Skip to main content Skip to complementary content

Salesforce (SFDC) Database - Import

Availability-note AWS

Bridge Requirements

This bridge:
  • requires Internet access to https://repo.maven.apache.org/maven2/ and/or other tool sites to download drivers into <TDC_HOME>/data/download/MIMB/.

Bridge Specifications

Vendor Salesforce
Tool Name Database
Tool Version Winter'18 (API v41.0) to current
Tool Web Site http://www.salesforce.com/
Supported Methodology [Relational Database] Data Store (Physical Data Model) via REST API
Data Profiling
Incremental Harvesting
Multi-Model Harvesting
Remote Repository Browsing for Model Selection

SPECIFICATIONS
Tool: Salesforce / Database version Winter'18 (API v41.0) to current via REST API
See http://www.salesforce.com/
Metadata: [Relational Database] Data Store (Physical Data Model)
Component: SalesForceObjects version 11.2.0

DISCLAIMER
This import bridge requires internet access to download third-party libraries:
- such as https://repo.maven.apache.org/maven2/ to download open source third-party libraries,
- and more sites for other third-party software such as database specific JDBC drivers.

The downloaded third-party libraries are stored into $HOME/data/download/MIMB/
- If HTTPS fails, the import bridge then tries with HTTP.
- If a proxy is used to access internet, you must configure that proxy in the JRE (see the -j option in the Miscellaneous parameter).
- If the import bridge does not have full access to internet, that $HOME/data/download/MIMB/ directory can be copied from another server with internet access where the command $HOME/bin/MIMB.sh (or .bat) -d can be used to download all third-party libraries used by all bridges at once.

By running this import bridge, you hereby acknowledge responsibility for the license terms and any potential security vulnerabilities from these downloaded third-party software libraries.

OVERVIEW
This import bridge authenticates the consumer and retrieves available physical metadata (e.g., Tables). Utilizing the username-password authentication flow that assumes the consumer already has the user's credentials.

REQUIREMENTS
In the event that users will be submitting Salesforce Documents, certain security settings must be configured to allow this access on Standard Objects and Custom Objects.
To configure permissions:
- Within Salesforce, click on Setup and then click on Manage Users
- Under the Manage Users tree click on Profiles
- Once the Profiles appear on the right, select which Profile you want to edit and click on the Edit link next to the corresponding profile

Standard Objects: Ensure that the "Documents" section has the Read permissions selected.
Custom Objects: Ensure that the Read permissions selected for each custom objects.

API version: This bridge supports any versions of Salesforce from Winter'18 version (API v41.0) to the latest version such as Spring'23 (API v57.0).
This bridge will automatically detect the API version <MajorInt>.<MinorInt> of the Saleforce Server to make the following requests:
- 'Describe Global' URI: /v<MajorInt>.<MinorInt>/sobjects/
- 'sObject Basic Information' URI: /v<MajorInt>.<MinorInt>/sobjects/sObject/
- 'SOQL Query' URI: /v<MajorInt>.<MinorInt>/query?
Note the above automatic version detection can be overwritten for forcing a specific version using the option -api.version in the Miscellaneous parameter.

To configure OAuth authentication:
- Within SalesForce Administrative console, create a "Manage Connected Apps"
Set the properties like so:
- Enable OAuth Settings
- Under Available OAuth Scopes, select "Provide access to your data via the Web (web)"
Under MM/MIMB:
- Specify the "Consumer Key" and "Consumer Secret"
- Under Miscellaneous parameter, specify "-access_token". If specified, the bridge will not try to get an access token before the import but use the one provided.

To configure OAuth 2.0 JWT Bearer Flow:
- Use the Java utility keytool, in order to generate a keypair. The entry should be named "Salesforce", e.g.
%JAVA_HOME%\bin\keytool -genkeypair -keystore %JAVA_HOME%\lib\security\cacerts -storepass *specify JKS password* -storetype PKCS12 -alias Salesforce -keyalg RSA -keysize 2048 -dname "CN=Salesforce.Import.Bridge@metaintegration.info, OU=Poltava, O=Metaintegration, L=SanJose, ST=CA, C=US" -validity 365

- Export the generated key pair as a certificate file, e.g.
%JAVA_HOME%\bin\keytool -exportcert -keystore %JAVA_HOME%\lib\security\cacerts -storepass *specify JKS password* -alias Salesforce -file Salesforce.crt -rfc

- Export the generated private key PEM file "Salesforce.pem", e.g.
openssl pkcs12 -in KeyStore.jks.p12 -nocerts -nodes -out Salesforce.pem
- Make sure the file has proper content, e.g.
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqtbOsYWiJXTrU
bHUnLvNH5Kieuer3RGSrogiWv2fLjQGXbHWSDjMbCFVU72T3+hT7uyKgfwA8P9V1
...
EioPeaQkpfOkdqNLEf9aZQ==
-----END PRIVATE KEY-----
-The content of this file should be specified in bridge parameter 'Consumer Secret'.

- Within the SalesForce Administrative console, create "Manage Connected Apps"
Set the properties to:
- Enable OAuth Settings
- Enable "Use digital signatures" and upload the generated certificate.

