Follow our setup guide to connect Salesforce to Fivetran.
To connect Salesforce to Fivetran, you need:
- Access to an active Salesforce account
- A Salesforce Enterprise level account plan or higher, or purchased Salesforce API calls
NOTE: You may make up to four connectors using one set of Salesforce account credentials. That’s because Salesforce limits the number of connections made via OAuth2 to four per account per application. If you attempt to authenticate more than four connectors using one set of Salesforce account credentials, the earliest connector you authenticated with those credentials will lose its authentication.
If you need more than four Salesforce connectors, you must use additional Salesforce account credentials to create those connectors.
Enable field history tracking (optional) link
Read the Salesforce documentation to learn how to enable field history tracking.
Disable session IP lockinglink
If you have Session IP Locking enabled or get an
INVALID_SESSION_ID error, go to the Session Settings page and uncheck the Lock sessions to the IP address from which they originated box. It is very rare that this setting needs to be updated (<1% of cases), because by default it is already disabled for the majority of users.
Create new user and profile in Salesforce (optional)link
To set up a Salesforce connector, you can use any Salesforce user within your organization that has permission to read data from Salesforce’s APIs. However, we recommend creating a dedicated user and limit data access for this user only to data you want to sync. You can limit data access for a user by creating a profile in Salesforce and assigning it to the user.
To create a new user and profile in Salesforce, do the following:
Log in to Salesforce. You must have administrative privileges to create a user.
Go to Setup in the top right corner of your screen.
Under the Administration tab on the left side of the screen, click on the Profiles tab.
Click New Profile.
Select Read Only from the Existing Profile drop-down menu.
Enter a memorable name in the Profile Name field. For example,
Fivetran User Read Only.
Click Save. The Profile page will open.
Click Edit in the Profile Detail section.
Scroll down to the Standard Object Permissions section and set the Read permission for the objects that you want sync.
Scroll down to the Custom Object Permissions section and grant the Read permission for the objects that you want sync.
Under the Administration tab on the left side of the screen, click the Users tab.
Click New User.
Fill in all the required details.
In Profile, select the user profile you created (Fivetran User Read Only).
You can follow the steps mentioned here to grant permission on field levels using permission sets.
Limit permissions to tables or columns (optional)link
Fivetran syncs the data that we have access to based on the viewing permissions of the connected user. If you don’t want Fivetran to sync a certain type of data to into your destination, limit the permissions of the connecting user.
There are two ways to limit the data that we extract from your Salesforce account. You can either disable tables in the Fivetran dashboard or limit the connecting user in Salesforce.
Option 1. Disable tables in the Fivetran dashboard
- In your Fivetran dashboard, navigate to the Salesforce connector details page.
- Go to the schema tab and disable the tables and columns which you do not want to be synced.
If you are concerned about unintentionally syncing sensitive data to your destination, click the gear icon to open the Schema Change Settings menu, then select Allow columns.
Option 2. Limit the connecting user in Salesforce
Fivetran connects to your Salesforce instance through the credentials of the connecting user, so to limit our access to the data, limit that user’s access. You can do this in Salesforce through Permission Sets.
It’s best to limit the connecting user’s access before you initially connect the user through our setup form. Otherwise, you may have some dead objects in Salesforce that will no longer be updated after you’ve restricted the user’s permissions.
Log in to Salesforce. You must have administrative privileges to set permissions.
Go to Setup in the top right corner of your screen.
Under the Administer tab on the left side of the screen, click on the arrow next to Manage Users.
You should now see a drop-down menu below the arrow. Select Permission Sets in the drop-down menu.
We recommend that you create a new set of permissions specifically for the user that you will use to connect to Fivetran. Name it something memorable, such as “Fivetran Permissions.”
Users can have multiple sets of permissions assigned to them. If you’d like to be certain of what data we have access to, assign only one set of permissions to the connecting user.
Press New > Enter in Label > Choose Appropriate User License Type
You’ll see the settings for the new Permission Set (for example, “Fivetran Permissions”). Select Object Settings.
Select which fields you would like this connecting user, and therefore Fivetran, to have access to. The default setting is No Access.
The only permissions relevant to Fivetran are that we can read the data, though the user themselves may need to be able to do more. The difference between the Read permission and the View All permission is that Read gives access to view records that are created by that user or are shared via rules, roles, or manual sharing. View All gives access to all records of that type (for example, the Account type).
When you’ve chosen the appropriate permissions, go to Administer > Manage Users > Users and select the user whose account you will use to log in through Fivetran.
When you’re on that user’s page, scroll down to Permission Set Assignments and click Edit Assignments.
Move Fivetran Permissions from Available Permission Sets to Enabled Permission Sets and click Save.
(Optional) AWS PrivateLink PRIVATE PREVIEWlink
IMPORTANT: You must have a Business Critical plan to use AWS PrivateLink.
To set up AWS PrivateLink, you need:
- A Fivetran instance configured to run in AWS region us-east-1 or us-west-2
- A Salesforce Private Connect license
Set up AWS PrivateLink
Log in to your Salesforce Private Connect service.
Send your Service Name to our support team. Fivetran uses that service name to configure the Interface Endpoint.
NOTE: Service names are the same across all Salesforce accounts.
We provision our AWS infrastructure for the Inbound connection. The infrastructure looks similar to any other Private Link client and consists of an Interface Endpoint, Security Group, and Route53 CNAME in the corresponding region. We use the provided Private Connect service name to configure the Interface Endpoint.
Once we provide you with the Interface Endpoint ID, use that ID to create an Inbound connection in your Salesforce dashboard.
NOTE: Salesforce may charge you extra for this new connection.
Select Actions -> Sync to verify that the inbound connection is configured properly.
Select Actions -> Provision to provision the connection.
Send your Domain Name to our support team. We use that domain name in the provisioned Route53 CNAME record, which maps the name to our Interface Endpoint URL.
TIP: You can find your domain name on the My Domain Settings page of your Salesforce dashboard.
Finish setting up your Salesforce connector as usual. The My Domain name will automatically map to the Interface Endpoint URL.
Finish Fivetran configurationlink
- In the connector setup form, enter the Destination schema name of your choice.
- Click Authorize to authorize the API. You will be taken to the Salesforce login page.
- Log in to your Salesforce account to authorize Fivetran to connect to it.
- Return to the Fivetran dashboard and click Save & Test. Fivetran will take it from here and sync your data from your Salesforce account.