Salesforce Setup Guide

Follow our setup guide to connect Salesforce to Fivetran.

Prerequisites

To connect Salesforce to Fivetran, you need:

An active Salesforce account with Administrative privileges to approve Uninstalled Connected Apps. For more information, see our Grant permission to connect to the Fivetran app documentation.
A Salesforce Enterprise level account plan or higher, or purchased Salesforce API calls.

You can create up to four connections using one set of Salesforce account credentials. That’s because Salesforce limits the number of connections made using OAuth2 to four per account per application.

If you attempt to authenticate more than four connections using one set of Salesforce account credentials, the earliest connection you authenticated with those credentials will lose its authentication.

If you need more than four Salesforce connections, you must use additional Salesforce account credentials to create those connections.

Supported authentication methods

You can use one of the following authentication methods to connect your Salesforce account to Fivetran:

OAuth2.0 (default): This method uses 1-way TLS (Transport Layer Security) with OAuth2.0 (refresh-token flow) authorization.
mTLS: This method adds a layer of security by using mutual TLS (mTLS authentication) with OAuth2.0 (client-credential flow) authorization. See our Mutual Authentication documentation for detailed instructions to enable this option. We do not recommend this mode for most users because it requires additional configuration in your Salesforce account.

We do not support mTLs for Private Link connections.

Setup instructions

Disable session IP locking

Go to the Session Settings page and uncheck the Lock sessions to the IP address from which they originated box.

It is very rare that this setting needs to be updated (<1% of cases), as it is disabled by default for the majority of users.

You may encounter the INVALID_SESSION_ID error when Session IP Locking is turned on.

Grant permission to connect to the Fivetran app

To connect to Salesforce using an application that isn't installed in your organization, you must grant users the appropriate permissions to connect to uninstalled apps. To grant user permissions, you must have administrative privileges. You can assign this permission either by adding it to an existing permission set or by enabling it directly on the user's profile that you want to connect to Fivetran. For more information, see the Salesforce documentation.

To grant permission, do the following:

Log in to your Salesforce account.
Click Setup.
Under the Administer tab, expand the Manage Users section.
From the drop-down menu, select Permission Sets. You can either create a new permission set or use an existing one. One user can be assigned multiple permission sets.
Click Edit and enable Approve Uninstalled Connected Apps. Alternatively, enable Use Any API Client if API Access Control for your organization.
Click Save.
Click Manage Assignments > Add Assignments.
Select the user that you want to assign this permission set, and click Assign.
(Optional) After your Fivetran connection is successfully syncing, return to the permission set and disable Approve Uninstalled Connected Apps to remove this permission.

The Approve Uninstalled Connected Apps permission is only required during the initial connection setup. Once the connection is successfully created and is syncing data, you may remove the permission from the account for enhanced security.

Advanced configuration

Advanced configuration provides additional setup options that help you get more granular control over the permissions, data access, and security for your Salesforce connection.

Expand for instructions

Enable field history tracking

Enable Field History Tracking in Salesforce.

Configure Salesforce account

You can connect Fivetran to Salesforce using any user account that has the required API and object-level permissions. However, if you want more control over what data you sync, you can create a dedicated Salesforce user for Fivetran.

If you choose to create a dedicated user, follow the instructions in the Create new user and profile in Salesforce section first, and then use the instructions in the Limit permissions to tables or columns section to restrict access. If you use an existing user, you only need to complete the permission-limiting steps as needed.

Create new user and profile in Salesforce

Expand for instructions

To set up a Salesforce connection, you can use any Salesforce user within your organization that has permission to read data from the Salesforce APIs. However, we recommend creating a dedicated user and limiting data access for this user only to the data you want to sync. You can limit data access for a user by creating a profile in Salesforce and assigning it to the user.

To create a new user and profile in Salesforce, do the following:

Go to Setup.
Under the Administration tab, click the Profiles tab.
Click New Profile.
In the Existing Profile drop-down menu, select Read Only.
Enter a name in the Profile Name field. For example, 'Fivetran User Read Only'.
Click Save. The Profile page will open.
In the Profile Detail section, click Edit.
Go to the Standard Object Permissions section and set the Read permission for the objects that you want sync.
Go to the Custom Object Permissions section and grant the Read permission for the objects that you want to sync.
Click Save.
Under the Administration tab, click the Users tab.
Click New User.
Enter all the required details.
In the Profile drop-down menu, select the user profile you created (Fivetran User Read Only).
Follow the steps mentioned in the Limit permissions to tables or columns section to grant permission on field levels using permission sets.

Limit permissions to tables or columns

Expand for instructions

We sync the data that we have access to based on the viewing permissions of the connected user. If you don't want us to sync a certain type of data to into your destination, limit the permissions of the connecting user.

