Tag Archives: salesforce

Encryption in Salesforce

When we talk about Encryption in Salesforce, There are typically three kinds of encryption you may need to secure your data:

  • Encription at rest
  • Encription during transit
  • Encription during usuage

Here we will be going to talk about Encryption at rest which is provided by Salesforce Shield which provides 3 products:

  • Event Monitoring
  • Field Audit Trail
  • Encryption

Encryption

Protect data at rest – Encrypt standard & custom fields, files & attachments

Natively to Salesforce features like Search, Chatter, Relationship work with encrypted data

Bring your Own Key: Customer can manage keys, Customer-driven encryption key lifecycle management

Encryption in Salesforce
Salesforce Shield

Find more details at https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/salesforce_shield.htm

There are two types of Shield Encryption: Deterministic & Probabilistic. Deterministic encryption is for the field which you need in the where clause in a query but the Probabilistic type ensures extra security than the Deterministic type.

Don’t get confused between Classic encryption and Shield platform encryption, Classic encryption is also provided on top of the platform with no cost but it doesn’t support the Standard field, File, also it provides 128 bit AES and user access to the encryption field is managed by permission set

https://twirltech.in/architect-blogs/

Salesforce Unlock Package

There are three kinds of packages one can build in the Salesforce platform, Out of which Salesforce Unlock Package is very powerful for the use-case of project deployment, release management, and CICD.

  1. Manage Package: Metadata is IP Protected, distributed via AppExchange
  2. Unmanage Package : Metadata is not IP Protected, you can protect via password but not a good way of working
  3. Unlock Package: Metadata elements are not locked, use it for modular development

Salesforce Unlock package provides a great way for modular development and release, Best suited for Multi org rollout of core functionalities. The diagram below illustrates the unlock packaging and release via Salesforce CLI. Core reviews can also be automated using Salesforce CLI Scanner plug-in using PMD v6.38.0, ESlint v6.8.0, and RetireJS v2.2.5. My blog on Salesforce Code Review Process has more details on that https://twirltech.in/2021/10/salesforce-code-review-process/

It’s Source driven development and deployment mechanism comes with Platform, no-cost, fully integrated with developer IDE VS Code

Salesforce Unlock Package
Salesforce Unlock Package

Refer to the Salesforce developer guide to get your hands dirty https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_unlocked_pkg_intro.htm

Salesforce Code Review Process

There are many AppExchange tools for Salesforce Static code analysis, few of the market leaders are SonarQube, CheckMarx, CodeScan. PMD (Programming Mistake Detector) is also a popular option. These tools help the Release Manager in Salesforce Code Review Process.

I will not go through each tool’s capability rather highlight my opinion and comparison between two of my personal favorite CodeScan and PMD; Paid vs Open Source. And Lastly want to cover Salesforce CLI Scanner which can be a viable alternative.

Salesforce Code Review Process
PMD
  1. PMD has a set of built-in rules available for both Apex and Visualforce pages. Static ruleset with define priority n PMD for Apex.

2. Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth

3. Supports Salesforce Apex & Visualforce

4. Plugin for VS Code, ANT build, Eclipse 

5. It is Open-source which doesn’t have any licensing cost

Major drawback – The scan doesn’t review Lightning and LWC Components.

https://pmd.github.io/latest/pmd_rules_apex.html

Salesforce Code Review Process
CodeScan

CodeScan Features

  1. Codescan is an end to end code analysis solution to ensure quality and security of Salesforce orgs 2.
  2. 350+ security and quality rules for Apex, Visualforce, Lightning and Metadata
  3. IDE plugins helps developers to get the review on real time to address any issues with the code quality
  4. 4.Integrates directly with Salesforce and all popular CI/CD pipelines, Integration with Jira
  5. Covers Lightning Component and Javascript related issues and standards.
  6. Easy to configure/modify a ruleset as needed
  7. It is not open source. License cost is involved. Self-host or cloud plan

CODESCAN INTEGRATIONS
CodeScan SFDX Plugin
IDE Plugins
AutoRABIT
Copado
Flosum
Azure DevOps
GitLab
Bitbucket Pipelines
GitHub Actions
Jenkins
Webhooks

https://www.codescan.io/

Code Quality check with the Salesforce CLI Scanner

The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code. Developer can install the plug-in on a local developer machine or integrate it into a CI/CD process to scan the code.

It can be seamlessly integrated with Salesforce dx release management to automate the code review process.

Salesforce CLI Scanner plug-in uses PMD v6.38.0, ESlint v6.8.0, and RetireJS v2.2.5 at this moment. Salesforce is actively implementing new features to further improve Salesforce CLI Scanner.

PMD is a source code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. It’s built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

ESLint is a popular linting tool for JavaScript. It provides numerous static analysis rules that help developers write quality code.

