the consumer key at a secure location. This key will be required when configuring the connection for the Salesforce data store.Click Manage > Edit Policies.
Under OAuth Policies > Permitted Users, select Admin approved users are pre-authorized.
Click Save.
Return to the App Manager page, go to the Profiles section, and click Manage Profiles.
On the Application Profile Assignment page, select the profile(s) (for example, System Administrator) that you want to allow to access the DDC connected app.
Note
The Salesforce account that is specified when you Set Up and Scan a Salesforce Target must be assigned to at least one of the profiles that has:
Access to the DDC connected app (for example, "DDC"), and
Minimum "Read" permissions for the Salesforce Objects to be scanned
Refer to Salesforce Help - Object Permissions for details.
Click Save.
On the Setup > Home tab, in the Quick Find field, enter Profiles and select Profiles.
Go to the profile you selected earlier (for example, System Administrator) and click Edit.
In the Administrative Permissions section, select the following:
API Enabled
Query All Files
Note
Enabling the Query All Files permission is an optional step. This permission allows the Salesforce account to scan all files in your organization's Salesforce site, including those owned / managed by other user accounts. You will specify this Salesforce account when configuring a connection for the data store.
For more information about Salesforce behavior when Query All Files is enabled, refer to ContentVersion.
Without the Query All Files permission, DDC will can only scan the files that are owned by / shared to the specified Salesforce account.
Click Save.
To create a connected app for DDC in Salesforce:
Log on to your organization's Salesforce site as an administrator.
Got to Setup.
In the left pane, under the Build section, expand Create and click Apps.
In the Connected Apps section, click New.
In the Basic Information section, specify the following details:
Field Description Connected App Name Descriptive display name for DDC, for example, DDC. API Name Unique identifier for referring to the app programmatically, for example, DDC. Contact Email Email address that Salesforce can use to contact you about the connected app. In the API (Enable OAuth Settings) section, select the Enable OAuth Settings check box.
In the Callback URL field, enter the URL to redirect to after successful authorization of the connected app.
Note
The Callback URL is a compulsory field for setting up a connected app but is not required for scanning the Salesforce targets with DDC.
Select Use digital signatures and click Choose File to upload a digital certificate, for example,
er-salesforce.crt
. Refer to Generate Certificate and Private Key for details.Under Select OAuth Scopes, select and Add the following permissions for the DDC connected app:
Available OAuth Scopes Description • Access the identity URL service (id, profile, email, address, phone)
• Manage user data via APIs (api)
• Perform requests at any time (refresh_token, offline_access)Required for probing, scanning, and remediating Salesforce targets. Click Save and click Continue. You will be redirected to app details page.
Go to API (Enable OAuth Settings) > Consumer Key and Secret > and click Manage Consumer Details > Copy Consumer Key.
A sample consumer key is
1234567890.ThisIsTheConsumerKeyForTheDDCConnectedAppForSalesforce_1234567
. Save the consumer key at a secure location. This key will be required when configuring the connection for the Salesforce data store.Click Back to Manage Connected Apps > Manage > Edit Policies.
Under OAuth Policies > Permitted Users, select Admin approved users are pre-authorized.
Click Save.
Go to the Profiles section, and click Manage Profiles.
On the Application Profile Assignment page, select the profile(s) (for example, System Administrator) that you want to allow to access the DDC connected app.
Note
The Salesforce account that is specified when you set up and scan a Salesforce target must be assigned to at least one of the profiles that has:
Access to the DDC connected app (for example, "DDC"), and
Minimum "Read" permissions for the Salesforce Objects to be scanned
Refer to Salesforce Help - Object Permissions for details.
Click Save.
Navigate to Setup. In the left pane, under the Administer section, expand Manage Users and select Profiles.
Go to the profile you selected earlier (for example, System Administrator) and click Edit.
In the Administrative Permissions section, select the following:
API Enabled
Query All Files
Note
Enabling the Query All Files permission is an optional step. This permission allows the Salesforce account to scan all files in your organization's Salesforce site, including those owned / managed by other user accounts. You will specify this Salesforce account when configuring a connection for the data store.
For more information about Salesforce behavior when Query All Files is enabled, refer to ContentVersion.
Without the Query All Files permission, DDC will can only scan the files that are owned by / shared to the specified Salesforce account.
Click Save.
Add Salesforce Data Store
To add the Salesforce data store:
Log on to the CipherTrust Manager GUI.
Open the Data Discovery & Classification application.
Click Data Stores > Data Stores > Add Data Store. The Add Data Store wizard is displayed.
Complete the following steps:
Select Store Type
Under Select Data Store Category, select Cloud.
From Select Cloud Type, select Salesforce.
Click Next.
Configure Connection
Specify the credentials of the Salesforce domain:
Field Description Account Name Email address linked with the Salesforce account to scan.
Production
• Syntax:<email_address>
• Example:admin@example.com
Sandbox
• Syntax:sandbox:<email_address>
• Example:sandbox:admin@example.com
Consumer Key Key obtained when creating the connected app. For example, 1234567890.ThisIsTheConsumerKeyForTheDDCConnectedAppForSalesforce_1234567
. This key was created when creating the connected app.Private Key Cloud service-specific access keys, for example, ddc-salesforce.key
. Refer to Generate Certificate and Private Key for the private key.(Optional) In the Add Label field, enter a label. You can also remove an existing label.
Note
DDC doesn't support selection of multiple agents for the Salesforce data store.
Click Next.
General Info
Specify the following details:
Name: Name for the data store.
