Elastic Salesforce connector reference
editElastic Salesforce connector reference
editThe Elastic Salesforce connector is a connector for Salesforce data sources.
Native connector reference (managed service)
editView reference for the native connector reference (managed service).
Availability and prerequisites
editThis connector is available as a native connector in Elastic Cloud since 8.12.0. To use this connector, satisfy all connector client requirements.
Compatibility
editThis connector is compatible with the following:
- Salesforce
- Salesforce Sandbox
Create a Salesforce connector
editUse the UI
editTo create a new Salesforce connector:
- Navigate to the Search → Connectors page in the Kibana UI.
- Follow the instructions to create a new native Salesforce connector.
For additional operations, see Using connectors.
Use the API
editYou can use the Elasticsearch Create connector API to create a new native Salesforce connector.
For example:
PUT _connector/<my-salesforce-connector> { "index_name": "<my-elasticsearch-index>", "name": "Content synced from Salesforce", "service_type": "salesforce", "is_native": "true" }
You’ll also need to create an API key for the connector to use.
The user needs the cluster privileges manage_api_key
and write_connector_secrets
to generate API keys programmatically.
To create an API key for the connector:
-
Run the following command, replacing values where indicated. Note the
id
andencoded
return values from the response:POST /_security/api_key { "name": "<connector_name>-connector-api-key", "role_descriptors": { "<connector_name>-connector-role": { "cluster": [ "monitor" ], "indices": [ { "names": [ "<index_name>", ".search-acl-filter-<index_name>", ".elastic-connectors*" ], "privileges": [ "all" ], "allow_restricted_indices": false } ] } } }
-
Use the
encoded
value to store a connector secret, and note theid
return value from this response:POST _connector/_secret { "value": <encoded_api_key> }
-
Use the API key
id
and the connector secretid
to update the connector:PUT /_connector/<connector_id>/_api_key_id { "api_key_id": "<API key id>", "api_key_secret_id": "<secret id>" }
Refer to the Elasticsearch API documentation for details of all available Connector APIs.
Usage
editTo use this connector as a connector client, use the Connector workflow in the Kibana UI.
For additional operations, see connectors usage.
You need to create an Salesforce connected app with OAuth2.0 enabled to authenticate with Salesforce.
Create a Salesforce connected app
editThe Salesforce connector authenticates with Salesforce through a connected app. Follow the official Salesforce documentation for Configuring a Connected App for the OAuth 2.0 Client Credentials Flow.
When creating the connected app, in the section titled API (Enable OAuth Settings) ensure the following settings are enabled:
- Enable OAuth Settings
-
Enable for Device Flow
-
Callback URL should be the Salesforce dummy callback URL,
https://test.salesforce.com/services/oauth2/success
-
Callback URL should be the Salesforce dummy callback URL,
- Require Secret for Web Server Flow
- Require Secret for Refresh Token Flow
- Enable Client Credentials Flow
All other options should be disabled. Finally, in the section Selected OAuth Scopes, include the following OAuth scopes:
- Manage user data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
Salesforce admin requirements
editBy default, the Salesforce connector requires global administrator permissions to access Salesforce data. Expand the section below to learn how to create a custom Salesforce user with minimal permissions.
Create a custom Salesforce user with minimal permissions
By creating a custom profile with sufficient permissions from the Setup menu, you can remove the system administrator role requirement for fetching data from Salesforce.
To create a new profile:
- From the Salesforce Setup menu, go to Administration ⇒ Users ⇒ Profiles.
- Create a new profile.
-
Choose
Read Only
orStandard User
from the Existing Profile dropdown. Name the profile and save it.By default,
Read Only
orStandard User
users have read permission to access all standard objects. -
Edit the newly created profile. Under Object Permissions, assign at least
Read
access to the standard objects and custom objects you want to ingest into Elasticsearch. -
Make sure the newly created profile has at least
Read
access for the following standard objects:- Account
- Campaign
- Case
- Contact
- EmailMessage
- Lead
- Opportunity
-
User
If using advanced sync rules you’ll need to assign
Read
access for that specific object in the profile.
