Provisioning Salesforce

This section describes how to provision Salesforce. "Provisioning" means both creating a service account and the process by which Cloud App Security is granted the ability to access your Salesforce environment.

Cloud App Security provisions the service account for Salesforce through the OAuth 2.0 flow.


Cloud App Security allows only administrators assigned to the default Global administrator role to provision service accounts. For details about Cloud App Security role-based access control, see Administrator and Role.

Provisioning a Salesforce Service Account

Provision a service account for Salesforce Sandbox or Salesforce Production to allow Cloud App Security to run advanced threat protection and data loss prevention scanning on object records, for example, documents and feed posts, updated in your Salesforce environment.

Before you begin provisioning, make sure that:

  • You have a valid Cloud App Security for Salesforce license.

  • You have purchased the Salesforce environment with a license that supports RESTful APIs.

  • You have the administrator's credentials for your Salesforce environment.

  • You have not logged on to your Salesforce environment using any other user account.

The steps outlined below detail how to provision a service account for Salesforce from Dashboard. This procedure uses Salesforce Sandbox as an example.

  1. Log on to the Cloud App Security management console.
  2. Hover over Salesforce Sandbox and click Provision.

    The Provision Service Account for Salesforce Sandbox screen appears.

  3. Click Click here in Step 1.

    The Salesforce Sandbox logon screen appears.


    Skip this and the next step if you have already installed the TrendMicro Cloud App Security app.

  4. Specify your Salesforce Sandbox administrator credentials, click Log In to Sandbox, and install TrendMicro Cloud App Security.

    You can also go to AppExchange, search for TrendMicro Cloud App Security, and click Install to install the application before provisioning.

  5. Go back to the Cloud App Security management console as instructed and click Click here in Step 2.
  6. Specify your Salesforce Sandbox administrator credentials if the logon screen appears, and then click Log In.

    The Salesforce authorization screen appears.

  7. Click Allow.
  8. Go back to the Cloud App Security management console as instructed and click Done.

    Cloud App Security then retrieves your Salesforce Sandbox object metadata and profile information. The time required depends on how many object records and profiles you have in Salesforce Sandbox.

    Cloud App Security also adds Apex triggers to your objects. The TrendMicro Cloud App Security app uses these triggers to monitor changes to an object record and sends them to Cloud App Security upon detection. It then takes actions as instructed (through the RESTful API implemented in the app) by Cloud App Security based on the configured policies.

    Cloud App Security creates several custom objects in your Salesforce Sandbox environment to store data, for example, quarantined contents, which are accessible only to the Salesforce administrator.


    The TrendMicro Cloud App Security app stores quarantined contents within it before they are restored to their original locations.

  9. Hover over the ring icon in the upper-right corner of the management console.

    If the message "Salesforce Sandbox protected." appears on the Notifications screen, the provisioning is successful.