There are two ways to limit the data that we extract from your Salesforce account:

Disable tables in the Fivetran dashboard

To disable tables:
1. In your Fivetran dashboard, navigate to the Salesforce connection details page.
2. Go to the Schema tab and exclude the tables and columns that you do not want to sync.
  If you are concerned about unintentionally syncing sensitive data to your destination, click the gear icon to open the Schema Change Settings menu, then select Allow columns.
Limit the connecting user in Salesforce

Fivetran connects to your Salesforce instance through the credentials of the connecting user, so to limit our access to the data, limit that user's access. You can do this in Salesforce through Permission Sets.
It's best to limit the connecting user's access before you initially connect the user through our setup form. Otherwise, you may have some dead objects in Salesforce that will no longer be updated after you've restricted the user's permissions.
To limit user access:
1. Log in to Salesforce. You must have Administrative privileges to set permissions.
2. Click Setup.
3. Under the Administer tab, click on the arrow next to Manage Users.
4. You should see a drop-down menu below the arrow. Select Permission Sets in the drop-down menu.
5. (Recommended) Create a new set of permissions specifically for the user that you will use to connect to Fivetran. For example, 'Fivetran Permissions'.
  Users can have multiple sets of permissions assigned to them. If you'd like to be certain of what data we have access to, assign only one set of permissions to the connecting user.
  Press New > Enter in Label > Choose Appropriate User License Type. You'll see the settings for the new permission set (for example, 'Fivetran Permissions').
6. Select Object Settings.
7. Select which fields you would like this connecting user, and therefore Fivetran, to have access to. The default setting is No Access.
  The only permissions relevant to Fivetran are that we can read the data, though the user themselves may need to be able to do more. Read permission grants access to view records that are created by that user or are shared using rules, roles, or manual sharing. View All permission grants access to all records of that type (for example, the Account type).
  To enable the user to access all the files in the org, provide the user with the Query All Files permission. Fivetran can not sync all the records from the ContentNote, ContentDocument, ContentDocumentLink, and ContentVersion objects without the Query All Files permission.
8. Set the View Setup and Configuration permission to enable the Limits resource, which allows us to access different limits using API to optimize data sync.
9. Go to Administer > Manage Users > Users and select the user account that you will use to log in through Fivetran.
10. Scroll down to Permission Set Assignments and click Edit Assignments.
11. Move Fivetran Permissions from Available Permission Sets to Enabled Permission Sets.
12. Click Save.

Configure AWS PrivateLink

Prerequisites

To set up AWS PrivateLink, you need:

a Business Critical plan.
A Fivetran instance configured to run in the mentioned AWS regions.
A Salesforce Private Connect license

Set up AWS PrivateLink

Expand for instructions

To set up AWS PrivateLink, do the following:

Log in to your Salesforce Private Connect service.
Send your Service Name to our support team. Fivetran uses that service name to configure the Interface Endpoint.
Service names are the same across all Salesforce accounts.
We provision our AWS infrastructure for the Inbound connection. The infrastructure looks similar to any other Private Link client and consists of an Interface Endpoint, Security Group, and Route53 CNAME in the corresponding region. We use the provided Private Connect service name to configure the Interface Endpoint.
We provide you with the Interface Endpoint ID. Use that ID to create an Inbound connection in your Salesforce dashboard.
Salesforce may charge you extra for this new connection.
Select Actions > Sync to verify that the inbound connection is configured properly.
Select Actions > Provision to provision the connection.
Send your Domain Name to our support team. We use that domain name in the provisioned Route53 CNAME record, which maps the name to our Interface Endpoint URL.
You can find your domain name on the My Domain Settings page of your Salesforce dashboard.
Finish setting up your Salesforce connection as usual. The My Domain name will automatically map to the Interface Endpoint URL.

Finish Fivetran configuration

Fivetran has two separate services for Salesforce. Choose the connector for the environment you'd like to use:
- Production environment
- Sandbox environment
In the connection setup form, enter the Destination schema name of your choice.
In the Destination schema names field, choose the naming convention you want Fivetran to use for the schemas, tables, and columns in your destination:
- Fivetran naming: Standardizes the schema, table, and column names in your destination according to the Fivetran naming conventions.
- Source naming: Preserves the original schema, table, and column names from the source system in your destination.
The Source naming feature is not compatible with Quickstart transformations. To ensure successful syncs, we automatically disable Quickstart transformations for connections configured with Source naming.
If you want to modify your selection, make sure you do it before you start the initial sync.
Choose your Connection Method: Connect directly or Connect via Private Link.
If you select the Connect via Private Link option, enter the My Domain URL you found and skip to step 6.
File syncing is not supported for connections using Hybrid Deployment.
Select your Authentication Method:
- (Default) For OAuth2.0 authentication, click Authorize and log in to your Salesforce account.
  We recommend logging in while in Incognito mode to ensure authorization of the correct account.
- For mTLS authentication, perform the following steps:
  i. In the Client ID field, enter the consumer key for your configured connected app.
  ii. In the Client secret field, enter the consumer secret for your configured connected app.
  iii. In the CA-signed Certificate or Public Key field, upload the CA-signed certificate file you generated.
  iv. In the Private key field, upload the private key you generated.
  v. Enter the My Domain URL you found.
If you want to sync formula fields directly (not recommended), set the Sync formula fields directly toggle to ON.
If you want to sync Salesforce Files, set the Sync Salesforce Files to your destination's object storage toggle to ON.
This feature is available only for connections that are set up for destinations supporting unstructured file replication.
File syncing is not supported for connections using Hybrid Deployment.
Click Save & Test. Fivetran will take it from here and sync your data from your Salesforce account.