Salesforce (SFDC) Database - Import
Bridge Requirements
This bridge:requires Internet access to https://repo.maven.apache.org/maven2/ and/or other tool sites to download drivers into <TDC_HOME>/data/download/MIMB/.
Bridge Specifications
| Vendor | Salesforce |
| Tool Name | Database |
| Tool Version | Winter'18 (API v41.0) to current |
| Tool Web Site | http://www.salesforce.com/ |
| Supported Methodology | [Relational Database] Data Store (Physical Data Model) via REST API |
| Data Profiling |  |
| Incremental Harvesting |  |
| Multi-Model Harvesting | |
| Remote Repository Browsing for Model Selection | |
SPECIFICATIONS
Tool: Salesforce / Database version Winter'18 (API v41.0) to current via REST API
See http://www.salesforce.com/
Metadata: [Relational Database] Data Store (Physical Data Model)
Component: SalesForceObjects version 11.2.0
DISCLAIMER
This import bridge requires internet access to download third-party libraries:
- such as https://repo.maven.apache.org/maven2/ to download open source third-party libraries,
- and more sites for other third-party software such as database specific JDBC drivers.
The downloaded third-party libraries are stored into $HOME/data/download/MIMB/
- If HTTPS fails, the import bridge then tries with HTTP.
- If a proxy is used to access internet, you must configure that proxy in the JRE (see the -j option in the Miscellaneous parameter).
- If the import bridge does not have full access to internet, that $HOME/data/download/MIMB/ directory can be copied from another server with internet access where the command $HOME/bin/MIMB.sh (or .bat) -d can be used to download all third-party libraries used by all bridges at once.
By running this import bridge, you hereby acknowledge responsibility for the license terms and any potential security vulnerabilities from these downloaded third-party software libraries.
OVERVIEW
This import bridge authenticates the consumer and retrieves available physical metadata (e.g., Tables). Utilizing the username-password authentication flow that assumes the consumer already has the user's credentials.
REQUIREMENTS
In the event that users will be submitting Salesforce Documents, certain security settings must be configured to allow this access on Standard Objects and Custom Objects.
To configure permissions:
- Within Salesforce, click on Setup and then click on Manage Users
- Under the Manage Users tree click on Profiles
- Once the Profiles appear on the right, select which Profile you want to edit and click on the Edit link next to the corresponding profile
Standard Objects: Ensure that the "Documents" section has the Read permissions selected.
Custom Objects: Ensure that the Read permissions selected for each custom objects.
API version: This bridge supports any versions of Salesforce from Winter'18 version (API v41.0) to the latest version such as Spring'23 (API v57.0).
This bridge will automatically detect the API version <MajorInt>.<MinorInt> of the Saleforce Server to make the following requests:
- 'Describe Global' URI: /v<MajorInt>.<MinorInt>/sobjects/
- 'sObject Basic Information' URI: /v<MajorInt>.<MinorInt>/sobjects/sObject/
- 'SOQL Query' URI: /v<MajorInt>.<MinorInt>/query?
Note the above automatic version detection can be overwritten for forcing a specific version using the option -api.version in the Miscellaneous parameter.
To configure OAuth authentication:
- Within SalesForce Administrative console, create a "Manage Connected Apps"
Set the properties like so:
- Enable OAuth Settings
- Under Available OAuth Scopes, select "Provide access to your data via the Web (web)"
Under MM/MIMB:
- Specify the "Consumer Key" and "Consumer Secret"
- Under Miscellaneous parameter, specify "-access_token". If specified, the bridge will not try to get an access token before the import but use the one provided.
To configure OAuth 2.0 JWT Bearer Flow:
-Use the Java utility keytool, in order to generate a keypair. The entry should be named "Salesfoce", e.g.
%JAVA_HOME%\bin\keytool -genkeypair -keystore %JAVA_HOME%\lib\security\cacerts -storepass *specify JKS password* -storetype PKCS12 -alias Salesforce -keyalg RSA -keysize 2048 -dname "CN=Salesforce.Import.Bridge@metaintegration.info, OU=Poltava, O=Metaintegration, L=SanJose, ST=CA, C=US" -validity 365
-Export the generated key pair as a certificate file, e.g.
%JAVA_HOME%\bin\keytool -exportcert -keystore %JAVA_HOME%\lib\security\cacerts -storepass *specify JKS password* -alias Salesforce -file Salesforce.crt -rfc
-Export the generated private key PEM file ""Salesforce.pem"", e.g.
openssl pkcs12 -in KeyStore.jks.p12 -nocerts -nodes -out Salesforce.pem
- Make sure the file has proper content, e.g.
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqtbOsYWiJXTrU
bHUnLvNH5Kieuer3RGSrogiWv2fLjQGXbHWSDjMbCFVU72T3+hT7uyKgfwA8P9V1
...
