What profile permissions are required for the Zendesk for Salesforce integration?

Question

I want to set up the Zendesk for Salesforce integration, but I cannot use the default System Administrator profile. What permissions do I need to link them successfully?

Answer

Salesforce Profile Requirements

Important: Full Salesforce User License Required

Do not use an API-only Salesforce user to connect this integration.

The Salesforce user connecting the Zendesk integration must meet these requirements:

Have a full Salesforce user license (not "SALESFORCE INTEGRATION" license type)
Be able to log in interactively to Salesforce
Have standard user profile capabilities
Not be an "API Only" user type

Reasons why API-only users fail:

Integration connection requires interactive OAuth authentication
API-only users cannot complete the OAuth authorization flow
Salesforce API-only license type blocks required authentication methods

To resolve API-only user issues:

Provision a full Salesforce license for the integration connection
Contact your Salesforce administrator
Budget for additional Salesforce license cost

To check if a user is API-only:

Go to Salesforce setup Users [select user]
Check the License field
If the license is Salesforce Integration, the user is API-only and will not work
Required license types include Salesforce, Salesforce Platform, or a full Sales or Service Cloud license

Required Permissions

Once you confirm you have a full, not API-only, Salesforce user, that user needs these permissions:

Administrative Permissions API Enabled

If you do not see the option within your profile, reach out to Salesforce support or check that your SFDC plan includes access to the API. For more information, see the Salesforce community post: "Enable API" not available.

Administrative Permissions Modify Metadata Through Metadata API Functions

Modify Metadata

Standard Objects Permissions Push Topics (full access)

Push topics are required to use the Account, Contact, or Lead syncing portion of the Data Sync feature. Push topics rely on the SFDC Streaming API.

Standard Objects Permissions Streaming Channels (full access)

This is required to renew the streaming connection for the Account, Contact, or Lead syncing. For more information, see Configuring data sync from Salesforce to Zendesk.

Setup Enable Streaming API

This option must be enabled.

Enable Streaming API

Access to account, contact, lead, or opportunity objects

The default ticket-view settings will appear as the fields below.

Any user who wishes to use the Ticket View needs read-only access, at least, to the listed fields within their respective objects in Salesforce. See the requirements for the default fields:

Account object: Account Name field
Contact object: Email field
Opportunity object: Related account name field
Lead object: Email field

Access to Case Objects

If you are not using the ticket-to-case sync, access to the Case object is required to connect the integration initially.

Access to relevant Case fields

Case fields setting is only required if using the integration's ticket-to-case syncing feature. The relevant fields include all of the fields listed in the Standard field mapping section: Setting up Ticket Sync from Zendesk to Salesforce.

To modify these fields within a profile:

Navigate to Field-level security Case (view)
Ensure that the profile in question has edit access to the aforementioned fields

Access to the Connected app

The Allowed Profiles in the Connected App Manager is mentioned within Setting up user access to Zendesk tickets in Salesforce. These settings need to be in place when the integration is connected in Admin Center, and will not retroactively apply if updated after the app is connected.

Available Push Topics

According to Salesforce Streaming Limits, plans are typically maxed out at 40, 50, or 100 push topics.

These could be consumed by other integrations or apps. To see how many currently exist, execute the following SOQL query using the Developer Console or Workbench.

SELECT count() from PushTopic

The Zendesk for Salesforce integration needs to create three of these push topics, one each for Accounts, Contacts, and Leads.

Visualforce Pages

The Lightning component should automatically inherit the permissions of the connected app. However, the Visualforce pages will only be authorized for the System Administrator profile until specified otherwise. To control the permissions of these Visualforce pages, go to Salesforce Setup Custom Code Visualforce Pages.

From there, make sure the profile has access to the Visualforce page in question.