Salesforce Users/Groups
| Property | Value |
|---|---|
| Connector name | agtsalesforce.exe |
| Connector type | Executable |
| Type (UI field value) | Salesforce Users/Groups |
| Connector status / support | Bravura Security-Verified. This connector has been tested and is fully supported by Bravura Security. |
Note
See Platform specific SCIM connectors for an alternative connector for Salesforce.
The following Bravura Security Fabric operations are supported by this connector:
user verify password
get server information
administrator reset password
disable account
enable account
check account enabled
unlock account
check account lock
update attributes
create account
add user to group
delete user from group
List:
accounts
attributes
groups
members
Note
Permission sets are listed as groups with group IDs starting with the string PS_.
Public groups are listed as groups with group IDs starting with the string PG_.
Preparation
Before you can begin to manage passwords on Salesforce, you must:
Obtain a Salesforce administrative account with API access permissions.
This account is used to log in to Salesforce to configure the Connected App and manage settings.
Obtain your Salesforce.com Organization ID from your Salesforce instance.
Configure OAuth 2.0 authentication and obtain API credentials:
Create a Salesforce Connected App with OAuth enabled and obtain:
Consumer Key (OAuth Client ID)
Consumer Secret (OAuth Client Secret)
Required OAuth settings:
OAuth 2.0 Client Credentials flow or Web Server flow
API access scope: "Manage user data via APIs (api)"
Refresh token scope (if using Web Server flow)
Refer to Salesforce documentation for creating and configuring Connected Apps.
Ensure API access is enabled for the service account profile in Salesforce.
For organizations with API Access Control enabled: Ensure your Connected App is added to the trusted API client list in Salesforce security settings.
Create at least one template account.
Ensure that the Bravura Security Fabric service user is allowed to access the Salesforce site via HTTPS.
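Before entering the Consumer Key and Consumer Secret into the target system, it is worth confirming that the Connected App really can obtain a token and list users. The script below is an added example written for this page, not Bravura Security or Salesforce code: it performs the OAuth 2.0 Client Credentials exchange against the Salesforce token endpoint and then runs a SOQL query for users. The environment variable names, the API version v58.0 and the assumption that the Connected App was configured for the Client Credentials flow with the "api" scope are the example's own; everything else (the token endpoint path, the response fields, the query endpoint) is standard Salesforce REST API behaviour.

```python
"""Check the Connected App credentials the Salesforce connector will use.

Added example (not Bravura Security or Salesforce code). Performs the OAuth
2.0 Client Credentials exchange and lists users, which is what the connector
must be able to do. Assumptions: the environment variable names, the API
version, and a Connected App configured for the Client Credentials flow.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"
API_VERSION = "v58.0"  # assumption; any version the org supports works


def build_token_request(server, client_id, client_secret):
    """Return (url, form-encoded body) for the client_credentials grant.

    The secret travels in the POST body over HTTPS only; it never goes in
    the query string, where it would end up in proxy and server logs.
    """
    url = "https://%s%s" % (server, TOKEN_PATH)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return url, body


def parse_token_response(text):
    """Extract what later calls need from the token endpoint's JSON reply."""
    data = json.loads(text)
    if "access_token" not in data or "instance_url" not in data:
        # Salesforce reports failures as {"error": ..., "error_description": ...}
        raise RuntimeError("token request failed: %s"
                           % data.get("error_description", data))
    return data["access_token"], data["instance_url"]


def build_user_query_url(instance_url, active_only=False):
    """URL of a SOQL query listing users on the org the token belongs to."""
    soql = "SELECT Id, Username, IsActive FROM User"
    if active_only:
        soql += " WHERE IsActive = true"
    return "%s/services/data/%s/query/?q=%s" % (
        instance_url, API_VERSION, urllib.parse.quote(soql))


def fetch(url, body=None, token=None):
    """Send a request using the system CA store; certificate validation stays on."""
    req = urllib.request.Request(url, data=body, method="POST" if body else "GET")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    ctx = ssl.create_default_context()  # never disable verification, even for tests
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    server = os.environ.get("SF_SERVER", "login.salesforce.com")
    client_id = os.environ.get("SF_CLIENT_ID")
    client_secret = os.environ.get("SF_CLIENT_SECRET")
    if not (client_id and client_secret):
        print("set SF_CLIENT_ID and SF_CLIENT_SECRET to run against a real org")
    else:
        url, body = build_token_request(server, client_id, client_secret)
        token, instance_url = parse_token_response(fetch(url, body))
        result = json.loads(fetch(build_user_query_url(instance_url), token=token))
        for rec in result["records"]:
            print(rec["Username"], "active" if rec["IsActive"] else "inactive")
```

If the token call fails with invalid_client, the Consumer Key or Secret is wrong or the flow is not enabled on the Connected App; if the token call succeeds but the query returns an INSUFFICIENT_ACCESS error, the "api" scope or the profile's API access permission is missing. The second case is exactly what produces an empty discovery in the connector.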
Creating a template account
Bravura Security Fabric uses template accounts as models or "blueprints" for creating new accounts in Salesforce. The following example illustrates how you can create a template account in Salesforce:
As an administrator, log in to the Salesforce application and select Setup > Administer > Manage Users > Users.
Click New user.
Fill in the required fields.
Click Save.
Ensuring Bravura Security Fabric service user access
The Bravura Security Fabric service user (psadmin) account must be able to access the Salesforce site to list accounts. To ensure that the psadmin account is allowed to access the Salesforce site via HTTPS:
As psadmin, log in to your Bravura Security Fabric server.
Using a browser, access your Salesforce site via HTTPS.
Add the site as a trusted site.
Targeting Salesforce
To target Salesforce, add a target system in Bravura Security Fabric (Manage the system > Resources > Target systems):
Type is Salesforce Users/Groups.
Address uses options described in the table below.
Credentials: Configure two sets of administrator credentials:
Salesforce account credentials:
Administrator ID: Your Salesforce administrative username
Administrator password: Your Salesforce administrative password
OAuth API credentials (with "System password" flag enabled):
Administrator ID: OAuth Consumer Key
Administrator password: OAuth Consumer Secret
Both credential sets are required for proper authentication and API access.
The full list of target parameters is explained in Target System Options.
| Option | Description |
|---|---|
| Server | The Salesforce web service URL for your company. Default is login.salesforce.com. (key: server) |
| Port | Default is 443. (key: port) |
| Connection over SSL | (optional) Select to enforce SSL connections. Default is "true". (key: ssl) |
| Validate the server's certificate when connecting | Determines whether to validate the server's security certificate for SSL connections. Default is "true". Leave it enabled: with validation off, anyone who can intercept the connection can present their own certificate and read the administrator and OAuth credentials. (key: checkCert) |
| HTTP Network Proxy | Optional. (key: proxy) |
| Version | Optional. (key: ver) |
| Skip Deleted Users | Optional. Determines whether to skip deleted users during the list operation. Default is "true". (key: skipDeleted) |
| Config file | Optional configuration file that overrides operational behavior such as how users and groups are listed. (key: config) Note: the Config file option was implemented in Connector Pack 4.6.0. |
Managing permission sets
Salesforce permission sets are listed as pseudo-groups with group IDs starting with the string PS_.
Help desk users can assign permission sets to users in the same way as assigning group memberships.
A permission set can be assigned to a user only if the user has a profile that matches the user license of the permission set.
Managing roles
A Salesforce role is an account attribute that must be mapped to a profile attribute before help desk users can update the user's role.
Salesforce users cannot be assigned more than one role.
Troubleshooting
Testing create operations
Salesforce does not allow administrators to delete accounts once created, only disable them, so the [delete] operation only implements [disable]. Also, because the attributes listed from a template account include calculated (and therefore read-only) fields, several attempts at creating accounts may be required before the [create] operation succeeds.
To reduce the number of test accounts accumulating in the test Salesforce org, use the following steps:
Generate an input KVGroup file using the pstee utility:
Rename agent\agtsalesforce.exe to agent\agtsalesforce-orig.exe.
Copy util\pstee.exe to agent\agtsalesforce.exe.
Run a [create] operation.
The input/output KVGroup files from the connector will be saved in the instance's <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance> directory (where idmsuite.log is located).
Copy the input KVGroup file that was generated to the agent folder.
Add a pseudo attribute to the input file, right before the last closing curly bracket }:
"attribute" "@disableAddResourceOperation" = { "GROUP" = "0" "SEQUENCE" = "-1" "ACTION" = "VALUE" "VALUE" = "" }
Look in idmsuite.log at the lines generated by agtsalesforce-orig.exe when running the [create] operation. If attributes that are reported as read-only (RO) when they are read from the template account are not present in the input KVGroup, add them (add an attribute group like the one above, before @disableAddResourceOperation).
Make sure that all read-only attributes in the input KVGroup are configured with "ACTION" = "IGNORE" (edit the file to make it so, and edit the attribute mapping in Manage the system > Resources > Account attributes > Target system type > Salesforce: add an override with that attribute name, and disable the action on Create and Update).
Redirect the input KVGroup into the agent by opening an administrator command prompt in the agent\ folder and running:
agtsalesforce < agtsalesforce-input-<timestamp>.kvg
Replace <timestamp> with the actual value from the generated input KVGroup file name, or rename the input KVGroup to something simpler to type on the command line.
Check idmsuite.log again to see if there were any missed attributes or other errors. The same account will be used (no new one created).
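Editing the captured KVGroup by hand is error-prone when the template account exposes many read-only fields, and a mistake means another test account in the org. The script below is an added example, not part of this page or of Bravura Security's tooling: it applies the edits described above to the captured text (ACTION = IGNORE on each read-only attribute, adding any that are missing, then the @disableAddResourceOperation pseudo attribute before the final closing brace). Only the per-attribute line format shown above comes from the page; the outer "request" wrapper and the attribute names in the constructed SAMPLE are assumptions, so check the generated file against a real capture before relying on it.

```python
"""Prepare a captured input KVGroup for re-running the Salesforce [create] test.

Added example (not Bravura Security code). Marks read-only attributes
"ACTION" = "IGNORE", adds any that are missing, and appends the
@disableAddResourceOperation pseudo attribute right before the final closing
brace. Only the attribute-line format is taken from the documentation; the
outer wrapper and attribute names in SAMPLE are constructed.
"""
import re
import sys

# Constructed sample in the shape of the attribute lines shown in the procedure.
SAMPLE = """\
"request" = {
  "attribute" "Username" = { "GROUP" = "0" "SEQUENCE" = "0" "ACTION" = "VALUE" "VALUE" = "jdoe@example.com" }
  "attribute" "CreatedDate" = { "GROUP" = "0" "SEQUENCE" = "1" "ACTION" = "VALUE" "VALUE" = "" }
}
"""

PSEUDO_NAME = "@disableAddResourceOperation"
PSEUDO_ATTRIBUTE = ('"attribute" "%s" = { "GROUP" = "0" "SEQUENCE" = "-1" '
                    '"ACTION" = "VALUE" "VALUE" = "" }' % PSEUDO_NAME)


def attribute_line(name, action="IGNORE"):
    """Attribute group in the same shape as the pseudo attribute above."""
    return ('"attribute" "%s" = { "GROUP" = "0" "SEQUENCE" = "-1" '
            '"ACTION" = "%s" "VALUE" = "" }' % (name, action))


def find_attribute(text, name):
    """Match one attribute's group, braces included (values contain no braces)."""
    return re.search(r'"attribute" "%s" = \{[^}]*\}' % re.escape(name), text)


def insert_before_last_brace(text, line):
    """Insert a line immediately before the final closing curly bracket."""
    pos = text.rstrip().rfind("}")
    if pos < 0:
        raise ValueError("no closing brace in KVGroup")
    return text[:pos] + line + "\n" + text[pos:]


def insert_attribute(text, line):
    """Add an attribute, keeping the pseudo attribute (if present) as the last entry."""
    marker = text.find('"attribute" "%s"' % PSEUDO_NAME)
    if marker >= 0:
        return text[:marker] + line + "\n" + text[marker:]
    return insert_before_last_brace(text, line)


def mark_read_only(text, read_only):
    """Force ACTION = IGNORE on each read-only attribute, adding it if absent."""
    for name in read_only:
        m = find_attribute(text, name)
        if m is None:
            text = insert_attribute(text, attribute_line(name))
            continue
        block = re.sub(r'"ACTION" = "[^"]*"', '"ACTION" = "IGNORE"', m.group(0))
        text = text[:m.start()] + block + text[m.end():]
    return text


def add_disable_add_resource(text):
    """Add the pseudo attribute once; running again on an edited file changes nothing."""
    if PSEUDO_NAME in text:
        return text
    return insert_before_last_brace(text, PSEUDO_ATTRIBUTE)


def prepare(text, read_only):
    """Read-only attributes first, then the pseudo attribute, so it stays last."""
    return add_disable_add_resource(mark_read_only(text, read_only))


if __name__ == "__main__":
    # usage: prepare_kvg.py agtsalesforce-input.kvg CreatedDate LastLoginDate > fixed.kvg
    if len(sys.argv) >= 2:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
        read_only = sys.argv[2:]
    else:
        text, read_only = SAMPLE, ["CreatedDate", "LastLoginDate"]
    sys.stdout.write(prepare(text, read_only))
```

The read-only attribute names are the ones idmsuite.log reports as RO for the template account; pass them on the command line so the same list can be re-applied after every capture. Re-running the script on an already edited file is a no-op, which makes it safe to run before each redirect into the agent.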
No accounts returned from discovery
Discovery may return no accounts if the Salesforce connector encounters an error when attempting to list account attributes. This can occur when the connector is configured to load an attribute that does not exist or is not enabled in your Salesforce organization.
Check the idmsuite.log for an error similar to the following:
No such column 'X' on entity 'User'. If you are attempting to use a custom field, be sure to append the '__c' after the custom field name. Please reference your WSDL or the describe call for the appropriate names.
In this error, X represents the name of the attribute that could not be found in Salesforce.
If the error exists and the column named X is not a field you need or use in Salesforce, override the account attribute for X for the Salesforce target system so that it does not load:
Navigate to Manage the system > Resources > Account attributes > Target system type > Salesforce.
Add an override for the attribute named X.
Ensure that Load attribute values from target system is unchecked.
Run discovery again to verify that accounts are now returned.
If the account attribute override does not resolve the issue, contact Bravura Security Support for further assistance.
Known issue
A known issue in versions prior to Bravura Security Fabric 12.8 (build 39093) could cause account attribute overrides to not be honored. This was subsequently fixed. If you are running an older build, upgrading may resolve the problem.
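When several attributes are wrong at once, the log contains one "No such column" line per attempt and the same name may repeat across discovery runs. The script below is an added example written for this page, not Bravura Security or Salesforce code: it scans log lines for the error quoted above, collects every reported column per entity, and flags names that look like custom fields missing the '__c' suffix. The log lines in SAMPLE_LOG are constructed; only the error message itself comes from the page, and the underscore heuristic for spotting custom fields is the example's own.

```python
"""List the columns behind "No such column" errors in idmsuite.log.

Added example (not Bravura Security code). Scans log lines for the
Salesforce "No such column 'X' on entity 'E'" message, collects each X once
per entity, and suggests the override or rename to apply. SAMPLE_LOG is
constructed; the custom-field heuristic is this example's own assumption.
"""
import re
import sys

ERROR_RE = re.compile(r"No such column '([^']+)' on entity '([^']+)'")

# Constructed log lines in the shape of a connector run; not a real capture.
SAMPLE_LOG = """\
2024-05-01 10:15:02 agtsalesforce: listing accounts
2024-05-01 10:15:03 agtsalesforce: No such column 'Department_Code' on entity 'User'. If you are attempting to use a custom field, be sure to append the '__c' after the custom field name. Please reference your WSDL or the describe call for the appropriate names.
2024-05-01 10:15:03 agtsalesforce: No such column 'FederationIdentifier2' on entity 'User'. If you are attempting to use a custom field, be sure to append the '__c' after the custom field name.
2024-05-01 10:15:04 agtsalesforce: No such column 'Department_Code' on entity 'User'.
"""


def missing_columns(lines):
    """Return {entity: [column, ...]} in first-seen order with duplicates dropped."""
    found = {}
    for line in lines:
        m = ERROR_RE.search(line)
        if not m:
            continue
        column, entity = m.group(1), m.group(2)
        cols = found.setdefault(entity, [])
        if column not in cols:
            cols.append(column)
    return found


def suggested_fix(column):
    """Heuristic (assumption): standard User fields have no underscores, so an
    underscored name without the API suffix is probably a custom field whose
    '__c' was dropped. Anything else should simply not be loaded."""
    if "_" in column and not column.endswith("__c"):
        return ("rename to %s__c if it is a custom field, otherwise override "
                "it so it is not loaded" % column)
    return "override the account attribute so it is not loaded"


def report(lines):
    """(entity, column, suggested fix) for every distinct missing column."""
    rows = []
    for entity, cols in missing_columns(lines).items():
        for col in cols:
            rows.append((entity, col, suggested_fix(col)))
    return rows


if __name__ == "__main__":
    # usage: missing_columns.py idmsuite.log   (no argument runs on SAMPLE_LOG)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            rows = report(f)
    else:
        rows = report(SAMPLE_LOG.splitlines())
    for entity, col, fix in rows:
        print("%s.%s: %s" % (entity, col, fix))
```

Each reported column is one override to add under Manage the system > Resources > Account attributes > Target system type > Salesforce, with Load attribute values from target system unchecked; if the same name keeps appearing after the override is in place, check the build number against the known issue above.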
