Salesforce - Permissions
This document covers information on what permissions the Popl integration with Salesforce uses.
Least Privilege
Our integration with Salesforce utilizes Role Based Access Controls (RBAC) which in turn uses the security principle of least privilege. Least privilege means that the enterprise app created by the integration has precisely the amount of privilege that is necessary to perform the and nothing more.
Permissions
The Salesforce integration uses the following permissions:
openid
Access unique user identifiers (openid)
This scope is used with OpenID Connect. It allows access to the user's unique identifier
api
Manage user data via APIs (api)
Grants access to the authenticated user's data via the Salesforce REST and SOAP APIs.
web
Manage user data via Web browsers (web)
Allows the app to use the web-based flow to authenticate the user and access Salesforce with consent, through the UI.
refresh_token
Perform requests at any time (refresh_token)
Allows the app to receive a refresh token to obtain new access tokens.
offline_access
Perform requests at any time (offline_access)
Allows the app to perform background tasks or long-running sessions without requiring re-login.
Fixing the “Your Salesforce policies are blocking Popl’s IP address” Error
When connecting Popl with Salesforce, you may see this message:
This happens because Salesforce has strict security settings called IP Restrictions. If a login request comes from an IP address outside your organization’s allowed range, Salesforce blocks it.
This can affect the Popl integration.
Why Does This Error Happen?
Salesforce restricts logins and API access based on IP addresses to help protect your data. If Popl’s connection request comes from an IP address not included in your trusted range, Salesforce blocks it.
Common reasons you might see this error:
Your organization has strict IP restriction policies
The Popl Connected App is not configured to allow Popl’s IP addresses
Your team is working remotely from dynamic IP addresses
How to Fix the Error
There are two ways to resolve this error depending on your organization’s security preferences:
Option 1: Relax IP Restrictions for the Popl Connected App
Steps:
Log in to Salesforce using an administrator account.
Go to Setup (click the gear icon at the top right and select Setup).
In the Quick Find box, search for App Manager and select it.
Locate your Popl Connected App in the list, click the dropdown arrow, and choose Manage.
Click Edit Policies.
In the IP Relaxation dropdown, select Relax IP restrictions.
Click Save.
Option 2: Add Trusted IP Ranges
Steps:
Open the Popl Connected App in Salesforce.
Scroll down to the Trusted IP Ranges for OAuth Web Server Flow section.
Click New.
Enter the starting and ending IP address range you want to allow.
Example: Start IP: 35.168.0.0 | End IP: 35.168.255.255 (replace with your actual allowed ranges)
Click Save.
Best Practices
Relax IP restrictions only if necessary and document the change for your security team
Add trusted IP ranges whenever possible to maintain tighter control
Test after making changes to ensure Popl can successfully connect
Document any IP changes in your internal IT or security log for future reference
Troubleshooting
Still seeing the error after changes?
Double-check that you updated the Popl Connected App (not a different app)
Confirm you clicked Save after editing policies
Verify that your Salesforce user has the proper admin permissions to make these changes
Popl users still can’t connect?
Log out of both Popl and Salesforce and reconnect
Confirm with your IT team that no firewall rules are blocking Salesforce connections
Contact Popl Support for additional troubleshooting
Need Help?
If you still experience issues:
Contact your Salesforce administrator to review IP settings
Contact Popl Support – we’re happy to help you resolve integration errors quickly
If any issues or questions, please contact us at [email protected], we are available nearly 24/7 and will get back to you within 6-8 hours or less.
With 🤍 from Popl.
Last updated