Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Alta SaaS Protection Administrator's Guide
  3. Protect Salesforce data and metadata
  4. Key considerations and prerequisites for adding Salesforce connectors
  5. Configure User, Profile, and Connected App for Salesforce
Cohesity Alta SaaS Protection Administrator's Guide

Configure User, Profile, and Connected App for Salesforce

This topic describes the procedure to create a user, profile, and a Connected App in Salesforce (Lightning Experience) for use by Cohesity Alta SaaS Protection.

Before you configure a Connected App, create a dedicated Salesforce user for Cohesity Alta SaaS Protection and grant the permissions it needs to perform backup and restore operations using Salesforce APIs.

  • Create a dedicated integration user: Create a Salesforce user (for example, Cohesity Backup Admin) that is used exclusively for backup and restore operations.

  • Assign a supported Salesforce license: The Cohesity Backup Admin user must be assigned a Salesforce license. Cohesity Alta SaaS Protection does not currently support the Salesforce API Integration License, as it provides limited access to Salesforce objects and features.

  • There are two options to create a profile:

    • Option A (recommended): Create a custom profile by cloning System Administrator: Create a new custom profile by cloning the System Administrator profile (for example, Cohesity Backup Admin profile).

    • Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile.

Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile. It is strongly recommended to assign all permissions listed in the Required Permissions table below. These permissions determine what the integration user can read and write through Salesforce APIs during backup and restore. If any permissions are excluded, Cohesity assumes that the customer understands the associated risks and may not provide support for related issues.

For Option B (Permission Set approach):

  • Create the permission set and assign all required permissions to the Cohesity Backup Admin user before you authorize that user for the Connected App.

  • Create the Cohesity Backup Admin user with a Standard User profile (not System Administrator).

  • Assign the permission set to the Cohesity Backup Admin user (instead of granting permissions via a cloned admin profile).

Required Permissions (Permission Set Checklist)

Use the checklist below to build the permission set. At a minimum, ensure coverage for object permissions, field-level security, and record types across both standard and custom objects.

  • Object permissions: Modify All and Create permissions for all objects in the Salesforce organization (standard and custom).

  • Field permissions: Read Access and Edit Access for all fields across all objects (standard and custom).

  • Record type permissions: Read and Edit access for all record types across all objects (standard and custom).

  • Additional requirements

    • Ensure all relevant feature permission sets are assigned.

    • Ensure the user has all required feature licenses for any installed AppExchange products.

A few permissions (for example, Modify All Data) can automatically enable other permissions. In addition, Salesforce may auto-enable permissions that are not explicitly listed in the table based on what you select. Do not remove any auto-enabled permissions if they are required for Cohesity Alta SaaS Protection features to work as expected.

Table:

Permissions

Data / Metadata / Both

Salesforce Description

Used by Cohesity Alta SaaS Protection for

Access Activities

Data

Access tasks, events, calendar, and email.

Protection (backup and restore) of Tasks, Events, Calendar and Email

Access Libraries

Data

Access libraries.

Protection of Libraries

Apex REST Services

Data

Allow access to Apex REST services

Access to Salesforce APIs

API Enabled

Both

Access any Salesforce.com API.

To access Salesforce APIs for backup and restore of Data and Metadata

Assign Topics

Data

Assign existing topics to feed items. Remove topics from feed items.

Restore of FeedItem (while assigning a topic to FeedItem)

Author Apex

Metadata

Create Apex classes and triggers.

Restore of Apex classes and Triggers

Change Dashboard Colors

Metadata

Choose dashboard color theme and palette.

Restore of Dashboards

Chatter Internal User

Data

Use all Chatter features.

Protection of Chatter Objects

Create and Own New Chatter Groups

Data

Use all Chatter features.

Protection of Chatter Objects

Create Content Deliveries

Data

Create content delivery links to share files that aren't managed by a library. To let a user create content deliveries for files in a library, enable Deliver Content for that user in the library.

Protection of Salesforce Orgs where Content Delivery feature is enabled. Restore of public link Field for the Document/Attachment requires this.

Create Folders for Lightning Email Templates

Metadata

Create Folders for Lightning Email Templates.

Restore of Email Template (in Folder)

Create Libraries

Data

Create libraries.

Restore of Library

Create Public Links

Data

Let users create links to share files externally. Unlike content deliveries, public links can't be password protected. To let a user create links to files in a library, enable Deliver Content for that user in the library.

Restore of Public Links of Documents / Attachments / Files

Create Topics

Data

Create new topics by assigning them to feed items.

