---
title: Add a Salesforce source
slug: '1052'
canonical_url: https://docs.coveo.com/en/1052/
collection: coveo-for-salesforce
source_format: adoc
---
# Add a Salesforce source

A Salesforce [source](https://docs.coveo.com/en/246/) enables you to [index](https://docs.coveo.com/en/204/) and search your Salesforce content through Coveo-powered [search interfaces](https://docs.coveo.com/en/2741/).
You can index any Salesforce object and field, including standard objects (such as Accounts, Cases, and Opportunities), custom objects, Chatter feeds, Knowledge articles, and CRM content.

This article guides you through the process of creating a dedicated Salesforce crawling user, adding a Salesforce source, and configuring what content to index.
The source can maintain your Salesforce security model, ensuring users only see search results for content they have access to in Salesforce.

> **Notes**
>
> * To index Salesforce Commerce Cloud content such as products, variants, and availabilities, use a [REST API source](https://docs.coveo.com/en/1896/) instead and follow the [commerce-specific instructions](https://docs.coveo.com/en/sal3s118#index-a-salesforce-commerce-cloud).
> 
> * To index content from Salesforce Experience Builder sites, use the [dedicated Web source configuration](https://docs.coveo.com/en/q1d80283/) instead.


## Source features summary

The following table presents the main characteristics of a Salesforce source.

[%header,cols="~,~,~,~"]
|===
2+|Features
^|Supported
|Additional information

2+|Salesforce versions
|The Coveo for Salesforce connector is updated on a regular basis to use the latest [Salesforce API version](https://help.salesforce.com/s/articleView?id=release-notes.salesforce_release_notes.htm). However, when a new API version is released, it may take a few weeks for it to be officially supported.
|

2+|Indexable content
<a|* Standard/custom objects and fields
* Chatter feed items and files

* Multilingual Knowledge base articles and attachments

* CRM content (binary files such as PDF)
|Indexing Salesforce commerce content requires a [different approach](https://docs.coveo.com/en/sal3s118/).

.3+|[Content update operations](https://docs.coveo.com/en/2039/)
|[refresh](https://docs.coveo.com/en/2710/)
^|[check]
|[Takes place every 15 minutes by default.](https://docs.coveo.com/en/1933/)

|[rescan](https://docs.coveo.com/en/2711/)
^|[check]
a|A rescan or a rebuild is required to retrieve:

* Attached and detached KB articles from cases.

* Deleted KB articles and related files.

* Deleted KB articles that have reached the archived status.

* Non-replicable deleted objects such as deleted ContentVersion (CRM Content and Chatter files) attachments and other items.

* Changes that occurred more than 30 days ago since the last refresh (a scheduled refresh triggers a rescan).

* Permission changes for a profile, permission set, object sharing, or object security level.

|[rebuild](https://docs.coveo.com/en/2712/)
^|[check]
|

.3+|[Content security](https://docs.coveo.com/en/1779/) options
|Same users and groups as in your content system
^|[check]
|Some [limitations](#limitations-regarding-salesforce-securities) apply.

|Specific users or groups
^|[check]
|

|Everyone
^|[check]
|

.2+|Metadata indexing for search

|Automatically indexed [metadata](https://docs.coveo.com/en/218/)
2+a|Examples of [auto-populated default fields](https://docs.coveo.com/en/1833#field-origin) (no user-defined metadata required):  
&nbsp;

* `clickableuri`

* `date`

* `filetype`

* `objecttype`  
&nbsp;

After a content update, [inspect your item field values](https://docs.coveo.com/en/2053#inspect-search-results) in the **Content Browser**.

|Indexable metadata
2+a|The Salesforce source lets you choose the Salesforce object fields you want and indexes their values in `sf`-prefixed Coveo  [fields](https://docs.coveo.com/en/200/).  
&nbsp;

After a content update, [inspect your item field values](https://docs.coveo.com/en/2053#inspect-search-results) in the **Content Browser**.
|===

## Prerequisite: Create a dedicated Salesforce crawling user

To crawl your Salesforce content and [index](https://docs.coveo.com/en/204/) it in a Coveo index, you must create a dedicated Salesforce crawling user.
The procedure is the following:

. [Install the Coveo Connected Apps](#step-1-install-the-coveo-connected-apps).
. [Create a Salesforce profile dedicated to the Coveo user](#step-2-create-a-salesforce-profile-dedicated-to-the-coveo-user).
. [Create a Salesforce user dedicated to Coveo](#step-3-create-a-salesforce-user-dedicated-to-coveo) that meets the [requirements](#crawling-user-requirements).

