Question

I want to set up the Zendesk for Salesforce integration, but I can't use the default System Administrator profile. What permissions do I need to link them successfully?

Answer

Salesforce profile requirements

Important: Full Salesforce user license required. Don't use an API-only Salesforce user to connect this integration.

The Salesforce user who connects the Zendesk integration must meet these requirements:

  • Have a full Salesforce user license, not the Salesforce Integration license type
  • Be able to log in interactively to Salesforce
  • Have standard user profile capabilities
  • Not be an API-only user type

Reasons why API-only users fail:

  • Integration connection requires interactive OAuth authentication
  • API-only users can't complete the OAuth authorization flow
  • Salesforce API-only license type blocks required authentication methods

To resolve API-only user issues:

  • Provision a full Salesforce license for the integration connection
  • Contact your Salesforce administrator
  • Budget for additional Salesforce license cost

To check if a user is API-only:

  • Go to Salesforce setup > Users > [select user]
  • Check the License field
  • If the license is Salesforce Integration, the user is API-only and won't work
  • Required license types include Salesforce, Salesforce Platform, or a full Sales or Service Cloud license

Required permissions

After you confirm you have a full, not API-only, Salesforce user, that user needs these permissions:

Administrative permissions: API Enabled

If you don't see the option within your profile, reach out to Salesforce support or check that your SFDC plan includes access to the API. For more information, see the Salesforce community post "Enable API" not available.

Administrative permissions: Modify Metadata Through Metadata API Functions

Standard object permissions: Push Topics with full access

Push topics are required to use the Account, Contact, or Lead sync portion of the Data Sync feature. Push topics rely on the SFDC Streaming API.

Standard object permissions: Streaming Channels with full access

This is required to renew the streaming connection for the Account, Contact, or Lead sync. For more information, see Configuring data sync from Salesforce to Zendesk.

Setup: Enable Streaming API

This option must be enabled.

Access to account, contact, lead, or opportunity objects

The default ticket-view setup will appear as the fields below.

Any user who wishes to use the Ticket View needs read-only access, at least, to the listed fields within their respective objects in Salesforce. See the requirements for the default fields:

  • Account object: Account Name field
  • Contact object: Email field
  • Opportunity object: Related account name field
  • Lead object: Email field

Access to case objects

Even if you don't use the ticket-to-case sync, access to the Case object is required to connect the integration initially.

Access to relevant case fields

The case fields setting is required only if you use the ticket-to-case sync feature of the integration. The relevant fields include all of the fields listed in the Standard field mapping section in Setting up Ticket Sync from Zendesk to Salesforce.

To modify these fields within a profile:

  1. Navigate to Field-level security > Case > (view)
  2. Ensure that the profile in question has edit access to the aforementioned fields

Access to the connected app

The Allowed Profiles in the Connected App Manager need to be in place when you connect the integration in Admin Center, and won't retroactively apply if updated after the connection of the app.

Available push topics

According to Salesforce Streaming Limits, plans are typically maxed out at 40, 50, or 100 push topics.

Other integrations or apps can consume them. To see how many currently exist, execute the following SOQL query with the Developer Console or Workbench.

SELECT COUNT() FROM PushTopic

The Zendesk for Salesforce integration needs to create three of these push topics, one each for Accounts, Contacts, and Leads.

Visualforce pages

The Lightning component should automatically inherit the permissions of the connected app. However, only the System Administrator profile can authorize the Visualforce pages until specified otherwise. To control the permissions of these Visualforce pages, go to Salesforce > Setup > Custom Code > Visualforce Pages.

From there, ensure the profile has access to the Visualforce page in question.

Additional Salesforce requirements

PKCE OAuth setting

Required: Enable PKCE in Salesforce:

  1. Navigate to Setup > Apps > App Manager
  2. Find the Zendesk connected app
  3. Click the dropdown and select Edit
  4. Scroll to OAuth Policies
  5. Enable the toggle/slider for Require Proof Key for Code Exchange (PKCE) - must be set to ON
  6. Save changes

Why: The Zendesk integration requires PKCE for users other than the connecting user to view tickets within Salesforce.

Session settings

Required: The session must not be locked to an IP address.

In Salesforce:

  1. Navigate to Setup > Security > Session Settings
  2. Find Lock sessions to the IP address from which they originated
  3. Ensure this is UNCHECKED, or add Zendesk IPs to your allowed list
  4. Save your changes

Why: Zendesk makes requests from multiple IPs and the connection will fail if locked.

Profile authorization timing

Critical: Configure profiles before connecting the integration.

If you configure profiles after connection:

  • Profiles won't work retroactively
  • You must disconnect and reconnect the integration
  • All field mappings will need reconfiguration

Best practice

Follow the steps in order:

  1. Set up all profiles and permissions
  2. Grant the Zendesk integration user access to the profiles
  3. Connect Zendesk to Salesforce
  4. Verify field access immediately after the connection
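
A preflight for step 1 above, written as an added example and not code from Zendesk or Salesforce: it applies this article's requirements to a custom (non-System Administrator) profile and lists what would block the connection. The dict keys are hypothetical names for values an admin reads off Salesforce Setup, and "full access" is assumed to mean read, create, edit and delete.

```python
# Added example. Every dict key is a hypothetical name for a value an admin
# reads off Salesforce Setup; nothing here calls Salesforce or Zendesk.
FULL_ACCESS = {"read", "create", "edit", "delete"}  # assumed meaning of "full access"
API_ONLY_LICENSE = "Salesforce Integration"
TOPICS_NEEDED = 3  # one each for Accounts, Contacts and Leads

def preflight(user, org):
    """Return blocking findings; an empty list means ready to connect."""
    out = []
    if user["license"] == API_ONLY_LICENSE:
        out.append("license: API-only user cannot complete interactive OAuth")
    if not user["interactive_login"]:
        out.append("login: user cannot log in interactively")
    for perm in ("api_enabled", "modify_metadata"):
        if not user["permissions"].get(perm, False):
            out.append(f"permission: {perm} is not granted")
    for obj in ("push_topics", "streaming_channels"):
        missing = FULL_ACCESS - set(user["object_access"].get(obj, ()))
        if missing:
            out.append(f"object: {obj} lacks {', '.join(sorted(missing))}")
    if not user["object_access"].get("case"):
        out.append("object: no Case access for the initial connection")
    if not org["streaming_api_enabled"]:
        out.append("setup: Streaming API is disabled")
    if not org["pkce_required"]:
        out.append("oauth: Require PKCE is off on the connected app")
    if org["sessions_locked_to_ip"] and not org["zendesk_ips_allowed"]:
        out.append("session: IP lock without Zendesk IPs on the allowed list")
    if user["profile"] not in org["connected_app_profiles"]:
        out.append("connected app: profile missing from Allowed Profiles")
    free = org["push_topic_limit"] - org["push_topic_count"]  # count from the SOQL query
    if free < TOPICS_NEEDED:
        out.append(f"push topics: {free} free, {TOPICS_NEEDED} needed")
    return out
# Constructed sample: a custom profile that is close, but not ready to connect.
SAMPLE_USER = {
    "profile": "Zendesk Integration", "license": "Salesforce Platform",
    "interactive_login": True, "permissions": {"api_enabled": True, "modify_metadata": False},
    "object_access": {"push_topics": FULL_ACCESS,
                      "streaming_channels": {"read", "edit"}, "case": {"read"}},
}
SAMPLE_ORG = {
    "streaming_api_enabled": True, "pkce_required": False,
    "sessions_locked_to_ip": False, "zendesk_ips_allowed": False,
    "connected_app_profiles": ["Zendesk Integration"], "push_topic_limit": 50, "push_topic_count": 48,
}
if __name__ == "__main__":
    for finding in preflight(SAMPLE_USER, SAMPLE_ORG):
        print("BLOCKED", finding)
```

Because profiles don't apply retroactively, clear every finding before connecting rather than after.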