How To Mass-Activate Salesforce Access for Multiple Users
Important
Mass authorization of Salesforce users with a Salesforce service account is compatible only with RG Sync Engine. It is not yet available for RG Sidebar mass authorization.
The RG Sync Engine supports bulk user authorization in Salesforce. When combined with mass delegated or application-only email access authorization, this setup eliminates the need for end-user actions. Additionally, using this method prevents authorization prompts for end users when access tokens expire.
To quickly establish a Salesforce connection for all RG users in your organization, use the CRM section under the profile’s Connectivity subtab in the RGES Admin panel. A prerequisite for this feature is creating a Salesforce service account with full data visibility.
Requirements for service account permissions
System permissions for profile
Permission | Description | Notes |
---|---|---|
Access Activities | Access tasks, events, calendar, and email. | |
Access Libraries | Access Libraries. | Required for Content Documents. |
Apex REST Services | Allow access to Apex REST services. | |
API Enabled | Access any Salesforce.com API. | |
Edit Events | Create, edit, and delete events. | |
Edit Read Only Fields | Edit fields that are read-only due to page layouts or field-level security. | |
Edit Tasks | Create, edit, and delete tasks. | Required if emails are shared via Tasks. |
Modify All Data | Create, edit, and delete all organizational data, regardless of sharing settings. | |
View All Data | View all organizational data, regardless of sharing settings. | |
FAQs about system permissions
What is the “Access Libraries” permission, and why is it needed?
The Access Libraries permission allows access to Salesforce Libraries, which are repositories for storing and sharing documents and content. It is required to access or manipulate Content Documents as an attachment type.
Salesforce uses Libraries to store and manage Content Documents, so accessing or modifying these files often depends on this permission. Without it, actions like attaching files to records or retrieving files for impersonated users will fail.
Check if your use case involves managing Content Documents or file attachments. If so, ensure this permission is enabled.
What is the “Modify All Data” permission, and why is it important?
The Modify All Data permission allows the account to create, edit, and delete all organizational data, regardless of sharing settings.
It is crucial for impersonation functionality, which needs to operate across multiple records and objects while bypassing typical user-specific sharing rules. Without this permission, the service account will encounter “insufficient access” errors for specific data or records.
This permission ensures the service account has global access to organizational data to perform its tasks effectively.
What is the “View All Data” permission, and why is it required?
The View All Data permission allows the service account to view any data in the Salesforce org, regardless of sharing settings or user ownership.
Impersonation scenarios often involve data visibility varying between users. This permission ensures the service account has a “superuser” view to access all records for which the impersonated user has permission.
Without this permission, the functionality will fail when the service account lacks visibility into certain records. This permission is critical for enabling seamless access across organizational boundaries.
Object settings for profile
Object | Permissions | Notes |
---|---|---|
Accounts | Read, Create, View All. | |
Contacts | Read, Create, Edit, Delete, View All, Modify All. | |
Documents | Read, Create, Edit, View All, Modify All. | Required for Content Documents. |
Opportunities | Read, View All. | |
Leads | Read, Create, Edit, View All, Modify All. | |
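
The two profile tables above can double as an audit checklist. The following is an added example, not part of the RG documentation: it compares a profile's grants with those tables and reports what is missing and what goes beyond them. The input shape (permission labels mapped to booleans, object cells as comma-separated strings) and the sample values are assumptions constructed for illustration.

```python
# Added example: compare a service-account profile with this page's tables.
REQUIRED_SYSTEM = {
    "Access Activities", "Access Libraries", "Apex REST Services",
    "API Enabled", "Edit Events", "Edit Read Only Fields", "Edit Tasks",
    "Modify All Data", "View All Data",
}
REQUIRED_OBJECT = {
    "Accounts": "Read, Create, View All.",
    "Contacts": "Read, Create, Edit, Delete, View All, Modify All.",
    "Documents": "Read, Create, Edit, View All, Modify All.",
    "Opportunities": "Read, View All.",
    "Leads": "Read, Create, Edit, View All, Modify All.",
}

def parse_perms(cell):
    """Turn a table cell such as 'Read, Create, View All.' into a set."""
    return {p.strip().rstrip(".") for p in cell.split(",") if p.strip()}

def audit_profile(system_perms, object_perms):
    """Report grants the tables require but the profile lacks, and grants
    the profile holds that the tables do not list."""
    enabled = {name for name, on in system_perms.items() if on}
    report = {
        "missing_system": sorted(REQUIRED_SYSTEM - enabled),
        "extra_system": sorted(enabled - REQUIRED_SYSTEM),
        "missing_object": {},
        "extra_object": {},
    }
    for obj in sorted(set(REQUIRED_OBJECT) | set(object_perms)):
        need = parse_perms(REQUIRED_OBJECT.get(obj, ""))
        have = parse_perms(object_perms.get(obj, ""))
        if need - have:
            report["missing_object"][obj] = sorted(need - have)
        if have - need:
            report["extra_object"][obj] = sorted(have - need)
    return report

# Constructed sample profile (hypothetical values, not from a real org).
SAMPLE_SYSTEM = {name: True for name in REQUIRED_SYSTEM}
SAMPLE_SYSTEM["Edit Tasks"] = False      # required here, but switched off
SAMPLE_SYSTEM["Manage Users"] = True     # not in the table above
SAMPLE_OBJECT = dict(REQUIRED_OBJECT)
SAMPLE_OBJECT["Accounts"] = "Read, Create, Edit, View All"   # extra Edit
SAMPLE_OBJECT["Documents"] = "Read, Create, View All"        # lacks two

if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_SYSTEM, SAMPLE_OBJECT).items():
        print(f"{key}: {value}")
```

Entries reported as extra deserve review on an account that already holds Modify All Data and View All Data.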
Authorization using a service account with granted data visibility
Follow the instructions below to mass-authorize Salesforce access for the end users via the CRM section.
- Create a Salesforce user account with granted data visibility for all data in the organization that will be accessed and managed by RGES users in your company. If you intend to mass-authorize RGES end users’ access to a Salesforce Sandbox environment, create a corresponding service user account in this environment.
Important
To use this feature, set up a dedicated Salesforce service-only account. Please do not use an active RGES user account or provision the service account in the RG Email Sidebar, as it is only intended for Salesforce access authorization.
- Open RG Admin panel > Profiles tab > Connectivity subtab.
- In the CRM section, click Log in with Salesforce.
Note
Presently, only the Salesforce OAuth authorization option is available. This means that the refresh token of the pre-set Salesforce service account will be used to authorize access for a specified group of RGES end users.
- Log in to the dedicated service account using the standard Salesforce OAuth window that opens in your browser.
- If authorization was successful, you will see that the Salesforce service account status changed to Connected.
Re-establishing connection after refresh token expiration
If the service account’s refresh token expires, RG Sync is suspended for the entitled end users, and the local RG admin will see the status change to Disconnected in the CRM widget on the Connectivity tab.
Tip
Users’ sync status and Salesforce connection can also be monitored via the Users subtab of the Admin panel’s Profiles tab. Look for users whose Synchronization status changes to Disabled; if clicking on such a user brings up the notification “invalid_grant: expired access/refresh token,” the user’s access token requires refreshing.
To get a new refresh token and re-establish the Salesforce connection:
- Open the Connectivity subtab of the Profile tab in the RG admin panel.
- In the CRM widget, click Refresh.
- After refreshing, log in to the dedicated service account using the standard Salesforce OAuth window that opens in your browser.
Now, the RG users’ Salesforce connection will be recovered.