RetireJS is an engine that analyzes a project’s third-party JavaScript dependencies and identifies those that have known security vulnerabilities

Plugin Design
Salesforce CLI Scanner

https://forcedotcom.github.io/sfdx-scanner/en/getting-started/prerequisites/

https://twirltech.in/architect-blogs/

Salesforce Einstein Analytics Deployment

Salesforce Einstein Analytics Deployment: Salesforce Einstein Analytics components can be deployed in orgs via three ways:

If the Einstein Analytics components will be deployed to a related org then Change set is the best option.
Else Package-based metadata deployment using VS Code is the freeware to carry out the deployment.

There are deployment tools like AutoRabit, Copado Gearset etc who supports Einstein Analytics component deployment seamlessly but the assumption here is customers don’t have a license of any of those tools.

Before starting, please make sure who is carrying out the deployment has the below permission

  • Manage Analytics
  • API enabled
  • Modify Metadata
  • Modify All Data

Below is the package.xml

<types>
  <members>Analytics</members>
  <name>Settings</name>
<members></members>
  <name>WaveApplication</name>
<members></members>
  <name>WaveDataflow</name>
<members></members> 
  <name>WaveDashboard</name>
<members></members>
  <name>WaveDataset</name>
<members></members>
  <name>WaveLens</name>
<members></members>
<name>WaveComponent</name>
<members></members>
  <name>WaveRecipe</name>
<members></members>
  <name>WaveXmd</name>
</types> 
  • Security Predicates update is a post deployment manual task

Connect to the source org from VS code and retrieve the components using the above xml. Then connect to the destination org and deploy.

Please be cautious about any component override.

Change set based deployment link

https://help.salesforce.com/s/articleView?id=sf.bi_packaging_migrate.htm&language=en_US&r=https%3A%2F%2Fwww.google.com%2F&type=5

https://twirltech.in/architect-blogs/

Salesforce: Send Email delivery to Gmail, Yahoo

Let’s consider a use-case of this problem:

The customer is using email2case. When customers send an email to the support email ( like product@domain.com) then a case is successfully created. Now, from Console when an Agent replies back to the customer from Feed->Send mail the email is NOT reaching the customer.

Solution:

1. Create DKIM key in Salesforce

https://help.salesforce.com/s/articleView?id=emailadmin_create_secure_dkim.htm&type=5&language=en_US

2. publish the CNAME and alternate CNAME to the DNS server. You may need to involve your infrastructure IS and email domain admin

3. Once done, wait for few hours and activate the DKIM key in Salesforce. 

4. Next is to have Salesforce SPF added in your DNS’s SPF records. Below is the article for reference:
Include Salesforce in Your SPF Record
https://help.salesforce.com/articleView?id=sf.emailadmin_spf_include_salesforce.htm&type=5

5. Once you have activated DKIM and SPF, we recommend you to disable the below deliverability settings:
– ‘Activate bounce management’
– ‘Enable compliance with standard email security mechanisms’

Salesforce: email notifications from corporate email domain

If you want to send email notifications (like case status change, Lead creation) to the customers from your corporate email for branding or don’t want to expose the sales or service personal email then

  1. Create a service emailbox in the corporate email service
  2. go to Salesforce Organization-Wide Addresses
  3. Set User Selectable Organization-Wide Email Addresses and get it verified
  4. This email address will then automatically be avaialble for selection in workflow email alert and flow email alert.

This’s it. Customers will get the notification from the defined corporate branded email id

Salesforce: File transfer through Einstein BOT

Options to transfer File through Salesforce Einstein BOT

Currently, there is no file upload functionality in the einstein chatbot – between Bot and a Customer. A file transfer facility is available between Agent and Customer, by transferring chat from Einstein bot to Agent and then Agent can request the customer to transfer file by sending a link to transfer file.

A customer can’t upload a file until you initiate the file transfer by clicking the file transfer icon. This restriction helps prevent customers from uploading unsolicited or potentially dangerous files into the chat.

Salesforce: File transfer through Einstein BOT
Salesforce: File transfer through Einstein BOT

The is an idea to allow file transfer through Einstein BOT: https://trailblazer.salesforce.com/ideaView?id=0873A0000015BDVQA2

https://twirltech.in/architect-blogs/

Salesforce OAuth 2.0 Response and Grant Type

Salesforce OAuth 2.0 response and Grant Type

response_type is used against authorization endpoint. This parameter define what authorization response must contain in its response. For example, code when using authorization code grant . Salesforce OAuth 2.0 Response and Grant Type

https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<your_client_id> &redirect_uri=<your_redirect_uri>response_type=code: to request an authorization coderesponse_type=token: 

to request an access token
The /authorize endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow. End user interaction is needed to provide username/password and to authorize the client.

Salesforce OAuth 2.0 Response and Grant Type
Salesforce OAuth 2.0 Response and Grant Type

grant_type 

grant_type on the other hand is used against token endpoint. It define the grant used to get the token from the Authorization Server. For example, authorization_code is the grant used for authorization code grant

https://login.salesforce.com/services/oauth2/token?grant_type=password&client_id=<your_client_id> &client_secret=<your_client_secret>                                                                             &username=<your_username>&password=<your_password>
The /token endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.


grant_type=password : used to get access token directly in exchange of username and password Request:grant_type with the value passwordclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions.username with the user’s usernamepassword with the user’s password
Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access tokenaccess_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.


grant_type=authorization_code : server exchanges the auth code for an access token
It has two Parts1. First go to the Authorization endpoint to get the authorization code2.