- Go to Users ⇒ Profiles and assign the newly created profile to the user.
-
Go to Connected apps, select your app and then select Edit policies. Assign the client credentials flow to the user with the custom profile in Salesforce.
Now, the connector can be configured for this user profile to fetch all object records, without needing the system administration role.
Configuration
editThe following settings are required to set up this connector:
- Domain (required)
-
The domain for your Salesforce account.
This is the subdomain that appears in your Salesforce URL.
For example, if your Salesforce URL is
foo.my.salesforce.com
, then your domain would befoo
. If you are using Salesforce Sandbox, your URL will contain an extra subdomain and will look similar tofoo.sandbox.my.salesforce.com
. In this case, your domain would befoo.sandbox
. - Client ID (required)
- The Client ID generated by your connected app. The Salesforce documentation will sometimes also call this a Consumer Key
- Client Secret (required)
- The Client Secret generated by your connected app. The Salesforce documentation will sometimes also call this a Consumer Secret.
- Enable document level security
-
Toggle to enable document level security (DLS). Optional, disabled by default. Refer to the DLS section for more information, including how to set various Salesforce permission types.
When enabled:
-
Full syncs will fetch access control lists for each document and store them in the
_allow_access_control
field. - Access control syncs will fetch users' access control lists and store them in a separate index.
-
Full syncs will fetch access control lists for each document and store them in the
Finding the Client ID and Client Secret
editThe Client ID and Client Secret are not automatically shown to you after you create a connected app. You can find them by taking the following steps:
- Navigate to Setup
- Go to Platform Tools > Apps > App Manager
- Click on the triangle next to your app and select View
- After the page loads, click on Manage Consumer Details
Your Client ID and Client Secret should now be visible at the top of the page.
Document level security (DLS)
editDocument level security (DLS) enables you to restrict access to documents based on a user's permissions. This feature is available by default for the Salesforce connector and supports both standard and custom objects.
Salesforce allows users to set permissions in the following ways:
- Profiles
- Permission sets
- Permission set Groups
For guidance, refer to these video tutorials about setting Salesforce permissions.
To ingest any standard or custom objects, users must ensure that at least Read
permission is granted to that object.
This can be granted using any of the following methods for setting permissions.
Set Permissions using Profiles
editRefer to the Salesforce documentation for setting permissions via Profiles.
Set Permissions using Permissions Set
editRefer to the Salesforce documentation for setting permissions via Permissions Sets.
Set Permissions using Permissions Set group
editRefer to the Salesforce documentation for setting permissions via Permissions Set Groups.
Assign Profiles, Permission Set and Permission Set Groups to the User
editOnce the permissions are set, assign the Profiles, Permission Set or Permission Set Groups to the user. Follow these steps in Salesforce:
-
Navigate to
Administration
under theUsers
section. -
Select
Users
and choose the user to set the permissions to. -
Set the
Profile
,Permission Set
orPermission Set Groups
created in the earlier steps.
Sync rules
editBasic sync rules are identical for all connectors and are available by default. For more information read Types of sync rule.
Advanced sync rules
editA full sync is required for advanced sync rules to take effect.
The following section describes advanced sync rules for this connector. Advanced sync rules enable filtering of data in Salesforce before indexing into Elasticsearch.
They take the following parameters:
-
query
: Salesforce query to filter the documents. -
language
: Salesforce query language. Allowed values are SOQL and SOSL.
Fetch documents based on the query and language specified
editExample: Fetch documents using SOQL query
[ { "query": "SELECT Id, Name FROM Account", "language": "SOQL" } ]
Example: Fetch documents using SOSL query.
[ { "query": "FIND {Salesforce} IN ALL FIELDS", "language": "SOSL" } ]
Fetch standard and custom objects using SOQL and SOSL queries
editExample: Fetch documents for standard objects via SOQL and SOSL query.
