Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Give us feedback
View GitHub RSS feed
Set theme to dark (⇧+D)

Salesforce

The Salesforce integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated Salesforce environment that could leave you and your organization vulnerable.

​​ Integration prerequisites

  • A Salesforce environment (most editions are compatible)

  • Permissions to a Salesforce organization with either:

    • System Administrator permission
    • Permissions for View Setup and Configuration, Customize Applications, and Modify All Data

​​ Integration permissions

For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:

  • Manage user data via APIs (api)
  • Manage user data via Web browsers (web)
  • Perform requests at any time (refresh_token, offline_access)
  • Access unique user identifiers (openid)

These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the Salesforce OAuth Tokens and Scopes documentation.

​​ Security findings

The Salesforce integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by severity level.

To stay up-to-date with new CASB findings as they are added, bookmark this page or subscribe to its RSS feed.

​​ File sharing

Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.

FindingSeverity
Salesforce Content Document Publicly Accessible Without PasswordCritical
Salesforce Content Document Publicly Accessible Weak PasswordHigh
Salesforce Content Document Publicly Accessible Password ProtectedMedium
Salesforce Content Document Shared and Not Viewed in 1 Year (Stale Permission)Medium
Salesforce Large Content Document (2 GB+)Medium

​​ Account misconfigurations

Discover account and admin-level settings that have been configured in an insecure way.

FindingSeverity
Salesforce Domain without HTTPSHigh
Salesforce Default Account Record Access Allows EditMedium
Salesforce Default Case Record Access Allows EditMedium
Salesforce Default Contact Record Access Allows EditMedium
Salesforce Default Lead Record Access Allows EditMedium
Salesforce Default Opportunity Record Access Allows EditMedium
Salesforce Organization with Active Compliance BCC EmailLow

​​ User access

Flag user access issues, including account misuse and users not following best practices.

FindingSeverity
Salesforce User Sending Email with Different Email AddressMedium
Salesforce User InactiveLow
Salesforce User Never Logged InLow
Salesforce User Not Logged In within 90 DaysLow