Under Available OAuth Scopes:
- Select "Provide access to your data via the Web (web)"
- Select "Perform requests at any time (refresh_token, offline_access)"

Under OAuth Policies:
- Specify "Admin approved users are pre-authorized"

Under Profiles:
- Specify the required profile

In order to utilize this flow, specify the required "User" and empty "Password" under their respective fields.

FREQUENTLY ASKED QUESTIONS
n/a

LIMITATIONS
Refer to the current general known limitations at https://metaintegration.com/Products/MIMB/Help/#!Documents/mimbknownlimitations.html
Field called "Description" in third column is omitted by the Salesforce API, consequently it will not appear under any Profiles.

SUPPORT
Provide a troubleshooting package with:
- the debug log (can be set in the UI or in conf/conf.properties with MIR_LOG_LEVEL=6)
- the metadata backup if available (can be set in the Miscellaneous parameter with -backup option, although this common option is not implemented on all bridges for technical reasons).

- How to retrieve an SalesForce access_token:
curl https://*your SalesForce instance URL* -d "grant_type=password" -d "client_id=*your SalesForce Client ID*" -d "client_secret=*your secret*" -d "username=*your SalesForce username*" -d "password=*your SalesForce password*" -H "X-PrettyPrint: 1"

When you do not have username-password authentication parameter values but have an access token and your Salesforce instance URL you can specify them using the Miscellaneous parameter (see its description for details). In this case, you still need to fill all mandatory parameters with text that will be ignored.


Bridge Parameters

Parameter Name Description Type Values Default Scope
Instance/My Domain URL The Salesforce login endpoint URL.
By default (when the value is empty) it is https://login.salesforce.com.
You can use your company' instance URL (such as https://na30.salesforce.com) or My Domain URL (such as https://myCompanyName.my.salesforce.com/).
Your company instance URL is mandatory if you are going to use 'OAuth 2.0 Client Credentials Flow' and leave the password empty. Otherwise, you will have an error 'Cannot retrieve access token. Make sure you specify proper Instance/My Domain URL'
STRING      
User The username of the user that the connected app is imitating. STRING      
Password The password of the user that the connected app is imitating. Leave this parameter empty if you want to use 'OAuth 2.0 Client Credentials Flow'
The security token is an automatically generated key that must be added to the end of the password to log in to Salesforce from an untrusted network.Concatenate the password and token when passing the request for authentication.
https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5
PASSWORD      
Consumer Key The Consumer Key from the connected app definition.
The connected app's consumer key, which you can find on the connected app's Manage Connected Apps page or from the connected app's definition.
https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5
STRING     Mandatory
Consumer Secret The Consumer Secret from the connected app definition.
The connected app's consumer secret, which you can find on the connected app's Manage Connected Apps page or from the connected app's definition.
https://help.salesforce.com/articleView?id=remoteaccess_oauth_username_password_flow.htm&;type=5
PASSWORD      
Objects List of object names separated by semicolon ';' or comma ','. E.g. object1, object2
An empty list signifies that all available objects are imported.
You can specify object names as a wildcard pattern, e.g.
topic?

*topic*

topic_?,*topic*
REPOSITORY_SUBSET      
Miscellaneous INTRODUCTION
Specify miscellaneous options starting with a dash and optionally followed by parameters, e.g.
-connection.cast MyDatabase1="MICROSOFT SQL SERVER"
Some options can be used multiple times if applicable, e.g.
-connection.rename NewConnection1=OldConnection1 -connection.rename NewConnection2=OldConnection2;
As the list of options can become a long string, it is possible to load it from a file which must be located in ${MODEL_BRIDGE_HOME}\data\MIMB\parameters and have the extension .txt. In such case, all options must be defined within that file as the only value of this parameter, e.g.
ETL/Miscellaneous.txt

JAVA ENVIRONMENT OPTIONS
-java.memory <Java Memory's maximum size> (previously -m)

1G by default on 64bits JRE or as set in conf/conf.properties, e.g.
-java.memory 8G
-java.memory 8000M

-java.parameters <Java Runtime Environment command line options> (previously -j)

This option must be the last one in the Miscellaneous parameter as all the text after -java.parameters is passed "as is" to the JRE, e.g.
-java.parameters -Dname=value -Xms1G
The following option must be set when a proxy is used to access internet (this is critical to access https://repo.maven.apache.org/maven2/ and exceptionally a few other tool sites) in order to download the necessary third-party software libraries.
Note: The majority of proxies are concerned with encrypting (HTTPS) the outside (of the company) traffic and trust the inside traffic that can access proxy over HTTP. In this case, an HTTPS request reaches the proxy over HTTP where the proxy HTTPS-encrypts it.
-java.parameters -java.parameters -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=3128 -Dhttp.proxyUser=user -Dhttp.proxyPassword=pass

MODEL IMPORT OPTIONS
-model.name <model name>

Override the model name, e.g.
-model.name "My Model Name"

-prescript <script name>

This option allows running a script before the bridge execution.
The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension.
The script path must not include any parent directory symbol (..).
The script should return exit code 0 to indicate success, or another value to indicate failure.
For example:
-prescript "script.bat arg1 arg2"

-postscript <script name>

This option allows running a script after successful execution of the bridge.
The script must be located in the bin directory (or as specified with M_SCRIPT_PATH in conf/conf.properties), and have .bat or .sh extension.
The script path must not include any parent directory symbol (..).
The script should return exit code 0 to indicate success, or another value to indicate failure.
For example:
-postscript "script.bat arg1 arg2"

-cache.clear

Clears the cache before the import, and therefore will run a full import without incremental harvesting.

