Salesforce - Permissions

This document covers information on what permissions the Popl integration with Salesforce uses and resolving common permission errors.

Least Privilege

Our integration with Salesforce uses Role Based Access Control (RBAC), which in turn applies the security principle of least privilege. Least privilege means that the enterprise app created by the integration is granted precisely the privileges it needs to perform the integration's tasks and nothing more.

Permissions

The Salesforce integration uses the following OAuth scopes. Each entry lists the scope name, Salesforce's description of it, and the reason the integration needs it:

  • openid (Access unique user identifiers)
    Reasoning: This scope is used with OpenID Connect. It allows access to the user's unique identifier.

  • api (Manage user data via APIs)
    Reasoning: Grants access to the authenticated user's data via the Salesforce REST and SOAP APIs.

  • web (Manage user data via Web browsers)
    Reasoning: Allows the app to use the web-based flow to authenticate the user and access Salesforce with consent, through the UI.

  • refresh_token (Perform requests at any time)
    Reasoning: Allows the app to receive a refresh token to obtain new access tokens.

  • offline_access (Perform requests at any time)
    Reasoning: Allows the app to perform background tasks or long-running sessions without requiring re-login.
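An added example (not Popl's or Salesforce's code) that checks a connected app's granted scopes against the least-privilege set documented above. It takes the space-separated scope string that Salesforce uses in authorization requests and token responses and reports anything granted beyond that set, so an admin can spot privilege creep during a review; the sample strings below are constructed.

```python
import re

# The OAuth scopes this page documents for the Popl connected app.
DOCUMENTED_SCOPES = frozenset({"openid", "api", "web", "refresh_token", "offline_access"})


def parse_scope_string(scope: str) -> set[str]:
    """Split a space-separated OAuth scope string into a set of scope names."""
    return {s for s in re.split(r"\s+", scope.strip()) if s}


def audit_scopes(granted: str, expected: frozenset = DOCUMENTED_SCOPES) -> dict:
    """Compare the scopes actually granted to the documented least-privilege set.

    'extra' lists scopes that exceed what the integration needs (a finding for
    the security team); 'missing' lists documented scopes that were not granted
    (the integration will likely fail); 'least_privilege' is True only when the
    two sets match exactly.
    """
    have = parse_scope_string(granted)
    return {
        "extra": sorted(have - expected),
        "missing": sorted(expected - have),
        "least_privilege": have == set(expected),
    }


if __name__ == "__main__":
    # Constructed sample: the scope field of a token response that matches the page.
    print(audit_scopes("openid api web refresh_token offline_access"))
    # Constructed sample: an app that was granted a broader scope than documented.
    print(audit_scopes("full refresh_token openid"))
```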

Fixing the “Your Salesforce policies are blocking Popl’s IP address” Error

When connecting Popl with Salesforce, you may see the message "Your Salesforce policies are blocking Popl's IP address".

This happens because Salesforce has strict security settings called IP Restrictions. If a login request comes from an IP address outside your organization’s allowed range, Salesforce blocks it.

This can affect the Popl integration.


Why Does This Error Happen?

Salesforce restricts logins and API access based on IP addresses to help protect your data. If Popl’s connection request comes from an IP address not included in your trusted range, Salesforce blocks it.

Common reasons you might see this error:

  • Your organization has strict IP restriction policies

  • The Popl Connected App is not configured to allow Popl’s IP addresses

  • Your team is working remotely from dynamic IP addresses


How to Fix the Error

There are two ways to resolve this error depending on your organization’s security preferences:


Option 1: Relax IP Restrictions for the Popl Connected App

Steps:

  1. Log in to Salesforce using an administrator account.

  2. Go to Setup (click the gear icon at the top right and select Setup).

  3. In the Quick Find box, search for App Manager and select it.

  4. Locate your Popl Connected App in the list, click the dropdown arrow, and choose Manage.

  5. Click Edit Policies.

  6. In the IP Relaxation dropdown, select Relax IP restrictions.

  7. Click Save.


Option 2: Add Trusted IP Ranges

Steps:

  1. Open the Popl Connected App in Salesforce.

  2. Scroll down to the Trusted IP Ranges for OAuth Web Server Flow section.

  3. Click New.

  4. Enter the starting and ending IP address range you want to allow.

    • Example: Start IP: 35.168.0.0 | End IP: 35.168.255.255 (replace with your actual allowed ranges)

  5. Click Save.
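An added example (not Popl's or Salesforce's code) that models the two options above so an admin can verify a configuration before saving it: it converts a Salesforce "Start IP / End IP" pair into an inclusive range, expresses it as CIDR blocks for comparison with firewall or vendor documentation, and decides whether a given source address would pass. The policy names "Enforce IP restrictions" (assumed default) and "Relax IP restrictions" (from Option 1) and the sample addresses are assumptions for illustration.

```python
import ipaddress


def parse_trusted_range(start: str, end: str) -> tuple[int, int]:
    """Turn a Salesforce 'Start IP' / 'End IP' pair into an inclusive integer interval."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"invalid trusted IP range {start} - {end}")
    return int(lo), int(hi)


def range_as_cidrs(start: str, end: str) -> list[str]:
    """Express a start/end range as the minimal list of CIDR blocks."""
    parse_trusted_range(start, end)  # validate first
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))]


def ip_in_trusted_ranges(ip: str, ranges: list[tuple[str, str]]) -> bool:
    """True if the source address falls inside any configured trusted range."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = parse_trusted_range(start, end)
        if ipaddress.ip_address(start).version == addr.version and lo <= int(addr) <= hi:
            return True
    return False


def login_allowed(ip: str, ranges: list[tuple[str, str]],
                  ip_relaxation: str = "Enforce IP restrictions") -> bool:
    """Model the connected app policy: with 'Relax IP restrictions' (Option 1) the
    source address is not checked; otherwise it must be in a trusted range (Option 2)."""
    if ip_relaxation == "Relax IP restrictions":
        return True
    return ip_in_trusted_ranges(ip, ranges)


if __name__ == "__main__":
    # Constructed sample using the range from the Option 2 example above.
    trusted = [("35.168.0.0", "35.168.255.255")]
    print(range_as_cidrs(*trusted[0]))
    print(login_allowed("35.168.12.34", trusted))            # inside the range
    print(login_allowed("203.0.113.7", trusted))             # outside, enforced
    print(login_allowed("203.0.113.7", trusted, "Relax IP restrictions"))
```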


Best Practices

  • Relax IP restrictions only if necessary and document the change for your security team

  • Add trusted IP ranges whenever possible to maintain tighter control

  • Test after making changes to ensure Popl can successfully connect

  • Document any IP changes in your internal IT or security log for future reference


Troubleshooting

Still seeing the error after changes?

  • Double-check that you updated the Popl Connected App (not a different app)

  • Confirm you clicked Save after editing policies

  • Verify that your Salesforce user has the proper admin permissions to make these changes

Popl users still can’t connect?

  • Log out of both Popl and Salesforce and reconnect

  • Confirm with your IT team that no firewall rules are blocking Salesforce connections

  • Contact Popl Support for additional troubleshooting

If you still experience issues:

  • Contact your Salesforce administrator to review IP settings


Fixing the "OAUTH_APPROVAL_ERROR_GENERIC" Error

Why Does This Error Happen?

This error occurs when a user tries to authorize a Salesforce integration but does not have the required permission to approve uninstalled connected apps. Salesforce restricts OAuth approval to prevent unauthorized apps from being connected. For non-admin users, the permission "Approve Uninstalled Connected Apps" must be enabled; otherwise, Salesforce blocks the authentication attempt, resulting in a generic OAuth error.

How to Fix It

A Salesforce admin must update the user’s profile permissions:

  1. Go to Setup

  2. Navigate to Manage User Profiles

  3. Select the specific User Profile

  4. Scroll to System Permissions

  5. Enable Approve Uninstalled Connected Apps

  6. Save the changes

  7. Have the user retry the integration connection

Recommendation: Have an Admin Complete the Integration

To avoid permission-related errors like this, it’s best to have a Salesforce admin handle the initial integration setup. Admins automatically have the necessary permissions and can approve the connected app without issues.


Need Help?

Contact Popl Support – our team is always available to assist at [email protected].

With 🤍 from Popl.