[ { "query": "SELECT Account_Id, Address, Contact_Number FROM Account", "language": "SOQL" }, { "query": "FIND {Alex Wilber} IN ALL FIELDS RETURNING Contact(LastModifiedDate, Name, Address)", "language": "SOSL" } ]
Example: Fetch documents for custom objects via SOQL and SOSL query.
[ { "query": "SELECT Connector_Name, Version FROM Connector__c", "language": "SOQL" }, { "query": "FIND {Salesforce} IN ALL FIELDS RETURNING Connectors__c(Id, Connector_Name, Connector_Version)", "language": "SOSL" } ]
Fetch documents with standard and custom fields
editExample: Fetch documents with all standard and custom fields for Account object.
[ { "query": "SELECT FIELDS(ALL) FROM Account", "language": "SOQL" } ]
Example: Fetch documents with all custom fields for Connector object.
[ { "query": "SELECT FIELDS(CUSTOM) FROM Connector__c", "language": "SOQL" } ]
Example: Fetch documents with all standard fields for Account object.
[ { "query": "SELECT FIELDS(STANDARD) FROM Account", "language": "SOQL" } ]
Documents and syncs
editThe connector syncs the following Salesforce objects:
- Accounts
- Campaigns
- Cases
- Contacts
- Content Documents (files uploaded to Salesforce)
- Leads
- Opportunities
The connector will not ingest any objects that it does not have permissions to query.
- Content from files bigger than 10 MB won’t be extracted. (Self-managed connectors can use the self-managed local extraction service to handle larger binary files.)
- Permissions are not synced by default. You must enable document level security. Otherwise, all documents indexed to an Elastic deployment will be visible to all users with access to that Elastic Deployment.
Sync types
editFull syncs are supported by default for all connectors.
This connector also supports incremental syncs, but this feature is currently disabled by default. Refer to the linked documentation for enabling incremental syncs.
Content Extraction
editThe connector will retrieve Content Documents from your Salesforce source if they meet the following criteria:
- Are attached to one or more objects that are synced
- Are of a file type that can be extracted
This means that the connector will not ingest any Content Documents you have that are not attached to a supported Salesforce object. See documents and syncs for a list of supported object types.
If a single Content Document is attached to multiple supported objects, only one Elastic document will be created for it.
This document will retain links to every object that it was connected to in the related_ids
field.
See content extraction for more specifics on content extraction.
Known issues
edit-
DLS feature is "type-level" not "document-level"
Salesforce DLS, added in 8.13.0, does not accomodate specific access controls to specific Salesforce Objects. Instead, if a given user/group can have access to any Objects of a given type (
Case
,Lead
,Opportunity
, etc), that user/group will appear in the\_allow_access_control
list for all of the Objects of that type. See https://github.com/elastic/connectors/issues/3028 for more details.Refer to connector known issues for a list of known issues for all connectors.
Security
editSee connectors security.
Framework and source
editThis connector is built with the Elastic connector framework.
View the source code for this connector (branch 8.14, compatible with Elastic 8.14).
Connector client reference (self-managed)
editView reference for the connector client reference (self-managed).
Availability and prerequisites
editThis connector is available as a self-managed connector client. This connector client is compatible with Elastic versions 8.10.0+. To use this connector, satisfy all connector client requirements.
Compatibility
editThis connector is compatible with the following:
- Salesforce
- Salesforce Sandbox
Create a Salesforce connector
editUse the UI
editTo create a new Salesforce connector:
- Navigate to the Search → Connectors page in the Kibana UI.
- Follow the instructions to create a new Salesforce connector client.
For additional operations, see Using connectors.
Use the API
editYou can use the Elasticsearch Create connector API to create a new self-managed Salesforce connector client.
For example:
PUT _connector/my-salesforce-connector { "index_name": "my-elasticsearch-index", "name": "Content synced from Salesforce", "service_type": "salesforce" }
You’ll also need to create an API key for the connector to use.
