Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Allow Code42 access to Salesforce

Overview

Connect Code42 to your Salesforce environment to monitor when reports are downloaded to both corporate and personal endpoints to secure this vital data.

When you add Salesforce as a data connection, you are required to authorize Code42's access using a service or integration account that exists in your Salesforce environment. Once authorized, Code42 monitors your environment for when a user downloads a report from Salesforce. When this file activity occurs, Code42 then displays that event in Forensic Search.

This article explains how to add Salesforce as a data connection, as well as the level of access Code42 requires in order to monitor your Salesforce environment.

Considerations

  • Code42 connects to your environment using a service account that requires one of your Salesforce user licenses. To free up a Salesforce license, you may need to reassign a user to a profile that uses a different license, or contact Salesforce to increase your license count. 
  • Code42 only monitors the users in your environment that:
    • Are in scope according to your selection during authorization (all users, only specific users, or only the users in specific public groups).
    • Have the "Report export" permission. Only users with this permission can generate and export reports from Salesforce data.
  • Code42 monitoring requires that Report Event is enabled in your Salesforce organization.
  • The Salesforce data connection is not available in the Code42 federal environment.

Supported Salesforce product plans

Code42 can only connect to your Salesforce environment when supported by your Salesforce product plan. The following Salesforce Classic or Lightning Experience editions are required in order to allow third-party applications like Code42 to connect to your environment:

  • Enterprise
  • Unlimited
  • Developer

In addition, either Salesforce Shield or the Salesforce Event Monitoring add-on subscription is required.

Before you begin

Set up a service or integration account in Salesforce that you'll use to connect Code42 to your Salesforce environment. Having a dedicated service account has several advantages:

  • Because it's not tied to a specific user, there are no disruptions to your business workflows as users leave and join your company.
  • In Salesforce, you can apply permissions to service accounts so that they can log in only using API calls (and not through the user interface) to secure your environment.
  • You can more easily identify activity generated by a service account compared to activity generated by your employee users.

To set up a service account in Salesforce:

  1. Create a custom profile that contains the permissions required for Code42 to access your Salesforce data.
  2. Create a new Code42 user in Salesforce and assign it that new profile.

Create a custom profile in Salesforce

  1. Log into Salesforce using your administrator account.
  2. If needed, navigate to Setup.
    • In Lightning Experience: Click the Setup icon in the upper-right corner of the screen, then select Setup from the menu that appears.
    • In Salesforce Classic: Click Setup in the upper-right corner of the screen.
    Salesforce "remembers" what you were last working on when you log out. If you were last working in Setup, you may not need to navigate there again.
  3. Navigate to Profiles.
    • In Lightning Experience: Under Administration in the left navigation pane, select Users > Profiles.
    • In Salesforce Classic: Under Administer in the left navigation pane, go to Manage Users > Profiles.
      Alternately, use the Quick Find search to search for "Profiles," then click the Profiles link.
  4. Clone an existing profile to create a new one with the permissions Code42 requires. Locate a profile in the list that uses the Salesforce user license and click Clone in the Action column.
    The Code42 service account's profile requires a Salesforce user license
    You must select an existing profile that uses the Salesforce user license. Other licenses do not include the permissions that Code42 needs to monitor reports generated in your Salesforce environment. In these steps, we cloned the existing Read Only profile. If you have already set up a custom profile for service accounts, you can also edit that profile to add the required permissions.
  5. When the Clone Profile screen opens, name the new profile and click Save.
    Use a descriptive name for the new profile, such as "Code42 API service profile."
  6. After the new profile is created, click Edit.
  7. Under Tab Settings, select Tab Hidden for every tab.
  8. Under Administrative Permissions, select only these options:
    The Chatter Internal User, Lightning Console User, and View Help Link options are selected by default and cannot be updated.
    • API Enabled
    • Chatter Internal User
    • Customize Application
    • Lightning Console User
    • Lightning Experience User
      Select this only if you anticipate a need to log into Salesforce with the Code42 user account to complete any administrative tasks using Salesforce's Lightning Experience interface. This permission isn't required for the Code42 service account's profile or any Code42 monitoring.
    • Manage All Private Reports and Dashboards
    • Manage Custom Permissions
    • Modify Metadata Through Metadata API Functions
    • View Help Link
    • View Roles and Role Hierarchy
    • View Setup and Configuration
    For more information on why the Code42 profile requires these permissions, see Salesforce permissions required by Code42 below.
  9. Under General User Permissions, select only these options:
    The Access Activities and Allow View Knowledge options are selected by default and cannot be updated.
    • Access Activities
    • Allow View Knowledge
    • Run Reports
    • View Real-Time Event Monitoring Data
    For more information on why the Code42 profile requires these permissions, see Salesforce permissions required by Code42 below.
  10. Under Standard Object Permissions, select only the Read and View All (when available) checkboxes for all of the options.
  11. Under Desktop Integration Clients, from the Offline list, select Off (access denied).
  12. Under Password Policies, from the User passwords expire in list, select Never expires.
    Expired passwords disable Code42 monitoring
    To avoid disruption, consider setting up the profile so that the Code42 service account's password never expires. When the password for the Code42 account expires, Code42's connection cannot be authenticated and Code42's monitoring of your Salesforce environment stops until a new password is selected. 

    If the password expires, the Code42 connection enters an error status and a message is displayed in the Code42 connection's details. Reset the password in your Salesforce environment to resolve the error and return the connection to the Monitoring status.
  13. Click Save.

Create a Code42 user in Salesforce with that profile

  1. In Setup, navigate to Users.
    • In Lightning Experience: Under Administration, go to Users > Users.
    • In Salesforce Classic: Under Administer, go to Manage Users > Users.
  2. Click New User.
  3. Enter the required information about the user.
    • Use the First Name, Last Name, Alias, and Nickname fields to identify the user as the Code42 service account.
    • Enter a unique email address for this service account user in the Email field. You'll use this email address to authorize Code42's connection to your Salesforce environment and for automated notifications.
  4. From the User License list, select Salesforce.
    If Salesforce is not listed, this means that all of your available Salesforce licenses are currently in use. You can either reassign one of these users to a different license or contact Salesforce to increase your license count.
  5. Select the new custom profile from the Profile list to assign it to the new user.
  6. Click Save.
    When you authorize Code42 to connect to Salesforce, you'll enter this service account's credentials.

Connect Code42 to Salesforce

To connect Code42 to your Salesforce environment:

  1. Verify that event reporting is enabled for the Salesforce organization to which you want to connect Code42.
    Code42 monitoring requires that Report Event is enabled
    Report Event must be enabled in your Salesforce organization in order for Code42 to be able to monitor report downloads from your Salesforce data. If Report Event is not enabled, Code42 cannot collect data and no file events are displayed in Forensic Search.

    If Report Event is disabled, the Code42 connection enters the Error status and monitoring stops. Enable Report Event in your Salesforce environment to resolve the error and return the connection to the Monitoring status.

  2. Authorize Code42's connection to Salesforce.

Step 1: Verify Report Event is enabled in Salesforce

  1. Log into Salesforce using your administrator account.
  2. If needed, navigate to Setup.
    • In Lightning Experience: Click the Setup icon in the upper-right corner of the screen, then select Setup from the menu that appears.
    • In Salesforce Classic: Click Setup in the upper-right corner of the screen.
    Salesforce "remembers" what you were last working on when you log out. If you were last working in Setup, you may not need to navigate there again.
  3. Navigate to Event Manager.
    • In Lightning Experience: Under Platform Tools, go to Events > Event Manager.
    • In Salesforce Classic: Under Build in the left navigation pane, go to Develop > Events > Event Manager.
  4. Locate the Report Event entry in the Events list.
    • If a check mark appears in the Streaming Data column for the entry, it's already enabled for the organization. Continue to step 2 to authorize Code42's connection to your Salesforce environment.
    • If no check mark appears, click the arrow on the right side of the screen and select Enable Streaming.
      Salesforce adds a check mark to the entry to indicate that Report Event is enabled for your organization.

Step 2: Authorize the connection in the Code42 console

Connect Code42 to Salesforce

  1. Sign in to the Code42 console.
  2. Select Administration > Integrations > Data Connections.
  3. Click Add Data Connection.
    The Add Data Connection dialog displays.
  4. From Data Connection, select Salesforce under Business Tools.
  5. Enter a Display Name. This name must be unique.
  6. Code42 prompts you to verify that you've set up a service user and custom profile and that Report Event is enabled in your Salesforce environment. You completed this by establishing the custom profile and Code42 user service account and by enabling Report Event in step 1, so click Continue.

Add Users

  1. Select the scope of users in your Salesforce environment to monitor:
    • All
      Monitors all users with the "Report export" permission in your Salesforce environment.
    • Specific Users
      Monitors only the Salesforce users you designate that also have the "Report export" permission.
      1. Click Upload .CSV File.
      2. Select a .csv file containing a list of only those users you want to monitor.
        For details, see Upload a .csv file listing Salesforce users below.
    • Specific Groups
      Monitors only the users that also have the "Report export" permission in the Salesforce groups you designate.
      1. Click Upload .CSV File.
      2. Select a .csv file containing a list of groups in Salesforce whose users you want to monitor. 
        For details, see Upload a .csv file listing Salesforce public groups below.

  2. Click Continue.

Verify and authorize the connection

  1. Enter the Salesforce My Domain that you use to log into your organization in Salesforce.
    Salesforce creates a custom My Domain for each organization. This My Domain gives your organization a custom URL for logging in and increases security. If you do not know your organization's My Domain, you do not need to enter one. If you do not enter a My Domain, Code42 directs you to Salesforce's standard login page (login.salesforce.com) to log in and authorize the Code42 connection.
  2. Click Authorize.
  3. When the Salesforce sign in screen opens, enter the credentials of the secure Salesforce API user account you created as a service account for the Code42 connection.
  4. Review the access and permissions that Code42 is requesting to connect to your Salesforce environment, and then click Allow.
    Salesforce is added as a data connection and Code42 starts to scan your environment to discover users that are in scope and that have the "Report export" permission.

Next steps

Now that you have added Salesforce as a data connection, learn more about:

Upload a .csv file

If you select Specific Users or Specific Groups during the authorization process and click Upload .CSV file, you must upload a .csv file that lists the Salesforce users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.

Upload a .csv file listing Salesforce users

See the Salesforce documentation to create an Administrative Report that filters and lists the users in your environment based on the criteria you select. Export the Excel file to .csv format, and create a .csv file from this list that contains only the users you want to monitor.

Code42 reads usernames from the column headers labeled Email or Email Address in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.

Upload a .csv file listing Salesforce public groups

To create a public group in Salesforce, see the Salesforce documentation. After your public groups are set up, create a .csv file that contains only the public groups you want to monitor. In this .csv file:

  • Use a column header labeled either Group Name or Groups. Code42 reads the names of groups from rows under this column header. If neither of these column headers is specified, the upload produces an error.
  • Under that column header, specify the names of the groups to monitor exactly as they appear in Salesforce.

When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.

As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly.
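
The .csv rules above can be checked before you upload. The following Python script is an added example, not Code42's code: it validates a users or groups file against the stated headers and the 1,000-entry limit, and, because an upload replaces the existing list, reports which entries would leave monitoring. The function names, the email pattern, exact header matching, and the sample data are assumptions made for illustration.

```python
import csv
import io
import re

MAX_ENTRIES = 1000  # ".csv file is limited to 1,000 entries"
HEADERS = {
    "users": ("Email", "Email Address"),   # columns Code42 reads usernames from
    "groups": ("Group Name", "Groups"),    # columns Code42 reads group names from
}
# Assumption: a simple shape check; Code42's own email validation is not documented here.
EMAIL_RE = re.compile(r"^[^@\s,;]+@[^@\s,;]+\.[^@\s,;]+$")


def check_scope_csv(text, kind):
    """Check a 'users' or 'groups' scope file. Returns (entries, errors, warnings)."""
    entries, errors, warnings = [], [], []
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))  # drop a BOM left by Excel
    # Assumption: header labels are matched exactly, ignoring surrounding whitespace.
    column = next((h for h in (reader.fieldnames or []) if h.strip() in HEADERS[kind]), None)
    if column is None:
        errors.append("no column labeled " + " or ".join(HEADERS[kind]))
        return entries, errors, warnings

    seen, rows = set(), 0
    for row in reader:
        rows += 1
        raw = row.get(column) or ""
        value = raw.strip()
        where = f"line {reader.line_num}"
        if kind == "users":
            value = value.lower()  # assumption: addresses are compared case-insensitively
            if not EMAIL_RE.match(value):
                errors.append(f"{where}: {raw!r} is not an email address")
                continue
        elif not value:
            errors.append(f"{where}: empty group name")
            continue
        elif raw != value:
            # Group names must be given exactly as they appear in Salesforce.
            warnings.append(f"{where}: whitespace around {value!r}")
        if value in seen:
            warnings.append(f"{where}: duplicate entry {value!r}")
            continue
        seen.add(value)
        entries.append(value)

    if rows > MAX_ENTRIES:
        errors.append(f"{rows} entries exceeds the 1,000 entry limit")
    return entries, errors, warnings


def scope_change(current, replacement):
    """An upload replaces the whole list: return (added, removed) between two entry lists."""
    cur, new = set(current), set(replacement)
    return sorted(new - cur), sorted(cur - new)


# Constructed sample input (not from the page): the list in use and its planned replacement.
CURRENT_USERS = "Name,Email\nAna Diaz,ana.diaz@example.com\nBo Lee,bo.lee@example.com\n"
NEW_USERS = (
    "\ufeffName,Email Address\n"
    "Ana Diaz,Ana.Diaz@example.com\n"
    "Cy Roe,cy.roe@example.com\n"
    "Temp,not-an-email\n"
)
NEW_GROUPS = "Groups\nFinance Exporters\n Sales Ops \n"

if __name__ == "__main__":
    current, _, _ = check_scope_csv(CURRENT_USERS, "users")
    new, errors, warnings = check_scope_csv(NEW_USERS, "users")
    added, removed = scope_change(current, new)
    print("errors:", errors)
    print("warnings:", warnings)
    print("would start monitoring:", added)
    print("would STOP monitoring:", removed)
    print("groups:", check_scope_csv(NEW_GROUPS, "groups"))
```

Review the "would STOP monitoring" list before each upload, since anyone missing from the new file is no longer in scope.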

Permissions

Users monitored in Salesforce

Code42 only monitors users with the "Report export" permission in your Salesforce environment. Only these users can generate and export reports from Salesforce data, so only these users are monitored by Code42. Once you complete authorization, Code42 starts scanning your Salesforce environment to identify the users to monitor.

  • Code42 scans the users in Salesforce to find the users that are in scope for monitoring, according to your selection when you authorized the connection:
    • All users
    • Only the specific users you identified during authorization
    • Only the users in the specific groups you identified during authorization
  • Code42 determines which of these users have the "Report export" permission in Salesforce and then monitors only those users.
  • Code42 discovers any new users that have been added to your Salesforce environment (and determines whether they have the required permissions and should be monitored) within 8 hours.

Permissions required by the Code42 service account user

Code42 monitors your Salesforce environment for report download activity via a series of secure API calls. As a service account API user, Code42 requires certain permissions in your Salesforce environment in order for those calls to be accepted and responded to by the Salesforce Event Manager. The following table lists the permissions the Code42 service account requires along with what those permissions allow the Code42 service account to do.

Permission | Description
API Enabled | Allows the Code42 service account to make API calls to retrieve event information from the Salesforce Event Manager's reporting stream, such as organization configuration details, user and group information, and event metadata.
Customize Application | Required in order for the Code42 service account to be granted the "View Setup and Configuration" and "View Roles and Role Hierarchy" permissions.
Manage All Private Reports and Dashboards | Allows the Code42 service account to retrieve metadata on the reports that users generate within Salesforce.
Manage Custom Permissions | Allows the Code42 service account to use Salesforce's metadata API.
Modify Metadata Through Metadata API Functions | Allows the Code42 service account to determine whether Report Event is enabled for the organization in Salesforce. If Report Event is disabled, the Code42 connection enters the Error status. After you enable Report Event in your Salesforce environment, the error clears and the connection returns to the Monitoring status.
View Roles and Role Hierarchy | Allows the Code42 service account to identify the users in your Salesforce environment, determine whether those users have the permissions needed to generate reports, and start monitoring only those users for report download activity.
View Setup and Configuration | Allows the Code42 service account to identify your organization's configuration settings to help diagnose errors with the Code42 connection.
Run Reports | Allows the Code42 service account to retrieve information about the public and private reports generated by users in your Salesforce environment.
View Real-Time Event Monitoring Data | Allows the Code42 service account to subscribe to the Salesforce Event Manager's reporting stream in order to identify that a report download event has occurred.

Troubleshooting

Issues with the service account user or in your Salesforce environment can cause errors with the Code42 connection. When such issues occur, the Salesforce connection in the Data Connections table is highlighted in red and this error message is displayed at the top of the screen:

A data connection is not sending security data. View the data connection's details for more information.

When this occurs, click the Salesforce connection in the Data Connections table. The detail panel opens and lists the source of the error so that you can resolve it.

Service account user or profile errors

You can control access to Salesforce data by deactivating or freezing users, removing permissions, or revoking OAuth-enabled connected app access. However, if any of these actions are taken on the Code42 service account profile or user, the Code42 connection enters the Error status and monitoring stops. View the connection's details for more information about the cause of the error.

User has been deactivated

In Salesforce, you can deactivate users to prevent them from logging into your environment while preserving historical activity and avoiding orphaned records and the loss of business information. If the Code42 service account user is deactivated in Salesforce, this error message is displayed in the connection's details:

The Salesforce service account user that authorized this data connection has been deactivated. Reactivate the user account to return this data connection to monitoring.

To reactivate the Code42 service account user and resolve the error:

  1. Log into Salesforce using your administrator account.
  2. If needed, navigate to Setup.
    • In Lightning Experience: Click the Setup icon in the upper-right corner of the screen, then select Setup from the menu that appears.
    • In Salesforce Classic: Click Setup in the upper-right corner of the screen.
    Salesforce "remembers" what you were last working on when you log out. If you were last working in Setup, you may not need to navigate there again.
  3. Navigate to Users.
    • In Lightning Experience: Under Administration, go to Users > Users.
    • In Salesforce Classic: Under Administer, go to Manage Users > Users.
  4. Locate the Code42 service account user in the list.
    The Active checkbox is cleared, indicating that this user is deactivated.
  5. Click Edit.
  6. In the user's General Information section, select Active to reactivate the user and then click Save.
    Code42 detects the reactivation, automatically clears the error, and returns the connection to the Monitoring status within 20 minutes.

User has been frozen

If the Code42 service account user is frozen in Salesforce, this error message is displayed in the connection's details in the Code42 console:

The Salesforce service account user that authorized this data connection has been frozen. Unfreeze the user account to return this data connection to monitoring.

This error occurs in these situations:

  • An administrator has accidentally frozen the Code42 service account user in Salesforce.
    Freezing a user in Salesforce also prevents that user from logging in, and is used to prevent access in situations when you can't immediately deactivate a user account.
  • The Code42 service account user has logged into Salesforce via the API too many times within an hour, and Salesforce has automatically frozen the account for security reasons.
    If you use the Code42 service account user for other integrations, those additional API logins and requests may exceed the Salesforce hourly limit. It's unlikely that the Code42 service account user will exceed the hourly limit if you use it only for report download monitoring. This error automatically resolves within the hour when the hourly login quota resets.

If the Code42 service account user has accidentally been frozen by an administrator, unfreeze it in Salesforce to resolve the error:

  1. Log into Salesforce using your administrator account.
  2. If needed, navigate to Setup.
    • In Lightning Experience: Click the Setup icon in the upper-right corner of the screen, then select Setup from the menu that appears.
    • In Salesforce Classic: Click Setup in the upper-right corner of the screen.
    Salesforce "remembers" what you were last working on when you log out. If you were last working in Setup, you may not need to navigate there again.
  3. Navigate to Users.
    • In Lightning Experience: Under Administration, go to Users > Users.
    • In Salesforce Classic: Under Administer, go to Manage Users > Users.
  4. Locate the Code42 service account user in the list.
  5. Click Edit.
  6. Click Unfreeze at the top of the screen to unfreeze that user.
    Code42 detects the change, automatically clears the error, and returns the connection to the Monitoring status within 20 minutes.

Profile permissions are incorrect

When you set up the profile for the Code42 service account, you give that profile a number of permissions that allow it to access data in your Salesforce environment. If a required permission is not given to this profile (or is later accidentally revoked), this error message is displayed in the connection's details:

The Salesforce profile for the service account user that authorized this data connection does not have the correct permissions. Verify the profile's permissions to return this data connection to monitoring.

To grant the profile the correct permissions and resolve the error, verify that the profile has been granted the correct Administrative Permissions and General User Permissions. See Create a custom profile in Salesforce above for more information. After the correct permissions are granted, Code42 detects the change, automatically clears the error, and returns the connection to the Monitoring status within 20 minutes.

Code42 OAuth-enabled connected app has been revoked

When you authorize the Code42 connection, a Code42 OAuth-enabled connected app is granted access to your Salesforce data under the Code42 service account's user settings. If there is an issue with this app's access, this error message is displayed in the connection's details:

The Code42 connected app has been revoked in Salesforce. Deauthorize this data connection and set up a new data connection.

This error occurs in the following situations:

  • The app was revoked in Salesforce.
  • The organization's custom My Domain has changed in Salesforce.

To resolve this error, deauthorize the existing connection and set up a new Salesforce connection in Code42. You can enter a new My Domain in the Code42 console during the new Code42 authorization process.

API quota has been exceeded

To maintain performance, Salesforce limits the number of API requests that can be made per day by users or service accounts in each organization. If your Salesforce environment uses a number of integrations, services, or applications that make requests using the API, your organization may exceed this limit. When this quota is reached, Code42 monitoring stops and this error message is displayed in the connection's details in the Code42 console:

Your API quota in Salesforce has been exceeded. Further activity cannot be detected for 24 hours. Contact Salesforce support for more information.

This error automatically resolves when the daily API quota in Salesforce resets (up to 24 hours later), and Code42's monitoring of your Salesforce environment resumes. You can use the tools within Salesforce to monitor API usage in your organization to identify services that aren't making efficient use of the API. If this error happens frequently, contact your Salesforce account representative for details on how you can increase your organization's API request allocation.

Report Event streaming is disabled

In order to monitor your environment for report downloads, Code42 requires that Report Event is enabled in your Salesforce organization. If Report Event is disabled, this error message is displayed in the connection's details:

"Report Event" streaming has been disabled for your Salesforce organization. Verify that "Enable Streaming" is checked for "Report Event" to return this data connection to monitoring.

To resolve this error, verify that Report Event is enabled for your Salesforce organization. After Report Event is enabled, Code42 detects the change, automatically clears the error, and returns the connection to the Monitoring status within 20 minutes.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the connection's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

  1. Deauthorize the connection.
    Code42 removes the connection's configuration and authorization information immediately after you deauthorize it.
  2. Set up a new connection to the environment by clicking Add Data Connection on the Data Connections screen.
  3. In the Add Users step of the authorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.

There is an issue with the connection

Other issues - such as a change in the Code42 service account credentials - can cause the connection to enter an Error status. When such unknown errors occur, this error message is displayed in the connection's details in the Code42 console:

There was an issue with the connection to <Display Name>. Deauthorize <Display Name> and set up a new data connection to resolve the issue, or contact Code42 for support.

To resolve this error:

  1. Deauthorize the Salesforce connection.
  2. (Optional) In Salesforce, revoke the Code42 OAuth-connected app.
    When you deauthorize the connection, Code42 automatically deletes its authorization and connection information, including any OAuth tokens required to access your Salesforce environment. However, you can also revoke the Code42 app in Salesforce to increase security.
    1. Log in to Salesforce using the credentials assigned to the Code42 service account.
    2. In the upper-right corner of the screen, click the profile icon and then click Settings.
    3. In the navigation menu, go to My Personal Information > Connections.
    4. Locate the Code42 application in the OAuth Connected Apps table and then click Revoke in the Action column.
  3. In Salesforce, verify the Code42 service account's details:
  4. Connect Code42 to Salesforce again as a new connection using the service account user's credentials.