Restore of FeedItem (while assigning a topic to FeedItem)

Customize Application

Metadata

Customize the organization using App Setup menu options.

Required for 'Connected App' backup. Restore of various Metadata types, for example, Custom Fields, Page Layout and so on.

Edit HTML Templates

Metadata

Edit Classic HTML Email Templates.

Restore of Email Templates

Edit Read Only Fields

Data

Edit fields that are read only due to page layouts or field-level security.

Restore values back into some fields that are read-only due to page layout or field level security

Edit Tasks

Data

Create, edit, and delete tasks.

Restore of Tasks

Edit Topics

Data

Edit topic names and descriptions.

Restore of Topics

Manage All Private Reports and Dashboards

Metadata

Allows full access to reports and dashboards in all other users' private folders (API only).

Restore to reports and dashboards in all other users' private folders (API only).

Manage Auth. Providers

Metadata

Create and edit Auth. Providers

Restore of Auth Providers

Manage Certificates

Metadat

Ability to manage certificates

Protection of Certificates

Manage Chatter Messages and Direct Messages

Data

Access all users' messages sent in Chatter.

Protection of Chatter data

Manage Connected Apps

Metadata

Manage, create, edit, and delete connected applications.

Restore of Connected Apps

Manage Custom Permissions

Metadata

Create, edit, and delete custom permissions.

Restore of Permission Sets and Profiles

Manage Custom Report Types

Metadata

Create, edit, and delete custom report types.

Restore of Custom Reports

Manage Dashboards in Public Folders

Metadata

Create, edit, delete dashboards, and manage their sharing in all public folders.

Restore of Custom Dashboards

Manage Data Categories

Metadata

Create, edit, and delete data categories.

Protection of 'DataCategoryGroup' backup

Manage Data Integrations

Data

Monitor or abort Bulk API jobs.

Bulk API management (during backup and restore)

Manage Letterhead

Both

Create, edit, and delete letterheads for HTML emails.

Protection of Email Letterheads.

Manage Multi-Factor Authentication in API

Metadata

Use the API to manage user identity verification methods for multi-factor authentication.

Required for Metadata Backup

Manage Public Classic Email Templates

Metadata

Create, edit, and delete text emails, mail merge templates, and folders for public email templates.

Restore of Email Template in Folder

Manage Public Documents

Data

Create, edit, and delete folders for public documents.

Restore of Folders for Documents

Manage Public List Views

Metadata

Create, edit, and delete public list views

Restore of List Views

Manage Reports in Public Folders

Data

Create, edit, delete reports, and manage their sharing in all public folders.

Restore of Reports in Public Folder

Manage Unlisted Groups

Metadata

View and moderate unlisted Chatter groups.

Protection of Unlisted Groups

Manage Users

Metadata

Create, edit, and deactivate users, and manage security settings, including profiles and roles.

Restore of Users

Modify All Data

Data

Create, edit, and delete all organization data, regardless of sharing settings

Needed for auto-inclusion of new objects and related objects. Third party product objects, custom objects as and when they get added to the Org, they will get picked up by Alta SaaS Protection only if this permission is given. Also, some objects (TopicAssignment, FeedRevision, FeedAttachment, Announcement, FeedComment, EntitySubscription) require this permission for query. A few other objects require this permission for Metadata restore.

Modify Metadata through Metadata API Functions

Metadata

Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata executes in system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex executes in system context.

Metadata restores

Update Email Messages

Data

Modify certain email message related records.

Restore of Email Messages

View All Custom Settings

Metadata

Let users view all custom setting data directly and via the API.

Protection of Custom Settings

View All Lookup Record Names

Data

View the record names in lookup fields regardless of sharing settings. Lookup fields include system fields, such as Created By and Last Modified By.

Backup of System Fields

View All Profiles

Metadata

View all user profiles, regardless of profile filtering setting.

Backup of Profiles

View And Edit Converted Leads

Data

View and edit converted lead records.

Restore of Converted Leads

View Developer Name

View the DeveloperName field via the API.

Backup of Developer Name field

View Encrypted Data

Data

View the value of encrypted fields in plain text.

Protection of Encrypted Fields

Edit Case Comments

Data

Edit their own case comments but not other user's comments.

Restore of CaseComment

Import Solutions

Data

Import solutions for the organization.

Protection of Solutions

Manage Cases

Data

Administer case settings, including Email-to-Case and mass transfer of cases.

Protection of Cases

Manage Categories

Data

Define and modify solution categories settings.