The user needs the cluster privileges manage_api_key
and write_connector_secrets
to generate API keys programmatically.
To create an API key for the connector:
-
Run the following command, replacing values where indicated. Note the
encoded
return values from the response:POST /_security/api_key { "name": "<connector_name>-connector-api-key", "role_descriptors": { "<connector_name>-connector-role": { "cluster": [ "monitor" ], "indices": [ { "names": [ "<index_name>", ".search-acl-filter-<index_name>", ".elastic-connectors*" ], "privileges": [ "all" ], "allow_restricted_indices": false } ] } } }
-
Update your
config.yml
file with the API keyencoded
value.
Refer to the Elasticsearch API documentation for details of all available Connector APIs.
Usage
editTo use this connector as a connector client, use the Connector workflow in the Kibana UI.
For additional operations, see connectors usage.
You need to create an Salesforce connected app with OAuth2.0 enabled to authenticate with Salesforce.
Create a Salesforce connected app
editThe Salesforce connector authenticates with Salesforce through a connected app. Follow the official Salesforce documentation for Configuring a Connected App for the OAuth 2.0 Client Credentials Flow.
When creating the connected app, in the section titled API (Enable OAuth Settings) ensure the following settings are enabled:
- Enable OAuth Settings
-
Enable for Device Flow
-
Callback URL should be the Salesforce dummy callback URL,
https://test.salesforce.com/services/oauth2/success
-
Callback URL should be the Salesforce dummy callback URL,
- Require Secret for Web Server Flow
- Require Secret for Refresh Token Flow
- Enable Client Credentials Flow
All other options should be disabled. Finally, in the section Selected OAuth Scopes, include the following OAuth scopes:
- Manage user data via APIs (api)
- Perform requests at any time (refresh_token, offline_access)
Salesforce admin requirements
editBy default, the Salesforce connector requires global administrator permissions to access Salesforce data. Expand the section below to learn how to create a custom Salesforce user with minimal permissions.
Create a custom Salesforce user with minimal permissions
By creating a custom profile with sufficient permissions from the Setup menu, you can remove the system administrator role requirement for fetching data from Salesforce.
To create a new profile:
- From the Salesforce Setup menu, go to Administration ⇒ Users ⇒ Profiles.
- Create a new profile.
-
Choose
Read Only
orStandard User
from the Existing Profile dropdown. Name the profile and save it.By default,
Read Only
orStandard User
users have read permission to access all standard objects. -
Edit the newly created profile. Under Object Permissions, assign at least
Read
access to the standard objects and custom objects you want to ingest into Elasticsearch. -
Make sure the newly created profile has at least
Read
access for the following standard objects:- Account
- Campaign
- Case
- Contact
- EmailMessage
- Lead
- Opportunity
-
User
If using advanced sync rules you’ll need to assign
Read
access for that specific object in the profile.
- Go to Users ⇒ Profiles and assign the newly created profile to the user.
-
Go to Connected apps, select your app and then select Edit policies. Assign the client credentials flow to the user with the custom profile in Salesforce.
Now, the connector can be configured for this user profile to fetch all object records, without needing the system administration role.
Deployment using Docker
editConnector clients are run on your own infrastructure.
You can deploy the Salesforce connector as a self-managed connector client using Docker. Follow these instructions.
Step 1: Download sample configuration file
Download the sample configuration file. You can either download it manually or run the following command:
curl https://raw.githubusercontent.com/elastic/connectors/main/config.yml.example --output ~/connectors-config/config.yml
Remember to update the --output
argument value if your directory name is different, or you want to use a different config file name.
