Salesforce connector for Simpplr Enterprise Search

Overview

The Salesforce connector allows Simpplr Enterprise Search to index structured data, including Accounts, Opportunities, Cases, Campaigns, Contacts, Leads, Content Document and Knowledge Articles while strictly adhering to Salesforce's complex native security model. This makes high-value business intelligence easily discoverable and searchable directly within the Simpplr intranet.

With this connector, you can:

• Centralize CRM Data: Bring Salesforce content into Simpplr Enterprise Search so users can find Accounts, Opportunities, Contacts, Leads, Campaigns, Cases and Content Documents alongside intranet content in one place.

• Access Control: Ensures users only see records they are authorized to access.

• Advanced Search Capabilities: Use features like autocomplete, hybrid ranking, and Smart Answers on top of your Salesforce CRM content.

• Enterprise Knowledge Discovery: Surface published Knowledge Articles directly in search results, enabling employees to quickly find product documentation, troubleshooting guides, FAQs, policies, and customer support knowledge

Indexed content from Simpplr Enterprise Search is available in:

• Autocomplete

• In main search listing

• Smart answers

Capabilities at a glance

Objects and content supported

1. Objects 

List the object types that are indexed:

• Account

• Contact

• Opportunity

• Lead

• Campaign

• Case

• Content Document

• Knowledge Articles

2. Metadata

For each indexed item, Salesforce captures based on the type of Object:

• Name

• Description

• Billing Address

• Type

• Website

• Rating

• Department

• Owner Details

• Url

• Created Date

• Last Modified Date

• Email

• AccountId

• Phone

• PhotoUrl

• Title

• LeadSource

• StageName

• Company

• Status

• StartDate

• EndDate

• EmailMessages

• IsClosed

• CaseNumber

• CreatedBy

• Subject

• CaseComments

• Feeds

• Permissions

• Body

• Summary

• Publish Status

• Article Number

• Language

3. Permissions model

Permissions are read from Salesforce and enforced in Simpplr ensuring user's search results in Simpplr are identical to their visibility within the Salesforce UI.
Enterprise Search. Include:

• How user permissions are synchronized

  • Salesforce users are fetched along with their full security context, including Role Hierarchy (expanded to include all subordinate roles), Public/Collaboration Group memberships (including nested groups), Chatter Group memberships, Library (Content Workspace) memberships and Object-level permissions.

  • The ACL index is updated the next time the Access Control Sync runs (typically every hour). This ensures that if a user is promoted, moved to a new group, or added to a new sharing group, their search visibility is updated automatically.

  • For Salesforce Knowledge, user permissions are additionally evaluated to determine whether the user has effective Read access to Knowledge article version objects (*__kav).

• How public or link-shared content is handled

  • Simpplr strictly enforces Salesforce’s authenticated security model. Content that is available only via Anonymous Public Links (Content Deliveries) or Guest User access is not indexed.

  • Inherited Security (Files): Files (Content Document) inherit the permissions of the records they are attached to. If a user has access to an Account, they can discover the files attached to that Account, provided the Salesforce Visibility attribute is set to AllUsers, InternalUsers, or SharedUsers.

  • Files stored in Salesforce Libraries are governed by Workspace memberships, which are synchronized and enforced at the folder/library level.

  • Salesforce Knowledge visibility flags such as:

    • IsVisibleInPkb

    • IsVisibleInCsp

    • IsVisibleInPrm 

    • are indexed as metadata only. Enterprise Search still requires authenticated Salesforce Knowledge permissions before Knowledge articles appear in search results.

• What happens when access is removed in Salesforce

  • User Deactivation: When a user is deactivated in Salesforce, they are excluded from the next ACL sync. Their identity document is removed, and they instantly lose access to all indexed Salesforce content.

  • Permission Revocation: If a user’s Permission Set or Profile is updated to remove "Read" access to an object (e.g., Cases), the next hourly ACL sync will remove the corresponding object_access:case token from their keyring. They will immediately stop seeing Cases in search results.

  • Record-Level Unsharing:If a user is removed from an Account Team or a Manual Share is deleted:

    • The Incremental Sync uses "Snapshot Diff" logic to detect that the record's recipient list has changed.

