Salesforce Authenticated User Permission Requirements for Recover

    We leverage the Salesforce API. The Authenticated User is the user that connects our application to the client's Salesforce org. As a best practice, we recommend having a dedicated user as the Authenticated User. 

    The specific permissions for each user is defined either in the user’s profile, or via a permission set.

    The recommended best practice for large data volumes, is to have a dedicated Authenticated User for the Backup product, and a separate dedicated Authenticated User for the Archive product.

    This should enhance security and audit trail capabilities, assist in avoiding API concurrency collisions, and other similar user issues.

    User Profile Permissions

    Basic Permissions

    The Authenticated User must have the following permissions:

    • Read and Update access to all record types in your org. (Currently the Permission Report verifies field level permissions, but does not check for the record types you may need). For successful Restore operations and also for un-archiving records if you use the Archive tool. See the attached spreadsheet to assist you in creating a permission set containing all Record Types.
    • Read and Edit access to all Standard and Custom objects, fields, and record types. This can be configured from the Field Level Security page. As part of the implementation of Recover, you will be guided to create an additional permission set for setting Field Level Security.

    Additional Permissions

    The Authenticated User must also have the required permissions as follows:

    • A license for all of the managed packages (for example: nCino) and feature licenses you use in your org. You must ensure that all the necessary Permission Set Licenses (PSL) and Installed Managed Package Licenses (IMPLs) are attributed to the Authenticated User. As a guide, use the Company Information screen to find which features licenses are available and have an assignment number > 1 (indicating that it is actually in use). At the bottom of the Knowledge Base article, there is a link to the Salesforce reference page Available Feature Licenses.
    • The Modify All Datapermission checkbox is enabled in the user profile, and all of its dependent default permissions are enabled.
    • The View All Datapermission checkbox is enabled in the user profile, and all of its dependent default permissions are enabled.
    • Ensure that the IP addresses for your our application are permitted to access the Salesforce Org. The IP addresses for all our applications are provided in this list. Note the graphic image at the bottom of that page, about adding the relevant addresses to Salesforce.
    • Customers may need to add the IP addresses, as login IP addresses, at the user profile level.
    • We recommend using the “System Administrator” profile, or cloning the "System Administrator" profile to a new profile for this Authenticated User, and then ensuring that the user has all the required permissions, as listed in this article.
      • The Authenticated User will need to have Read and Update access to all Record Types in your org. Currently the Permission Report verifies field-level permissions, but does not check for the Record Types that might be needed. In addition, the attached spreadsheet can assist you in creating a permission set that contains all Record Types. The instructions provided in this spreadsheet are highly useful for successful Restore operations, and also for un-archiving records, if you use the Archive tool.
      • Some organizations require that integration users or API-only users must use a specific profile. In such a case, ensure that the user is granted all the permissions that an Admin would have. Enable the permission "API Only User", which is enabled via the authenticated user's custom profile, or permission set.
      • When setting up Permission Sets for this user, make sure that “Session Activation Required” is not set to True, as this is not supported.
      • As part of the implementation of Recover, you will be guided to create an additional permission set for setting Field-Level Security.
    • Further permissions to consider for Backup and Recovery
      • If your security policies permit it, enable the permission “Password Never Expires” for this user.
      • Enable the “Manage Encryption Key” checkbox in their profile to back up the TenantSecret object.
      • Enable "Edit Read Only Fields" (e.g. to insert a value into Case.ClosedDate during a Restore operation)
      • Enable "Manage All Private Reports and Dashboards"
      • Enable "Manage Experiences"
      • Enable "View All Custom Settings"
      • Enable "View All Lookup Record Names"
      • Enable "View Encrypted Data"
    • Possibly an additional permission might be required, to avoid a problem caused by the Salesforce Summer ‘21 update. In order to avoid problems due to this known Salesforce issue, also add the "Access Conversation Entries" under Administrative Permission in the profile/permission set. This issue could apparently cause an error message even for customers who don't use the functionality. This bug was apparently fixed in Summer ‘21 Patch 13, so you could choose to skip this permission if you are not using that functionality.
    • In order to backup Einstein, an Einstein Analytics Plus Admin is necessary to be assigned to the Authenticated user.
    • Enable the “Design and Deliver In-App Guidance” permission to prevent issues backing up Prompt Versions, if they are in use in your org.
    NOTE: The user will also need access to the target object where the prompt is pointing to or the backup of that prompt record will potentially fail. For example, the object referenced in the ‘TargetPageKey1’ field on any prompt version record.
    • Enable the “Manage Flow” permission to prevent issues with backup which were introduced with the Salesforce Winter ‘23 release.
    • Wecommends enabling the permission "API Only User" for the Authenticated User. This can be enabled via the authenticated user's custom profile or permission set.
    • If your security policies permit it, we recommend also enabling "Password Never Expires" for this user.
    • You can use MFA to login for this user, if needed.
    • When connecting a backup service from the application to Salesforce (to start the backups), you will need to login to Salesforce for this user. Therefore the Master Administrator and other Admins will need to know the login credentials for thatAuthenticated User. This login will generate the OAuth access token that we will store and use for access to that Salesforce Org.