### Step 1: Install the Coveo Connected Apps

Due to a recent [update](https://help.salesforce.com/s/articleView?id=release-notes.rn_security_connected_app_restrictions.htm&release=256&type=5) to the Salesforce security policies, you must now install the Coveo Connected Apps that apply to your use case.
These apps are required to fetch [refresh](https://docs.coveo.com/en/2710/) tokens and to authenticate the Coveo crawling user.

. Log in to your Salesforce organization using an Administrator account.

. On the **Setup** page, enter `OAuth` in the Quick Find box, then select **Connected Apps OAuth Usage**.

. On the **Connected Apps OAuth Usage** page, install the Coveo Connected Apps that apply to your use case:

![Connected App options | Coveo for Salesforce](https://docs.coveo.com/en/assets/images/coveo-for-salesforce/coveo-connected-apps.png)

.. If you use a Salesforce account to log in to the [Coveo HIPAA Platform](https://docs.coveo.com/en/1853/), find the **Coveo Admin Hipaa** Connected App, and then click **Install** under the **Actions** column.
This Connected App must be installed in the organization that hosts the Salesforce users.

.. If you use a Salesforce account to log in to the standard (non-HIPAA) [Coveo Platform](https://docs.coveo.com/en/186/), find the **Coveo Admin** Connected App, and then click **Install** under the **Actions** column.
This Connected App must be installed in the organization that hosts the Salesforce users.

.. If you use the Salesforce [connector](https://docs.coveo.com/en/2734/) in a HIPAA-compliant environment, find the **Coveo Cloud Platform Hipaa** Connected App, and then click **Install** under the **Actions** column.
This Connected App must be installed in all the organizations that are crawled.

.. If you use the Salesforce [connector](https://docs.coveo.com/en/2734/) in a standard (non-HIPAA) production environment, find the **Coveo** Connected App, and then click **Install** under the **Actions** column.
This Connected App must be installed in all the organizations that are crawled.

### Step 2: Create a Salesforce profile dedicated to the Coveo user

. Log in to your Salesforce organization using an Administrator account.

. On the **Setup** page, enter `Profiles` in the Quick Find box, then select **Profiles**.

. On the **Profiles** page, click **New Profile**.

. On the **Clone Profile** page:

.. In the **Existing Profile** box, select an existing profile, such as **Read Only**, to serve as a template for the new profile, depending on the permissions you want to grant to the Coveo crawler.

.. Take note of the **User License** (for example, Salesforce), as you'll need it later.

.. In the **Profile Name** box, enter a name, such as `CoveoCrawler`.

.. Click **Save**.

. On the page for your new profile, click **Edit** and, in the **Administrative Permissions** section, set the following permissions.
If you've enabled the [Enhanced Profile User Interface](https://help.salesforce.com/s/articleView?id=sf.users_profiles_about_enhanced_ui.htm&type=5), click **System Permissions**, and then click **Edit** to set the following permissions.

.. Ensure that the **API Enabled** permission is selected.

.. Select the **Manage Sharing**, **Modify Metadata Through Metadata API Functions**, **View All Data**, **View All Users**, **View All Profiles**, and **View Setup and Configuration** permissions.
See the [requirements](#crawling-user-requirements) for more information on the reason for these permissions.

.. Select the **Query All Files** permission to index all the `ContentVersion` objects in your Salesforce organization.
If you've enabled the Enhanced Profile User Interface, access the **App Permissions** section to set this permission.

.. Optionally, as an additional security measure, in the [**Login IP Ranges** section](https://help.salesforce.com/articleView?id=users_profiles_epui_login_ip_ranges.htm&type=5), enter [Coveo's IP range](https://docs.coveo.com/en/1831/) to restrict access for this profile.

.. Click **Save**.

### Step 3: Create a Salesforce user dedicated to Coveo

Your Salesforce source will use this dedicated user account to access your Salesforce organization and index its content.
Make sure to read the [requirements](#crawling-user-requirements) for the dedicated Salesforce crawling user before proceeding.

. Log in to your Salesforce organization using an Administrator account.

. On the **Setup** page, enter `Users` in the Quick Find box, and then select **Users**.
. On the **All Users** page, click **New User**.
. On the **New User** page:
 .. Fill the required fields.
 .. In the **User License** box, ensure that the license matches the license of your newly created profile (for example, Salesforce).
 .. In the **Profile** box, select your newly created profile.
 .. To index Classic Knowledge content, ensure that [**Knowledge User**](https://help.salesforce.com/articleView?id=knowledge_setup_users.htm&type=5) is checked.
 .. Click **Save**.

#### Crawling user requirements

Your dedicated Salesforce crawling user must:

* Not be an employee's account.
If this employee leaves the company or changes roles, their account could be terminated or have its permissions changed.
This could break the connection to Coveo or impact indexing.