    • The record is re-indexed with a new restricted ACL "lock."

    • The user will no longer see that specific record after the incremental sync completes.

  • File Detachment : If a file is unlinked from a record in Salesforce, its search permissions are refreshed on the next incremental sync so users no longer retain access inherited from that record.

  • Archived Knowledge Articles : When the latest version of a Salesforce Knowledge article transitions to Archived, the article is automatically removed from the Enterprise Search index during Knowledge incremental sync.

  • Data Deletion: If a record (like an Opportunity or Lead) or file is deleted in Salesforce, the connector uses the Salesforce getDeleted() API to identify the deletion and purge the document from Simpplr search results.

• Salesforce Knowledge security

  • For Salesforce Knowledge, the connector indexes the latest published version of Knowledge articles.

  • Knowledge articles are only searchable by users who have Salesforce Knowledge read permissions through their assigned Profile or Permission Sets.

  • Archived Knowledge articles are automatically removed from the search index when they are no longer published.

Versions and editions supported

• Supported Salesforce editions:

  • The Salesforce connector utilizes the Salesforce REST API and SOQL to index data and enforce security. Therefore, the primary requirement is that your Salesforce organization has API access enabled.

• Not supported: 

  • Essentials, Starter, Personal, and Group editions, as these do not provide the necessary API access or advanced sharing tables.

Prerequisites

Before you begin, ensure the following:

• Source system permissions

  • Salesforce Setup Access: You need administrative access to the Salesforce Setup menu (specifically the App Manager) to create and configure a Connected App.

  • Required Permissions: Your user account must have the Manage Connected Apps/ External Client App and Modify Metadata permissions to register the integration and configure OAuth policies.

• Application / service account

  • Ability to Create a Connected App: You must be able to create a new Connected App in Salesforce. This generates the unique Consumer Key (Client ID) and Consumer Secret (Client Secret) required for the integration.

  • OAuth Configuration: The Connected App must be configured with the Client Credentials Flow enabled (as the connector uses the client_credentials grant type for secure, non-interactive service access).

  • OAuth Scopes: You must assign the following OAuth scopes to the Connected App:

    • Manage user data via APIs (api): Required to execute SOQL queries and fetch record data.

    • Perform requests at any time (refresh_token, offline_access)

    • Access the Salesforce API Platform (api): Required for metadata and object description.

  • Authorized Execution User: You must select a "Run As" execution user (Service Account) for the Client Credentials flow. This user must have:

    • API Enabled permission.

    • View Setup and Configuration permission (required to query EntityDefinition for OWD resolution).

    • View Roles and Role Hierarchy

• Security & Data Access Permissions

The Execution User assigned to the Connected App must have the following object-level permissions to ensure all relevant data is indexed:

• Read & View All: Required for the six core objects: Account, Opportunity, Contact, Lead, Campaign, and Case.

  • Note: Using "View All" ensures the connector can index all records across the organization regardless of individual sharing rules.

• Ensure Query All Files permissions for file records.

• Ensure Read and View All permissions for Knowledge__kav and Knowledge object.

• System Table Access: The user must have permission to read the following system tables required for the ACL permission mapping:

  • UserRole and Group: To map the role hierarchy and public groups.

  • GroupMember: To identify user memberships.

  • PermissionSetAssignment and ObjectPermissions: To map object-level visibility for all users.

  • Share tables (e.g., AccountShare, CaseShare): To capture manual and team-based sharing.

Authentication and security

1. Authentication mechanism

Simpplr Enterprise Search connects to Salesforce using a secure, server-to-server integration that does not require individual user logins for indexing.

• Auth type: OAuth 2.0 Client Credentials Flow (Server-to-Server Authentication).

• Scopes Required:

  • api: Required to execute REST API requests and SOQL queries to fetch records.

  • refresh_token, offline_access: (Optional) If using standard OAuth, but for Client Credentials, the api scope is the primary driver for data retrieval.

• Permissions Required (Service Account/Execution User):

  • API Enabled: To allow the connector to interact with Salesforce programmatically.

  • View Setup and Configuration: Required to query the EntityDefinition and UserRole tables for OWD and Hierarchy resolution.

