Enterprise Recon 2.10.0


This section covers the following topics:


When Salesforce is added as a scan Target, ER2 returns all Standard Objects (including Salesforce Files and Chatter), Custom Objects and Big Objects in the Salesforce domain. You can scan the whole domain or select specific Objects when setting up the scan schedule for the Salesforce Target.

For information on scanning archived and deleted Salesforce data, see Archived or Deleted Salesforce Data.

To set up Salesforce as a Target:

  1. Configure Salesforce Account
  2. Set Up and Scan a Salesforce Target

To scan specific paths in a Salesforce Target, see Edit Salesforce Target Path.


For Sitewide Licenses, all scanned Salesforce Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Salesforce Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.


Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
  • Cloud service-specific access keys.
Required Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
TCP Allowed Connections Port 443

Configure Salesforce Account

You will need to perform the following setup to scan Salesforce Targets:

  1. Generate Certificate and Private Key
  2. Create Connected App

Generate Certificate and Private Key

To scan Salesforce Targets, you will need a digital signature associated with a digital certificate and private key.

To generate the digital certificate and private key:

  1. Open a Terminal or Windows Command Prompt.
  2. Install the OpenSSL package and run the following command:

    # Syntax: openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days <number of days> -keyout <*.key private key file> -out <*.crt certificate file> openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout er-salesforce.key -out er-salesforce.crt

    Parameter Description
    (Optional) days Number of days to certify the certificate for. The default is 30 days.
    keyout Output filename to write the private key to. For example, er-salesforce.key.
    out Output filename to write the digital certificate to. For example, er-salesforce.crt.
  3. openssl asks for the following information:

    Prompt Answer
    Country Name (2 letter code) [AU]: Your country's two letter country code (ISO 3166-1 alpha-2).
    State or Province Name (full name) [Some-State]: State or province name.
    Locality Name (e.g., city) []: City name or name of region.
    Organization Name (e.g., company) [Internet Widgits Pty Ltd]: Name of organization.
    Organizational Unit Name (e.g., section) []: Name of organizational department.
    Common Name (e.g. server FQDN or YOUR name) []: Fully qualified domain name of the Master Server.
    Email Address []: Email address of organization's contact person.

The openssl command generates two output files:

Create Connected App

To create a connected app in Salesforce for ER2:

  1. With your administrator account, log in to your organization's Salesforce site and go to Setup.
  2. In the Setup > Home tab, enter "App Manager" in the Quick Find box, and select App Manager.
  3. In the Lightning Experience App Manager page, click on New Connected App.
  4. In the Basic Information section, fill in the following fields:

    Field Description
    Connected App Name Enter a descriptive display name for ER2. For example, Enterprise_Recon.
    API Name Enter a unique identifier to use when referring to the app programmatically. For example, Enterprise_Recon.
    Contact Email Enter an email address that Salesforce can use if they need to contact you about the connected app.
  5. In the API (Enable OAuth Settings) section, select the Enable OAuth Settings checkbox.
  6. In the Callback URL field, enter the URL to redirect to after successful authorization of the connected app. For example, https://example.com/callback-enterprise-recon.

  7. Select the Use digital signatures checkbox and click Choose File to upload a digital certificate. For example, er-salesforce.crt. See Generate Certificate and Private Key for more information.
  8. Under Select OAuth Scopes, select and Add the following permissions for the "Enterprise_Recon" connected app:

    Available OAuth Scopes Description
    • Access the identity URL service (id, profile, email, address, phone)
    • Manage user data via APIs (api)
    • Perform requests at any time (refresh_token, offline_access)
    Required for probing, scanning and remediating Salesforce Targets.
  9. Click Save > Continue.
  10. In the Manage Connected Apps page, go to API (Enable OAuth Settings) > Consumer Key and click Copy. The consumer key will be required when you Set Up and Scan a Salesforce Target.
  11. Click Manage > Edit Policies.
  12. Under OAuth Policies > Permitted Users, select Admin approved users are pre-authorized.
  13. Click Save.
  14. Back in the App Manager page, go to the Profiles section and click Manage Profiles.
  15. In the Application Profile Assignment page, select the profile(s) (e.g. "System Administrator") that you want to allow to access the "Enterprise_Recon" connected app.

    The username that is specified for the Salesforce Account field when you Set Up and Scan a Salesforce Target must be assigned to at least one of the profiles that has:
    • Access to the ER2 connected app (e.g. "Enterprise_Recon"), and
    • Minimum "Read" permissions for the Salesforce Objects to be scanned.
    See Salesforce Help - Object Permissions for more information.
  16. Click Save.
  17. In the Setup > Home tab, enter "Profiles" in the Quick Find box, and select Profiles.
  18. Go to the profile(s) selected in Step 15 (e.g. "System Administrator") and click Edit.
  19. In the Administrative Permissions section, select the following checkboxes:
    • API Enabled
    • Query All Files
  20. Click Save.

Set Up and Scan a Salesforce Target

  1. From the New Scan page, Add Targets.
  2. In the Select Target Type dialog box, select Salesforce.
  3. Fill in the following fields:
    Dialog box to configure the path, credentials and proxy agent for a Salesforce Target.

    Field Description
    Salesforce Domain Enter the organization's domain name.
    To get the domain name for your organization's Saleforce site, log in to Salesforce and go to Setup > Company Settings > My Domain. The value in the My Domain Name field is your Salesforce domain. Salesforce My Domain value for setting up the Target.
    New Credential Label Enter a descriptive label for the credential set.
    Salesforce Account

    Use the correct username syntax for the Salesforce Account according to the Salesforce site.


