Skip to main content
Unlisted page
This page is unlisted. Search engines will not index it, and only users having a direct link can access it.

Salesforce

Authentication & Authorization

  • Salesforce connects via OAuth 2.0 with Authorization Code Grant Flow.
  • DataGrail has an OAuth 2.0 app for Salesforce in the AppExchange, that provides the credentials to authenticate customers allowing the integration to connect by simply logging into their Salesforce account with their admin credentials and accepting to install the app. See Salesforce Connection Instruction.
  • DataGrail uses Refresh Token Flow to periodically update Access Token after it expires to keep the connection alive.

Scopes

Salesforce API requires specific Scopes that need to be approved in order to grant DataGrail read/write on certain objects necessary to complete privacy requests:

  • refresh_token:
    • Required to be able to use Refresh Token Flow.
    • Access user's data anytime.
    • Allows the app to read and update user data, even when they are not currently using the app.
  • api:
    • Required to be able to read/write objects and fields in Salesforce.

Scopes are independent of the required integration capabilities and the same for Access, Deletion, System Detection and Responsible Data Discovery

User Roles and Permissions

By default, DataGrail requires Salesforce user with admin credentials to install the app.

Non-administrator users must have the following permissions in their profile:

  • API Enabled
  • Customize Application
  • Manage Package Licenses
  • View All Data

These permissions grant read access to all objects defined in Access, System Detection and Responsible Data Discovery

To enable the deletion feature, the user must have administrator rights to have write access to all objects defined in Deletion.

Version

Salesforce integration currently supports version 38.0.

Access

For an access request, please note the following important points:

  1. Only fields with values are returned.
  2. Custom fields unique to the organization may also be returned as part of default objects or other custom objects, if they may potentially include PII.
  3. Other custom objects may also be returned if they are linked to Contact or Lead or User, or may contain PII in one or more fields.
note

Salesforce allows setting permissions at field level for both visibility and accessibility. Those fields that are specifically configured to not be visible or readable will not appear in response.

For access, we extract the following default objects and fields from Salesforce:

Contact

  • attributes_type
  • attributes_url
  • AccountName
  • Birthdate
  • CleanStatus
  • CreatedById
  • CreatedDate
  • Department
  • Description
  • Email
  • Fax
  • FirstName
  • HomePhone
  • Id
  • IsDeleted
  • IsEmailBounced
  • Languages__c
  • LastActivityDate
  • LastModifiedDate
  • LastName
  • LastReferencedDate
  • LastViewedDate
  • MailingAddress
  • MailingCountry
  • MailingPostalCode
  • MobilePhone
  • Name
  • OtherAddress
  • OtherCountry
  • OtherPostalCode
  • Other Phone
  • OwnerId
  • Phone
  • Title
  • Salutation

Case

  • attributes_type
  • attributes_url
  • AccountName
  • CaseNumber
  • ContactEmail
  • ContactFax
  • ContactId
  • ContactMobile
  • ContactPhone
  • CreatedById
  • CreatedDate
  • Description
  • IsClosed
  • IsDeleted
  • IsEscalated
  • Id
  • LastModifiedDate
  • LastReferencedDate
  • LastViewedDate
  • Origin
  • Priority
  • Reason
  • Status
  • Subject
  • SuppliedName
  • SuppliedEmail
  • SuppliedPhone
  • SuppliedCompany
  • Type

Opportunity

  • attributes_type
  • attributes_url
  • AccountName
  • ClosedDate
  • CreatedById
  • CreatedDate
  • CurrentGenerators
  • Description
  • Fiscal
  • FiscalQuarter
  • FiscalYear
  • ForecastCategory
  • HasOpportunity
  • HasOverdueTask
  • Id
  • IsDeleted
  • IsClosed
  • IsPrivate
  • IsWon
  • LastModifiedDate
  • LastReferencedDate
  • LastViewedDate
  • LeadSource
  • Name
  • Probability
  • StageName
  • Type

Task

  • attributes_type
  • attributes_url
  • ActivityDate
  • CreatedById
  • CreatedDate
  • Description
  • IsArchived
  • IsClosed
  • IsHighPriority
  • IsRecurrence
  • LastModifiedDate
  • Priority
  • RecordTypeId
  • Status
  • Subject
  • TaskSubtype

Lead

  • attributes_type
  • attributes_url
  • Address
  • AnnualRevenue
  • CleanStatus
  • Company
  • CreatedById
  • CreatedDate
  • Description
  • Email
  • Fax
  • FirstName
  • Id
  • Industry
  • IsConverted
  • IsDeleted
  • LastActivityDate
  • LastModifiedDate
  • LastName
  • LastReferencedDate
  • LastViewedDate
  • MobilePhone
  • Name
  • OwnerId
  • Phone
  • Status
  • Title
  • Website

User

  • attributes_type
  • attributes_url
  • Address
  • Alias
  • CommunityNickname
  • CreatedById
  • CreatedDate
  • Description
  • Email
  • EmailPreferences
  • Fax
  • FirstName
  • Id
  • IsActive
  • IsDeleted
  • LanguageLocale
  • LastLoginDate
  • LastModifiedDate
  • LastName
  • LastReferencedDate
  • LastViewedDate
  • MobilePhone
  • Name
  • Phone
  • PhotoUrl
  • ProfileId
  • TimeZone
  • Title
  • Username
  • UserPermissions
  • UserRole
  • UserType
note

DataGrail also supports the Direct Contact Access workflow for Salesforce integration.

Deletion

For a deletion request, DataGrail will take the following actions:

  • Deletion is only supported for Contacts and Leads, and associated objects to these like Case, Opportunity or Task, and other custom objects associated with the main record
  • Deletion of Users is not currently supported.
  • DataGrail will delete all the records selected by the customer for each deletion request.

Anonymization

By request, Salesforce deletion can be switched to the anonymization mode.

In this mode, for a deletion request, DataGrail will not delete any objects, but update them, using pre-configured customer's anonymization rules.

note

DataGrail also supports the Direct Contact Deletion workflow for Salesforce integration.

System Detection

DataGrail provides continuous system detection, delivering a real-time inventory of your data assets:

For an system detection requests, DataGrail will extract the following objects and fields from Salesforce:

ConnectedApplication

  • Name
  • CreatedDate

CustomObject

  • DeveloperName
  • CreatedDate
  • Description

PackageLicense

  • NamespacePrefix
  • CreatedDate

ApexClass

  • Name
  • NamespacePrefix
  • Status
  • CreatedDate

Responsible Data Discovery

Data discovery is based on the principle of finding any and all personal data that's stored in a data system (see more).

DataGrail integration discovery all of the accessible queryable objects in the Salesforce instance.

For discovery requests, DataGrail will take the following actions:

  • Count number of all records for each of supported objects.
  • Fetch records examples for each of the supported object.
  • Sampling data for the next analysis and classification.
info

"Queryable objects" is a term used to describe a feature of Salesforce objects that allows for data to be retrieved through the Salesforce API via queries. Although the majority of standard and custom objects in Salesforce are queryable by default, there are certain exceptions due to security considerations.

 

Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.