Skip to main content

Appendix E: Minimum Permissions for SCCAC Salesforce Users

Overview

This appendix describes the minimum Salesforce permissions required to create dedicated service account users for SCCAC. If you want to create dedicated users with minimal permissions rather than using administrator accounts, this appendix provides the individual permissions needed and step-by-step instructions.

Connected App Client Credentials Run As User

The awsscc GLOBAL_CONNECTED_APP Connected App uses the OAuth 2.0 Client Credentials Flow to authenticate AWS Lambda functions when making API calls to Salesforce. By default, a System Administrator is assigned as the "Run As" user for this flow.

If you want to create a dedicated user instead of using a System Administrator, this section provides the minimum required Salesforce permissions and setup instructions — for both new and existing installations.

Required Permissions

The following system permissions are required for the dedicated Run As user:

PermissionPurpose
API EnabledAllows the user to make Salesforce API calls
Customize ApplicationAllows updating the Connected App configuration via Metadata API
Modify Metadata Through Metadata API FunctionsAllows programmatic Metadata API access required by the Lambda functions
Allows users to modify Named Credentials and External CredentialsAllows updating the External Credential certificate

In addition, the SCC Administrator permission set must be assigned to the user to provide the SCCAC object and field-level permissions required for runtime Lambda operations (such as Contact Trace Record export).

Option 1: Set Up a Dedicated Run As User (New Installation)

Follow these steps instead of Step 4.5(ii, iii, iv) in the installation guide.

Step 1: Create the Minimum Permission Set

  1. In Salesforce Setup, search for Permission Sets in Quick Find.
  2. Choose New.
  3. Set Label to SCC ConnectedApp RunAs or your preferred name and API Name to SCC_ConnectedApp_RunAs or your preferred name. Leave License as None. Choose Save.
  4. Choose System Permissions, then choose Edit.
  5. Enable the following permissions only:
    • API Enabled
    • Customize Application
    • Modify Metadata Through Metadata API Functions
    • Allows users to modify Named Credentials and External Credentials
  6. Choose Save.

Step 2: Create the Dedicated Service Account User

  1. In Salesforce Setup, search for Users in Quick Find and choose Users, then New User.
  2. Fill in the required fields:
    • Profile: Minimum Access - Salesforce
    • User License: Salesforce
  3. Choose Save.

Step 3: Assign Permission Sets to the User

  1. On the user's detail page, scroll to Permission Set Assignments and choose Edit Assignments.
  2. Move both of the following from Available to Enabled:
    • SCC ConnectedApp RunAs — provides the system permissions required for setup Lambda callbacks
    • SCC Administrator — provides the SCCAC object and field-level permissions required for runtime Lambda operations (such as Contact Trace Record export)
  3. Choose Save.

Step 4: Configure the Connected App Policies

  1. In Salesforce Setup, go to App Manager, find awsscc GLOBAL_CONNECTED_APP, and choose Manage from the dropdown arrow.
  2. Choose Edit Policies.
  3. For Permitted Users, select Admin approved users are pre-authorized.
  4. For Client Credentials Flow > Run As, select the dedicated service account user you created.
  5. Choose Save.

Step 5: Configure Manage Profiles

  1. On the Connected App Manage page, choose Manage Profiles.
  2. Uncheck System Administrator if it is checked.
  3. Choose Save.

Step 6: Configure Manage Permission Sets

  1. On the Connected App Manage page, choose Manage Permission Sets.
  2. Ensure the following are checked:
    • SCC ConnectedApp RunAs
    • SCC Administrator
    • SCC Agent
  3. Choose Save.

Option 2: Update Existing Connected App to Use a Dedicated Run As User

If you have already completed the installation using a System Administrator as the Run As user and want to switch to a dedicated user, follow these steps. No AWS changes are required.

Step 1–3: Create the Permission Set and User

Follow Steps 1–3 from Option 1 above.

Step 4: Update the Connected App Policies

  1. In Salesforce Setup, go to App Manager, find awsscc GLOBAL_CONNECTED_APP, and choose Manage from the dropdown arrow.
  2. Choose Edit Policies.
  3. For Client Credentials Flow > Run As, replace the existing user with the new dedicated service account user and Save.

Step 5: Update Manage Profiles

  1. On the Connected App Manage page, choose Manage Profiles.
  2. Uncheck System Administrator if it is checked.
  3. Choose Save.

Step 6: Update Manage Permission Sets

  1. On the Connected App Manage page, choose Manage Permission Sets.
  2. Add SCC ConnectedApp RunAs to the list. Ensure SCC Administrator and SCC Agent remain checked and Save.