* Be used by a single Coveo Salesforce source.
Having multiple Salesforce sources use the same crawling user and run content updates in parallel is known to cause [errors](#invalid_query_locator-error).

* Have access to all the Salesforce objects you want to query in your Salesforce organization.
We strongly recommend granting the user the **View All Data** permission.

* Have the following permissions, even if it has the **Modify All Data** or **View All Data** permission.

[%header,cols="~,~"]
|===
|Permission
|Reason/comments

|API Enabled
|Required to call Salesforce APIs.

|Knowledge User
|Required to index Classic Knowledge articles.
This permission doesn't apply when [Lightning Knowledge is enabled](https://help.salesforce.com/s/articleView?id=sf.knowledge_lightning_enable.htm&type=5).

|Manage Sharing
|Required to access the object sharing settings that are required to index securities.

|Modify Metadata Through Metadata API Functions
|Required to use the Salesforce Metadata API, which Coveo uses to index Salesforce item permissions, case settings, sharing settings, and other Salesforce setup configuration information.

|Query All Files
|Required to index all [`ContentVersion`](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_contentversion.htm) records in your Salesforce organization.
Without this permission, only the `ContentVersion` records that have been specifically shared with the crawling user will be indexed.
However, the **Query All Files** permission isn't required if the [**Index related files**](#content-to-index-subtab) option is enabled on applicable objects.

|View All Users
|Required to view all users, regardless of their object sharing settings, and to properly index document securities.

|View All Profiles
|Required to view all profiles, regardless of their object sharing settings, and to properly index document securities.

|View Setup and Configuration
|Required to view the basic security objects such as `Roles`, `Profiles`, and `Permission Sets`, and the object sharing configuration.
Also required to properly index document securities.
|===

**Permissions required on a per-object basis**
<details><summary>Details</summary>

This table provides a summary of the permissions that must be set for the crawling user depending on the Salesforce objects you want to index.

[%header,cols="~,~,~,~,~"]
|===
|Permissions
^|Service Cloud objects
^|Content objects
^|Knowledge objects
^|Chatter objects[.footnote]^[[1](#permission-footnote-1)]^

|API Enabled
^|[check]
^|[check]
^|[check]
^|[check]

|Knowledge User[.footnote]^[[2](#permission-footnote-2)]^
^|[x]
^|[x]
^|[check]
^|[x]

|Manage Sharing[.footnote]^[[3](#permission-footnote-3)]^
^|[check]
^|[check]
^|[check]
^|[check]

|Modify All Data[.footnote]^[[4](#permission-footnote-4)]^
^|Optional
^|Optional
^|Optional
^|Optional

|Modify Metadata Through Metadata API Functions[.footnote]^[[5](#permission-footnote-5)]^
^|[check]
^|[check]
^|[check]
^|[check]

|Query All Files[.footnote]^[[6](#permission-footnote-6)]^
^|[x]
^|[check]
^|[x]
^|[x]

|View All Data
^|Recommended
^|Recommended
^|Recommended
^|Recommended

|View All Profiles
^|[check]
^|[check]
^|[check]
^|[check]

|View All Users
^|[check]
^|[check]
^|[check]
^|[check]

|View Setup and Configuration
^|[check]
^|[check]
^|[check]
^|[check]
|===

--
1. To view the Chatter feed items created inside a community, [a user must also be a member of that community](https://docs.coveo.com/en/l8ae0063#permissions).

2.The Knowledge User permission is required to index Classic Knowledge articles only. It doesn't apply when Lightning Knowledge is enabled.

3.The Manage Sharing permission is required even if your crawling user has the Modify All Data permission.

4.Although the Modify All Data permission is no longer a requirement for the crawling user, you can continue to use this permission if it's part of your existing integration.

5.If necessary, the [DisableMetadataApiSecurities](https://docs.coveo.com/en/m6h90378#disablemetadataapisecurities) parameter can be used to bypass the crawling user's Modify Metadata Through Metadata API Functions and Manage Sharing permission requirements in order to create a secured source. However, we strongly advise against using it. [Enabling this parameter may cause some users to experience missing results in their Coveo-powered search interface](https://docs.coveo.com/en/m6h90378#known-impacts).

6.The Query All Files permission is required even if your crawling user has the Modify All Data or the View All Data permissions.
--

</details>

* Have access to all the fields you want to index in each Salesforce object.
Make sure to validate the [field-level security settings](https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/admin_fls.htm) in your Salesforce organization.

* Be a member of each library that contains the `ContentVersion` records you want to index.