  • View All Data (or View All on specific objects): Required for the connector to see all records for Account, Opportunity, Contact, Lead, Campaign, and Case to ensure index completeness.

  • View Roles and Role Hierarchy

  • View All Profiles

  • View All Users

  • Chatter Internal User

  • Query All Files: Essential for identifying deletions and files in the Recycle Bin.

  • Read & View All: Required for the six core objects: Account, Opportunity, Contact, Lead, Campaign, and Case.

  • Read & View All for Knowledge__kav.

2. Data security

• Data storage and residency: Indexed content  from Salesforce are stored within your Simpplr Enterprise Search environment, in the same region as your Simpplr tenant.

• Encryption in transit: Server-side encryption with Amazon S3 managed keys (SSE-S3), TLS encryption in Kafka.

• Encryption at rest: SSL (TLS 1.2 or higher), Auth: OAuth 2.0 Bearer tokens (client-credential).

• Permission enforcement: Salesforce access controls (User-based) are stored in the ACL index and applied at query time.
  Search results are filtered using a logical intersection: (User Identity AND Object Permission AND Record-Level Access). This ensures that a user can only discover and view Salesforce records in Simpplr that they have explicit permission to view in the Salesforce UI.

Setup and configuration

Step 1: Create Profile to associate Salesforce integration user

1. Go to Setup: Click Settings then Setup
   

2. From the Salesforce Setup menu, go to Administration ⇒ Users ⇒ Profiles.

3. Create a new profile or edit an existing Profile.
   

4. Choose any profile from the Existing Profile dropdown. Name the profile and save it.
   Note: By default, Read Only or Standard User users have read permission to access all standard objects.
   Recommended: Read Only Profile.
   

5. Edit the newly created profile. Under Object Permissions, assign at least Read access to the standard objects.
   

6. Under  System Permission ensure following permissions are checked:

   1. API Enabled (Allows the user to communicate with REST)

   2. View All Data (Grants the user "Read" access to every record in the org, regardless of owner.)

   3. View Setup and Configuration (Allows the user to use "Describe" calls to understand the object schema.)

   4. View Roles and Role Hierarchy

   5. View All Users

   6. View All Profiles

   

7. Make sure the newly created profile has at least Read (Preferrably Read plus View All Records) access for the following standard objects: Accounts, Opportunities, Contacts, Leads, Campaigns, and Cases.

8. For Content Document please ensure this Query All files permissions under App Permissions in Profile Overview section in Content section as this permission is require to fetch all the content documents present in salesforce.

   

Step 2: Create or select the Salesforce integration user

1. Go to Setup: Click Settings then Setup

2. Go to Users and click create New User or select an existing user (service account user used for Integration)
   

   

3. Under User License select Salesforce.

4. By default, the Salesforce connector documentation assumes System Administrator access, but this can be avoided by creating a custom profile with minimal permissions.

5. Assign the System Administrator profile (by default have full Access), or a custom Profile created as per above mentioned steps in Step 1 (Creating new Profile) with the above associated permissions mentioned there.

6. For Knowledge Articles please check/enable the Knowledge User.

   

7. Verify that:

   1. The user is able to login successfully.

   2. The user can access records for each object (e.g., Accounts, Cases, Campaigns, Lead, Opportunity and Contacts) in the Salesforce UI or via SOQL queries.

Step 3: Creation of an External Client App/ Connected App

1. Go to Setup: Click Settings then Setup

2. Navigate to Apps -> App Manager > External Client App
   

3. Click New External Client App / New Connected App

4. Enter the Basic Information (App Name, Contact Email).

   1. If External Client App:
      

   2. If Connected App:
      

5. Click Create.

6. Go to the created app and configure: OAuth Settings

7. Under API ( Enable Oauth ) Click enable Oauth.
   

8. Check Enable OAuth Settings.

9. Set the Callback URL to https://login.salesforce.com/services/oauth2/success/ (Note: While Client Credentials doesn't strictly use this, it's a required field).

10. Add the following OAuth Scopes:

    1. Manage user data via APIs (api)

    2. Perform requests at any time (refresh_token, offline_access)
       

       

11. Enable: Client Credentials Flow and click save.
    

12. Go to External Client apps/ Connector App, select your app and then select Edit policies. Assign the client credentials flow to the user we have created earlier with the custom profile in Salesforce.
    