If the model was not changed and the -cache.clear parameter is not used (incremental harvesting), then a new version will not be created.
If the model was not changed and the -cache.clear parameter is set (full source import instead of incremental), then a new version will be created.

-backup <directory>

Allows to save the input metadata for further troubleshooting. The provided <directory> must be empty.

-restore <directory>

Specify the backup <directory> to be restored.

DATA CONNECTION OPTIONS
Data Connections are produced by the import bridges typically from ETL/DI and BI tools to refer to the source and target data stores they use. These data connections are then used by metadata management tools to connect them (metadata stitching) to their actual data stores (e.g. databases, file system, etc.) in order to produce the full end to end data flow lineage and impact analysis. The name of each data connection is unique by import model. The data connection names used within DI/BI design tools are used when possible, otherwise connection names are generated to be short but meaningful such as the database / schema name, the file system path, or Uniform Resource Identifier (URI). The following option allows to manipulate connections. These options replaces the legacy options -c, -cd, and -cs.

-connection.cast ConnectionName=ConnectionType

Casts a generic database connection (e.g. ODBC/JDBC) to a precise database type (e.g. ORACLE) for SQL Parsing, e.g.
-connection.cast "My Database"="MICROSOFT SQL SERVER".
The list of supported data store connection types includes:
ACCESS
APACHE CASSANDRA
DB2/UDB
DENODO
GOOGLE BIGQUERY
HIVE
MYSQL
NETEZZA
ORACLE
POSTGRESQL
PRESTO
REDSHIFT
SALESFORCE
SAP HANA
SNOWFLAKE
MICROSOFT SQL AZURE
MICROSOFT SQL SERVER
SYBASE SQL SERVER
SYBASE AS ENTERPRISE
TERADATA
VECTORWISE
HP VERTICA

-connection.rename OldConnection=NewConnection

Renames an existing connection to a new name, e.g.
-connection.rename OldConnectionName=NewConnectionName
Multiple existing database connections can be renamed and merged into one new database connection, e.g.
-connection.rename MySchema1=MyDatabase -connection.rename MySchema2=MyDatabase

-connection.split oldConnection.Schema1=newConnection

Splits a database connection into one or multiple database connections.
A single database connection can be split into one connection per schema, e.g.
-connection.split MyDatabase
All database connections can be split into one connection per schema, e.g.
-connection.split *
A database connection can be explicitly split creating a new database connection by appending a schema name to a database, e.g.
-connection.split MyDatabase.schema1=MySchema1

-connection.map SourcePath=DestinationPath

Maps a source path to destination path. This is useful for file system connections when different paths points to the same object (directory or file).
On Hadoop, a process can write into a CSV file specified with the HDFS full path, but another process reads from a Hive table implemented (external) by the same file specified using a relative path with default file name and extension, e.g.
-connection.map /user1/folder=hdfs://host:8020/users/user1/folder/file.csv
On Linux, a given directory (or file) like /data can be referred to by multiple symbolic links like /users/john and /users/paul, e.g.
-connection.map /data=/users/John -connection.map /data=/users/paul
On Windows, a given directory like C:\data can be referred to by multiple network drives like M: and N:, e.g.
-connection.map C:\data=M:\ -connection.map C:\data=N:\

-connection.casesensitive ConnectionName...

Overrides the default case insensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g.
-connection.casesensitive "My Database"

-connection.caseinsensitive ConnectionName...

Overrides the default case sensitive matching rules for the object identifiers inside the specified connection, provided the detected type of the data store by itself supports this configuration (e.g. Microsoft SQL Server, MySql etc.), e.g.
-connection.caseinsensitive "My Database"

-connection.level AggregationLevel

Specifies the aggregation level for the external connections, e.g.-connection.level catalog
The list of the supported values:
server
catalog
schema (default)

SALESFORCE OPTIONS

-access_token <token>


Sets the Salesforce access token. It is a "long" case-sensitive alphanumeric key that is used FOR temporary (minutes or hours) access Salesforce. When an access token expires, attempts to use it will fail. In Salesforce terms, the access token is a session ID (SID), much like a session cookie on other systems. It must be protected against misuse.

-api.version <MajorInt>.<MinorInt>


Forces the Salesforce API version to be used instead of the latest detected by the bridge. The version value must be specified in the format <MajorInt>.<MinorInt>, e.g. '41.0'.
STRING      

 

Bridge Mapping

Mapping information is not available

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!