## Add a Salesforce source

A Salesforce source allows you to index most types of Salesforce content in your Coveo organization.
However, to index Salesforce commerce content, such as products, variants, and availabilities, use a [REST API source](https://docs.coveo.com/en/1896/) instead and follow the [commerce-specific instructions](https://docs.coveo.com/en/sal3s118#index-a-salesforce-commerce-cloud).

Follow the instructions below to add a Salesforce source.

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click **Add source**.

. In the **Add a source of content** panel, click the **Salesforce** source tile.

. Configure your source.

> **Leading practice**
>
> It's best to create or edit your source in your sandbox organization first.
> Once you've confirmed that it indexes the desired content, you can copy your source configuration to your production organization, either [with a snapshot](https://docs.coveo.com/en/3239/) or manually.
> 
> See [About non-production organizations](https://docs.coveo.com/en/2959/) for more information and best practices regarding sandbox organizations.

### "Configuration" tab

On the **Add a Salesforce source** page, the **Configuration** tab is selected by default.
It contains your source's general and authentication information, as well as other parameters.

#### "Identification" subtab

The **Identification** subtab contains general information about the source.

## Name

The source name.
It can't be modified once it's saved.

##### Name

Enter a name for your source.

> **Leading practice**
>
> A source name can't be modified once it's saved, therefore be sure to use a short and descriptive name, using letters, numbers, hyphens (`-`), and underscores (`_`). Avoid spaces and other special characters.

##### Project

Use the **Project** selector to associate your source with one or more Coveo [projects](https://docs.coveo.com/en/n7ef0517/).

#### "Authentication" subtab

To allow Coveo to access your content, you must authenticate with Salesforce.

Click **Authorize account**, and then, in the window that opens, log in to your Salesforce organization with the [dedicated **Salesforce account** you created earlier](#step-3-create-a-salesforce-user-dedicated-to-coveo).

> **Note**
>
> Your source authentication may eventually fail.
> You'll then need to [reauthorize the source](#reauthorize-the-source).

#### "Content to index" subtab

The **Content to index** subtab lets you select the [Salesforce objects and fields](#about-object-and-field-names) you want to index.

> **Note**
>
> Your [custom objects](https://help.salesforce.com/articleView?id=dev_objectedit.htm) are only displayed when you've enabled its **Allow Search** field in Salesforce.

When you click an object, you can then click **View** > **Fields** or **Relationships** in the Action bar.
Like in the object list, select the fields or relationships you want to index.

![Salesforce View menu |Coveo](https://docs.coveo.com/en/assets/images/coveo-for-salesforce/source-view-menu.png)

The breadcrumb at the top of the table helps you navigate the content:

![Salesforce source breadcrumb |Coveo](https://docs.coveo.com/en/assets/images/coveo-for-salesforce/source-breadcrumb.png)

By default, indexing related files (also known as _attached files_ or [_ContentVersion records_](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_contentversion.htm)) is enabled on applicable objects.
However, make sure to read about the [limitations](#limitations-regarding-related-files).

![Index related files option |Coveo](https://docs.coveo.com/en/assets/images/coveo-for-salesforce/source-index-related-files.png)

> **Leading practice**
>
> Not all Salesforce data is useful to index.
> Indexing large amounts of data can have an impact on your Coveo organization performance, overload the Salesforce API, and clutter search results with irrelevant items.
> Carefully select only the Salesforce objects and fields that are relevant to your users' search needs to improve the search experience.
> 
> Start indexing the key standard objects with pre-selected fields and test search results to identify essential information that's missing.
> Then, only add other standard or custom objects and fields that you want to see in search results or use with the following Coveo features:
> 
> ** [Facets search](https://docs.coveo.com/en/1571/) or strings in search interfaces
> ** [Query pipeline ranking expressions (QRE)](https://docs.coveo.com/en/3375/)
> ** [Usage analytics dashboard](https://docs.coveo.com/en/1631/) or [reporting dimensions](https://docs.coveo.com/en/1904/)
> 
> You can also [add conditions](#add-a-condition) to only index a subset of the selected content.

See [Index Chatter feeds](https://docs.coveo.com/en/l8ae0063/) and [Index Salesforce Knowledge](https://docs.coveo.com/en/m5ba6010/) for details about indexing these specific types of content.

##### Add a condition

When you select Salesforce objects, fields, or relationships to index, you can also define conditions to only index a subset of this content.
Only the items that meet the defined conditions will be indexed.

. Click an object, field, or relationship that you've decided to index, and then click **Conditions** in the Action bar.

. To build a condition, select a Salesforce object field and an [operator](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql_select_comparisonoperators.htm), and then enter a field value using the [SOQL syntax](https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql_select_conditionexpression.htm).
Only the content that meets the defined condition will be indexed.