Step 2: Update the configuration file for your self-managed connector
Update the configuration file with the following settings to match your environment:
-
elasticsearch.host
-
elasticsearch.api_key
-
connectors
If you’re running the connector service against a Dockerized version of Elasticsearch and Kibana, your config file will look like this:
# When connecting to your cloud deployment you should edit the host value elasticsearch.host: http://host.docker.internal:9200 elasticsearch.api_key: <ELASTICSEARCH_API_KEY> connectors: - connector_id: <CONNECTOR_ID_FROM_KIBANA> service_type: salesforce api_key: <CONNECTOR_API_KEY_FROM_KIBANA> # Optional. If not provided, the connector will use the elasticsearch.api_key instead
Using the elasticsearch.api_key
is the recommended authentication method. However, you can also use elasticsearch.username
and elasticsearch.password
to authenticate with your Elasticsearch instance.
Note: You can change other default configurations by simply uncommenting specific settings in the configuration file and modifying their values.
Step 3: Run the Docker image
Run the Docker image with the Connector Service using the following command:
docker run \ -v ~/connectors-config:/config \ --network "elastic" \ --tty \ --rm \ docker.elastic.co/enterprise-search/elastic-connectors:8.14.3.0 \ /app/bin/elastic-ingest \ -c /config/config.yml
Refer to DOCKER.md
in the elastic/connectors
repo for more details.
Find all available Docker images in the official registry.
We also have a quickstart self-managed option using Docker Compose, so you can spin up all required services at once: Elasticsearch, Kibana, and the connectors service.
Refer to this README in the elastic/connectors
repo for more information.
Configuration
editThe following settings are required to set up this connector:
-
domain
(required) -
The domain for your Salesforce account.
This is the subdomain that appears in your Salesforce URL.
For example, if your Salesforce URL is
foo.my.salesforce.com
, then your domain would befoo
. If you are using Salesforce Sandbox, your URL will contain an extra subdomain and will look similar tofoo.sandbox.my.salesforce.com
. In this case, your domain would befoo.sandbox
. -
client_id
(required) - The Client ID generated by your connected app. The Salesforce documentation will sometimes also call this a Consumer Key
-
client_secret
(required) - The Client Secret generated by your connected app. The Salesforce documentation will sometimes also call this a Consumer Secret.
-
use_document_level_security
-
Toggle to enable document level security (DLS). Optional, disabled by default. Refer to the DLS section for more information, including how to set various Salesforce permission types.
When enabled:
-
Full syncs will fetch access control lists for each document and store them in the
_allow_access_control
field. - Access control syncs will fetch users' access control lists and store them in a separate index.
-
Full syncs will fetch access control lists for each document and store them in the
Finding the Client ID and Client Secret
editThe Client ID and Client Secret are not automatically shown to you after you create a connected app. You can find them by taking the following steps:
- Navigate to Setup
- Go to Platform Tools > Apps > App Manager
- Click on the triangle next to your app and select View
- After the page loads, click on Manage Consumer Details
Your Client ID and Client Secret should now be visible at the top of the page.
Document level security (DLS)
editDocument level security (DLS) enables you to restrict access to documents based on a user's permissions. This feature is available by default for the Salesforce connector and supports both standard and custom objects.
Salesforce allows users to set permissions in the following ways:
- Profiles
- Permission sets
- Permission set Groups
For guidance, refer to these video tutorials about setting Salesforce permissions.
To ingest any standard or custom objects, users must ensure that at least Read
permission is granted to that object.
This can be granted using any of the following methods for setting permissions.
Set Permissions using Profiles
editRefer to the Salesforce documentation for setting permissions via Profiles.
Set Permissions using Permissions Set
editRefer to the Salesforce documentation for setting permissions via Permissions Sets.
Set Permissions using Permissions Set group
editRefer to the Salesforce documentation for setting permissions via Permissions Set Groups.
Assign Profiles, Permission Set and Permission Set Groups to the User
editOnce the permissions are set, assign the Profiles, Permission Set or Permission Set Groups to the user. Follow these steps in Salesforce:
-
Navigate to
Administration
under theUsers
section. -
Select
Users
and choose the user to set the permissions to. -
Set the
Profile
,Permission Set
orPermission Set Groups
created in the earlier steps.
