---
title: Salesforce Access Requirements
excerpt: ''
deprecated: false
hidden: false
metadata:
  title: ''
  description: ''
  robots: index
next:
  description: ''
---

## Why do we need access to your Service Cloud instance?

The client created in your Service Cloud instance will perform create and update operations on behalf of end users and notify end users of Case-related updates.

The Moveworks Service interacts with your Salesforce platform so that the bot can:

* monitor tickets for autonomous resolution
* identify end users/employees
* create tickets for issues that require an agent's attention
* reach out to an employee when a Salesforce ticket needs the employee's attention (via ticket comments)
* load Salesforce Knowledge articles so the bot can serve them to employees

## Access Requirements

The Moveworks Connected App and dedicated service account in Salesforce allow the Moveworks service to read and update tickets and to read users and KB articles.

***Read only*** access is needed for the following objects in your Salesforce environment:

* Contact
* Knowledge\_\_kav (if applicable)

***Read/write*** access is needed for the following objects in your Salesforce environment:

* Case
* CaseComment

# Authentication

This integration uses a server-to-server OAuth 2.0 JWT Bearer Flow. A private key/certificate pair will be created. The private key will be encrypted within the Moveworks backend and used to sign the JWT claim generated by Moveworks. The certificate file will be uploaded to the Salesforce Connected App to validate the signed JWT assertions.

# Setup Overview

After setup is complete, provide the following information to your Moveworks CS team:

* Consumer Key
* Consumer Secret
* Service Account Email
* Service Account Password
* Service Account First name and Last name
* Private Key (.key file)

👉🏻 Provide ALL of the above to your Moveworks Customer Success team via **secure encrypted email.**

# Setting up JWT Bearer Flow (server-server)

## Process Walkthrough

1. Create an RSA x509 **private key/certificate pair**\
   `openssl req -x509 -sha256 -nodes -days 36500 -newkey rsa:2048 -keyout salesforce.key -out salesforce.crt`\
   The private key (`.key`) will be used to sign the JWT claim generated by Moveworks. The certificate (`.crt`) will be uploaded to Salesforce to validate the signed JWT assertions.\
   ![](https://files.readme.io/e768fb5-small-Screen_Shot_2023-01-24_at_3.23.31_PM.png)
2. **Create Connected App** in Salesforce\
   ![](https://files.readme.io/3170a09-small-Screen_Shot_2023-01-24_at_3.20.14_PM.png)
   1. Under **Setup > App Manager**, click `New Connected App`
   2. Fill in the basic info: \{Connected App Name: `Moveworks_Server`, API Name: `Moveworks_Server`, Contact Email: [support@moveworks.ai](mailto:support@moveworks.ai)}
   3. Select *Enable OAuth Settings* under API (Enable OAuth Settings) and add \{Callback URL: [https://login.salesforce.com/](https://login.salesforce.com/)}
   4. Check *Use digital signatures*. Upload the *`salesforce.crt`* that was generated in step 1.
   5. Add the OAuth scopes:
      1. api
      2. refresh\_token, offline\_access
   6. Click *Save* and note down the `Consumer Key` and the `Consumer Secret`
   7. After saving, click *`Manage` > Edit Policies*
      1. In the *OAuth policies* section, change *Permitted Users* to *Admin approved users are pre-authorized*
      2. In the Session policies section, change *Timeout Value* to *24 hours*
      3. Click *Save*
3. **Create a Permission Set** to interact with the Connected App\
   ![](https://files.readme.io/e110dc6-small-Screen_Shot_2023-01-24_at_3.28.08_PM.png)
   1. Navigate to **Users > Permission Sets** and click `New`
   2. Add `moveworks_connected_app` as the Label and API Name, then click Save
   3. Click the `moveworks_connected_app` Permission Set, then click Assigned Connected Apps
   4. Click Edit, add `Moveworks_Server` to the list of Enabled Connected Apps, and click Save
4. Create **New Service Account** (if it doesn't exist)\
   ![](https://files.readme.io/cf02e32-small-Screen_Shot_2023-01-24_at_3.29.33_PM_1.png)
   1. Navigate to **Users > Users** and click `New User`
   2. Enter the following information and click *Save*:
      1. Last Name: `Moveworks`
      2. Alias: `moveworks`
      3. Email, Username & Nickname: `moveworks@{{customer-domain}}.com`
      4. Set the role to `Admin` (or whatever the customer allows)
5. **Assign our service user the connected app**
   1. Navigate to **Users > Users** and click the service user account that was just created.
   2. Click **Permission Set Assignment** and then **Edit Assignments**
   3. Add `moveworks_connected_app` to the list of **Enabled Permission Sets** and click **Save**
6. Edit policies so that admin-approved users are pre-authorized
   1. Navigate to the connected app and click `Edit policies`
   2. Set permitted users to ***Admin approved users are pre-authorized***
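
As an added example (not Moveworks or Salesforce code), the shell functions below build an RS256-signed JWT assertion with the private key from step 1 and check it against the certificate, which is the validation the uploaded `.crt` exists for. The claim layout (`iss` = Consumer Key, `sub` = service account username, `aud` = login URL, short `exp`) follows Salesforce's JWT Bearer Flow; the function names are assumptions, and nothing here contacts Salesforce.

```shell
#!/bin/sh
# Added example, not vendor code. All inputs are supplied by the caller;
# the functions only sign and verify locally with openssl.

# base64url without padding, as JWTs require
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# reverse of b64url: restore padding, then decode to stdout
b64url_dec() {
  local s="$1"
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# make_assertion KEYFILE CONSUMER_KEY USERNAME AUDIENCE -> signed JWT on stdout
make_assertion() {
  local hdr claims sig exp
  exp=$(( $(date +%s) + 180 ))   # short expiry limits replay of a leaked assertion
  hdr=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%s}' \
           "$2" "$3" "$4" "$exp" | b64url)
  sig=$(printf '%s.%s' "$hdr" "$claims" |
        openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$claims" "$sig"
}

# jwt_claims JWT -> decoded claims JSON on stdout
jwt_claims() { local p="${1#*.}"; b64url_dec "${p%%.*}"; }

# verify_assertion CERTFILE JWT -> 0 only if the certificate's public key
# validates the signature; 1 on signature mismatch, 2 on unreadable input
verify_assertion() {
  local tmp rc=0
  tmp=$(mktemp -d) || return 2
  openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem" 2>/dev/null || rc=2
  b64url_dec "${2##*.}" > "$tmp/sig.bin" 2>/dev/null || rc=2
  if [ "$rc" -eq 0 ]; then
    printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
      -signature "$tmp/sig.bin" >/dev/null 2>&1 || rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}
```

Running `verify_assertion salesforce.crt "$(make_assertion salesforce.key <consumer-key> <username> https://login.salesforce.com)"` before uploading confirms that the key and certificate belong together without sending either file anywhere.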