> **Notes**
>
> * String values must be entered in single quotes and datetime values must respect the [`ISO 8601`](https://en.wikipedia.org/wiki/ISO_8601) format. For example, `'2017-08-21T20:09:26+00:00'`.
> 
> * If you select the **Includes** or **Excludes** operator, using the following syntax to enter multiple field values in a single entry: `('value1','value2')`.

. Once you're satisfied with your conditions, click **Apply**.

### "Items" tab

On the **Items** tab, you can specify how the source handles items based on their file type or content type.

#### File types

File types let you define how the source handles [items](https://docs.coveo.com/en/210/) based on their file extension or content type.
For each file type, you can specify whether to index the item content and [metadata](https://docs.coveo.com/en/218/), only the item metadata, or neither.

You should fine-tune the file type configurations with the objective of indexing only the content that's relevant to your users.

**Example**

Your repository contains `.pdf` files, but you don't want them to appear in search results.
You click **Extensions** and then, for the `.pdf` extension, you change the **Default action** and **Action on error** values to `Ignore item`.

For more details about this feature, see [File type handling](https://docs.coveo.com/en/l3qg9275/).

#### Content and images

If you want Coveo to extract text from image files or PDF files containing images, enable the appropriate option.
The extracted text is processed as item data, meaning that it's fully searchable and will appear in the item [Quick view](https://docs.coveo.com/en/2760#search-result-quick-view).

> **Note**
>
> When OCR is enabled, ensure the source's relevant [file type configurations](https://docs.coveo.com/en/l3qg9275/) index the item content.
> Indexing the item's metadata only or ignoring the item will prevent OCR from being applied.

See [Enable optical character recognition](https://docs.coveo.com/en/2937/) for details on this feature.

### "Content security" tab

> **Important**
>
> * Before changing the security of your Salesforce source, ensure that it doesn't violate any third-party contracts.
> * Changing this setting may expose sensitive content publicly.

Select who will be able to access the source items through a Coveo-powered [search interface](https://docs.coveo.com/en/2741/).
For details on the content security options, see [Content security](https://docs.coveo.com/en/1779/).

**Same users and groups as in your content system** is the default and most secure option.
Select it if you have secured content.
This only allows anonymous and authenticated users to see search results for items to which they have access within Salesforce.

Alternatively, if you select **Specific users and groups**, you can specify which users or groups can or can't access the source content through a Coveo-powered search interface.
See [Content security](https://docs.coveo.com/en/1779#specific-users-and-groups) for more information on this option.
In the **Add a user of group** panel that opens, the **Standard** view allows you to select [security identities](https://docs.coveo.com/en/240/) from the Email Security Provider.
Switch to the **Advanced** view to select a different [security identity provider](https://docs.coveo.com/en/242/) and/or to enter additional information about the identity, depending on the selected provider.

### "Access" tab







. On the **Access** tab, specify whether each group (and API key, if applicable) in your [Coveo organization](https://docs.coveo.com/en/185/) can view or edit the current source.

For example, when creating a new source, you could decide that members of Group A can edit its configuration, while Group B can only view it.

For more information, see [Custom access level](https://docs.coveo.com/en/3151#custom-access-level).
On the **Access** tab, specify whether each group (and API key, if applicable) in your [Coveo organization](https://docs.coveo.com/en/185/) can view or edit the current source.

For example, when creating a new source, you could decide that members of Group A can edit its configuration, while Group B can only view it.

For more information, see [Custom access level](https://docs.coveo.com/en/3151#custom-access-level).

### Build the source

. Finish adding or editing your source:

** When you're done editing the source and want to make your changes effective, click **Add and build source**/**Save and rebuild source**.

** When you want to save your source configuration changes without starting a build/rebuild, such as when you know you want to make other changes soon, click **Add source**/**Save**.
On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click **Launch build** or **Start required rebuild** when you're ready to make your changes effective and index your content.

> **Leading practice**
>
> By default, a Jira Software source indexes the entire Jira Software instance content.
> To index only certain projects, click **Save**, and then specify the desired address patterns in your [source JSON configuration](https://docs.coveo.com/en/1685/) before launching the initial build.
> See [Add source filters](https://docs.coveo.com/en/2006#add-source-filters) for further information.

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, follow the progress of your source addition or modification.

. Once the source is built or rebuilt, [review its content in the Content Browser](https://docs.coveo.com/en/2053/).

. Optionally, consider [editing or adding mappings](https://docs.coveo.com/en/1640/).


