
What are Named Credentials?

Named Credentials were introduced in Salesforce in Spring '15 and provide a reliable and secure way to store sensitive information such as authorization details. Among other features, Named Credentials allow native SFDC applications to use this information without exposing it.

Why

...

are Need?

ClosePlan needs an authorized Named Credential (+ Connected App, Auth. Provider) to access other Salesforce APIs such as the Metadata, Tooling, and UI APIs. This ensures that ClosePlan doesn't need to manage any sensitive information, as the entire process is automatically managed by SFDC. It is also the official and only way to access these APIs from within the Salesforce environment.

...

How APIs are used?

ClosePlan uses these APIs to access data that is not accessible with Apex / SOQL.

...

  • Retrieving Sales Process details

    • Which Sales Stage belongs to what Sales Process, etc.

  • Managing Picklist Values for ClosePlan objects

    • Whenever a User updates the Relationship Map Picklist Values, several objects are updated at the same time. Additional Metadata related to those Picklist values are also defined.

External Access to the System

...


...

In order for the Connected Application to provide access, a 3rd party would need to have:

  • Consumer Key,

  • Consumer Secret Key

  • User within the system with Login, Password and security token

Authentication with an Integration User

...

Minimal Permission setup

TO BE SPECIFIED IN DETAIL

In the event that Modify All Data cannot be assigned to the Integration User, ClosePlan can still function with some functionality limitations. Examples of these limitations are:

  • Picklist Values will not be editable

  • Field creation will not be permitted, such as attempting to create a Custom Attribute in the ClosePlan Admin

  • Additional Administrative limitations can also occur

...

A user who authorizes a named credential will need to have all of the following permissions to get full functionality.

  • To authorize Named Credentials:

    • View Setup and Configuration (to get to NC config)

      • View Roles and Hierarchy (dependency)

    • Allows users to modify Named Credentials and External Credentials (to edit NC)

    • Manage Auth. Providers (Optional if Auth. provider already selected)

  • To access the mentioned APIs:

    • API Enabled (to call Meta/UI API)

  • To manage metadata:

    • Customize Application

      • Manage Translation (dependency)

      • Manage Custom Permissions (dependency)

    • Modify Metadata Through Metadata API Functions

    • Modify All Data (required for Custom Field manipulation)

Note

Note that the actual user working with ClosePlan Admin will still need to have the same permissions, regardless of the fact that they are already granted by the user who authorized the named credentials.

Is access to APIs required for ClosePlan to function?

ClosePlan can function without Named Credential authentication; however, some administrative functionality will be prevented, such as but not limited to:

  • Picklist Values will not be editable

  • Field creation will not be permitted, such as attempting to create a Custom Attribute in the ClosePlan Admin

  • Additional Administrative limitations can also occur

...

Workaround 1

For Orgs that cannot allow authentication for Named Credentials to remain active, the following work-around may be an alternative:

  • After Installing and configuring the ClosePlan app, and completing all required templates and settings needed for ClosePlan to function as needed, a Sys Admin can remove Named Credential authentication.

  • In the event that administrative work needs to be done on ClosePlan (such as creating a Custom Attribute), Named Credentials can be authenticated temporarily, the work completed, and then Named Credential authentication removed again.

Workaround 2

The second option is to reduce user permissions to retain only Read access to the APIs. In that case, ClosePlan will still be able to render various sections, but any attempt to update will fail with an error. Note that the application is not aware of whether all required permissions are provided, and errors are expected to occur if they are not.

Important Points:

  • ClosePlan updates and changes ONLY ClosePlan metadata.

  • ClosePlan does NOT touch the metadata of the Client organization.

  • Named Credentials must be authorized by a user with proper permissions, usually a System Administrator (defined by having the Customize Application permission).

  • ClosePlan provides no bypass for a Standard User to edit or change Salesforce Metadata through the ClosePlan Admin feature.

    • The User must still have the required permissions (usually a System Administrator with the corresponding required permissions).

    • Otherwise SFDC/ClosePlan will prohibit modification of Metadata and display a message.

Note:

In Classic, Salesforce legacy behavior permits a direct call to metadata APIs. In Lightning, Salesforce changed the behavior to increase security.

Logging Metadata Changes

The SFDC (Audit Trail) metadata logging mechanism still tracks all metadata changes, but operations will be logged on behalf of the user who authorized the named credential. In some cases, they are surrounded by additional logs logged as the actual user, providing additional clues. However, the actual user may be hidden.
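
The correlation described above, as an added example (not ClosePlan or Salesforce code): it takes audit-trail rows, picks the entries logged under the user who authorized the Named Credential, and lists other users active within a short window as candidates for the actual user. The column names, date format, user names, and the two-minute window are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows in an assumed CSV layout (Date, User, Action, Section).
# All user names, actions and timestamps are invented for illustration.
SAMPLE_CSV = """Date,User,Action,Section
2024-03-04 10:14:02,jane.admin@example.com,Changed custom setting,Custom Settings
2024-03-04 10:14:40,integration@example.com,Created custom field Attribute_7,Custom Objects
2024-03-04 10:14:41,integration@example.com,Changed picklist values for Role,Custom Objects
2024-03-04 10:15:05,jane.admin@example.com,Changed custom setting,Custom Settings
2024-03-04 16:30:00,integration@example.com,Changed picklist values for Status,Custom Objects
2024-03-04 18:02:11,bob.ops@example.com,Reset user password,Manage Users
"""


def parse_rows(text):
    """Parse the CSV text into dicts with a datetime under 'when', oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["when"])


def attribute_changes(rows, credential_user, window=timedelta(minutes=2)):
    """For each entry logged as credential_user, list other users seen nearby.

    An entry with no nearby activity from anyone else is marked unattributed:
    the audit trail alone does not reveal who triggered it.
    """
    results = []
    for row in rows:
        if row["User"] != credential_user:
            continue
        nearby = sorted({
            other["User"] for other in rows
            if other["User"] != credential_user
            and abs(other["when"] - row["when"]) <= window
        })
        results.append({
            "when": row["when"],
            "action": row["Action"],
            "candidates": nearby,
            "unattributed": not nearby,
        })
    return results


if __name__ == "__main__":
    for hit in attribute_changes(parse_rows(SAMPLE_CSV), "integration@example.com"):
        print(hit["when"], hit["action"], hit["candidates"] or "UNATTRIBUTED")
```

Entries flagged as unattributed are the ones to review against other evidence, since time proximity only suggests a candidate and does not prove who made the change.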

External Access to the System

ClosePlan Connected App does NOT provide any access to a Client Org under any circumstances.

In order for the Connected Application to provide access, a 3rd party would need to have:

  • Consumer Key,

  • Consumer Secret Key

  • User within the system with Login, Password and security token

** If a client or prospect requires any further clarification, please open a ticket at Support@People.ai

...