    

13. Click Settings -> Oauth Settings Click Consumer Key and Secret and copy that.
    

14.  Copy the Consumer Key (Client Id) and Secret (Client Secret) required for configuration.

Step 4 - Salesforce KB Setup and Permissions

1. Enable Knowledge User for Integration User.

2. Go to Setup -> Users -> Select Integration User that you have created -> Enable Knowledge User
   

3. Under Setup -> search for Knowledge in Quick Find Box -> Select Knowledge Settings (For this Tab to be visible Knowledge User check box should be enabled for logged in User)

    

4. Enable Lightning Knowledge Check
   

5. Additional Permission Required to fetch the Knowledge article is:

   1. Ensure the Profile (created on Step 1) has Knowledge Read plus View All object permission for Knowledge__kav object.
      

   2. Go to Profiles -> Select Profile Associated with Integration user -> select Object settings -> Select Knowledge__kav -> edit -> enable Read  plus view all.
      

   3. Click save.

   4. Under App Permissions -> Enable the View Archive Article (Required to fetch the archive articles and delete the article from Index such that it doesn’t appear in user’s  search)
      

      

Step 5 - Create the connector in Simpplr

1. In Simpplr, go to: Enterprise Search → Connectors → Add connector.
   

2. Select “Salesforce”.
   

3. Enter basic information:

   • Name: (ConnectorName for this instance)

4. Provide authentication details:

   • Client ID

   • Client secret

   • Domain

   

5. Save the configuration.

Step 6 - Define Filters (Optional)

1. Configure exclusion rules:

   • Select object types that should be excluded and should not be indexed. If not selected will index all standard objects including content documents.

   • Select age filter so that documents older than the specified time are not ingested.
     

2. Configure Audience based filtering.

   • Include audiences

   • Exclude audiences

   

Step 7 - Run Initial Sync and Monitor the sync

1. Run the initial sync by clicking the start sync button.

2. Monitor the latest sync status in the connector dashboard. This page shows the status of first full sync completed with latest full/incremental completed/failed status here.

   

Crawling and sync behavior

Describe how the connector works over time:

1. Initial full crawl

• The connector performs a comprehensive scan of your Salesforce environment and indexes records from core Salesforce objects, including Accounts, Opportunities, Contacts, Leads, Campaigns, Cases, Content Documents, and Salesforce Knowledge Articles 

  • Discovery Phase: Before fetching records, the connector pre-fetches security metadata (Organization-Wide Defaults, Role Hierarchy, and Public Groups), Chatter Groups, Library Workspaces, and the Organization ID to build the initial Access Control List (ACL) mapping.

• How long it may take: Depends on the total record count and Salesforce API rate limits. For large orgs (millions of records), the initial crawl is optimized using batch processing.

2. Incremental updates

• Mechanism: The connector uses a multi-layered detection strategy:

  • SOQL Timestamp Filtering: Queries LastModifiedDate to find new or edited records.

  • Salesforce /getDeleted/ API: Specifically targets the Salesforce system log to identify records that were moved to the Recycle Bin or hard-deleted.

  • ACL Snapshot Diffing: A specialized "Silent Change" detector that compares current manual shares against a stored snapshot to catch share removals (which Salesforce does not track via timestamps).

• What changes trigger reindexing:

  • New Records & File: Any new core object or file version uploaded since the last sync.

  • Data Updates: Any field change on an existing record or file metadata.

  • Permission Shifts: Adding or removing users from Manual Shares, Account Teams, or Case Teams.

  • Ownership Changes: Changing a record owner (which triggers a recalculation of hierarchy-based access).

  • Inheritance Propagation: If a Parent Account is modified, the connector automatically re-indexes "Controlled by Parent" children (like Contacts) to ensure permissions remain synced.

  • Knowledge Article updates such as changing title or summary or any other content and publishing the latest version of the article.

3. Deletion and permission changes

• Deleted Items: Records deleted in Salesforce are identified via the /getDeleted/ API and purged from the Simpplr index during the next incremental sync.

• Archived Knowledge Articles : When the latest version of a Salesforce Knowledge article transitions to Archived, the article is automatically removed from the Enterprise Search index during Knowledge incremental sync.