Part II is to hit the Token end point with the authorization code Request:grant_type with the value of authorization_code client_id with the client identifier client_secret with the client secret redirect_uri with the same redirect URI the user redirected back to code with the authorization code from the query string Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access token access_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.


grant_type = refresh_token: Access tokens eventually expire; however some grants respond with a refresh token which enables the client to refresh the access token. Request:grant_type with the value refresh_tokenrefresh_token with the refresh tokenclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions. This is optional; if not sent the original scopes will be used, otherwise you can request a reduced set of scopes. Response:token_type with the value Bearer
expires_in with an integer representing the TTL of the access token
access_token a new JWT signed with the authorization server’s private key
refresh_token an encrypted payload that can be used to refresh the access token when it expires

grant_type=client_credentials : applications need a way to get an access token for their own account, outside the context of any specific user. This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Not Applicable in Salesforce
grant_type = assertion

grant_type—urn:ietf:params:oauth:grant-type:jwt-bearer

grant_type: urn:ietf:params:oauth:grant-type:saml2-bearer

grant_type=device

https://developer.salesforce.com/blogs/isv/2015/04/integrating-multi-orgs-using-oauth

https://twirltech.in/architect-blogs/

Force.com Site Vs Site.com

Salesforce Force.com Site Vs Site.com

Salesforce Force.com Site and Site.com can build a public website and application. The website is directly integrated with a Salesforce Org – without requiring users to log in with a credential- hence not requiring any Salesforce license. One can publicly expose any information stored in the company through a branded URL and make the site’s pages match the look and feel of any company’s brand. Create a branded, custom Web address, such as https://twirltech.in, by registering through a domain name registrar. Create CNAME records to redirect your branded domain and sub-domains to the Salesforce Sites domain without exposing the force.com name in the URL. the public users could access the Force.com site or Site.com site by Guest User licenses. If Community is enabled, these users also have access to public pages in the communities. Site visitors have access to any information made available on an active public site. For each Guest User license, one can develop one site for your organization. So lets discuss more on Force.com Site Vs Site.com.

Force.com Site Vs Site.com
Salesforce Site.com

What is Site.com Site
Site.com Site is more template-driven, built using Community Builder or Site.com Studio, no CRM functionality – don’t have access to the Accounts and Contacts objects. Users have access to an unlimited number of custom tabs but are limited to the use of one custom app, which is defined as up to 20 custom objects. Each Site.com the Only user also needs either a Site.com Contributor or Site.com Publisher feature license to access Site.com. 

Community Builder is an intuitive, convenient tool for customizing a community that can have public pages. Community Builder lets a developer/administrator create a community based on a pre-configured template, and then apply branding, edit pages, update your template, and publish changes all from one user-friendly interface.
Using Community builder, a developer can create public pages that anyone can access or set a home page and set up multilingual support for the community in Site.com Studio, a Web content management system that provides extra configuration options. Site.com Studio is easily accessible from Community Management.

Developer, Enterprise, Unlimited, and Performance Editions each come with unlimited Guest User licenses of Site.com

Force.com Sites VS Site.com Sites

Force.com Sites:

  • Force.com sites supports both authenticated and public websites
  • Included in all Enterprise Edition (or above) and Developer orgs.
  • Support for custom pages using Visualforce, JavaScript, CSS.
  • Developers must be familiar with the above languages.
  • Can access all Force.com objects.

https://developer.salesforce.com/docs/atlas.en-us.salesforce_platform_portal_implementation_guide.meta/salesforce_platform_portal_implementation_guide/sites_overview.htm

https://help.salesforce.com/s/articleView?id=sf.sites_overview.htm&type=5

Site.com:

  • Is a provisioned product.
  • Site.com is meant for non-technical administrators as there is no coding necessary.
  • Drag n drop support for CMS.
  • Allows custom coding using HTML, CSS, Javascript.
  • Includes a security model of who can contribute to and publish sites.
  • Chatter supported for contribution of content while chatter is not available on the front end website.

https://help.salesforce.com/s/articleView?id=sf.siteforce_overview.htm&type=5

FeatureForce.com SitesCommunity Builder Sites
Visualforce pagesYesNo
Can it have AuthenticationNoYes
Can be Template drivenNoYes
Can host Public pagesYesYes
Out-of-the-box login, logout, self-registration, and error pagesYesYes
Can it have Pixel-perfect designsYesYes
Can impose IP restrictionsYesYes
Can success to data from Salesforce org, Account Contact cases, leads, and opportunitiesYesYes
Can support CMSNoYes
Force.com Sites vs Site.com

For more https://twirltech.in/architect-blogs/