Salesforce Authenticated / Backup User Permission Requirements

OwnBackup leverages the Salesforce API, please ensure that the Authenticated User has the required permissions as follows:

• The "Modify All Data" permission checkbox and enabled in the profile and all its default subsequent permissions are enabled.
• A license of any installed package (that requires a license to access its data) must be assigned to the Authenticated User e.g nCino.
• At least Read and Edit Access to all Standard & Custom objects, fields, and record types (can be configured from the Field Level Security page).
• In case you are using the Salesforce Knowledge Base module (KB Articles), the Authenticated User must be:
  • A Knowledge User.
  • Have View Archived Articles & View Draft Articles permission enabled.
• In cases where Content Documents objects are needed to be backed up, we highly recommend enabling "Query All Files".
• If the "Unlisted Chatter Groups" is enabled, you must enable the manage unlisted groups, permission on the profile of the authenticated user.
• If you are using Salesforce Shield, OwnBackup will backup all fields that have Platform Encryption in place without any additional setup steps being required.
  If you wish to backup the TenantSecret object, which is advised, the Authenticated User should have the Manage Encryption Key checkbox enabled in their profile.
• Restoring Audit fields - Objects in Salesforce have audit fields (CreatedByID, CreatedDate, LastModifiedbyID, LastModifiedDate) that are read-only by default as they are populated by Salesforce upon creation or modifications of records. Based on your business use case, if you would like to restore Audit fields, you can do that from the setup page: Enable "Set Audit Fields upon Record Creation" and "Update Records with Inactive Owners" User Permissions. See more here. 

*Authenticated User = The user that connects OwnBackup to the client's Salesforce org.

The specific permissions for each OwnBackup authenticated user is defined either in the user’s profile, or via a permission set. As a best practice, OwnBackup recommends having a dedicated user provisioned specifically for OwnBackup. This should enable to enhance security and audit trail capabilities, as well as assist to avoid API concurrency collisions, and other problems that may occur due to with the same user issues.

The recommended best practice for large data volumes, is as follows to have a dedicated authenticated user for the Core product, and one authenticated user for the Archive product.

For security best practices: 

• Create a secure Salesforce API-only user.
• Enable IP restrictions to the relevant OwnBackup app servers.

Please note that OwnBackup uses the latest available backup to determine the schema of the Org, and accordingly whether certain fields/sObjects are read-only.  Therefore, make sure to force a backup upon Salesforce’s enabling read-write access to the audit fields.

 Further reading from Salesforce:

• How to manage User Profiles and Permission Sets
• Available Feature Licenses
• API Only User