Is your feature request related to a problem? Please describe.
The Salesforce Audit Logs CCF connector's LoginHistory poller queries LoginGeoId, which per Salesforce documentation requires the Manage Users permission on the integration user.
Manage Users is a write-level permission in Salesforce. It allows creating, editing, resetting passwords, etc. It is significantly broader than read-only access.
Clients understandably push back on granting Manage Users to service accounts because of its blast radius.
Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_loginhistory.htm
Describe the solution you'd like
Remove LoginGeoId from the default LoginHistory SOQL query in SalesforceAuditLogs_PollingConfig.json. This allows the connector to work with read-only permissions.
Additionally, the value of LoginGeoId appears limited. CountryIso is already on LoginHistory directly for country-level location, and geo data can be derived from SourceIp via standard IP enrichment (e.g. geo_info_from_ip_address KQL function).
Affected file: Solutions/Salesforce Service Cloud/Data Connectors/SalesforceAuditLogsConnector_CCF/SalesforceAuditLogs_PollingConfig.json
Describe alternatives you've considered
- Granting Manage Users to the integration user: works but violates least privilege. Not acceptable for all our clients.
- Deploying a custom ARM template with LoginGeoId stripped from the SOQL query: this is our current workaround, but it duplicates a connector we would rather consume directly from Microsoft.
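
The following is an added example, not part of the original issue and not the connector's code: a small least-privilege check that flags SOQL fields needing elevated permissions and emits the reduced query. The `ELEVATED_FIELDS` map, the function names and the sample query are assumptions constructed for illustration; only the LoginGeoId to Manage Users pairing comes from the issue, and only flat `SELECT ... FROM ...` queries are handled.

```python
import re

# Assumption: fields that need more than read-only access on the integration
# user. Only LoginGeoId -> "Manage Users" is taken from the issue text.
ELEVATED_FIELDS = {"logingeoid": "Manage Users"}

# Constructed sample query; the connector's real default query is not shown here.
SAMPLE_QUERY = (
    "SELECT Id, UserId, LoginTime, SourceIp, CountryIso, LoginGeoId, Status "
    "FROM LoginHistory WHERE LoginTime > 2024-01-01T00:00:00Z "
    "ORDER BY LoginTime ASC"
)

_SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<rest>.+)$",
    re.IGNORECASE | re.DOTALL,
)


def audit_query(soql, elevated=ELEVATED_FIELDS):
    """Return (findings, reduced_query) for a flat SELECT ... FROM ... query.

    findings is a list of (field, required_permission) tuples; reduced_query
    is the same query with those fields dropped from the SELECT list.
    """
    match = _SELECT_RE.match(soql)
    if not match or "(" in match.group("fields"):
        raise ValueError("only flat SELECT lists are supported")
    fields = [f.strip() for f in match.group("fields").split(",") if f.strip()]
    rest = match.group("rest").strip()

    findings = [(f, elevated[f.lower()]) for f in fields if f.lower() in elevated]
    kept = [f for f in fields if f.lower() not in elevated]
    if not kept:
        raise ValueError("removing elevated fields leaves an empty SELECT list")

    # A dropped field that is still used in WHERE/ORDER BY would keep the
    # permission requirement, so refuse to emit a misleading reduced query.
    for name, _ in findings:
        if re.search(r"\b%s\b" % re.escape(name), rest, re.IGNORECASE):
            raise ValueError("%s is still referenced after FROM" % name)

    return findings, "SELECT %s FROM %s" % (", ".join(kept), rest)


if __name__ == "__main__":
    flagged, reduced = audit_query(SAMPLE_QUERY)
    print(flagged)
    print(reduced)
```
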