EioPeaQkpfOkdqNLEf9aZQ==
-----END PRIVATE KEY-----
-The content of this file should be specified in bridge parameter 'Consumer Secret'.
-Within the SalesForce Administrative console, create a "Manage Connected Apps"
Set the properties to:
- Enable OAuth Settings
- Enable "Use digital signatures" and upload the generated certificate.
Under Available OAuth Scopes:
- Select "Provide access to your data via the Web (web)"
- Select "Perform requests at any time (refresh_token, offline_access)"
Under OAuth Policies:
- Specify "Admin approved users are pre-authorized"
Under Profiles:
- Specify the required profile
In order to utilize this flow, specify the required "User" and empty "Password"
FREQUENTLY ASKED QUESTIONS
n/a
LIMITATIONS
Refer to the current general known limitations at https://metaintegration.com/Products/MIMB/Help/#!Documents/mimbknownlimitations.html
Field called "Description" in third column is omitted by Salesforce API, consequently will not appear under any of the Profiles.
SUPPORT
Provide a troubleshooting package with:
- the debug log (can be set in the UI or in conf/conf.properties with MIR_LOG_LEVEL=6)
- the metadata backup if available (can be set in the Miscellaneous parameter with -backup option, although this common option is not implemented on all bridges for technical reasons).
- How to retrieve an SalesForce access_token:
curl https://*your SalesForce instance URL* -d "grant_type=password" -d "client_id=*your SalesForce Client ID*" -d "client_secret=*your secret*" -d "username=*your SalesForce username*" -d "password=*your SalesForce password*" -H "X-PrettyPrint: 1"
When you do not have username-password authentication parameter values but have an access token and your Salesforce instance URL you can specify them using the Miscellaneous parameter (see its description for details). In this case, you still need to fill all mandatory parameters with some text that will be ignored.
Bridge Parameters
| Parameter Name | Description | Type | Values | Default | Scope |
| Instance/My Domain URL | The Salesforce login endpoint URL. By default (when the value is empty) it is https://login.salesforce.com. You can use your company' instance URL (such as https://na30.salesforce.com) or My Domain URL (such as https://myCompanyName.my.salesforce.com/). Your company instance URL is mandatory if you are going to use 'OAuth 2.0 Client Credentials Flow' and leave the password empty. Otherwise, you will have an error 'Cannot retrieve access token. Make sure you specify proper Instance/My Domain URL' |
STRING | |||
| User | The username of the user that the connected app is imitating. | STRING | |||
| Password | The password of the user that the connected app is imitating. Leave this parameter empty if you want to use 'OAuth 2.0 Client Credentials Flow' The security token is an automatically generated key that must be added to the end of the password to log in to Salesforce from an untrusted network.Concatenate the password and token when passing the request for authentication. https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5 |
PASSWORD | |||
| Consumer Key | The Consumer Key from the connected app definition. The connected app's consumer key, which you can find on the connected app's Manage Connected Apps page or from the connected app's definition. https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5 |
STRING | Mandatory | ||
| Consumer Secret | The Consumer Secret from the connected app definition. The connected app's consumer secret, which you can find on the connected app's Manage Connected Apps page or from the connected app's definition. https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5 |
PASSWORD | |||
| Objects | List of object names separated by semicolon ';' or comma ','. E.g. object1, object2 An empty list signifies that all available objects are imported. You can specify object names as a wildcard pattern, e.g. topic? *topic* topic_?,*topic* |
REPOSITORY_SUBSET | |||
| Miscellaneous | INTRODUCTION Specify miscellaneous options starting with a dash and optionally followed by parameters, e.g. -connection.cast MyDatabase1="MICROSOFT SQL SERVER" Some options can be used multiple times if applicable, e.g. -connection.rename NewConnection1=OldConnection1 -connection.rename NewConnection2=OldConnection2; As the list of options can become a long string, it is possible to load it from a file which must be located in ${MODEL_BRIDGE_HOME}\data\MIMB\parameters and have the extension .txt. In such case, all options must be defined within that file as the only value of this parameter, e.g. ETL/Miscellaneous.txt JAVA ENVIRONMENT OPTIONS -java.memory <Java Memory's maximum size> (previously -m) 1G by default on 64bits JRE or as set in conf/conf.properties, e.g. -java.memory 8G -java.memory 8000M -java.parameters <Java Runtime Environment command line options> (previously -j) This option must be the last one in the Miscellaneous parameter as all the text after -java.parameters is passed "as is" to the JRE, e.g. -java.parameters -Dname=value -Xms1G The following option must be set when a proxy is used to access internet (this is critical to access https://repo.maven.apache.org/maven2/ and exceptionally a few other tool sites) in order to download the necessary third-party software libraries. Note: The majority of proxies are concerned with encrypting (HTTPS) the outside (of the company) traffic and trust the inside traffic that can access proxy over HTTP. In this case, an HTTPS request reaches the proxy over HTTP where the proxy HTTPS-encrypts it. -java.parameters -java.parameters -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user -Dhttp.proxyPassword=pass MODEL IMPORT