
Checklist before installing a Salesforce integration

We recommend verifying the following requirements before installing the Salesforce integration:

1. Verify your Salesforce edition supports API access

Salesforce editions offer different levels of API access, which can affect how Salesforce integrations work in Ampersand. Before setting up your Salesforce integration, confirm whether your Salesforce edition includes API access. Some editions include full API access by default, while others may offer limited access or require additional purchases. To check if your Salesforce edition supports the necessary API access for this integration, please refer to Salesforce’s official documentation on API access by edition. If your Salesforce edition does not include the required API access, contact your Salesforce account representative to upgrade your edition.

2. Configure token policy settings

Salesforce access tokens expire after a certain period. To ensure your integration continues working without interruption, you need to set your refresh token policy to Refresh token is valid until revoked. Here’s how to configure this setting in Salesforce:
  1. Log in to Salesforce.
  2. Go to Setup.
  3. In the Quick Find box, search for Connected Apps.
  4. Click on Manage Connected Apps.
  5. Find and click on the name of the application you are integrating with.
  6. Scroll down to the OAuth Policies section.
  7. Look for Refresh Token Policy.
  8. Under IP Relaxation, select Relax IP restrictions.
  9. Make sure the refresh token policy is set to Refresh token is valid until revoked.
  10. Click Save.

3. Check API access control settings

Salesforce allows administrators to restrict which applications can access Salesforce data through APIs. You need to ensure that API access isn’t limited to only specific connected apps. To verify your API access control settings:
  1. Log in to Salesforce.
  2. Go to Setup.
  3. In the Quick Find box, search for Connected Apps OAuth Usage.
  4. Under the list of connected apps, find your app and click Manage App Policies.
  5. In the OAuth Policies section, ensure the Permitted Users status is one of:
  • Admin approved users are pre-authorized - only selected users can access.
  • All users may self-authorize - all users can access the app.
If you need to modify these settings:
  1. Click on Install next to your connected app.
  2. In the OAuth Usage and Policies section, set the appropriate permissions level.
  3. Click Save.

4. Ensure sufficient permissions for installing user

The user that installs the Salesforce integration should either be:
  • a System Administrator
  • or a user that has been assigned a user profile with sufficient permissions. It is best to create a new custom user profile for this purpose.

Create a custom user profile

To create a new user profile:
  1. Log in to Salesforce.
  2. Go to Setup.
  3. In the Quick Find box, search for “Profiles”.
  4. Click on the New button.
  5. Choose an existing profile to clone; we recommend Standard User. Please ensure that you clone a user profile with the Salesforce User License. The Salesforce Platform User License is insufficient.

View and edit permissions for user profile

Follow the steps above to go to the Profiles page, and then:
  1. Select the user profile you’d like to view and edit.
  2. Click Edit at the top of the page.
  3. Ensure the checkboxes for the necessary permissions below are checked.
  4. Click Save at the top or bottom of the page.
Ensure that the following permissions are checked in the user profile:
  1. API Enabled
  2. One of the following:
  • Approve Uninstalled Connected Apps
  • Use Any API Client
    • Choose this if API Access Control is enabled. This can be enabled by contacting Salesforce Customer Support.
  3. If your integration is using Subscribe actions:
  • View Setup and Configuration
  • View Roles and Role Hierarchy
  • Manage Custom Permissions
  • Customize Application
  • Modify Metadata Through Metadata API Functions
  • Allows Users to Modify Named Credentials and External Credentials
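
The profile requirements above (always required, one-of, and Subscribe-only) can be checked mechanically before installation. This is an added example, not Ampersand or Salesforce code: the input is a constructed dictionary of permission labels transcribed from the profile page, and `check_profile` is a hypothetical helper name.

```python
# Permission labels exactly as they appear in the checklist above.
ALWAYS = {"API Enabled"}
ONE_OF = {"Approve Uninstalled Connected Apps", "Use Any API Client"}
SUBSCRIBE = {
    "View Setup and Configuration",
    "View Roles and Role Hierarchy",
    "Manage Custom Permissions",
    "Customize Application",
    "Modify Metadata Through Metadata API Functions",
    "Allows Users to Modify Named Credentials and External Credentials",
}


def check_profile(profile, uses_subscribe=False):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    granted = set(profile.get("permissions", []))
    # The checklist requires the Salesforce User License, not the Platform one.
    if profile.get("license") != "Salesforce":
        findings.append(f"license is {profile.get('license')!r}, need 'Salesforce'")
    for name in sorted(ALWAYS - granted):
        findings.append(f"missing: {name}")
    # At least one of the two API-client permissions must be granted.
    if not (ONE_OF & granted):
        findings.append("missing one of: " + " / ".join(sorted(ONE_OF)))
    # The remaining permissions only matter when Subscribe actions are used.
    if uses_subscribe:
        for name in sorted(SUBSCRIBE - granted):
            findings.append(f"missing for Subscribe: {name}")
    return findings


# Constructed sample: a profile cloned from the wrong license type with
# only two of the listed permissions checked.
SAMPLE = {
    "name": "Integration User (constructed)",
    "license": "Salesforce Platform",
    "permissions": ["API Enabled", "View Setup and Configuration"],
}

if __name__ == "__main__":
    for finding in check_profile(SAMPLE, uses_subscribe=True):
        print(finding)
```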

Object and field permissions for custom user profile

  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Object Manager and open it.
  3. Choose the object you need (for example, Account) and go to Object Access in the left navbar. Select the Profiles tab at the top. Click Edit and grant the necessary permissions for the custom user profile that you created.
  • If the integration needs to read data, ensure that Read, View All Records, and View All Fields are checked.
  • If the integration needs to write data, ensure that all boxes are checked.

Field permissions for standard user profile

We highly recommend creating a custom user profile for integrations. However, if this is not possible, here is how you can ensure the correct field permissions for a standard user profile. Please note that it is not possible to modify object permissions for standard user profiles.
  1. Click the gear icon in the top-right corner and select Setup.
  2. In the left-hand search bar, type Object Manager and open it.
  3. Select Fields & Relationships from the left navbar.
  4. Find the field you want to adjust and click it.
  5. Click Set Field-Level Security.
  6. Ensure the checkbox for Visible is selected for the user profile you’re interested in. If the user profile is not visible in this list, it means that it does not have access to this object. This is not possible to modify, so you should choose a different user profile to use for the integration, or create a custom user profile.
  7. Repeat steps 4-6 for all the fields that the integration needs to read, especially custom fields.