...

Increasing security

The user installing and connecting S-Drive in the portal must have Modify All Data and Customize Application permissions. This is typically an Admin user.

To increase security, we recommend setting up a special user with its own profile that has Modify All Data and Customize Application permissions, and then removing those permissions after installation. You can clone the System Administrator profile and remove the permissions after installation.

The steps are described briefly here and in more detail in the instructions on this page.

...

Create a user that will be a service user that has Admin permissions, including Modify All Data and Customize Application.

...

Install

...

Now log in to Salesforce as Admin.

...

S-Drive

...

Click the Reschedule button

...

Edit the profile for the service user and remove Modify All Data and Customize Application permissions. (You can set up a permission set for these permissions.) Make sure the service user still has the necessary permissions to send outbound messages and has CRUD permissions to all S-Drive objects. This user should not have the Session Security Level Required at Login (found in the profile under Session Settings) set to High Assurance. It should be set to None.

...

from the

...

Install S-Drive from the AppExchange

Log in to Salesforce as Admin or as a special service user you’ve set up for S-Drive. (See “Increasing Security” above.) If using a service user, it’s best to clone the System Admin profile and use it only for the service user.

...

This step is required to connect your Amazon S3 account with S-Drive. You need to enter a valid "Amazon Access Key" and "Secret Key". After providing keys, if you see "Amazon S3 Credentials are configured correctly," continue with the next step.

...

  Important Note: IAM users that are assigned individual security credentials must have certain permissions to activate and use S-Drive. A minimum policy example can be seen in Getting Set Up - AWS and Portal Accounts. Please apply this policy if you are planning to use this kind of user for the activation.

Step 3: Configure Amazon S3 Bucket Name:

...

  • Create new bucket:

    • Provide a valid bucket name

    • Provide a unique bucket id. This is a nickname you provide. It must be between 3 and 63 characters and can contain lowercase letters, numbers, and hyphens. It can be the same as the bucket name. This field is used to reference the bucket when configuring Multiple Bucket Support.

    • Select the region name to create the bucket on this endpoint location

    • Click “Check Remote Sites.” You will be taken to a Remote Site Setting and will need to save it.

    • When complete, click “Configure Amazon S3 Bucket Name”

    • You will see the page refresh and show your bucket name and the default File Upload Encryption, which is SSE-S3. This can be changed later. See S-Drive Authentication Settings for more information.

    • You can also use the Action buttons to Block Public Access (recommended), Enable Versioning, Enable Acceleration or you can click Add More Buckets to add another bucket.

  • Use existing bucket:

    • Select one of the bucket names from the list (that is retrieved from your Amazon S3 account).

    • Provide a unique bucket id. This can be anything and can be the same as the bucket name. This field is used to reference the bucket when configuring Multiple Bucket Support.

    • Select the File Upload Encryption Type. This can be changed later. See S-Drive Authentication Settings for more information.

    • Click “Check Remote Sites.” You will be taken to a new Remote Site Setting and will need to save it.

    • When complete, click “Configure Amazon S3 Bucket Name”

    • If your bucket is already version enabled, or if you’d like to turn on versioning, click “Enable Versioning” next to the bucket name.

    • If you are using Transfer Acceleration, click “Enable Acceleration”

    • If you would like to block public access for your bucket, click “Block Public Access.” If the bucket is already configured in AWS to block public access, you don’t need to click this.

...

  • Repeat the steps above to add more buckets if desired. See Multi-Bucket Support for more information.

Step 4: S-Drive

...

Connection: 

  • Go to https://portal.sdriveapp.com and log in to the S-Drive portal account you created earlier.

  • Authorize S-Drive to connect to your organization:

Click the Connected Organizations link on the menu (Figure 4‑6). Then under "Connect Salesforce.com Organizations", click either “Production Instance” or “Sandbox Instance” based on where you installed S-Drive. This redirects to the salesforce.com login page.

  • Log in using either Admin credentials or another user with proper credentials. (See note.) If you choose to use a non-Admin user, it’s best to open the portal in a different browser. Otherwise the non-Admin user will take over your Salesforce session.

NOTE: Portal Connection User Requirements

The user connecting S-Drive in the portal is typically an Admin User since the Admin installs S-Drive and then connects it in the portal as part of the installation.

However, the Portal Connection User need not have Modify All Data permission. Using a user that doesn’t have Modify All Data permissions increases security.

If you choose to connect in the portal with a non-Admin user, that user must still have

  • Customize Application permission

  • Send Outbound Messages permission

  • Access to S-Drive’s Apex classes (all start with “cg.” )

  • Access to S-Drive’s Custom Settings Definitions (all start with “SDRIVE.cg.”)

Back inside Salesforce, an Admin user will then need to go to S-Drive Configuration. They will be shown an Activation page with a button to click. Once the button is clicked, users will have access to S-Drive.

After entering login credentials, you’ll see your organization on the list of “Connected Salesforce.com Organizations.”

...

Note


The user that connects the portal to your Salesforce org cannot have the Session Security Level Required at Login (found in the profile under Session Settings) set to High Assurance. It should be set to None.

...

  • Click on the File Object List link

  • Click Find File Objects

  • You’ll see the file objects populated on the list

  • Click Go Back or close the tab

  • If you connected in the portal with a non-Admin user, you will see an Activate button. Click the button.

Step 6: Add CSP Trusted Sites

...

  • Go to Setup-->CSP Trusted Site

  • Add a url in the form https://s3.region.amazonaws.com where region is your bucket region (such as us-east-1)

  • Check the boxes as shown in the image

  • Click Save and New

  • Add a url in the form https://s3.amazonaws.com

  • Check the boxes as shown in the image

  • Click Save and New

  • Add a url for zip and download: https://zip.cyangate.com

  • Click Save

If you used a service user to install S-Drive:

  • Log in to Salesforce as Admin

  • Go to S-Drive Configuration--General Settings Tab

  • Scroll down to Other Settings

  • Click “Reschedule” to start our payment calculation job.

  • Edit the profile for the service user used to install S-Drive

  • Remove Modify All Data permission

  • Remove Customize Application permission
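
One way to confirm the cleanup above took effect, as an added example (not part of S-Drive or its documentation): a user's permissions are the union of the profile and every assigned permission set, so editing the profile alone does not remove a permission that a permission set still grants. The query uses standard Salesforce PermissionSet fields; the username, profile name and sample rows are constructed, and running the query through an API client of your choice is assumed.

```python
# Added example, not S-Drive code. Field names are standard Salesforce
# PermissionSet fields; the username and sample rows are constructed.
SOQL = (
    "SELECT PermissionSet.Label, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.Profile.Name, PermissionSet.PermissionsModifyAllData, "
    "PermissionSet.PermissionsCustomizeApplication "
    "FROM PermissionSetAssignment "
    "WHERE Assignee.Username = 'sdrive.service@example.com'"  # placeholder user
)

WATCHED = {
    "PermissionsModifyAllData": "Modify All Data",
    "PermissionsCustomizeApplication": "Customize Application",
}


def remaining_grants(rows):
    """Return {permission: [sources]} for every source that still grants it."""
    grants = {label: [] for label in WATCHED.values()}
    for row in rows:
        ps = row["PermissionSet"]
        # The profile appears in this table as a profile-owned permission set.
        if ps.get("IsOwnedByProfile"):
            source = "profile: " + ps["Profile"]["Name"]
        else:
            source = "permission set: " + ps["Label"]
        for field, label in WATCHED.items():
            if ps.get(field):
                grants[label].append(source)
    return grants


# Constructed rows in the nested shape the REST query API returns: the cloned
# profile was cleaned up, but a leftover permission set still grants both.
SAMPLE_ROWS = [
    {"PermissionSet": {"Label": "00eX0000000AAAA", "IsOwnedByProfile": True,
                       "Profile": {"Name": "S-Drive Service Admin"},
                       "PermissionsModifyAllData": False,
                       "PermissionsCustomizeApplication": False}},
    {"PermissionSet": {"Label": "S-Drive Install (temporary)",
                       "IsOwnedByProfile": False, "Profile": None,
                       "PermissionsModifyAllData": True,
                       "PermissionsCustomizeApplication": True}},
]

if __name__ == "__main__":
    for permission, sources in remaining_grants(SAMPLE_ROWS).items():
        print(permission, "->", ", ".join(sources) or "not granted")
```

An empty list for a permission means no profile or permission set assigned to the user grants it any longer.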

A Note on Profile: Session Security Level Required at Login

Session Security Level Required at Login is a Session Setting in profiles that can be set to require 2 Factor Authentication. The profile of the user used to connect the portal must have this set to None (not High Assurance.)

Additionally, check Setup-->Outbound Messages. On each of S-Drive’s outbound messages, ensure the “user to send as” field is a user that does not have High Assurance. The outbound messages are:

  • AttachmentSync Callout

  • FileSizeRequest Callout

  • FileSync Callout

  • Preview Callout

...