Sync rules
editBasic sync rules are identical for all connectors and are available by default.
For more information read sync rules.
Advanced sync rules
editA full sync is required for advanced sync rules to take effect.
The following section describes advanced sync rules for this connector. Advanced sync rules enable filtering of data in Salesforce before indexing into Elasticsearch.
They take the following parameters:
-
query
: Salesforce query to filter the documents. -
language
: Salesforce query language. Allowed values are SOQL and SOSL.
Fetch documents based on the query and language specified
editExample: Fetch documents using SOQL query
[ { "query": "SELECT Id, Name FROM Account", "language": "SOQL" } ]
Example: Fetch documents using SOSL query.
[ { "query": "FIND {Salesforce} IN ALL FIELDS", "language": "SOSL" } ]
Fetch standard and custom objects using SOQL and SOSL queries
editExample: Fetch documents for standard objects via SOQL and SOSL query.
[ { "query": "SELECT Account_Id, Address, Contact_Number FROM Account", "language": "SOQL" }, { "query": "FIND {Alex Wilber} IN ALL FIELDS RETURNING Contact(LastModifiedDate, Name, Address)", "language": "SOSL" } ]
Example: Fetch documents for custom objects via SOQL and SOSL query.
[ { "query": "SELECT Connector_Name, Version FROM Connector__c", "language": "SOQL" }, { "query": "FIND {Salesforce} IN ALL FIELDS RETURNING Connectors__c(Id, Connector_Name, Connector_Version)", "language": "SOSL" } ]
Fetch documents with standard and custom fields
editExample: Fetch documents with all standard and custom fields for Account object.
[ { "query": "SELECT FIELDS(ALL) FROM Account", "language": "SOQL" } ]
Example: Fetch documents with all custom fields for Connector object.
[ { "query": "SELECT FIELDS(CUSTOM) FROM Connector__c", "language": "SOQL" } ]
Example: Fetch documents with all standard fields for Account object.
[ { "query": "SELECT FIELDS(STANDARD) FROM Account", "language": "SOQL" } ]
Documents and syncs
editThe connector syncs the following Salesforce objects:
- Accounts
- Campaigns
- Cases
- Contacts
- Content Documents (files uploaded to Salesforce)
- Leads
- Opportunities
The connector will not ingest any objects that it does not have permissions to query.
- Content from files bigger than 10 MB won’t be extracted by default. Use the self-managed local extraction service to handle larger binary files.
- Permissions are not synced by default. You must enable document level security. Otherwise, all documents indexed to an Elastic deployment will be visible to all users with access to that Elastic Deployment.
Sync types
editFull syncs are supported by default for all connectors.
This connector also supports incremental syncs, but this feature is currently disabled by default. Refer to the linked documentation for enabling incremental syncs.
Content Extraction
editThe connector will retrieve Content Documents from your Salesforce source if they meet the following criteria:
- Are attached to one or more objects that are synced
- Are of a file type that can be extracted
This means that the connector will not ingest any Content Documents you have that are not attached to a supported Salesforce object. See documents and syncs for a list of supported object types.
If a single Content Document is attached to multiple supported objects, only one Elastic document will be created for it.
This document will retain links to every object that it was connected to in the related_ids
field.
See content extraction for more specifics on content extraction.
Known issues
edit-
DLS feature is "type-level" not "document-level"
Salesforce DLS, added in 8.13.0, does not accomodate specific access controls to specific Salesforce Objects. Instead, if a given user/group can have access to any Objects of a given type (
Case
,Lead
,Opportunity
, etc), that user/group will appear in the\_allow_access_control
list for all of the Objects of that type. See https://github.com/elastic/connectors/issues/3028 for more details.Refer to connector known issues for a list of known issues for all connectors.
Security
editSee connectors security.
Framework and source
editThis connector is built with the Elastic connector framework.
View the source code for this connector (branch 8.14, compatible with Elastic 8.14).