• Permission Changes: * Identity updates (changing a user's Role or Group) are refreshed during the hourly ACL sync.

  • Record-level access (sharing a specific record) is updated during the content sync.

4. Expected latency

• With the default schedule (incremental sync every hour), changes made to Salesforce content are generally reflected in Simpplr search results within an hour of the update. Similarly, the permission lag in the system is typically up to one hour, as the ACL sync also runs hourly. On top of that, there can be certain cases, where the permission sync can take up-to 7days (When the full sync is run), subject to content volume and system load.

Field mapping and search experience

1. Default field mapping

Source field (Salesforce) → Index field Simpplr

• Account

• Case

• Opportunity

• Lead

• Contact

• Campaign

• ContentDocument

• Knowledge Article

2. Search experience 

How content from this connector appears in search:

• Result layout: (Icon, Connector name, title as link, body(excerpt), Updated Date/ Created Date, object type)

• Available filters and facets:

  • Source = Salesforce

  • Created Date

• Participation in advanced features:

  • Smart Answers / Q&A: Yes

  • Autocomplete: Yes

  • Recommendations / “Suggested for you”: N/A

  • Trending / popular results: N/A

  • Semantic / hybrid ranking: Yes

3. Limits and known limitations

Monitoring and troubleshooting

1. Connector health and monitoring - Describe where admins can see status information:

• Enterprise Search -> Connector name

• Available metrics:

  • Last sync status (Success / Warning / Failed)

  • Last sync time

  • Next scheduled sync

  • Sync Type

  • Total items indexed count

2. Common issues and resolutions. Example pattern:

   • Issue: Authentication failed (invalid credentials or missing scopes)
     Possible causes:

     1. Incorrect Consumer Key (Client ID) or Consumer Secret (Client Secret).

     2. Client Credentials Flow is not enabled in the Salesforce Connected App settings.

     3. The Execution User assigned to the flow is inactive or lacks API access.

     4. The Execution User lacks the View Setup and Configuration permission.

     5. Removed manual shares are still visible in search

   • Resolution:

     1. Verify and re-enter the Consumer Key and Secret from the Salesforce App Manager.

     2. In Salesforce, go to Manage Connected Apps, click Edit Policies, and ensure "Enable Client Credentials Flow" is checked.

     3. Confirm the "Run As" user has the API Enabled permission.

     4. Assign a Permission Set to the Execution User that includes View Setup and Configuration.

     5. Verify the Incremental Sync status in the dashboard. Run a Full Sync to clear the "Zombie Access" and re-baseline the cursor snapshot.

3. When to contact support

   • Authentication error persists even after trying the above-mentioned resolutions

   • Sync is stuck in the Pending state.

   • Sync is in progress but no documents are getting ingested.

   • Sync failure with cancelled error (when not cancelled manually)

   • Incomplete or Partial sync.
     

4. When contacting, Support, include:

• Connector name and instance ID (if available)

• Organization URL

• Approximate time and date of the issue

• Error messages or screenshots

• Steps you already tried

Frequently asked questions (FAQ)

Q1. Can I connect multiple Salesforce tenants or domains?
A. Multiple Salesforce connections can be configured in the Simpplr environment via multiple connectors.

Q2. How often does Salesforce sync data?
A. The connector runs a full crawl on first setup. Incremental sync runs every hour.

Q3. Are comments, revisions, or version history indexed?
A. Comments and individual versions are not indexed as separate items. The connector indexes the latest file metadata, including the last updated time and updated-by user.

Q4. What happens when a user loses access to an item in Salesforce?
A. The updated access permissions will be indexed during the next sync.

Note: Files and permissions are synced every hour. However, the actual update time may vary depending on the volume of data created within that period. Under normal conditions, changes are reflected within 1–2 hours, provided there has not been a significant spike in data uploads.

Q5. How are deletions handled?
A. Objects deleted from the source are permanently deleted from the index.

Q6. Are attachment files searchable ?

A. Yes attachment files are searchable with their name and content.

Q7. Is Knowledge article visibility enforced based on Data Category Groups?

A. No. Currently, all users with Salesforce Knowledge read permissions can search and access all published Knowledge articles indexed by the connector.