Salesforce Access Requirements

Why do we need access to your Service Cloud instance?

The client created in your Service Cloud instance will perform create and update operations on behalf of end users and will notify end users of Case-related updates.

The Moveworks Service interacts with your Salesforce platform so that the bot can:

  • monitor tickets for autonomous resolution
  • identify end users/employees
  • create tickets for issues that require an agent's attention
  • reach out to an employee when a Salesforce ticket needs the employee's attention (via ticket comments)
  • load Salesforce Knowledge articles so the bot can serve them to employees

Access Requirements

The Moveworks Connected App and dedicated service account in Salesforce allow the Moveworks service to read and update tickets and to read users and KB articles.

Read-only access is needed for the following objects in your Salesforce environment:

  • Contact
  • Knowledge__kav (if applicable)

Read/write access is needed for the following objects in your Salesforce environment:

  • Case
  • CaseComment

Authentication

This integration is server-to-server and uses the OAuth 2.0 JWT Bearer Flow. A private key/certificate pair will be created. The private key will be encrypted within the Moveworks backend and used to sign the JWT claim generated by Moveworks. The certificate file will be uploaded to the Salesforce Connected App, where it is used to validate the signed JWT assertions.
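The signing and validation described above, as an added example that is not Moveworks or Salesforce code: it signs an RS256 assertion with a private key and checks the signature against the matching certificate, which is the role the uploaded .crt plays. The consumer key, username, audience value and throwaway key pair are constructed placeholders, and nothing is sent over the network.

```shell
#!/usr/bin/env bash
# Added example (not Moveworks or Salesforce code). All values are constructed.

# base64url without padding, as JWTs require
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_assertion KEY ISS SUB AUD -> prints header.claims.signature
make_assertion() {
  local header claims sig exp
  exp=$(( $(date +%s) + 180 ))   # keep the assertion short-lived
  header=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' \
    "$2" "$3" "$4" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" |
    openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
}

# verify_assertion CERT JWT -> exit 0 only if the signature matches the certificate
verify_assertion() {
  local tmp sig rc
  tmp=$(mktemp -d) || return 1
  sig=$(printf '%s' "${2##*.}" | tr '_-' '/+')
  case $(( ${#sig} % 4 )) in 2) sig="$sig==" ;; 3) sig="$sig=" ;; esac
  printf '%s' "$sig" | openssl base64 -d -A > "$tmp/sig.bin"
  openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -signature "$tmp/sig.bin" > /dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# demo: throwaway 1-day pair (-nodes leaves the key unencrypted, so it is deleted)
demo() {
  local d jwt rc=0
  d=$(mktemp -d) || return 1
  openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 -subj "/CN=demo" \
    -keyout "$d/demo.key" -out "$d/demo.crt" 2> /dev/null
  jwt=$(make_assertion "$d/demo.key" "CONSUMER_KEY_PLACEHOLDER" \
    "moveworks@example.com" "https://login.salesforce.com")
  verify_assertion "$d/demo.crt" "$jwt" || rc=1   # genuine assertion must pass
  # same signature over swapped claims ("e30" is base64url of {}) must fail
  verify_assertion "$d/demo.crt" "${jwt%%.*}.e30.${jwt##*.}" && rc=1
  rm -rf "$d"
  return "$rc"
}
demo && echo "signature checks behaved as expected"
```

The second check in demo shows why only the certificate needs to be on the Salesforce side: any change to the claims invalidates the signature unless the private key is available to re-sign.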

Setup Overview

After setup is complete, provide the following information to your Moveworks CS team:

  • Consumer Key
  • Consumer Secret
  • Service Account Email
  • Service Account Password
  • Service Account First name and Last name
  • Private Key (.key file)

👉🏻 Provide ALL of the above to your Moveworks Customer Success team via secure encrypted email.

Setting up JWT Bearer Flow (server-server)

Process Walkthrough

  1. Create an RSA X.509 private key/certificate pair
    openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout salesforce.key -out salesforce.crt
    The private key (.key) will be used to sign the JWT claim generated by Moveworks. The certificate (.crt) will be uploaded to Salesforce to validate the signed JWT assertions.

  2. Create Connected App in Salesforce

    1. Go to Setup > App Manager and click New Connected App
    2. Fill basic info: {Connected App Name: Moveworks_Server, API Name: Moveworks_Server, Contact Email: [email protected]}
    3. Select Enable OAuth Settings under API (Enable OAuth Settings) and add {Callback URL: https://login.salesforce.com/}
    4. Check Use digital signatures. Upload the salesforce.crt that was generated in step 1.
    5. Add the following OAuth scopes:
      1. api
      2. refresh_token, offline_access
    6. Click Save and note down the Consumer Key and the Consumer Secret
    7. After saving, click Manage > Edit Policies
      1. In the OAuth policies section, change Permitted Users to Admin approved users are pre-authorized
      2. In the Session policies section, change Timeout Value to 24 hours
      3. Click Save
  3. Create a Permission Set to interact with the Connected App

    1. Navigate to Users > Permission Sets and click on New
    2. Add moveworks_connected_app as the Label and API Name, then click Save
    3. Now click on the moveworks_connected_app Permission Set and click Assigned Connected Apps
    4. Click Edit, add Moveworks_Server to the list of Enabled Connected Apps and click Save
  4. Create New Service Account (if it doesn’t exist)

    1. Navigate to Users > Users and click on New User
    2. Enter the following information & click Save:
      1. Last Name: Moveworks
      2. Alias: moveworks
      3. Email, Username & Nickname: moveworks@{{customer-domain}}.com
      4. Set the role to Admin (or whatever the customer allows)
  5. Assign our service user the connected app

    1. Navigate to Users > Users & click on our service user account that was just created.
    2. Click on Permission Set Assignment and then Edit Assignments
    3. Now add moveworks_connected_app to the list of Enabled Permission Sets and click Save
  6. Edit policies so that admin-approved users are pre-authorized

    1. Navigate to the connected app and click on Edit policies
    2. Set permitted users to Admin approved users are pre-authorized