Tableau Connector for Salesforce

Build 24.0.9060

OAuth Scopes and Endpoints

Required Scopes and Endpoint Domains for Salesforce

When integrating with Salesforce, your application needs specific permissions to interact with the API.

These permissions are defined by access scopes, which determine what data your application can access and what actions it can perform.

This topic provides information about the required access scopes and endpoint domains for the Salesforce connector.

Understanding Scopes

Scopes are a way to limit an application's access to a user's data. They define the specific actions that an application can perform on behalf of the user.

For example, a read-only scope might allow an application to view data, while a full access scope might allow it to modify data.

Required Scopes for Salesforce

Scope Description
full Allows access to all data accessible by the logged-in user, and encompasses all other scopes. Required for write access.
api Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API 2.0. This scope also includes chatter_api, which allows access to Connect REST API resources. Required for read access.
chatter_api Allows access to Connect REST API resources on behalf of the user.
refresh_token Allows a refresh token to be returned when the requesting client is eligible to receive one. With a refresh token, the app can interact with the user’s data while the user is offline. This token is synonymous with requesting offline_access. Required for read access.
id Allows access to the identity URL service. You can request profile, email, address, or phone individually to get the same result as using id because they’re synonymous. Required for read access.
visualforce Allows access to customer-created Visualforce pages only. This scope doesn’t allow access to standard Salesforce UIs.
web Allows use of the access_token on the web. This scope also includes visualforce, allowing access to customer-created Visualforce pages. Required for read access.

Understanding Endpoint Domains

Endpoint domains are the specific URLs that the application needs to communicate with in order to authenticate, retrieve records, and perform other essential operations.

Allowlisting these domains ensures that the network traffic between your application and the API is not blocked by firewalls or security settings.

Note: Most users do not need to make any special configurations. Allowlisting is typically only necessary for environments with strict security measures, such as restricted outbound network traffic.

Required Endpoint Domains for Salesforce

Domain Always Required Description
test.salesforce.com FALSE The subdomain used to access sandbox instances of Salesforce.
<Site>.my.salesforce.com TRUE The domain of your Salesforce site.
<LoginURL> FALSE The login URL specified in LoginURL. The default value is login.salesforce.com.
<SSOLoginURL> FALSE The login URL of your SSO provider. Required when AuthScheme is set to OKTA, PingFederate, or ADFS.
<Subdomain>.onelogin.com FALSE The subdomain of onelogin.com specified in SSOProperties. Required if AuthScheme is set to OKTA.
<SSOExchangeURL> FALSE Your SSO Exchange URL. Required when AuthScheme is set to OKTA, PingFederate, ADFS, OneLogin, or AzureAD.
<Resource> FALSE The Azure AD resource URL specified in SSOProperties. Required when AuthScheme is set to AzureAD.
<RelyingParty> FALSE The URI of your ADFS relying party, specified in SSOProperties. Required when AuthScheme is set to ADFS.

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 24.0.9060