> **Note**
>
> If you selected **Specific URLs** or **User profiles** in the [**Content**](https://docs.coveo.com/en/1739#content) section, some additional items will appear in the Content Browser.
> To retrieve user profiles, Coveo must crawl your SharePoint Online instance, including your host site collection and the documents it contains.
> Items encountered during this process are also retrieved and therefore appear in the Content Browser.

> **Leading practice**
>
> The number of [items](https://docs.coveo.com/en/210/) that a source processes per hour (crawling speed) depends on various factors, such as network bandwidth and source configuration.
> See [About crawling speed](https://docs.coveo.com/en/2078/) for information on what can impact crawling speed, as well as possible solutions.

## Limitations regarding Salesforce securities

The security of your Salesforce content is maintained in your Coveo organization.
When you create a Salesforce source and select the [**Same users and groups as in your content system** content security option](https://docs.coveo.com/en/1779#same-users-and-groups-as-in-your-content-system), Coveo indexes not only your Salesforce content, but also its access permissions.
This allows Coveo to replicate the Salesforce security model, so that, through a Coveo-powered search interface, end users can only see the Salesforce content they have access to in Salesforce.

For example, a support agent who has access to Accounts, Contacts, and Cases objects in Salesforce, but not to Campaigns, Leads, Opportunities, and Forecasts objects, will only see search results for Accounts, Contacts, and Cases when searching through a Coveo-powered search interface.

Coveo supports several Salesforce securities, but has some limitations, including the following:

* Shared personal groups aren't supported.
A user can share content with a personal group.
These sharing permissions can't be indexed because they're currently not reported by the Salesforce API.
As a result, members of the personal group won't see the shared content in Coveo organization results.
This limitation is therefore not a security hole.

* Field-level security isn't supported.
For Enterprise, Unlimited, and Developer Salesforce editions, visibility of individual fields can be granted or denied to users or groups to fine-tune the access control in a permission set or a profile.
The Coveo organization index doesn't include this information.
As a result, a user who's denied access to a field could see the content of this field in the Coveo organization results.
Note however that [this is also the case for Salesforce search results](https://na14.salesforce.com/help/doc/en/admin_fls.htm).

* Login IP address and hours restrictions aren't supported.
The Coveo organization index doesn't contain restrictions on login IP address or hours configured in Salesforce.
As a result, your Salesforce users can access the Coveo organization search interfaces and review Salesforce content from any IP address at any time.

* [Frozen users](https://help.salesforce.com/HTViewHelpDoc?id=users_freeze.htm&language=en_US) aren't supported, so they aren't denied access to the search.

* In Salesforce, if you rely on [data categories](https://help.salesforce.com/s/articleView?id=sf.category_parent_admin.htm&type=5) to control Classic or Lightning KB record access, beware that these permissions can't be [indexed](https://docs.coveo.com/en/204/) as this information isn't available in the Salesforce API.
Consequently, in search results, all users can view all KB articles under all data categories.
Cases such as this one require custom manipulations to ensure content security.

> **Note**
>
> When standard Salesforce [**Sharing for Lightning Knowledge**](https://help.salesforce.com/s/articleView?id=sf.knowledge_sharing.htm&type=5) is enabled for Lightning KB record access, all Knowledge permissions are supported, including permissions set on **Online**, **Draft**, and **Archived** articles.

* Coveo for Salesforce doesn't currently support the [Account Relationship Data Sharing Rules](https://help.salesforce.com/s/articleView?id=sf.networks_partner_account_relationships_and_sharing.htm&type=5) functionality that was introduced in the Salesforce Spring '19 Release.
In addition, poorly implemented [Apex Managed Sharing](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_bulk_sharing.htm) can generate large amounts of record sharing.
In such cases, records may be rejected by the index.

* When the [organization-wide default](https://help.salesforce.com/HTViewHelpDoc?id=sharing_model_fields.htm&language=en_US) is set to **Controlled by Parent**, a maximum master-detail relationship depth of two levels is supported.
For example, when you index a sub-detail object, the detail parents are correctly determined, but the master parents are considered public because there are three levels (master-detail-subdetail).

## Limitations regarding related files

* [Indexing related files](#content-to-index-subtab) only applies to Salesforce [ContentVersion records](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_contentversion.htm).

* You can't filter which related files are included or excluded from the index.
All ContentVersion records linked to indexed parent records are indexed by default.
To obtain a list of all the IDs that act as parents of the ContentVersion record, access the `sfcontentversionlinkedentityids` field.

* [Folding](https://docs.coveo.com/en/428/) isn't possible at this time because the many-to-many relationship isn't supported.

* A source [refresh](https://docs.coveo.com/en/2710/) doesn't remove deleted related files from the index.
A source [rescan](https://docs.coveo.com/en/2711/) or [rebuild](https://docs.coveo.com/en/2712/) is required to retrieve deleted related files.

