You are here:
Salesforce Authenticated User Permission Requirements for Backup & Recover
The Authenticated User connects your Backup & Recover application to a client's Salesforce org. Having a dedicated integration user enhances security, improves audit trails, and avoids API concurrency collisions.
We leverage the Salesforce API. As a best practice, we recommend having a dedicated user as the Authenticated User. Define user permissions via profiles or permission sets. For large data volumes, assign dedicated Authenticated Users for Backup and Archive products.
Basic Permissions
The Authenticated User must have the following permissions:
- Read and Update access to all record types in your org. (Currently the Permission Report verifies field level permissions, but does not check for the record types you may need). For successful Restore operations and also for un-archiving records if you use the Archive tool.
- Read and Edit access to all Standard and Custom objects, fields, and record types. This can be configured from the Field Level Security page. As part of the implementation of Recover, you will be guided to create an additional permission set for setting Field Level Security. See Field Permissions.
Additional Permissions
The Authenticated User must also have the required permissions as follows:
- A license for all of the managed packages (for example: nCino) and feature licenses you use in your org. You must ensure that all the necessary Permission Set Licenses (PSL) and Installed Managed Package Licenses (IMPLs) are attributed to the Authenticated User. As a guide, use the Company Information screen to find which features licenses are available and have an assignment number > 1 (indicating that it is actually in use). See Available Feature Licenses
- The Modify All Data permission check box is enabled in the user profile, and all of its dependent default permissions are enabled. See Modify All Data Permission in Salesforce.
- Ensure that the IP addresses for our application are permitted to access the Salesforce Org.
- Customers may need to add the IP addresses, as login IP addresses, at the user profile level.
- We recommend using the “System Administrator” profile, or cloning the "System
Administrator" profile to a new profile for this Authenticated User, and then ensuring
that the user has all of the required permissions, as listed in this article.
- The Authenticated User requires Read and Update access to all Record Types in the org. The Permission Report verifies field-level permissions, but does not check for the Record Types that might be required.
- Some organizations require that integration users must use a specific profile. In such a case, ensure that the user is granted all the permissions that an Admin would have. Enable the permission "API Only User", which is enabled via the authenticated user's custom profile, or permission set.
- When setting up Permission Sets for this user, make sure that “Session Activation Required” is not set to True, as this is not supported.
- As part of the implementation of Recover, creating an additional permission set for setting Field-Level Security is required.
Further Permissions to Consider for Backup & Recover
- If security policies permit it, enable the permission “Password Never Expires” for this user.
- Enable the “Manage Encryption Key” check box in their profile to back up the TenantSecret object.
- Enable "Edit Read Only Fields" (e.g. to insert a value into Case.ClosedDate during a Restore operation)
- Enable "Manage All Private Reports and Dashboards"
- Enable "Manage Experiences"
- Enable "View All Custom Settings"
- Enable "View All Lookup Record Names"
- Enable "View Encrypted Data"
- Possibly an additional permission might be required, to avoid a problem caused by the Salesforce Summer ’21 update. In order to avoid problems due to this known Salesforce issue, also add the "Access Conversation Entries" under Administrative Permission in the profile/permission set. This issue could apparently cause an error message even for customers who don't use the functionality. This bug was apparently fixed in Summer ’21 Patch 13, so you could choose to skip this permission if you are not using that functionality.
- To backup Einstein, an Einstein Analytics Plus Admin is necessary to be assigned to the Authenticated user.
- Enable the “Manage Prompts” permission to prevent issues backing up Prompt Versions, if they are in use in your org.
- The user will also need access to the target object where the prompt is pointing to or the backup of that prompt record will potentially fail. For example the object referenced in the ‘TargetPageKey1’ field on any prompt version record.
- Enable the “Manage Flows” permission to prevent issues with backup which were introduced with the Salesforce Winter ’23 release.
- We recommend enabling the permission "API Only User" for the Authenticated User. This can be enabled via the authenticated user's custom profile or permission set.
- You can use MFA to login for this user, if needed.
- When connecting a backup service from to Salesforce (to start the backups), you will
need to login to Salesforce for this user. Therefore the Master Administrator and other
Admins will need to know the login credentials for that Backup & Recover Authenticated
User. This login will generate the OAuth access token that Backup & Recover will store
and use for access to that Salesforce Org.
This initial login will require the credentials to be entered from the user's desktop, so if IP address restrictions are in place, make sure that the desktop used for the initial login is recognized as the Backup & Recover Authenticated User. This will also be the case whenever you need to re-authenticate with Salesforce.
- If you are using Backup & Recover with a Veeva org, the Authenticated User must have Veeva administrator permissions (no separate license as such).
- To enable backing up and restoring Knowledge Articles, the following permission must be enabled:
- Lightning Knowledge must be enabled in your org to enable backup of Knowledge Articles.
- A user must have the View Articles permission enabled.
- Salesforce Knowledge users, unlike customer and partner users, must also be granted the Knowledge User feature license.
- The new Salesforce Integration User license is currently not supported. Our current testing indicates the scope of this license type is not enough to provide comprehensive access for backup and restore operations.
Required Permissions Table (Backup and Restore)
| Permission / Settings Name | Permission Type | Reason / Use Case | Documentation |
|---|---|---|---|
| Access Conversation Entries | Administrative Permission in the profile/permission set | Avoid problems with the issue described here | Access Conversation Entries |
| CRM Analytics Plus Admin | Permission Set License | Backup Einstein Analytics / Tableau CRM Note: Only supports the elements using the force.com API. | CRM Analytics Plus Admin |
| Customize Application | Administrative Permission | Avoids Cross Reference errors. | Define Validation Rules |
| Edit Read Only Fields | System Permissions | Used to populate data on restore to fields that may normally be read only | Field Access |
| Manage all Private Reports and Dashboards | System Permissions | Query / restore private reports/dashboards. | User Permissions for Sharing Reports and Dashboards |
| Manage Experiences | System Permissions | Needed if using Experience Cloud (formerly Community Cloud). | Assign an Experience Cloud Site Manager |
| Manage Flow | System Permissions | System Permissions | Not Available |
| Manage Orchestration Runs and Work Items | System Permissions | Access to Flow orchestrations since Winter '23 | Enable Sharing for Flow Orchestration Objects |
| Manage Prompts | System Permissions |
|
Create Prompts in Lightning Experience |
| Manage Users | Not Available | Must be enabled to retrieve the Profile metadata object and run Analyze Profile Permissions | Not Available |
| Modify All Data | System Permissions | Not Available | Modify All Data Permission in Salesforce |
| Query All Files | App Permission | More efficient queries and access to private files. | Query All Files |
| Set Audit Fields upon Record Creation | Enable in the user interface when setting up, and assign via System Permissions | Populates original created date of record | Enable the 'Create Audit Fields' permission |
| Update Records with Inactive Owners | Enable in the user interface when setting up, and assign via System Permissions | Restores records with inactive owners | Update Records with Inactive Owners |
| View All Custom Settings | System Permissions | Needed to backup custom relationships | Grant Read Access to All Custom Settings |
| View All Lookup Record Names | System Permissions | Needed to backup lookup relationships | View All Lookup Record Names |
| View and Edit Converted Leads | App Permission | Ability to see all leads | View and Edit Converted Leads |
| View Encrypted Data | System Permissions | Needed to backup encrypted data using classic encryption | View Encrypted Data |
With the release of Summer ’24, Salesforce has made it easier to review the user permissions of an org. More information can be found in the following articles:
Did this article solve your issue?
Let us know so we can improve!
