# Before you create a Salesforce workspace

## Configure Salesforce as an Identity Provider <a href="#salesforce-identity-provider" id="salesforce-identity-provider"></a>

You must [enable Salesforce as an Identity Provider](https://help.salesforce.com/s/articleView?language=en_US\&id=identity_provider_enable.htm\&type=5).

This is required for authentication between Salesforce and Structural. It is independent of any existing Salesforce single sign-on (SSO) user login.

## Enable Grant API Enabled Access <a href="#salesforce-api-enabled-access" id="salesforce-api-enabled-access"></a>

You must [enable Salesforce with Grant API Enabled Access](https://help.salesforce.com/s/articleView?id=sf.branded_apps_commun_api_permset.htm\&type=5).

This is required for authentication between Salesforce and Structural.

## Creating the connected Salesforce application for Structural <a href="#salesforce-create-connected-app" id="salesforce-create-connected-app"></a>

For the integration between Structural and Salesforce:

* Salesforce is set up as an Identity Provider for Structural.
* OAuth bearer tokens are used to transparently access Salesforce from Structural.

There are no separate passwords or user secrets. Each user can access only the data that the level of access of their Salesforce or Structural account allows.

### Create the application in Salesforce <a href="#salesforce-create-app" id="salesforce-create-app"></a>

1. Log into your Salesforce instance.
2. Make sure that Salesforce is enabled as an [Identity Provider](https://help.salesforce.com/s/articleView?language=en_US\&id=identity_provider_enable.htm\&type=5) with [Grant API Enabled Access](https://help.salesforce.com/s/articleView?id=sf.branded_apps_commun_api_permset.htm\&type=5).
3. In the top right corner, click the gear icon, then click **Setup**.

<div data-full-width="false"><figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FVrxeNsXnhYIGJYH6INBf%2FSalesforce_CreateAppSelectSetup.png?alt=media&#x26;token=909390f8-83fd-473b-b16d-a0e4e3c5a699" alt=""><figcaption><p>Setup menu</p></figcaption></figure></div>

4. On the **Setup** page, in the search field, enter **App Manager**, then select **App Manager**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FqTJa63ds9LuWj7Wn0oOy%2FSalesforce_CreateAppFindAppManager.png?alt=media&#x26;token=09ea71ac-5d9e-4ea4-b8f1-433791604e0c" alt=""><figcaption><p>Using the search field to find the App Manager</p></figcaption></figure>

5. Click **New Connected App**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Fii2l8IVVag3BjLJdYFlY%2FSalesforce_CreateAppNewConnectedApp.png?alt=media&#x26;token=49cd2ffc-f1cc-4c95-8968-788faa556f1d" alt=""><figcaption><p>Option to create a new connected application</p></figcaption></figure>

6. On the **Create a Connected App** panel, click **Create a Connected App**.
7. On the **New Connected App** page, under **Basic Information**, fill in the following fields:
   * **Connected App Name**. We recommend that you include '`Tonic`' somewhere in the name. Note that after you create a connected app, you cannot change the name.
   * **API Name**
   * **Contact Email**

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FODJXhxihvk3H2rMiY2DC%2FSalesforce_CreateAppBasicInformation.png?alt=media&#x26;token=34824e9c-8f43-4cc6-bbc6-4b4ce1d933f1" alt=""><figcaption><p>Basic Information section for connected application creation</p></figcaption></figure>

8. Under **API (Enable OAuth Settings)**:
   1. Check **Enable OAuth Settings**.
   2. In the **Callback URL** field, enter the URL of your Structural instance with `/oauth2/callback` appended to it.\
      \
      For a self-hosted instance, if you do not have access to the Structural URL, contact the Structural administrator at your organization. If your organization has deployed more than one Structural instance, you can enter multiple URLs.\
      \
      For Structural Cloud, the callback URL is `https://app.tonic.ai/oauth2/callback`.
   3. Under **Selected OAuth Scopes**, move the following settings from **Available OAuth Scopes** to **Selected OAuth Scopes**:
      * **Manage user data via APIs (api)**
      * **Perform requests at any time (refresh\_token, offline\_access)**
   4. Leave the currently checked checkboxes checked.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FTuKWuncZ8tysqI6vk6sS%2FSalesforce_CreateAppOathSettings.png?alt=media&#x26;token=276b999d-c4ca-4082-9944-30e0ff5d9f2e" alt=""><figcaption><p>API (Enable OAuth Settings) section for connected application creation</p></figcaption></figure>

9. Navigate to the bottom of the page, then click **Save**.
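
The callback URL and scope choices from step 8 can be checked before they are entered in Salesforce. The following Python is an added example, not Tonic or Salesforce code; the function names, the https-only rule, and the `structural.example.internal` host are assumptions of this example.

```python
from urllib.parse import urlsplit

# Scope tokens named in step 8 of the procedure above.
REQUIRED_SCOPES = {"api", "refresh_token", "offline_access"}
CALLBACK_PATH = "/oauth2/callback"


def callback_url(structural_url: str) -> str:
    """Build the Callback URL value for one Structural instance URL."""
    parts = urlsplit(structural_url.strip())
    # Assumption of this example: only https callbacks are accepted.
    if parts.scheme != "https":
        raise ValueError(f"{structural_url!r}: callback must use https")
    if not parts.hostname:
        raise ValueError(f"{structural_url!r}: missing host")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError(f"{structural_url!r}: no credentials, query or fragment")
    # Avoid '//oauth2/callback' when the base URL ends with a slash.
    return f"https://{parts.netloc}{parts.path.rstrip('/')}{CALLBACK_PATH}"


def review_connected_app(structural_urls, selected_scopes):
    """Return (callback_urls, findings) for a planned connected app."""
    findings, urls = [], []
    for base in structural_urls:
        try:
            url = callback_url(base)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if url not in urls:  # two spellings of one instance give one URL
            urls.append(url)
    selected = {s.strip().lower() for s in selected_scopes}
    for missing in sorted(REQUIRED_SCOPES - selected):
        findings.append(f"missing scope: {missing}")
    for extra in sorted(selected - REQUIRED_SCOPES):
        findings.append(f"scope not required by this procedure: {extra}")
    return urls, findings


if __name__ == "__main__":
    # Constructed sample input: the cloud URL plus a hypothetical self-hosted URL.
    urls, findings = review_connected_app(
        ["https://app.tonic.ai/", "http://structural.example.internal"],
        ["api", "refresh_token", "offline_access", "full"],
    )
    print("\n".join(urls))
    print("\n".join(findings))
```

Any finding about an extra scope is a prompt to remove it from **Selected OAuth Scopes** unless another integration that shares the connected app needs it.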

### Retrieve the consumer key and secret <a href="#salesforce-connected-app-get-consumer-key-secret" id="salesforce-connected-app-get-consumer-key-secret"></a>

After you save the new application, to retrieve the consumer key and secret values:

1. Expand the **API (Enable OAuth Settings)** section, then click **Manage Consumer Details**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FbGhbYTnVjwTP7dGL0x7r%2FSalesforce_CreateAppManageConsumerDetails.png?alt=media&#x26;token=191b46de-9120-42ba-8e01-5fd3f446c732" alt=""><figcaption><p>Manage Consumer Details option on the application details page</p></figcaption></figure>

2. Locate and copy the values of **Consumer Key** and **Consumer Secret**. You use these to populate the consumer key and secret values in Structural.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FB5ciwuXQH2leYnkChDyQ%2FSalesforce_CreateAppGetConsumerKeySecret.png?alt=media&#x26;token=87852401-4a98-47a5-a35a-0b6936e190c7" alt=""><figcaption><p>Consumer Key and Consumer Secret fields for the new application</p></figcaption></figure>

### Set the consumer key and secret Structural environment settings <a href="#salesforce-app-env-settings" id="salesforce-app-env-settings"></a>

Set the following [Structural environment settings](https://docs.tonic.ai/app/admin/environment-variables-setting). You can configure them from the **Environment Settings** tab on **Structural Settings**:

* `TONIC_SALESFORCE_CONSUMER_KEY` - Set to the consumer key value that you copied from Salesforce.
* `TONIC_SALESFORCE_CONSUMER_SECRET` - Set to the consumer secret value that you copied from Salesforce.

If you do not configure these environment settings, then you must provide the consumer key and consumer secret in the workspace configuration. For example, on Structural Cloud, you must always configure the consumer key and secret in the workspace.

### Confirming the connected application permissions <a href="#salesforce-connected-app-confirm-permissions" id="salesforce-connected-app-confirm-permissions"></a>

After you set up the connected application, the first time that you log in to Salesforce with the user that connects from Structural, Salesforce displays a warning about the additional permissions that are granted to the connected application.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FZfpiCmIOsXhcLZbGwulp%2FSalesforce_ConnectedAppConfirmPermissions.png?alt=media&#x26;token=d9f921b5-7cfa-40e8-8d03-47368e08b18a" alt=""><figcaption><p>Confirmation panel for the connected application permissions</p></figcaption></figure>

This first login is likely to occur the first time that you configure a workspace connection.

Salesforce prompts you to confirm those permissions.

If you do not confirm the permissions, then Structural is unable to connect to Salesforce.

## Creating the source and destination connections <a href="#salesforce-source-dest-connections" id="salesforce-source-dest-connections"></a>

For a Salesforce workspace, the source and destination data connections must be separate orgs.

The source and destination connections can be production orgs, sandbox orgs, or scratch orgs.

However, the destination connection can only be a scratch org if the source connection is also a scratch org.

## Ensuring required Salesforce user permissions <a href="#salesforce-user-permissions" id="salesforce-user-permissions"></a>

Salesforce users who authorize Structural to connect on their behalf must have the following permissions configured:

* Granted the `Marketing User` option.
* Assigned a role that has edit access for all of the opportunities and cases. In the example below, `All Access` is a custom role that was granted the required access.
* Assigned the `System Administrator` profile.
* Granted the `Manage Users` permission. If the permission is not included in the `System Administrator` profile, then you must grant it separately.
* Granted the additional permission `Update Records with Inactive Owners`.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FgOrynTxt4zJbsGI69fxJ%2FSalesforce_EnsureRequiredUserPermissions.png?alt=media&#x26;token=b7d0a01d-dc95-470a-a118-f6f206067fab" alt=""><figcaption><p>User details with required permissions highlighted</p></figcaption></figure>

### Making the Update Records with Inactive Owners permission available to grant <a href="#salesforce-enable-addition-permission" id="salesforce-enable-addition-permission"></a>

Before you can grant the `Update Records with Inactive Owners` permission, you must make sure that it is available to grant.

To make the permission available:

1. Go to **Setup > User Interface**.
2. Check the **Enable “Set Audit Fields upon Record Creation” and “Update Records with Inactive Owners” User Permissions** checkbox.
3. Click **Save**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FqUUCu0VPy4U5rolz750B%2FSalesforce_MakeUpdateRecordsWithInactiveOwnersAvailable.png?alt=media&#x26;token=205e50a4-3622-4f9f-b7d3-6b07b6e030d3" alt=""><figcaption><p><strong>Enable</strong> <strong>“Set Audit Fields upon Record Creation” and “Update Records with Inactive Owners” User Permissions</strong> checkbox</p></figcaption></figure>

### Granting the Update Records with Inactive Owners permission <a href="#salesforce-permission-additional-grant" id="salesforce-permission-additional-grant"></a>

After you enable the permission, to grant it, you can create and assign a permission set.

To display the permission sets page:

1. Go to **Setup**.
2. Under **Administration**, click **Users**, then **Permission Sets**.

#### Creating the permission set <a href="#create-permission-set" id="create-permission-set"></a>

To create the permission set:

1. On the **Permission Sets** page, click **New**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FNmQZT1qpu6Nb7EJb9Mx8%2FSalesforce_PermissionSetsNew.png?alt=media&#x26;token=610c3a60-8030-42bb-a693-8d9fbe69e3ad" alt=""><figcaption><p>New button to create a new permission set</p></figcaption></figure>

2. In the **Label** field, provide a name for the permission set.
3. Leave **License** set to **None**.
4. Click **Save**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FqzqQwNpHXQh6Zf2t9MnN%2FSalesforce_PermissionSetConfigureNew.png?alt=media&#x26;token=b3108d7f-7144-4b5f-80c9-9ec15d5a136e" alt=""><figcaption><p>Creating a new permission set</p></figcaption></figure>

#### Assigning the permission to the permission set <a href="#assign-permission-to-permission-set" id="assign-permission-to-permission-set"></a>

To assign the permission to the permission set:

1. On the **Permission Sets** page, under **System**, click **System Permissions**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FwGBI3UsvlGl7oVzzjBNW%2FSalesforce_PermissionSetsSystem.png?alt=media&#x26;token=c9a2a3c8-e427-43e8-9a89-75df3181c9ec" alt=""><figcaption><p>System section on the Permission Sets page</p></figcaption></figure>

2. Under **System Permissions**, click **Edit**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FLBn79s6KMe8je8HOyzYJ%2FSalesforce_SystemPermissionsEditOption.png?alt=media&#x26;token=4432f403-a030-47f9-a5b7-7b9cdb5d5078" alt=""><figcaption><p>Edit option for the system permissions</p></figcaption></figure>

3. Check the `Update owner and sharing-based fields with Inactive Owners` permission.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FmkhulFctEDsuSqkdtduE%2FSalesforce_PermissionSetUpdateRecordsWithInactiveOwners.png?alt=media&#x26;token=13269d5a-f8be-4373-8536-a64bbd009937" alt=""><figcaption><p>Enabling the Update owner and sharing-based fields on records with inactive owners permission</p></figcaption></figure>

4. Click **Save** and then confirm your changes.

#### Assigning the permission set to the user

To assign the permission set to your user:

1. From the permission set details, click **Manage Assignments**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FgDe2aM0JOahNj5D3NAy3%2FSalesforce_PermissionSetManageAssignments.png?alt=media&#x26;token=b6a56cde-e3e2-405e-9221-7e7028d7dc2c" alt=""><figcaption><p>Manage Assignments option for the permission set</p></figcaption></figure>

2. On the **Current Assignments** page, click **Add Assignment**.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2FzYb0nQ0VbB0ja0mcuYSr%2FSalesforce_PermissionSetAddAssignmentOption.png?alt=media&#x26;token=f7970eb4-5323-4979-8a89-7a023b855131" alt=""><figcaption><p>Add Assignment option for a permission set</p></figcaption></figure>

3. On the **Select Users to Assign** page, select the user or users that you intend to use with Structural.

<figure><img src="https://3378426797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LSQCLFQ4bslJ-HYc8c3%2Fuploads%2Ff2hpK8ckTrtnwYcb51AA%2FSalesforce_PermissionSetSelectUsers.png?alt=media&#x26;token=1f0d8c59-29e8-4fd7-a85e-827913d3ff7b" alt=""><figcaption><p>Select Users to Assign page for a permission set</p></figcaption></figure>

4. Click **Next**, then confirm the permission set assignments.

## Enabling the ability to de-identify Salesforce users

Salesforce workspaces include an [option to de-identify destination users](https://docs.tonic.ai/app/setting-up-your-database/salesforce-workspace-data-connections#salesforce-deidentify-users).

To allow this option, in the **User Management Settings** for the destination org, you must enable **Scramble Specific Users’ Data**.

