Salesforce Setup Guide
Follow our setup guide to connect Salesforce to Fivetran.
Prerequisites
To connect Salesforce to Fivetran, you need:
- Access to an active Salesforce account
- A Salesforce Enterprise level account plan or higher, or purchased Salesforce API calls
NOTE: You may make up to four connectors using one set of Salesforce account credentials. That’s because Salesforce limits the number of connections made using OAuth2 to four per account per application. If you attempt to authenticate more than four connectors using one set of Salesforce account credentials, the earliest connector you authenticated with those credentials will lose its authentication.
If you need more than four Salesforce connectors, you must use additional Salesforce account credentials to create those connectors.
Setup instructions
Enable field history tracking (optional)
Read the Salesforce documentation to learn how to enable field history tracking.
Disable session IP locking
If you have Session IP Locking enabled or get an INVALID_SESSION_ID error, go to the Session Settings page and uncheck the Lock sessions to the IP address from which they originated box. It is very rare that this setting needs to be updated (<1% of cases), because by default it is already disabled for the majority of users.
Create new user and profile in Salesforce (optional)
To set up a Salesforce connector, you can use any Salesforce user within your organization that has permission to read data from Salesforce's APIs. However, we recommend creating a dedicated user and limiting that user's data access to only the data you want to sync. You can limit data access for a user by creating a profile in Salesforce and assigning it to the user.
To create a new user and profile in Salesforce, do the following:
Log in to Salesforce. You must have administrative privileges to create a user.
Go to Setup in the top right corner of your screen.
Under the Administration tab on the left side of the screen, click on the Profiles tab.
Click New Profile.
Select Read Only from the Existing Profile drop-down menu.
Enter a memorable name in the Profile Name field. For example, Fivetran User Read Only.
Click Save. The Profile page will open.
Click Edit in the Profile Detail section.
Scroll down to the Standard Object Permissions section and set the Read permission for the objects that you want to sync.
Scroll down to the Custom Object Permissions section and grant the Read permission for the objects that you want to sync.
Click Save.
Under the Administration tab on the left side of the screen, click the Users tab.
Click New User.
Fill in all the required details.
In Profile, select the user profile you created (Fivetran User Read Only).
To grant field-level permissions using permission sets, follow the steps in the Option 2. Limit the connecting user in Salesforce section of this guide.
Limit permissions to tables or columns (optional)
Fivetran syncs the data that we have access to based on the viewing permissions of the connected user. If you don't want Fivetran to sync a certain type of data into your destination, limit the permissions of the connecting user.
There are two ways to limit the data that we extract from your Salesforce account. You can either disable tables in the Fivetran dashboard or limit the connecting user in Salesforce.
Option 1. Disable tables in the Fivetran dashboard
- In your Fivetran dashboard, navigate to the Salesforce connector details page.
- Go to the schema tab and disable the tables and columns which you do not want to be synced.
If you are concerned about unintentionally syncing sensitive data to your destination, click the gear icon to open the Schema Change Settings menu, then select Allow columns.
Option 2. Limit the connecting user in Salesforce
Fivetran connects to your Salesforce instance through the credentials of the connecting user, so to limit our access to the data, limit that user's access. You can do this in Salesforce through Permission Sets.
It's best to limit the connecting user's access before you initially connect the user through our setup form. Otherwise, you may have some dead objects in Salesforce that will no longer be updated after you've restricted the user's permissions.
Log in to Salesforce. You must have administrative privileges to set permissions.
Go to Setup in the top right corner of your screen.
Under the Administer tab on the left side of the screen, click on the arrow next to Manage Users.
You should now see a drop-down menu below the arrow. Select Permission Sets in the drop-down menu.
We recommend that you create a new set of permissions specifically for the user that you will use to connect to Fivetran. Name it something memorable, such as "Fivetran Permissions".
Users can have multiple sets of permissions assigned to them. If you'd like to be certain of what data we have access to, assign only one set of permissions to the connecting user.
Press New > Enter in Label > Choose Appropriate User License Type
You'll see the settings for the new Permission Set (for example, "Fivetran Permissions"). Select Object Settings.
Select which fields you would like this connecting user, and therefore Fivetran, to have access to. The default setting is No Access.
The only permissions relevant to Fivetran are that we can read the data, though the user themselves may need to be able to do more. The difference between the Read permission and the View All permission is that Read gives access to view records that are created by that user or are shared using rules, roles, or manual sharing. View All gives access to all records of that type (for example, the Account type).
NOTE: To enable the user to access all the files in the org, provide the user with the Query All Files permission. Fivetran cannot sync the ContentNote, ContentDocument, ContentDocumentLink, and ContentVersion objects without the Query All Files permission.
Enable View Setup and Configuration to enable the limits resource, which allows us to access different limits via API to optimize data sync.
Go to Administer > Manage Users > Users and select the user account that you will use to log in through Fivetran.
Scroll down to Permission Set Assignments and click Edit Assignments.
Move Fivetran Permissions from Available Permission Sets to Enabled Permission Sets and click Save.
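Because permission sets are additive, a second set assigned to the connecting user can silently widen what gets synced. The following is an added example, not Fivetran or Salesforce code: it unions exported ObjectPermissions rows per object and reports anything beyond the intended read-only scope. The SOQL text, the username, the "Sales Ops" set and the allow-list are assumptions constructed for illustration.

```python
from collections import defaultdict

# SOQL an administrator could run to export the rows audited below.
# The username is a placeholder for the connecting user.
SOQL = """SELECT Parent.Name, SobjectType, PermissionsRead, PermissionsCreate,
PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords
FROM ObjectPermissions WHERE ParentId IN
(SELECT PermissionSetId FROM PermissionSetAssignment
 WHERE Assignee.Username = 'fivetran.sync@example.com')"""

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsModifyAllRecords")

def effective_access(rows):
    """Union the flags per object: permission sets are additive, never subtractive."""
    merged = defaultdict(lambda: defaultdict(bool))
    for r in rows:
        for key, val in r.items():
            if key.startswith("Permissions") and val:
                merged[r["SobjectType"]][key] = True
    return merged

def audit(rows, allowed_objects):
    """Return sorted (object, finding) pairs for access beyond the intended sync scope."""
    findings = []
    for obj, flags in sorted(effective_access(rows).items()):
        if flags["PermissionsRead"] and obj not in allowed_objects:
            findings.append((obj, "readable but not in the sync allow-list"))
        if flags["PermissionsViewAllRecords"]:
            findings.append((obj, "View All: every record of this type is visible"))
        if any(flags[f] for f in WRITE_FLAGS):
            findings.append((obj, "write access granted; the sync only needs Read"))
    return findings

def row(pset, obj, **flags):
    """Build one constructed ObjectPermissions record in REST query-result shape."""
    return {"Parent": {"Name": pset}, "SobjectType": obj, "PermissionsRead": True, **flags}

# Constructed sample: the dedicated set plus a second set assigned by mistake.
SAMPLE = [
    row("Fivetran Permissions", "Account"),
    row("Fivetran Permissions", "Contact"),
    row("Sales Ops", "Account", PermissionsViewAllRecords=True),
    row("Sales Ops", "Opportunity", PermissionsEdit=True),
]

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE, allowed_objects={"Account", "Contact"}):
        print(f"{obj}: {finding}")
```

With only the two "Fivetran Permissions" rows the audit returns nothing; the extra set is what surfaces the Opportunity and View All findings.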
(Optional) AWS PrivateLink
IMPORTANT: Do not perform this step if you want to use Hybrid Deployment for your data pipeline. You must have a Business Critical plan to use AWS PrivateLink.
Prerequisites
To set up AWS PrivateLink, you need:
- A Fivetran instance configured to run in the mentioned AWS regions.
- A Salesforce Private Connect license
Set up AWS PrivateLink
Log in to your Salesforce Private Connect service.
Send your Service Name to our support team. Fivetran uses that service name to configure the Interface Endpoint.
NOTE: Service names are the same across all Salesforce accounts.
We provision our AWS infrastructure for the Inbound connection. The infrastructure looks similar to any other Private Link client and consists of an Interface Endpoint, Security Group, and Route53 CNAME in the corresponding region. We use the provided Private Connect service name to configure the Interface Endpoint.
Once we provide you with the Interface Endpoint ID, use that ID to create an Inbound connection in your Salesforce dashboard.
NOTE: Salesforce may charge you extra for this new connection.
Select Actions -> Sync to verify that the inbound connection is configured properly.
Select Actions -> Provision to provision the connection.
Send your Domain Name to our support team. We use that domain name in the provisioned Route53 CNAME record, which maps the name to our Interface Endpoint URL.
TIP: You can find your domain name on the My Domain Settings page of your Salesforce dashboard.
Finish setting up your Salesforce connector as usual. The My Domain name will automatically map to the Interface Endpoint URL.
Authentication method (Private Preview)
You can choose between the following authentication methods to connect your Salesforce account to Fivetran:
Standard (default): This method uses 1-way TLS (Transport Layer Security) with OAuth 2.0 (refresh-token flow) authorization.
Advanced: This method adds a layer of security by using mutual TLS (mTLS authentication) with OAuth2.0 (client-credential flow) authorization. See our Advanced Authentication documentation for detailed instructions to enable this option.
NOTE: Advanced authentication mode requires additional configuration in your Salesforce account, and is not recommended for most users.
Finish Fivetran configuration
Fivetran has two separate services for Salesforce. Choose the connector for the environment you'd like to use:
- Production environment
- Sandbox environment
In the connector setup form, enter the Destination schema name of your choice.
(Hybrid Deployment only) If your destination is configured for Hybrid Deployment, the Hybrid Deployment Agent associated with your destination is pre-selected in the Select an existing agent drop-down menu. To use a different agent, select the agent of your choice, and then select the same agent for your destination.
Select your Authentication Method:
- (Default) For Standard authentication, click Authorize and log in to your Salesforce account.
IMPORTANT: We recommend logging in while in Incognito mode to ensure authorization of the correct account.
(Private Preview only) For Advanced authentication, perform the following steps:
i. In the Client ID field, enter the consumer key for your configured connected app.
ii. In the Client secret field, enter the consumer secret for your configured connected app.
iii. In the CA-signed Certificate or Public Key field, upload the CA-signed certificate file you generated.
iv. In the Private key field, upload the private key you generated.
v. Enter the My Domain URL you found.
Click Save & Test. Fivetran will take it from here and sync your data from your Salesforce account.