* Permissions on related files linked to Knowledge Base (KB) articles with [data category](https://help.salesforce.com/s/articleView?id=service.category_whatis.htm&type=5) permissions aren't currently supported.
Either index these files in a public source or don't index files under Knowledge at all.

## About object and field names

In Coveo for Salesforce, you often need to reference specific Salesforce objects and fields, either in [result templates](https://docs.coveo.com/en/413/), in a [search interface](https://coveo.github.io/search-ui/components/searchinterface.html), or in custom code you want to implement.

In Coveo for Salesforce, Salesforce object names stay the same.
For example, the following [query syntax](https://docs.coveo.com/en/1552/) expression, where you replace `<YOUR_SALESFORCE_OBJECT>` with the API name of the Salesforce object, filters the results to only include items from that object:

```javascript
@objecttype=="<YOUR_SALESFORCE_OBJECT>"
```

See [Standard Objects](https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_list.htm) and [Custom Objects](https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_objects_custom_objects.htm) for lists of object API names.

Coveo adapts the Salesforce field names to ease the implementation and avoid potential confusion with other non-Salesforce fields.
Coveo for Salesforce field names are built following this syntax:

`sf` + `Relationship` + `Salesforce API field name`

* The `sf` [prefix indicates the field is exclusively used by Salesforce sources](https://docs.coveo.com/en/1833#field-origin).

* `Relationship` indicates the parent or child object associated to the field.
See the [About object relationships](#about-object-relationships) section for more information.
When referring to a parent object, the singular form of the object name is used.
When referring to a child object, the plural form of the object name is used.
When the object is a top-level field (has no parent or child relationship), this value is skipped.

**Examples**

* Since Account is a parent of Case, the field Name from the Account object associated to a case is `sfAccountName`
* The Subject field for all the Case objects on an Account is `sfCasesSubject`
* The Status field of the Case object is a top-level field, meaning its field is `sfStatus`

* [`Salesforce API Field Name`](https://help.salesforce.com/articleView?id=000007594&type=1).
Custom fields end with `__c`.

When [inspecting a Salesforce item](https://docs.coveo.com/en/2053#inspect-search-results) in the [**Content Browser**](https://platform.cloud.coveo.com/admin/#/orgid/content/browser/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/browser/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/browser/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/browser/)), you can find the Coveo fields associated to this item, including those with the `sf` prefix.

### About object relationships

Because Coveo fields incorporate object relationships in their syntax, it helps to understand these relationships when working with fields.

_Top-level fields_ are directly associated to an object.
For example, formula fields are top-level fields.

The _parent relationship_ is only available when querying a child object.
Multiple child records can be associated to the same parent record.
For example, the Account object is a parent of the Case object, as cases belong to an account.

The _child relationship_ is only available when querying a parent object.
A single parent record can be associated to multiple child records.
For example, the Account object has a Cases child relationship that lists all the cases for any particular account.

## Reauthorize the source


Your Salesforce source uses the OAuth 2.0 authorization protocol and the authentication information specified in your [source configuration](#authentication-subtab) to access your Salesforce content.

Authentication may start to fail for many reasons, such as:

* The crawling account was disabled or deleted.

* The crawling account's permissions changed.

* Coveo's authorization to access the content was revoked.

An authentication error appears on the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page when your Salesforce source can no longer access your content.

To reauthorize the source
To reauthorize the source

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click your source, and then click **Edit** in the Action bar.

. On the source subpage, click the **Authentication** subtab.

. Click **Reauthorize**, and then, in the window that opens, log in to your Salesforce organization with the [dedicated **Salesforce account** used to index your content](#step-3-create-a-salesforce-user-dedicated-to-coveo).
. Click **Reauthorize**, and then, in the window that opens, log in to your SharePoint Online tenant with the [crawling account used to index your content](https://docs.coveo.com/en/3252/).
By default, the **Also update the authentication token of the related security identity provider** box is checked to ensure that the authentication of the linked security identity provider to your source is also updated.
However, this security identity provider may be used by multiple sources.
Before updating, ensure that doing so won't impact other sources.

. Click **Save** or **Save and rebuild source**.

## Define a Salesforce object body

You can change what's indexed as the body of your object by defining a [mapping](https://docs.coveo.com/en/217/) rule for the `body` [field](https://docs.coveo.com/en/200/).
The body of your object is used both as the [excerpt](https://docs.coveo.com/en/3310/) and as the [quickview](https://docs.coveo.com/en/3311/) of an [item](https://docs.coveo.com/en/210/) in your [search interface](https://docs.coveo.com/en/2741/).

