# Granting Doowii Access to Salesforce

Salesforce access is always granted from within your Salesforce org by creating and approving a Connected App. Doowii operates the integration in Google Cloud, but Salesforce authorization, scope, and permissions remain fully under your control.

{% hint style="success" %}
**Prerequisites**

* Salesforce System Administrator access
* Ability to create:
  * Connected Apps
  * Users and Permission Sets
* A designated Salesforce integration user
* Your target Salesforce environment: Production (login.salesforce.com)
  {% endhint %}

***

## 1. Overview of Doowii's Salesforce Integration

Doowii uses Salesforce APIs to read (and only when explicitly approved, write) data for analytics, reporting, and AI-assisted insights. This allows Doowii to:

1. Replicate approved Salesforce data into Doowii’s analytics environment, such as data related to your Advancement Programs, Recruiting, Student & Career Services, Student Success & Support teams, and more.
2. Support role-appropriate analytics for non-Salesforce users.

**Salesforce controls:**

* Which data Doowii can access
* Which users authorize access
* Which objects, fields, and records are visible

**Doowii supports the following Salesforce authentication methods:**

1. Authorization Code + Refresh Token (standard)
2. JWT Bearer (by request)

{% hint style="info" %}
Doowii cannot access data beyond what your Salesforce permissions allow.
{% endhint %}

***

## 2. Suggested OAuth Scopes & Permissions

Depending on your institution’s selected workflows, you may choose Read Only access or Read + Write access on the integration user. Salesforce OAuth scope details are available [here](https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_tokens_scopes.htm\&type=5).

#### Recommended OAuth Scopes (Authorization Code flow)

<table data-header-hidden><thead><tr><th width="174.296875">Scope</th><th>Purpose</th></tr></thead><tbody><tr><td><strong>Scope</strong></td><td><strong>Purpose</strong></td></tr><tr><td>api</td><td>Required. Allows access to Salesforce data via REST, Bulk, and SOAP APIs.</td></tr><tr><td>refresh_token (aka offline_access)</td><td>Required. Allows Doowii to refresh access tokens for scheduled syncs without user interaction.</td></tr></tbody></table>

Not recommended (unless otherwise agreed on):

* UI-related scopes (web, visualforce, lightning)
* Product-specific scopes (Data Cloud, Pardot, Analytics) unless explicitly needed

{% hint style="info" %}
OAuth scopes control which API surfaces Doowii may call. Read vs. write access is controlled by Salesforce permissions, not OAuth scopes.
{% endhint %}

#### Access Permission Model

Salesforce data access is governed by the integration user:

* Object permissions (Read / Create / Edit)
* Field-level security (FLS)
* Record-level sharing rules

**Recommended default:**

Start with **read-only** object access and expand only if required and agreed on.

***

## 3. Step-by-Step Setup Instructions

{% stepper %}
{% step %}

#### Step 1: Create a Salesforce Integration User

Create a dedicated user for Doowii (not a personal admin account).

1. Check License Availability:
   * Navigate to Setup > Company Information.
   * Look for details about Salesforce Integration user licenses.
2. Create the User:
   * Go to Setup > Users > Users and click New User.
   * User License: Select Salesforce Integration.
   * Profile: Select Salesforce API Only System Integrations.
   * Username: Choose a username following this format: **doowii.integration@\[**<mark style="color:purple;">**yourorg.edu**</mark>**]**

**Why this matters:**

* Clear audit trail
* Least-privilege security
* Stable long-term integration
  {% endstep %}

{% step %}

#### Step 2: Create a Permission Set for Doowii

1. Go to Setup → Permission Sets → New
   * Name: Doowii Integration User Access
2. Grant:
   * Read access to approved objects (e.g., Account, Contact, Opportunity, custom objects)
   * Field-level visibility only for approved fields
   * Record visibility via your existing sharing rules
3. Assign this permission set to the integration user.
4. Note: you may also need to click Edit Assignments and enable the Salesforce API Integration license.
   {% endstep %}

{% step %}

#### Step 3: Create an OAuth Client App in Salesforce

Salesforce [recommends](https://help.salesforce.com/s/articleView?id=xcloud.connected_app_create_basics.htm\&type=5) [External Client Apps](https://help.salesforce.com/s/articleView?id=xcloud.create_a_local_external_client_app.htm\&type=5) for new OAuth integrations. If your org still supports Connected Apps, you may use either option, as both are fully compatible with Doowii’s Salesforce integration.

**Step 3A: External Client App (recommended)**

1. Navigate to Setup, enter App Manager, and select App Manager
2. Click New External Client App
3. Enter a name for the External Client App: Doowii Integration
4. Set the Distribution State to Local
5. Enable OAuth 2.0 Authorization Code flow
6. Enter the Doowii callback URL *(Provided by Doowii during onboarding)*
7. Select scopes (api, refresh\_token)
8. Save and request admin approval

**Step 3B: Connected App (if already enabled)**

1. Navigate to Setup, enter App Manager, and select App Manager
2. Click New Connected App
3. Enable OAuth
4. Enter the Doowii callback URL (Provided by Doowii during onboarding)
5. Select scopes (api, refresh\_token)
6. Save and approve

{% hint style="info" %}
Note: it may take up to 10 minutes for a new OAuth Client App to propagate through Salesforce's servers, and up to 15 minutes for changes to app and access settings to take effect.
{% endhint %}
{% endstep %}

{% step %}

#### Step 4: Approve and Install the Connected App

Salesforce requires explicit approval before an app can issue tokens.

1. Navigate to Setup > Connected Apps OAuth Usage.
2. Find \[The New App] in the list
3. In the Action column, click Install (if it says "Uninstall" it is already installed)
4. Review the information and click Install
5. Approve OAuth Policies by going to Setup > Manage Connected Apps > \[The New App] > Edit Policies
6. Select "Admin approved users are pre-authorized" in the Profiles or Permission Sets detail page
7. Save

Recommended settings:

* Permitted Users: *Admin approved users are pre-authorized*
* Assign access via Permission Sets
  {% endstep %}

{% step %}

#### Step 5: Share Connection Details with Doowii

Share the application details with Doowii.

* Salesforce login URL (this should be your Production URL)
* Connected App Consumer Key
* Connected App Consumer Secret
* Integration User username
  {% endstep %}

{% step %}

#### Step 6: Authorization & Validation

Once shared, Doowii will:

1. Complete the OAuth authorization flow
2. Exchange the authorization code for access + refresh tokens
3. Validate object and field access
4. Confirm record counts and ingestion readiness
   {% endstep %}
   {% endstepper %}
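
The scope recommendations in section 2 and the access validation in Step 6 can also be checked from your side. The sketch below is an added example, not Doowii's or Salesforce's code: it assumes you have the `scope` value from an OAuth token response and a REST sObject describe result fetched as the integration user, and the function names and sample data are hypothetical.

```python
# Added example; sample data is constructed, not output from a real org.
REQUIRED_SCOPES = {"api", "refresh_token"}
DISCOURAGED_SCOPES = {"web", "visualforce", "lightning"}  # UI scopes, not recommended
WRITE_FLAGS = ("createable", "updateable", "deletable")

def audit_scopes(token_response):
    """Compare the space-separated 'scope' value with the recommended set."""
    raw = token_response.get("scope", "").split()
    # The page notes that offline_access is an alias of refresh_token.
    granted = {"refresh_token" if s == "offline_access" else s for s in raw}
    return {
        "missing": sorted(REQUIRED_SCOPES - granted),
        "discouraged": sorted(granted & DISCOURAGED_SCOPES),
        "unexpected": sorted(granted - REQUIRED_SCOPES - DISCOURAGED_SCOPES),
    }

def audit_read_only(describe, approved_fields):
    """List deviations from read-only, approved-fields-only access for one object."""
    name = describe["name"]
    findings = []
    if not describe.get("queryable", False):
        findings.append(f"{name}: not readable by the integration user")
    for flag in WRITE_FLAGS:
        if describe.get(flag, False):
            findings.append(f"{name}: object is {flag}")
    for field in describe.get("fields", []):
        if field["name"] not in approved_fields:
            findings.append(f"{name}.{field['name']}: visible but not approved")
        elif field.get("updateable", False):
            findings.append(f"{name}.{field['name']}: field is updateable")
    return findings

# Constructed samples shaped like a token response and a describe result.
SAMPLE_TOKEN = {"scope": "refresh_token api web", "token_type": "Bearer"}
SAMPLE_DESCRIBE = {
    "name": "Contact", "queryable": True,
    "createable": False, "updateable": True, "deletable": False,
    "fields": [
        {"name": "Id", "updateable": False},
        {"name": "Email", "updateable": True},
        {"name": "Birthdate", "updateable": False},
    ],
}

if __name__ == "__main__":
    print(audit_scopes(SAMPLE_TOKEN))
    for line in audit_read_only(SAMPLE_DESCRIBE, {"Id", "Email"}):
        print(line)
```

If Read + Write access has been agreed on, the write-flag findings are expected for the approved objects and fields; anything outside that list still warrants a Permission Set review.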

***

## 4. Operational Expectations

#### Data Freshness & Refresh Cadence

Doowii supports multiple refresh patterns, depending on your needs. The standard refresh pattern is nightly, unless otherwise agreed upon.

| Pattern                                              | Typical Use               |
| ---------------------------------------------------- | ------------------------- |
| Nightly sync                                         | Standard reporting        |
| Every 4–6 hours                                      | Operational dashboards    |
| Incremental updates                                  | Near-real-time monitoring |
| Change Data Capture (optional, CDC must be enabled)  | Event-driven freshness    |

Refresh strategy is configured after initial access is established.

***

## Trusted Salesforce Connectors references

* [Google Cloud, Integration Connectors, Salesforce](https://docs.cloud.google.com/integration-connectors/docs/connectors/salesforce/configure) (Google)
* [Connecting GCS and Salesforce with Data Cloud](https://developer.salesforce.com/blogs/2024/03/connecting-google-cloud-storage-and-salesforce-with-data-cloud) (Salesforce)
* [OAuth Tokens and Scopes](https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_tokens_scopes.htm) (Salesforce)
* [OAuth JWT Bearer Flow for Server-to-Server Integration](https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_jwt_flow.htm\&type=5) (Salesforce)
* [OAuth Authorization Flows](https://help.salesforce.com/s/articleView?id=xcloud.remoteaccess_oauth_flows.htm\&type=5) (Salesforce)
* [Change Data Capture overview + channels](https://developer.salesforce.com/docs/atlas.en-us.change_data_capture.meta/change_data_capture/cdc_intro.htm) (Salesforce)
* [Granting Integration Users API Access](https://help.salesforce.com/s/articleView?id=platform.integration_user.htm\&type=5) (Salesforce)


