Versions Compared

Old Version 5

changes.mady.by.user Petr Chvala

Saved on

compared with

New Version 6

changes.mady.by.user David Depman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Named Credentials were introduced in Salesforce in Spring '15 and provide a reliable and secure way to store sensitive information such as authorization details. Among other features, Named Credentials allow native SFDC applications to use this information without exposing it.

Why

...

does ClosePlan need authorized Named Credentials?

ClosePlan needs an authorized Named Credential (+ Connected App, Auth. Provider) to access other Salesforce APIs such as Metadata, Tooling, and UI APIs.

This ensures that ClosePlan doen’t doesn’t need to manage any sensitive information as the entire process is automatically managed by SFDC. It is also the official and only way to access these APIs from within the Salesforce environment.

How are the APIs

...

used?

CloserPlan ClosePlan uses these APIs (Salesforce Metadata API and UI API) to access data that is not accessible with Apex / SOQL.

ClosePlan uses Metadata to read and tweak configurations in a controlled way to prevent user User errors.

Examples:

  • RetrievingSales Process details

    • Which Sales Stage belongs to what which Sales Process, etc.

  • Managing Picklist Values for ClosePlan objectsObjects

    • Whenever a User updates the Relationship Map Picklist Values, several objects are updated at the same time. Additional Metadata related to those Picklist values are also defined.

...

In most Orgs, ClosePlan Named Credentials are authenticated by a User with System Administrator profile as it . A Sys Admin Profile covers all needed permissions.

Some Orgs prefer to authenticate the Named Credentials with an Integration User. In this case the Integration User must be provided with specific permissions as descibed described below.

Note that by Integration User, we mean any other user with define it as: Any other User with a Salesforce type license that is dedicated to be used for similar scenarios and is not typically represented by an actual userUser.

Users with special ‘Salesforce Integration User’ licence type cannot be used to authorize Named Credentials.

Minimal

...

Permissions Setup

A user User who authorizes a named credential will need to have the all Named Credential needs the following permissions to get allow full functionality.

  • To authorize Named Credentials:

    • View Setup and Configuration (to get to NC configNamed Credentials configuration)

      • View Roles and Hierarchy (dependency)

    • Allows users to modify Named Credentials and External Credentials (to edit NCNamed Credentials)

    • Manage Auth. Providers (Optional if Auth. provider is already selected)

  • To access the APIs mentioned APIs

    • Api API Enabled (to call Meta/UI ApiAPI)

  • To manage matadatametadata:

    • Customize Application

      • Manage Translation (dependency)

      • Manage Custom Permissions (dependency)

    • Modify Metadata Through Metadata API Functions

    • Modify All Data (required for Custom Field manipulation)

Note

Note that the actual user User working with ClosePlan Admin will still need to have the same permissions, regardless of the fact that they are already granted by the user User who authorized the named credentialsNamed Credentials.

Is access to APIs required for ClosePlan to function?

...

Second option is to reduce user User permissions to retain only Read access to the APIs. In such case, ClosePlan will still be able to render various setionssections, but any attempt to update will fail with error. Note that apllication the ClosePlan application is not aware if all required permissions are provided and errors are expected to occurs occur if not.

Important Points:

  • ClosePlan updates and changes ONLY ClosePlan metadata.

  • ClosePlan does NOT touch the metadata of the Client organization.

  • Named Credentials must be authorized by the user a User with propper proper permissions, usually a System Administrator.

  • ClosePlan provides no bypass for a Standard User to edit or change Salesforce Metadata through the ClosePlan Admin feature.

    • The User must still have required permissions (usually System AdminstratorAdministrator)Otherwise

      • If the User does not have the required permissions, SFDC/ClosePlan will prohibit the modification of

      Metadata

      • metadata.

Note:

In Salesforce Classic, Salesforce legacy behavior permits a direct call to metadata APIs. In Lightning, Salesforce changed the behavior to increase security.

...

The SFDC (Audit Trail) metadata logging mechanism still tracks all metadata changes, but operations will be logged on behalf of the user User who authorized the named credential. In some cases, they are surrounded by additional logs logged as the actual userUser, providing additional clues. However, the actual user User may be hidden.

External Access to the System

...

In order for the the Connected Application to provide access, a 3rd party would need to have:

  • Consumer Key,

  • Consumer Secret Key

  • A User within the system with Login, Password and security token

** If a client or prospect requires any further clarification, please open a ticket at For any additional questions, please reach out to Technical Success with an email to Support@People.ai