. On the [**Sources**](https://platform.cloud.coveo.com/admin/#/orgid/content/sources/) ([platform-ca](https://platform-ca.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-eu](https://platform-eu.cloud.coveo.com/admin/#/orgid/content/sources/) | [platform-au](https://platform-au.cloud.coveo.com/admin/#/orgid/content/sources/)) page, click your source, and then click **Mappings** in the Action bar.

. To add a mapping, click the **Add** dropdown menu, and then select **Mapping**.

. In the panel that opens:

.. Under **Field**, select `body`.

.. Under **Apply to**, select the objects to which you want to apply the mapping rule.

.. Under **Rules**, enter the mapping rule to apply.
Use the following syntax to display Salesforce field values: `%[<SALESFORCE_FIELD_API_NAME>]`.
See [Mapping rule syntax reference](https://docs.coveo.com/en/1839/) if needed.
If you enter more than one rule, [Coveo will evaluate them in the order they appear, until one of them yields a non-empty value](https://docs.coveo.com/en/1839#mapping-rule-evaluation).

**Example**

You want to change your `Account` object to display the account description, number, and phone number.

Under **Rule**, you enter the following mapping rule:

`<html><div>%[Description]</div><div>Account Number: %[AccountNumber]</div><div>Phone Number: %[Phone]</div></html>`

As a result, the body of your `Account` object displays as follows:

```text
Acme Corporation is a leading provider of road runner deterrents.
Account Number: 001A000000fXyz123
Phone Number: +1-800-555-0199
```

.. Click **Apply mapping**.

. Back in the **Edit mappings** panel, click **Save and rebuild source** if you're done making changes.
Coveo will launch a [source](https://docs.coveo.com/en/246/) [rebuild](https://docs.coveo.com/en/2712/), which is necessary to apply your changes.

> **Tip**
>
> Alternatively, click **Save** to close the panel without launching a rebuild.
> This option is especially useful when you plan on making additional changes in the short term.
> Since a source with several millions of [items](https://docs.coveo.com/en/210/) may take weeks to rebuild, you'll save time and resources by rebuilding it only when necessary.

For details about mapping rules, see [Manage source mappings](https://docs.coveo.com/en/1640/) and [Add a body mapping](https://docs.coveo.com/en/1847/).

## `INVALID_QUERY_LOCATOR` error

`Error with ID 'SALESFORCE_INVALID_QUERY': invalid query locator (INVALID_QUERY_LOCATOR) - This error can occur if a user is used more than once for sources that run in parallel. To avoid this error, make sure to use only one user per source or alternate the refresh schedule of your sources.`

This error occurs when Coveo accesses your Salesforce organization with the same user credentials too many times, for instance when multiple Salesforce sources use the same crawling user and run content updates in parallel.

To prevent it, create a separate user account for Coveo to use for each of your Salesforce sources, as well as for each environment you're deploying to (for example, development, staging, and production).

In addition, only select the **Same users and groups as in your content system** source [content security](#content-security-tab) option if you have secured content.

## About legacy Salesforce sources

An alert on your source page indicates that you're using a legacy Salesforce source:

![Legacy Salesforce source alert |Coveo](https://docs.coveo.com/en/assets/images/coveo-for-salesforce/source-legacy-alert.png)

Legacy Salesforce sources use an older technology.
Coveo continues to support these sources so that your content indexing isn't disrupted.

However, legacy sources don't support the same features as newer Salesforce sources.
To benefit from these features, switch to a newer Salesforce source.

**Replace a legacy Salesforce source**
<details><summary>Details</summary>

. Follow the steps on this page to [create a new crawling user](#prerequisite-create-a-dedicated-salesforce-crawling-user), and then [create a new Salesforce source](#add-a-salesforce-source).

. [Copy your source mappings](https://docs.coveo.com/en/1640#manage-mappings) from the legacy source to the new source.

. Once your new source has [indexed](https://docs.coveo.com/en/204/) all your content, update your [search interfaces](https://docs.coveo.com/en/2741/) to use the new source instead of the legacy one.

. Ensure that your new source follows the same [update schedules](https://docs.coveo.com/en/1933#schedule-a-source-update) as your legacy source.

. Once you're satisfied with your new source, [delete your legacy source](https://docs.coveo.com/en/3390#delete-a-source) to avoid unnecessary indexing operations.

</details>

### What's next?

You may [manually edit the JSON configuration](https://docs.coveo.com/en/1685/), but be warned that improperly configuring the JSON will make your source fail to build.

For more information on the different JSON configurations you can perform on your Salesforce source, see [JSON Salesforce objects](https://docs.coveo.com/en/1785/).