    This initial login will require the credentials to be entered from the user's desktop, so if IP address restrictions are in place, make sure that the desktop used for the initial login is recognized as the Authenticated User. This will also be the case whenever you need to re-authenticate with Salesforce.

    • If you are using Recover with a Veeva org, the Authenticated User must have Veeva administrator permissions (no separate license as such).
    • To enable backing up and restoring Knowledge Articles, the following permission must be enabled: 
      • Lightning Knowledge must be enabled in your org to enable backup of Knowledge Articles. 
      • A user must have the View Articles permission enabled.
      • Salesforce Knowledge users, unlike customer and partner users, must also be granted the Knowledge User feature license.

    Required Permissions Table (Backup and Restore).

    These permissions are automatically included in the standard System Administrator profile in Salesforce:

    Permission NamePermission TypeReason / Use CaseDocumentation
    Modify All DataSystem PermissionsModify All Data includes an extensive list of permissions that are essential for a complete backup and full restoration ability.'Modify All Data' permission
    Manage UsersSystem PermissionsMust be enabled to retrieve the Profile metadata object and run Analyze Profile PermissionsManage Users

     

    These permissions are NOT automatically included in the standard System Administrator profile in Salesforce:

     

    Permission Name

    Permission Type

    Reason / Use Case

    Documentation

    Query All Files

    App Permission

    More efficient queries and access to private files.

    Query All Files

    View and Edit Converted Leads

    App Permission

    Ability to see all leads

    View and Edit Converted Leads

    Edit Read Only Fields

    System Permissions

    Used to populate data on restore to fields that may normally be read only

    Edit Read Only Fields

    Manage all Private Reports and Dashboards

    System Permissions

    Query / restore private reports/dashboards.

    User Permissions for Sharing Reports and Dashboards

    Manage Experiences

    System Permissions

    Needed if using Experience Cloud (formerly Community Cloud).

    Manage Experiences
    Design and Deliver In-App Guidance

    System Permissions

    If using Salesforce Prompts (In App Guidance), this permissions allows backup of prompt versions. Prompts are common in managed packages.

    NOTE: The user needs access to the target object where the prompt is pointing to or the backup of that prompt record will potentially fail. For example the object referenced in the ‘TargetPageKey1’ field on any prompt version record.

    Define Prompts in Lightning Experience


     

    Set Audit Fields upon Record Creation

    First enable the permission in User Interface in Setup, and then assign in System PermissionsPopulates original Created date, Created By, Last Modified Date, and Last Modfiied By of a record but only upon record creation.

    Enable the 'Create Audit Fields' permission

    Salesforce applications FAQs

    Update Records with Inactive Owners

    First enable the permission in User Interface in Setup, and then assign in System PermissionsAllows records to be updated or created with inactive ownersUpdate Records with Inactive Owners

    View All Custom Settings

    System Permissions

    Needed to back up custom settings

    Grant Read Access to All Custom Settings

    View All Lookup Record Names

    System Permissions

    Needed to back up lookup relationshipsView All Lookup Record Names

    View Encrypted Data

    System PermissionsNeeded to back up encrypted data using classic encryptionView Encrypted Data

    Access Conversation Entries

    Administrative Permission in the profile/permission set

    Avoid problems with the issue described here

    Access Conversation Entries

    Permission Set Licenses 

    Permission Set License NamePermission TypeReason / Use CaseDocumentation
    CRM Analytics Plus AdminPermission Set LicenseBack up Einstein Analytics / Tableau CRM Note: Only supports the elements using the force.com API.CRM Analytics Plus Admin

    Additional Permissions

    Permission NamePermission TypeReason / Use CaseDocumentation
    Manage Orchestration Runs and Work ItemsApp PermissionsControls access to Flow orchestrations since Winter '23Enable Sharing for Flow Orchestration Objects
    Manage FlowApp PermissionsNeeded to create and edit Flows. 
    Following changes to users, profiles or any type of permission changes, it is your responsibility to confirm that everything required in, or excluded from, a backup is as expected. 

    More on User Profile Permissions 

    For more information on using the Salesforce Integration User License (API Only) as your Authenticated User see here

    For more information on user profile permissions in Salesforce, see here.  

    For information on user profile permissions for an Authenticated User of Archive, see here.

    For information on Salesforce user permissions for an Authenticated User of Seeding, see here.

    Attachments

    « Previous ArticleNext Article »