OPTIONS -model.name <model name> Override the model name, e.g. -model.name "My Model Name" -prescript <script name> This option allows running a script before the bridge execution. The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension. The script path must not include any parent directory symbol (..). The script should return exit code 0 to indicate success, or another value to indicate failure. For example: -prescript "script.bat arg1 arg2" -postscript <script name> This option allows running a script after successful execution of the bridge. The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension. The script path must not include any parent directory symbol (..). The script should return exit code 0 to indicate success, or another value to indicate failure. For example: -postscript "script.bat arg1 arg2" -cache.clear Clears the cache before the import, and therefore will run a full import without incremental harvesting. If the model was not changed and the -cache.clear parameter is not used (incremental harvesting), then a new version will not be created. If the model was not changed and the -cache.clear parameter is set (full source import instead of incremental), then a new version will be created. -backup <directory> Allows to save the input metadata for further troubleshooting. The provided <directory> must be empty. -restore <directory> Specify the backup <directory> to be restored. DATA CONNECTION OPTIONS Data Connections are produced by the import bridges typically from ETL/DI and BI tools to refer to the source and target data stores they use. These data connections are then used by metadata management tools to connect them (metadata stitching) to their actual data stores (e.g. databases, file system, etc.) in order to produce the full end to end data flow lineage and impact analysis. The name of each data connection is unique by import model. The data connection names used within DI/BI design tools are used when possible, otherwise connection names are generated to be short but meaningful such as the database / schema name, the file system path, or Uniform Resource Identifier (URI). The following option allows to manipulate connections. These options replaces the legacy options -c, -cd, and -cs. -connection.cast ConnectionName=ConnectionType Casts a generic database connection (e.g. ODBC/JDBC) to a precise database type (e.g. ORACLE) for SQL Parsing, e.g. -connection.cast "My Database"="MICROSOFT SQL SERVER". The list of supported data store connection types includes: ACCESS APACHE CASSANDRA DB2/UDB DENODO GOOGLE BIGQUERY HIVE MYSQL NETEZZA ORACLE POSTGRESQL PRESTO REDSHIFT SALESFORCE SAP HANA SNOWFLAKE MICROSOFT SQL AZURE MICROSOFT SQL SERVER SYBASE SQL SERVER SYBASE AS ENTERPRISE TERADATA VECTORWISE HP VERTICA -connection.rename OldConnection=NewConnection Renames an existing connection to a new name, e.g. -connection.rename OldConnectionName=NewConnectionName Multiple existing database connections can be renamed and merged into one new database connection, e.g. -connection.rename MySchema1=MyDatabase -connection.rename MySchema2=MyDatabase -connection.split oldConnection.Schema1=newConnection Splits a database connection into one or multiple database connections. A single database connection can be split into one connection per schema, e.g. -connection.split MyDatabase All database connections can be split into one connection per schema, e.g. -connection.split * A database connection can be explicitly split creating a new database connection by appending a schema name to a database, e.g. -connection.split MyDatabase.schema1=MySchema1 -connection.map SourcePath=DestinationPath Maps a source path to destination path. This is useful for file system connections when different paths points to the same object (directory or file). On Hadoop, a process can write into a CSV file specified with the HDFS full path, but another process reads from a Hive table implemented (external) by the same file specified using a relative path with default file name and extension, e.g. -connection.map /user1/folder=hdfs://host:8020/users/user1/folder/file.csv On Linux, a given directory (or file) like /data can be referred to by multiple symbolic links like /users/john and /users/paul, e.g. -connection.map /data=/users/John -connection.map /data=/users/paul On Windows, a given directory like C:\data can be referred to by multiple network drives like M: and N:, e.g. -connection.map C:\data=M:\ -connection.map C:\data=N:\ -connection.casesensitive ConnectionName... Overrides the default case insensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g. -connection.casesensitive "My Database" -connection.caseinsensitive ConnectionName... Overrides the default case sensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g. -connection.caseinsensitive "My Database" -connection.level AggregationLevel Specifies the aggregation level for the external connections, e.g.-connection.level catalog The list of the supported values: server catalog schema (default) SALESFORCE OPTIONS -access_token <token> Sets the Salesforce access token. It is a 'long' case-sensitive alphanumeric key that is used FOR temporary (minutes or hours) access Salesforce. When an access token expires, attempts to use it fail. In Salesforce terms, the access token is a session ID (SID), much like a session cookie on other systems. It must be protected against misuse. -api.version <MajorInt>.<MinorInt> Forces the Salesforce API version to be used instead of the latest detected by the bridge. The version value must be specified in the format <MajorInt>.<MinorInt>, e.g. '41.0'. |
STRING |
Bridge Mapping
Mapping information is not available