Define and modify solution categories settings.

Manage Entitlements

Data

Enable, create, and update entitlement management items.

Enable, create, and update entitlement management items.

Manage Content Permissions

Data

Create, edit, and delete library permissions in Salesforce CRM Content.

Create, edit, and delete library permissions in Salesforce CRM Content

Manage Content Properties

Data

Create, edit, and delete custom fields in Salesforce CRM Content.

Create, edit, and delete custom fields in Salesforce CRM Content

Manage Flow

Data

Allow users to view, create, edit, delete, and activate all flows and flow types in Lightning Experience apps and Setup.

Protection of Workflows

Manage record types and layouts for Files

Both

Create, edit, and delete content types in Salesforce CRM Content..

Create, edit, and delete content types in Salesforce CRM Content.

Manage Salesforce CRM Content

Data

Create, edit, and delete libraries and library memberships.

Create, edit, and delete libraries and library memberships.

Query All Files

Data

Allows View All Data users to SOQL query all files in the org.

Protection of Documents / Attachments / Files / Salesforce CRM Content

Create user and profile

You may be using Salesforce Lightning Experience or Classic Experience. Use this procedure to create a user and profile in Salesforce Lightning Experience.

To create user and profile

  1. Log in to your Salesforce org using a user with the System Administrator profile.
  2. Click Setup.
  3. Locate the profile setup by typing profile in the search box on the left.
  4. Click New Profile.
  5. Select System Administrator from the list to create a clone of the profile.
  6. Enter a name for the profile (for example, Cohesity Backup Admin Profile).
  7. Click Save.
  8. Go to the profile you have just created and click Edit.
  9. Assign the following permissions to the profile:
    • Modify All Data

    • API enabled

    • View Encrypted Data

      If encrypted fields are used for standard/custom objects.

    • Query all files

      To back up private library files for all users.

    • View and Edit Converted Leads

      If the lead has been converted and needs to be restored.

  10. Click Save.
  11. Click View Users > New User to create a new user.
  12. Enter user details like First Name, Last Name, Username, Email and then select the profile created earlier.
  13. Click Save.
  14. Log off, then log on using the newly created user.
Configure Connected App

To Configure Connected App

  1. Log on using the newly created user.
  2. Click Setup.
  3. Locate the App Manager setup by typing it in the search box on the left.
  4. On the top right, click New Connected App.
  5. Select Create a Connected App option and click Continue.
  6. Provide the basic information for the new app, such as the name.
  7. Click the checkbox to enable OAuth settings. Set the callback URL to http://localhost:1717/OauthRedirect.
  8. Select Full Access and Perform requests at any time (refresh_token, offline_access) from the list of the available OAuth scopes. This is required by the app for permissions to back up and restore various objects and records.
  9. Click Save.
  10. Go to the app created above and look for the consumer key. Copy the consumer key to a text file for use later. This is required when creating a connector on the Cohesity Alta SaaS Protection Web UI.
  11. Go to the Cohesity Alta SaaS Protection Web UI to create a Salesforce connector.
  12. Enter the Salesforce username, instance URL, and consumer key.
  13. To find the instance URL, log in to the Salesforce org, click Setup, type My Domain, click My Domain, copy the Current My Domain URL, and add https:// to the beginning.
  14. Click Generate certificate and download the certificate.
  15. When entering the username, ensure that the user is part of the profile (for example, Cohesity Backup Admin Profile) associated with the connected app so that access is limited to the user.
  16. Go back to the Salesforce app created earlier and click Edit to associate the certificate created by Cohesity Alta SaaS Protection and to relax IP restrictions.
  17. Click the Use Digital Signature checkbox and upload the certificate created by Cohesity Alta SaaS Protection using the Choose File button.
  18. Keep all other settings as default and click Save.
  19. From the App Manager, locate this app and click Manage.
  20. Click Edit Policies.
  21. Under OAuth Policies, set Permitted Users to Admin approved users are pre-authorized and set IP Relaxation to Relax IP restrictions. Keep default values for all other settings.
  22. Click Save.
  23. Scroll down and click Manage Profiles.
  24. Select the profile associated with the user who can use this connected app for backup and restore. For example, select the Cohesity Backup Admin Profile.
  25. Click Save.
  26. This completes the setup of the Connected App in Salesforce for users using Lightning Experience.

Feedback

Was this page helpful?
Previous

Key considerations and prerequisites for adding Salesforce connectors

Next

Add Salesforce connectors

Feedback

Was this page helpful?