Salesforce - Permissions

This document covers information on what permissions the Popl integration with Salesforce uses.

Least Privilege

Our integration with Salesforce utilizes Role Based Access Controls (RBAC) which in turn uses the security principle of least privilege. Least privilege means that the enterprise app created by the integration has precisely the amount of privilege that is necessary to perform the and nothing more.

Permissions

The Salesforce integration uses the following permissions:

OAuth Scope Name
OAuth Scope Description
Reasoning

openid

Access unique user identifiers (openid)

This scope is used with OpenID Connect. It allows access to the user's unique identifier

api

Manage user data via APIs (api)

Grants access to the authenticated user's data via the Salesforce REST and SOAP APIs.

web

Manage user data via Web browsers (web)

Allows the app to use the web-based flow to authenticate the user and access Salesforce with consent, through the UI.

refresh_token

Perform requests at any time (refresh_token)

Allows the app to receive a refresh token to obtain new access tokens.

offline_access

Perform requests at any time (offline_access)

Allows the app to perform background tasks or long-running sessions without requiring re-login.

Fixing the “Your Salesforce policies are blocking Popl’s IP address” Error

When connecting Popl with Salesforce, you may see this message:

This happens because Salesforce has strict security settings called IP Restrictions. If a login request comes from an IP address outside your organization’s allowed range, Salesforce blocks it.

This can affect the Popl integration.


Why Does This Error Happen?

Salesforce restricts logins and API access based on IP addresses to help protect your data. If Popl’s connection request comes from an IP address not included in your trusted range, Salesforce blocks it.

Common reasons you might see this error:

  • Your organization has strict IP restriction policies

  • The Popl Connected App is not configured to allow Popl’s IP addresses

  • Your team is working remotely from dynamic IP addresses


How to Fix the Error

There are two ways to resolve this error depending on your organization’s security preferences:


Option 1: Relax IP Restrictions for the Popl Connected App

Steps:

  1. Log in to Salesforce using an administrator account.

  2. Go to Setup (click the gear icon at the top right and select Setup).

  3. In the Quick Find box, search for App Manager and select it.

  4. Locate your Popl Connected App in the list, click the dropdown arrow, and choose Manage.

  5. Click Edit Policies.

  6. In the IP Relaxation dropdown, select Relax IP restrictions.

  7. Click Save.


Option 2: Add Trusted IP Ranges

Steps:

  1. Open the Popl Connected App in Salesforce.

  2. Scroll down to the Trusted IP Ranges for OAuth Web Server Flow section.

  3. Click New.

  4. Enter the starting and ending IP address range you want to allow.

    • Example: Start IP: 35.168.0.0 | End IP: 35.168.255.255 (replace with your actual allowed ranges)

  5. Click Save.


Best Practices

  • Relax IP restrictions only if necessary and document the change for your security team

  • Add trusted IP ranges whenever possible to maintain tighter control

  • Test after making changes to ensure Popl can successfully connect

  • Document any IP changes in your internal IT or security log for future reference


Troubleshooting

Still seeing the error after changes?

  • Double-check that you updated the Popl Connected App (not a different app)

  • Confirm you clicked Save after editing policies

  • Verify that your Salesforce user has the proper admin permissions to make these changes

Popl users still can’t connect?

  • Log out of both Popl and Salesforce and reconnect

  • Confirm with your IT team that no firewall rules are blocking Salesforce connections

  • Contact Popl Support for additional troubleshooting


Need Help?

If you still experience issues:

  • Contact your Salesforce administrator to review IP settings

  • Contact Popl Support – we’re happy to help you resolve integration errors quickly

If any issues or questions, please contact us at [email protected], we are available nearly 24/7 and will get back to you within 6-8 hours or less.

With 🤍 from Popl.

Last updated