Overview
Before connecting Incydr to Salesforce, you need to set up a custom profile in Salesforce and assign that profile to the Incydr service account. This article lists the specific permissions required in the custom profile.
Permissions required by the Incydr service account user
Incydr monitors your Salesforce environment for report download activity via a series of secure API requests. As a service account API user, Incydr requires specific permissions in your Salesforce environment for the Salesforce Event Manager to accept those requests. The table below lists the permissions required by the Incydr service account and explains what they allow the service account to do.
Least privilege
The Incydr Salesforce data connection adheres to the principle of least privilege. The permissions below describe the minimum requirements for the service account to monitor report download activity.
| Permission | Description |
|---|---|
| Administrative permissions | |
| API Enabled | Required to make API calls to retrieve the following information from Salesforce: |
| Chatter Internal User | This permission is not required by Incydr. It is selected by default when configuring permissions for a new user profile. |
| Customize Application | Required to read RealTimeEventSettings, which indicates whether the “Real-Time Event Monitoring” license is added and enabled in your Salesforce account. Enabling this permission automatically enables these additional permissions:<br>Without this permission, Incydr cannot ensure the Salesforce connection is configured correctly. |
| Lightning Console User | This permission is not required by Incydr. It is selected by default when configuring permissions for a new user profile. |
| Lightning Experience User | This permission is optional. Select this permission only if you need to log in to Salesforce with the Incydr service account to complete administrative tasks in the Salesforce Lightning Experience interface. |
| Manage All Private Reports and Dashboards | Required to retrieve metadata on the reports that users generate within Salesforce. |
| Manage Custom Permissions | Required to use Salesforce’s Metadata API. This permission is a dependency when enabling the “Customize Application” permission. |
| Modify Metadata Through Metadata API Functions | Required to use Salesforce’s Metadata API and augment event information provided by the Real-Time Event Monitoring stream. |
| View Help Link | This permission is not required by Incydr. It is selected by default when configuring permissions for a new user profile. |
| View Roles and Role Hierarchy | Required to use Salesforce’s Metadata API. Incydr requests user, role, and profile information to determine which users are in scope and whether they are licensed to export reports. This permission is a dependency when enabling the “View Setup and Configuration” permission. |
| View Setup and Configuration | Required to use Salesforce’s Metadata API. Incydr requests Salesforce org information to verify integration parameters. |
| General User Permissions | |
| Access Activities | This permission is not required by Incydr. It is selected by default when configuring permissions for a new user profile. |
| Allow View Knowledge | This permission is not required by Incydr. It is selected by default when configuring permissions for a new user profile. |
| Run Reports | Required to retrieve information about the public and private reports generated by users in your Salesforce environment. |
| View Real-Time Event Monitoring Data | Required to view real-time events and subscribe to the Real-Time Event stream.<br>Incydr monitoring requires the Salesforce Shield or Salesforce Event Monitoring add-on subscription.<br>You must have either the Salesforce Shield or the Salesforce Event Monitoring add-on subscription to use the Incydr Salesforce data connection. Only these subscriptions include the View Real-Time Event Monitoring Data permission required to collect information about reports downloaded from your Salesforce environment. |
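
The table above can be turned into a least-privilege check for the service account profile. The following is an added example, not Incydr or Salesforce code: it classifies a profile's enabled permissions against the table, and it assumes the input is a list of permission labels as they appear in the profile (the function name, report keys, and sample input are constructed for illustration).

```python
# Added example: least-privilege audit of the Incydr service account profile.
# Labels come from the table above; the input format (a list of the labels
# enabled on the profile) is an assumption.
REQUIRED = [
    "API Enabled", "Customize Application",
    "Manage All Private Reports and Dashboards", "Manage Custom Permissions",
    "Modify Metadata Through Metadata API Functions",
    "View Roles and Role Hierarchy", "View Setup and Configuration",
    "Run Reports", "View Real-Time Event Monitoring Data",
]
OPTIONAL = ["Lightning Experience User"]
# Selected by default on a new profile, but not required by Incydr.
DEFAULT_ONLY = [
    "Chatter Internal User", "Lightning Console User", "View Help Link",
    "Access Activities", "Allow View Knowledge",
]

def _key(label):
    """Compare labels ignoring case and stray whitespace."""
    return " ".join(label.split()).casefold()

def audit_profile(enabled_labels):
    """Classify a profile's enabled permissions against the table."""
    enabled = {_key(l): " ".join(l.split()) for l in enabled_labels}
    known = {_key(l) for l in REQUIRED + OPTIONAL + DEFAULT_ONLY}
    report = {
        # Required permissions that are absent: the connection will not work.
        "missing": [l for l in REQUIRED if _key(l) not in enabled],
        # Defaults left selected although Incydr does not need them.
        "not_required_defaults": [l for l in DEFAULT_ONLY if _key(l) in enabled],
        "optional_enabled": [l for l in OPTIONAL if _key(l) in enabled],
        # Anything outside the table is privilege the connection does not need.
        "unexpected": sorted(v for k, v in enabled.items() if k not in known),
    }
    # True only when the profile holds the required set plus, at most,
    # the optional permission.
    report["minimal"] = not (report["missing"]
                             or report["not_required_defaults"]
                             or report["unexpected"])
    return report

if __name__ == "__main__":
    # Constructed sample: one required permission missing, two defaults
    # left selected, and one permission that is not in the table.
    sample = REQUIRED[:-1] + ["chatter internal user", "View Help Link ",
                              "Modify All Data"]
    for section, value in audit_profile(sample).items():
        print(f"{section}: {value}")
```
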