When you first integrate your Donorbox account with your Salesforce Org, it connects to your Salesforce Org using the OAuth protocol, which is an open standard for access delegation. For creating this delegated access tunnel, it uses the Salesforce credentials that you used to sign up for the Salesforce integration on Donorbox.
With this in mind, it’s highly advisable that you connect to Salesforce using an account that has admin-level access in your Salesforce Org. This essentially means that the particular user account has been assigned the following license and user profile in Salesforce:
- User License: Salesforce
- Profile: System Administrator
You can easily check these details from the user’s section in your Salesforce setup by going to that specific user records detail page.
The reason we advise using an admin-level user for connecting to Donorbox is that it has all the required permissions enabled by default. These permissions are required for the application sync to work without any problems.
We understand that there are cases where it’s not possible for you to connect using an admin level user account. To help, we wrote this article to cover the minimum level of permissions that are required for the proper functioning of the Donorbox and Salesforce integration.
First Things First
- Connect your Salesforce account to Donorbox. Detailed instructions can be found here.
- Head over to Setup > Users > Select the user that was used for the Donorbox connection.
- When you scroll down, you’ll find Donorbox in the OAuth Connected Apps related list. This ensures that your connection to Donorbox is established properly.
We’ll now look at the basic rights, permissions, record sharing rules, and record type permissions that are required for the Donorbox integration to work.
There can be additional dependencies specific to every Salesforce Org, such as sharing rules, validation rules, duplication rules, escalation rules, triggers, and workflow rules. All these can cause potential issues with record creation and modification.
Our Salesforce error logs page on Donorbox provides considerable details for every error that occurs during the record sync. If you have trouble understanding the error logs, you can always send us a support ticket.
The user through which your Salesforce account is connected to Donorbox needs to have the “Create Campaign” permission which can be granted by editing the user from user setup in Salesforce. All you need to do is to go to Setup > Users > Select the user that was used for the Donorbox connection and click edit. There would be a “Marketing User” checkbox field there, please make sure that it is checked.
Before we start, you need to ensure that your Salesforce profile has edit access to the fields for the Account, Opportunity, Contact, and Campaign objects. You can confirm this from the “Field-Level Security” related list section in your profile.
Clicking on the “View” link for these objects will take you to the Field-Level Security page, where you will have the option to set “Edit Access” and “Read Access” for each field of that particular object. Note: Make sure that you have edit access to preferably all the fields. And that you ensure this for all the highlighted objects.
In the Administrative Permissions section on your profile (which is below the Field-Level Security section), ensure that the following permission checkboxes are checked:
- API Enabled
- Manage Data Integrations
- Modify All Data
- Modify Metadata Through Metadata API Functions
- Transfer Record
- View All Data
Below Administrative Permissions is the Standard Object Permissions section. In this section, ensure that you have the “Modify All” check-boxes selected for the Accounts, Campaigns, Contacts, and Opportunities objects.
Additionally, if you have enabled IP restrictions through the “Login IP Ranges” section, please ensure that you have whitelisted the IP ranges of the Donorbox.org platform.
After setting Object and Field Level security, you need to configure access settings for the actual records themselves.
Record Level Security
Record Level Security lets you give users access to some object records, but not others. Every record is owned by a user or a queue. The owner has full access to the records that they own.
Record Level sharing is set up in a top-down hierarchy. We have Organization-Wide Defaults, followed by Role Hierarchies, then Sharing Rules, and finally Manual Sharing.
A combination of all these record sharing settings is what actually calculates and defines the record-level access that your account will have. This is important because the Donorbox integration will fail to access, create, and modify records in your Salesforce Org if it does not have the right record-level access.
Now an interesting note here is that as you go down the hierarchy, you cannot restrict the record-level access—you can only give further record accessing permissions. Therefore, if you can define the most lenient record-sharing rules at the top level (i.e. at the Organization-Wide Defaults), then you don’t need to worry about the sharing settings below it. This following illustration gives you an idea of that:
You can set up the Org-Wide Defaults from Setup under the Sharing settings menu item. If you cannot assign the “Public Read/Write” default sharing settings for the Opportunities, Contacts, Accounts, and Campaigns object under Org-Wide Defaults, then you can define sharing rules for each of these objects. This can also be done from the Sharing settings page and are defined just below the Org-Wide Defaults section.
Once you’ve specified organization-wide sharing settings and sharing rules, another way you can give wider access to records is with a role hierarchy.
Similar to an organization chart, a role hierarchy represents a level of data access that a user or group of users needs. The role hierarchy ensures that users higher in the hierarchy always have access to the same data as people lower in the hierarchy, regardless of the organization-wide default settings.
Role hierarchies don’t have to exactly match your organization chart. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs.
You can access the role hierarchies page from the Setup directly. It can be found under the User heading in the menu and is named “Roles”.
Another important component of our integration is tied to having access to the right record types.
Salesforce NPSP package has certain default record types for the Opportunity, Account, and Campaign objects. Our integration requires the connected Salesforce account to have access to these record types. Otherwise, Donorbox is unable to push the donations to your Salesforce Org.
- For the Campaign object in Salesforce, Donorbox integration selects the “Default” record type when pushing campaigns from Donorbox to Salesforce.
- Similarly, for the Account object in Salesforce, Donorbox integration defaults to the “Household Account” record type.
- For the Opportunity object, it uses the “Donation” record type.
The Salesforce user account that is connected to Donorbox needs to have access to at least these record types. And the easiest way to ensure that the connected user account has access to the right record types is through that user’s profile.
- Head to the relevant user’s profile page, which is accessible through Setup.
- Scroll down to the “Record Type Settings” section.
- Ensure that the record types we mentioned above are selected in this profile for the Account, Campaign, and Opportunity objects.
You made it! This sums up all the standard security and permission requirements that are essential for the Donorbox and Salesforce integration.
If you have any questions, feel free to reach out and drop us a line. We’re happy to help.