DigitSec recommends that organizations use an Admin level account to connect DigitSec to their Salesforce. By default, it has the requisite permissions to begin scanning right away.
This page seeks to provide more context for users that are interested in learning more about the permissions that we require. You can also rely on this information to set up an integration account rather than relying on a specific user's account.
Enable API
In order for DigitSec to connect to Salesforce and being scanning your custom code and config, the connecting account or profile will need the API enabled in Settings.
Modify-All Data
The Modify All permission is required for the user account that connects from DigitSec to Salesforce. While DigitSec does not WRITE any data to Salesforce, our access to the MetaData API for the purposes of scanning your custom code and configuration settings require Modify All.
Download App Exchange Packages
If you wish to enable Third Party package scanning, we will also require that your connecting user has the Download AppExchange Package permissions enabled. This will allow DigitSec to access the Tooling API and run a SOQL query to find your installed packages.
Installing Using a Connected App
Configurations on Salesforce
- Install a new connected app.
- Go to Setup > App Manager
- Click on New Connected App as follows:
- Configure the app as follows:
- Please do not select any checkboxes and press Save. Please note, by default Salesforce will enable the “Require Proof Key for Code Exchange (PKCE)” setting. This must be disabled for this authentication system to work successfully.
- Once Save is clicked, the screen that appears shows a buttom named Manage Consumer Details as follows:
Click this button to copy your consumer key.
It usually takes 10 minutes for these settings to go into effect.
When a Salesforce Sandbox Org is refreshed, it creates a new Consumer Key value and resets the PKCE setting to Enabled. When such a refresh occurs, it will be required to retrieve the new key and disable PKCE. Then use that new Consumer Key value with your existing DigitSec workspace by using the Edit dialog available from the Workspace Title Card’s 3-dot menu on the Workspaces Dashboard.
Configuration on DigitSec
-
Click on Add Workspace > Salesforce
-
Add Name
-
Select "Salesforce Custom Login & Connected App" from the "Salesforce Login URL" dropdown
-
Enter the URL for the org where the connected app was created (It should be in the format we shared earlier) > Add the Consumer Key copied in step 1.
-
Click Save
-
Login to the org, if you get redirected to s4.digitsec.com then the connection has been established. Login again to DigitSec and now you can run scans.