Description (Optional): Description for the data store.
Location: Location of the data store. Refer to Managing Branch Locations for details.
Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.
Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.
Click Next.
Add Tags & Access Control
(Optional) Grant the
All groups (default)
access for reports. Alternatively, select a group.Click Save.
The data store is added to the Data stores page. If the Ready to Scan column shows Ready, then data store is properly configured.
For more information on tags and access control, expand the section below.
Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:
ACCESS - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:
All groups: All groups of users can access the data store through reports. This is the default setting.
Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.
TAGS - select a tag from the Add Tag drop-down list. Please check the list of prebuilt tags in Predefined Tags.
Tip
New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
Add as many tags as needed.
To remove a tag, click the close icon in the tag name.
In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" for details.
In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add metadata. See "Configuring a Data Store – Tags and Access Control" for details.
Click Save to create the data store. At any time during the configuration you can click Back to go to any of the previous wizard screens to update the configuration. The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.
Add Salesforce Scan
To add a scan for the Salesforce:
Open the Data Discovery & Classification application.
Click Scans > Add Scan. The Add Scan wizard is displayed.
Complete the following steps:
Refer to Scans for the description of screens of the Add Scan wizard.
General Info
Specify a Name for the scan.
(optional) Add a Description for the scan.
Expand Advanced Configuration and specify advanced configurations such Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.
Click Next.
Select Data Stores
Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required.
Click Next.
Add Targets
To add a scan target, do one of the following:
Under the Add Target field, specify the correct target path and click Apply.
If no specific target is added, the entire data store will be scanned. Full data store or selected paths will be remediated only if selected.
The following table lists target paths and syntax to specify them with examples.
Salesforce Object Type Syntax Example Complete data store <Empty_Path> All standard objects s s All custom objects c c All big objects b b Specific standard object s/<object API name> s/Account Specific custom object c/<object API name> c/Account__c Specific big object b/<object API name> b/Account__b Note
Target paths are case-sensitive.
Navigate and add target paths.
Click Browse to navigate target paths from the root level.
Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.
In the left pane, navigate and select the desired target path.
Click Add Path to add the target path to the right pane. Similarly, add other target paths.
Click Add.
Tip
Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.
Click Next.
Select Profiles
Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple data stores, if required. Refer to Classification Profiles for details on classification profiles.
Click Next.
Add Filters
This step is optional.
Select the desired filter from the Select Filter drop-down list.
To filter the locations to scan an Salesforce data store, consider the following syntax.
Note
Exclude locations by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work.
Exclude locations by prefix
Excludes search locations and nested locations with paths that begin with a given string. It can be used to exclude entire directory trees. Specify
<string>
.Filter Item Syntax Example Folder <FolderName> C Object <FolderName/<Object> c/usecase_data Exclude locations by suffix
Excludes search locations and nested locations with paths that end with a given string. Specify
<string>
.Note
You cannot exclude targets, folders, and objects using suffix filter. To exclude items within any object, provide the complete path or ending string of the item path.
Example - If target path is c/Usecase_data3__c and actual path of the object item is c/Usecase_data3__c/a0H5G00000R5GygUAF/AMX 346761705951424, then provide
AMX 346761705951424
as suffix to exclude this object item.Exclude locations by expression
This filter is majorly used with wildcard characters.
Excludes search locations and nested locations that matches the given expression. Specify
<string>
.For example, to exclude locations that contain 'blob' in their path, use expression *blob*.
Filter Item Syntax Example Folder *<FolderName>* *C* Object *<FolderName>/<ObjectName>* *c/ddc_c* Include locations modified recently
Includes search locations modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date.
Exclude locations greater than file size
Excludes files that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.
Include locations within modification date
Includes search locations modified within a given range of dates. After selecting this filter, specify Start and End dates.
Click Apply.
Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter.
Click Next.
Schedule Run
Specify the scan run frequency. The two options are:
Manual: This is the default option. Select this option run the scan manually. Select the Run Now check box to start the scan run after you save the changes.
Scheduled: Select this option to configure the scan to run automatically at the specified time.
Refer to Schedule Scan for more details on scheduling scan runs.
Click Save.
Salesforce API Limits
Salesforce imposes a limit on the total number of inbound API calls that can be made per 24-hour period for an organization. For every API call to Salesforce, DDC queries and retrieves:
Up to 2000 records (including Big Objects), or
A single attachment or file.
If an organization reaches its daily API request limit:
A critical error is flagged for the Salesforce domain (or location) with the HTTP 403 error -
REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded
.Running Salesforce scans stop executing with the Failed status. A critical error is reflected on the last Object that was scanned when the limit was reached.
Probing a Salesforce target results in the HTTP 403 error -
REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded
.
Refer to Salesforce - API Request Limits and Allocations for details.
Unsupported Salesforce Standard Objects
Currently, DDC doesn't support the following Salesforce Standard Objects:
AccountUserTerritory2View
AppTabMember
ColorDefinition
ContentDocumentLink
ContentFolderItem
ContentFolderMember
DataStatistics
DataType
DatacloudAddress
EntityParticle
FieldDefinition
FlexQueueItem
FlowVariableView
FlowVersionView
IconDefinition
IdeaComment
ListViewChartInstance
NetworkUserHistoryRecent
OutgoingEmail
OutgoingEmailRelation
OwnerChangeOptionInfo
PicklistValueInfo
PlatformAction
RelationshipDomain
RelationshipInfo
SearchLayout
SiteDetail
UserEntityAccess
UserFieldAccess
UserRecordAccess
Vote