    • Syntax: <username>
    • Example: admin@example.com


    • Syntax: sandbox:<username>
    • Example: sandbox:admin@example.com.test

    The username that is specified for the Salesforce Account field must be assigned to at least one of the profiles that has:
    • Access to the ER2 connected app (e.g. "Enterprise_Recon"), and
    • Minimum "Read" permissions for the Salesforce Objects to be scanned.
    See Create Connected App and Salesforce Help - Object Permissions for more information.
    Consumer Key

    Enter the Consumer Key obtained from Create Connected App.

    For example, 1234567890.ThisIsTheConsumerKeyForTheEnterpriseReconConnectedAppForSalesforce_1234567.

    Private Key

    Upload the private key file obtained from Generate Certificate and Private Key.

    For example, er-salesforce.key.

    Agent to act as a proxy host Select a Proxy Agent host with direct Internet access.
    Recommended Least Privilege User Approach

    To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.
  6. (Optional) On the Select Locations page, probe the Target to browse and select specific Salesforce Objects to scan.

  7. Click Next.
  8. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  9. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  10. (Optional) Configure the Partial Salesforce object scanning parameter, Scan maximum [N] records, sorted by last modified date in descending order, where N:
    • Is the maximum number of records to scan per Salesforce Object.
    • Must be a positive integer (N ≥ 1).
    • Must be less than or equal to 2147483647 (N ≤ 2147483647).

    See Partial Salesforce Object Scanning for more information.

  11. Click Next.
  12. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Exclude Files or Attachments from Scans for Salesforce Targets

To exclude scanning files and/or attachments in Salesforce:

  • Do not select Objects that contain files / attachments (Attachments, Documents, ContentVersion Objects, etc.) when selecting scan locations in Step 6, or
  • Use the Exclude Location by Prefix Global Filter to exclude the Objects that contain files (e.g. s/ContentVersion) when scanning Salesforce Targets.
    Set up the global filter to exclude specific Objects from Salesforce Targets

Partial Salesforce Object Scanning

The Partial Salesforce object scanning parameter is optional. If the parameter is left blank, ER2 will proceed to scan all available records in a Salesforce Object.

The maximum number of records to scan per Salesforce Object, N will apply to all Salesforce Targets that are included in the scan schedule.

All records will be scanned if the number of available records in a Salesforce Object is less than N.

Edit Salesforce Target Path

To scan a specific Target location in Salesforce:

  1. Set Up and Scan a Salesforce Target.
  2. In the Select Locations section, select your Salesforce Target location and click Edit.
  3. In the Edit Salesforce Location dialog box, enter the Path to scan. Use the following syntax:

    Salesforce Object Type Path Syntax
    Standard Object

    Syntax: s/<object API name>

    Example: s/Account

    Custom Object

    Syntax: c/<object API name>

    Example: c/Account__c

    Big Object

    Syntax: b/<object API name>

    Example: b/Account__b

  4. Click Test and then Commit to save the path to the Target location.

Archived or Deleted Salesforce Data

ER2 supports the scanning of archived and deleted records in Salesforce Objects. These records will contain the "Archived" or "Deleted" tags in the location's metadata information.

Scanning of archived and deleted files is not supported by ER2.

Salesforce Files and Attachments

When a Salesforce Object is selected during a scan, ER2 scans all attachments and files associated with the parent records under the selected Object.

Each attachment and file is scanned and reported as a distinct location from its parent record. Files with multiple versions are differentiated by the Version N suffix in the location path.


The "ContentVersion" Object contains records for the file "Data.txt". If there are three versions of "Data.txt", and a match is found in two file versions (Version 1 and Version 3), ER2 reports this as:

  • Six scanned locations, where the record and file for each version of "Data.txt" are distinct scanned locations, and
  • Two match locations, where Version 1 and Version 3 of "Data.txt" are distinct match locations.

Unsupported Salesforce Standard Objects

ER2 currently does not support the following Salesforce Standard Objects:

  • AccountUserTerritory2View
  • AppTabMember
  • ColorDefinition
  • ContentDocumentLink
  • ContentFolderItem
  • ContentFolderMember
  • DataStatistics
  • DataType
  • DatacloudAddress
  • EntityParticle
  • FieldDefinition
  • FlexQueueItem
  • FlowVariableView
  • FlowVersionView
  • IconDefinition
  • IdeaComment
  • ListViewChartInstance
  • NetworkUserHistoryRecent
  • OutgoingEmail
  • OutgoingEmailRelation
  • OwnerChangeOptionInfo
  • PicklistValueInfo
  • PlatformAction
  • RelationshipDomain
  • RelationshipInfo
  • SearchLayout
  • SiteDetail
  • UserEntityAccess
  • UserFieldAccess
  • UserRecordAccess
  • Vote

Selecting these Standard Objects when scanning Salesforce Targets will result in ER2 reporting these Objects as Inaccessible Locations.

To prevent unsupported Standard Objects from being reported as inaccessible locations, you are recommended to select specific Salesforce Objects when scheduling scans for Salesforce Targets.

Salesforce API Limits

Salesforce imposes a limit for the total number of inbound API calls that can be made per 24-hour period for an organization. For each API call to Salesforce, ER2 queries and retrieves:

  • Up to 2000 records (including Big Objects), or
  • A single attachment or file.

If an organization reaches its daily API request limits:

  • A critical error will be flagged for the Salesforce domain (or location) with the HTTP 403 error - "REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded".
  • Ongoing Salesforce scans will stop executing with the "Failed" status, and the critical error will be reflected on the last Object that was scanned when the limit was reached.
  • Probing a Salesforce Target will result in the HTTP 403 error - "REQUEST_LIMIT_EXCEEDED. TotalRequest Limit Exceeded".

See Salesforce - API Request Limits and Allocations for more information.