Skip to main content

Checklist before installing a Salesforce integration

We recommend verifying the following requirements before installing the Salesforce integration:

1. Verify your Salesforce edition supports API access

Salesforce editions offer different levels of API access, which can affect how Salesforce integrations work in Ampersand. Before setting up your Salesforce integration, confirm whether your Salesforce edition includes API access. Some editions include full API access by default, while others may offer limited access or require additional purchases. To check if your Salesforce edition supports the necessary API access for this integration, please refer to Salesforce’s official documentation on API access by edition. If your Salesforce edition does not include the required API access, contact your Salesforce account representative to upgrade your edition.

2. Configure token policy settings

Salesforce access tokens expire after a certain period. To ensure your integration continues working without interruption, you need to set your refresh token policy to Refresh token is valid until revoked. Here’s how to configure this setting in Salesforce:
  1. Log in to Salesforce.
  2. Go to Setup.
  3. In the Quick Find box, search for Connected Apps.
  4. Click on Manage Connected Apps.
  5. Find and click on the name of the application you are integrating with.
  6. Scroll down to the OAuth Policies section.
  7. Look for Refresh Token Policy.
  8. Under IP Relaxation, select Relax IP restrictions.
  9. Make sure the refresh token policy is set to Refresh token is valid until revoked.
Refresh Token Settings
  1. Click Save.

3. Check API access control settings

Salesforce allows administrators to restrict which applications can access Salesforce data through APIs. You need to ensure that API access isn’t limited to only specific connected apps. To verify your API access control settings:
  1. Log in to Salesforce.
  2. Go to Setup.
  3. In the Quick Find box, search for Connected Apps OAuth Usage.
  4. Under the list of connected apps, find your app and click Manage App Policies.
  5. In the OAuth Policies section, ensure the Permitted Users status is one of:
  • Admin approved users are pre-authorized - only selected users can access.
  • All users may self-authorize - all users can access the app.
Permitted Users If you need to modify these settings:
  1. Click on Install next to your connected app.
  2. In the OAuth Usage and Policies section, set the appropriate permissions level.
  3. Click Save.

Ensure sufficient permissions

The credentials provided to the integration can be:
  • A human user, such as:
    • a System Administrator. Please note that you still need to ensure that the System Admin has the correct object and field level permissions, they may not be granted by default.
    • a sales team member with the Salesforce User License and the necessary permissions as specified below. This user can either have a standard profile (such as “Standard User”) or a custom profile. Please note that the Salesforce Platform User License is insufficient.
  • A Salesforce integration user This type of user is specifically for integrations, and does not have access to the Salesforce UI.

Human users

1. View and edit permissions for profile

In Setup, search for Profiles in the Quick Find box and open it. Then:
  1. Select the profile you’d like to view and edit.
  2. Click Edit at the top of the page. Edit profile
  3. Ensure the checkboxes for the necessary permissions below are checked.
  4. Click Save at the top or bottom of the page.
Ensure that the following permissions are checked in the profile:
  1. API Enabled
  2. One of the following:
  • Approve Uninstalled Connected Apps
  • Use Any API Client
    • Choose this if API Access Control is enabled. This can be enabled by contacting Salesforce Customer Support.
  1. If your integration is using Subscribe actions:
  • View Setup and Configuration
  • View Roles and Role Hierarchy
  • Manage Custom Permissions
  • Customize Application
  • Modify Metadata Through Metadata API Functions
  • Allows Users to Modify Named Credentials and External Credentials

2a. Field permissions for standard profile

If the user has a standard profile (such as “Standard User”), then follow these instructions:
  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Object Manager and open it. Setup Object Manager
  3. Choose the object you need (for example, Account), then select Fields & Relationships from the left navbar. Setup Object Manager Account
  4. Find the field you want to adjust and click it.
  5. Click Set Field-Level Security. Set Field Level Security
  6. Ensure the checkbox for Visible is selected for the profile you’re interested in. If the profile is not visible in this list, it means that it does not have access to the object. This is not possible to modify.
Check Visible for profile
  1. Repeat steps 4–6 for all fields that the integration needs to read, especially custom fields.

2b. Object and field permissions for custom profile

If the user has a custom profile, then follow these instructions:
  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Object Manager and open it. Setup Object Manager
  3. Choose the object you need (for example, Account) and go to Object Access in the left navbar. Select the Profiles tab at the top. Click Edit and grant the necessary permissions for your custom profile.
  • If the integration needs to read data, ensure that Read, View All Records, and View All Fields are checked.
  • If the integration needs to write data, ensure that all boxes are checked.
Edit Object Access

Salesforce Integration users

The Salesforce Integration user license type is a special type of license that can be used for integrations and does not have UI access.

1. Create a new user

  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Users and open it.
  3. Create a new user:
  • For User License, select Salesforce Integration.
  • For Profile, select Minimum Access - API Only Integrations.

2. Create a Permission Set

  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Permission Sets and open it.
  3. Click on “New” to create a new permission set.
  1. Follow the prompts to create the permission set:
  • For the name, you can call it something general like Integration User Permission Set or something that describes the level of access it has - such as Account and Contact Access.
  • In the License dropdown, you must select Salesforce API Integration.

3. Configure object permissions

  1. Click on Object Settings
  1. For each of the objects that the integration needs to access you need to set up its permissions. Start by clicking on the first object, for example “Accounts”.
  1. Edit the permission so that all relevant boxes under Object Permissions and Field Permissions are checked. Then click on Save.
  1. Repeat for all the other objects that the integration needs to access.

4. Configure system permissions

  1. Select System Permissions.
  1. Ensure that the following checkboxes are selected, and then click Save.
  • Approve Uninstalled Connected Apps
  • Use Any API Client
    • Choose this if API Access Control is enabled. This can be enabled by contacting Salesforce Customer Support.
If your integration is using Subscribe actions, you also need to select the following:
  • View Setup and Configuration
  • View Roles and Role Hierarchy
  • Manage Custom Permissions
  • Customize Application
  • Modify Metadata Through Metadata API Functions
  • Allows Users to Modify Named Credentials and External Credentials

5. Assign permission set to integration user

  1. Click on Manage Assignments.
  1. Click on Add Assignment.
  1. Select the integration user you created in step 1.
  1. Ensure “Expires On” is set to “Never Expires”, and then click on “Assign”.

Salesforce terminology

License

A license is purchased from Salesforce and determines the maximum set of permissions that can be granted to a user with that license.

Profile

A profile is a collection of settings that determines what objects, fields, and features a user can access in Salesforce. Each user has exactly one profile. Standard profiles (e.g. Standard User, System Administrator) are provided by Salesforce; you can also create custom profiles by cloning an existing one. A profile is always associated with one user license, but a user license can have multiple profiles associated with it. When you create a new user, you can pick both the license and profile of that person.

Permission set

A permission set is a collection of permissions that you assign to users to grant access to specific objects, fields, and capabilities. Permission sets extend the default permissions of a profile. Users can have only one profile but multiple permission sets. A permission set is tied to a license, and only users with that license type can be granted the permission set.