Creating a Dedicated Salesforce Linking Account

Coveo for Salesforce must be able to communicate to your Coveo Cloud organization to be able to return results. This communication is initially done through the user that installed the Coveo for Salesforce package and created the Coveo Cloud organization. However, since this user is needed for Coveo to work in your Salesforce organization, it is recommended to reset the link and to configure your organization with a Salesforce account dedicated to the Coveo integration.

When using Coveo for Salesforce Pro and Enterprise, this user should also be used to crawl your Salesforce content and index it in a Coveo index. In this scenario, the dedicated linking account also becomes a dedicated crawling account.


Your dedicated Salesforce account must follow these points:

  • The Salesforce account should be used only for your Coveo implementation.

    Avoid using a single user account. If the person leaves the company or simply changes role, the account can be terminated or have its permissions changed, which can break the connectivity to the Coveo Cloud or affect the indexing.

  • The password should never change.

  • When deploying several Coveo for Salesforce applications, such as in several environments (development, staging, production), it is strongly recommended to create and use separate dedicated Salesforce accounts for each environment, as well as one for each different Salesforce source.

    Otherwise, when the Coveo Cloud accesses your Salesforce organization with the same user credentials too many times, Salesforce returns an INVALID_QUERY_LOCATOR error message, as follows:

      Error with ID 'SALESFORCE_INVALID_QUERY': invalid query locator (INVALID_QUERY_LOCATOR) - This error can occur if a user is used more than once for sources that run in parallel. To avoid this error, make sure to use only one user per source or alternate the refresh schedule of your sources.
  • When you have more than one Salesforce organization and more than one Coveo Cloud Instance, it is highly recommended to link only one Salesforce organization to only one Coveo Cloud Instance.

    With the Coveo for Salesforce Free edition, this step is mandatory.

  • Free edition only

    The account should have access to all the Salesforce objects and fields you wish to be queried in your Salesforce organization.

  • Pro and Enterprise editions only

    • The account should have the Modify All Data permissions. This permission is required as it is the only permission that allows a user to gain access to the Salesforce Metadata API, which is required to index Salesforce item permissions.

      You can enable the API Enabled permission without selecting the Modify All Data permission.

      Be aware that, when crawling the content of a Salesforce source by a user without the Modify All Data access (see About the ‘Modify All Data’ permission), the security on your documents will not be applied on the search results.

      If you do not enable Modify All Data, the crawler will also only index content to which the user has access, so set up read access to objects accordingly.

    • When indexing Knowledge articles, ensure that the dedicated user is a Knowledge User (see Knowledge User Access).

    • Optionally, as an additional security measure, in the Login IP Ranges section (see Login IP Ranges in the Enhanced Profile User Interface), select or create a login IP range to restrict the accessibility for this profile (see IP Addresses to Whitelist).

Creating the Dedicated Salesforce Account

The Coveo Authorized Administrator permission set is used to allow the edition and the customization of the Coveo for Salesforce integration, but does not allow a user to install the Coveo package in Salesforce.

  1. Using an administrator account, log in to your Salesforce organization.

  2. In the user menu, select Setup.

  3. Create a Salesforce profile dedicated to the Coveo user:

    1. In the Setup page, select Manage Users > Profiles.

    2. In the Profiles page, click New Profile.

    3. In the Clone Profile page:

      1. In the Existing Profile box, select an existing profile such as Read Only to be used as a template for the new profile according to the permissions you want to grant to the crawler.

      2. In the Profile Name box, enter a name, such as CoveoLink.

      3. Click Save.

    4. In the page for your new profile, click Edit and in the Administrative Permissions section:

      1. Ensure that the API Enabled option is selected.

      2. Optionally, select the API Only User option as an additional security measure.

      3. When creating a user for Coveo for Salesforce Pro or Enterprise, select the Modify All Data option.

      4. When indexing Knowledge content, ensure that Knowledge User is checked.

  4. Create a Salesforce user dedicated to Coveo:

    1. In the Setup page, select Manage Users > Users.

    2. In the All Users page, click New User.

    3. In the New User page:

      1. Fill the required fields.

      2. In the Profile box, select the profile you just created.

      3. Click Save.

  5. Invite your dedicated user to your Coveo Cloud organization (see Adding and Managing Members for Coveo Cloud V2 and Inviting Users to Join Your Coveo Cloud V1 Organization for Coveo Cloud V1).

  6. Connect to your Salesforce organization using the dedicated user.

    You can use your browser in Incognito mode or close all other existing browser tabs that are connected to Salesforce organizations.

  7. Reset the connection between your Salesforce production instance and the Coveo Cloud (see Resetting Your Coveo for Salesforce Configuration).

  8. Relink your Salesforce organization with your Coveo Cloud organization using the dedicated user (see Configuring the Coveo for Salesforce Application).

    • If your account has been deactivated, you will encounter the following error message:

        "status": 400,
        "message": "The user has been deactivated",
        "type": "SalesforceConfigurationException",
        "name": "SalesforceConfigurationException",
        "queryExecutionReport": [

      You should relink your Salesforce organization with your Coveo Cloud organization.

    • Because you are connecting to an existing Coveo Cloud organization, you should choose Link to an Existing Coveo Organization.

Recommended Articles