Salesforce Permissions establish the access controls required for the Backstory integration to function. You will create a dedicated Salesforce user account and assign it three categories of permissions: system permissions, object permissions, and field permissions. Together, these enable Backstory to read, create, and update Salesforce data as part of normal integration operations.
What You Can Do
Create a dedicated integration user for a stable Salesforce connection
Assign system permissions for the required access
Assign object permissions to control record-level access
Assign field permissions to control which fields are readable
Prerequisites
You must be a Salesforce administrator to complete this setup.
Your organization must have an active Backstory account with the Salesforce integration enabled.
Integration User
We strongly recommend setting up a separate Salesforce user account exclusively for Backstory, rather than using an existing employee's account. This ensures permissions remain stable if someone leaves the company or changes roles.
Follow Salesforce's standard process to add a single user.
Name the user "Backstory Integration User."
Assign the user a Salesforce user license.
Place the user at the top of your Salesforce Role Hierarchy.
Once complete, move on to the next section to assign system permissions.
System Permissions
System permissions give the integration user the access it needs to connect to Backstory. Three permissions are required: View All Data, API Enabled, and View All Users. How you grant them depends on the profile type assigned to your integration user. Select the option that applies to you.
Option A: System Administrator Profile (Recommended)
The System Administrator profile includes the highest level of administrative privileges by default, including all three required permissions. If your organization is comfortable granting this level of access, no further configuration is needed. Skip to the section about Object Permissions.
Option B: Custom Profile
Custom profiles let you grant permissions selectively. Once you have a custom profile assigned to your integration user, follow these steps to enable the required permissions:
In Salesforce, go to Setup > Users > Profiles.
Open the custom profile assigned to your integration user.
Under System Permissions, enable View All Data, API Enabled, and View All Users.
Option C: Standard Profile with Permission Set
Standard profiles have fixed permissions and cannot be edited directly. You will need to create a Permission Set to grant the required access.
Create a new permission set named "Backstory Standard Permissions."
Under System Permissions, enable Edit Events, Edit Tasks, and API Enabled.
Under User Permissions, enable View All Data and View All Users.
Assign the permission set to your Backstory Integration User.
A Note on View All Data
We recommend enabling View All Data for the integration user. Backstory relies on it in the following ways:
CRM pull: View All Data allows Backstory to access all Salesforce objects without additional configuration.
Trigger exception troubleshooting: When a sync fails due to insufficient access errors, View All Data gives Backstory the visibility needed to diagnose the root cause.
Cadence tool integration: View All Data may be required when integrating with cadence tools.
If your organization's security policies prohibit View All Data, you can use the least-privilege alternative below. Note that troubleshooting trigger exceptions will become your responsibility in this case.
Assign View All permission on Accounts, Contacts, Leads, and Opportunities.
Enable Edit Events and Edit Tasks under System Permissions.
Enable View Setup and Configuration under Administrative Permissions. This automatically grants View Role and Role Hierarchy, which is also required.
Assign View All permission on any additional objects that interact with the above via automations, including Tasks and Events.
Object Permissions
Object permissions control which types of Salesforce records Backstory can read, edit, create, or delete.
To configure object permissions:
In Salesforce Setup, navigate to your integration user's profile or permission set.
Click Object Settings.
Select an object and enable the permissions listed in the table below.
Click Save.
Return to Object Settings and repeat for each remaining object.
Salesforce Object | View All | Edit | Create | Delete | Why Backstory Needs It |
Account | ✓ | ✓ |
|
| Used to match activities to accounts and write aggregated fields. |
Contact | ✓ | ✓ | ✓ | ✓ | Used to match activities to contacts and update titles and phone numbers. Delete is reserved for contacts created by Backstory for support purposes. |
Lead | ✓ | ✓ | ✓ |
| Used to match activities to leads and write aggregated fields. Create is reserved for future enhancements. |
Opportunity | ✓ | ✓ |
|
| Used to match activities to opportunities and write aggregated fields. |
Note: If your organization uses Private sharing settings on any object above, the integration user also needs the Modify All Records permission for that object. Without it, some sync processes may fail.
Inherited Object Permissions
The following objects inherit permissions automatically from the parent objects or system permissions you've already granted and require no additional configuration:
Object | Inherits From |
AccountTeamMember | Account |
EventRelation | Edit Events (system permission) |
FiscalYearSettings | View All Data (system permission) |
Group | Manage Users (system permission) |
LeadHistory | Lead |
LeadStatus | Lead |
OpportunityContactRole | Opportunity |
OpportunityHistory | Opportunity |
OpportunityStage | Opportunity |
OpportunityTeamMember | Opportunity |
Organization | View All Data (system permission) |
Profile | Manage Users (system permission) |
TaskRelation | Edit Tasks (system permission) |
User | Manage Users (system permission) |
UserLicense | Manage Users (system permission) |
UserRole | Manage Users (system permission) |
Field Permissions
Granting access to an object does not automatically grant access to its fields. Field permissions control which individual data fields Backstory can read within each Salesforce object.
We recommend granting Read Access to all fields in the following objects to ensure all features work as expected:
Account
Contact
Event
Lead
Opportunity
Period
Task
To configure field permissions:
In Salesforce Setup, navigate to your integration user's profile or permission set.
Click Object Settings and select the object you want to configure.
Scroll to the Field Permissions section.
Enable Read Access for all object fields allowed by your organization’s security policies.
Click Save.
Return to Object Settings and repeat for each remaining object.
Minimum Required Field Permissions
If your organization's security policies require a more restrictive approach, the table below lists the minimum required and recommended fields by their API names.
Required: Backstory cannot complete a data pull without these. Missing required fields will cause the integration to stop and return an error.
Recommended: Backstory uses these to enrich insights, but the data pull will not fail without them. Granting access is strongly encouraged where your security policies allow.
Object | Required Fields | Recommended Fields |
Account | CreatedById Name OwnerId
| AnnualRevenue BillingAddress Industry NumberOfEmployees Ownership ParentId RecordTypeId ShippingAddress Type Website |
Contact | AccountId CreatedDate Name OwnerId Title | AssistantPhone Department HomePhone MailingAddress MobilePhone OtherPhone Phone |
Event | ActivityDate CreatedById LastModifiedById OwnerId peopleai__Created_by_PeopleAI__c Type | — |
Lead | Company CreatedById Name OwnerId Status | AnnualRevenue Industry MobilePhone Phone Rating Title Website |
Opportunity | AccountId CloseDate CreatedById Name OwnerId StageName | Amount ExpectedRevenue ForecastCategoryName LeadSource Probability RecordTypeId Territory2Id Type |
Task | CreatedById OwnerId peopleai__Created_by_PeopleAI__cWhatId WhoId | Priority Status TaskSubtype |
Inherited Field Permissions
Fields in the table below are also required for the Backstory integration, but are accessible automatically through permissions you've already granted and do not require manual configuration.
Object | Required Fields |
Account | CreatedDate Id IsDeleted LastModifiedById SystemModstamp |
AccountTeamMember | AccountId CreatedDate Id IsDeleted SystemModstamp TeamMemberRole UserId |
Contact | AccountId CreatedDate Id IsDeleted SystemModstamp |
Currency Type
Note: These fields only exist if Multi-Currency is enabled in Salesforce. To check, go to Setup > Company Settings > Company Information > Activate Multiple Currencies checkbox. | CreatedDate DecimalPlaces Id, IsActive IsCorporate IsoCode SystemModstamp |
DatedConversionRate
Note: These fields only exist if Multi-Currency is enabled in Salesforce. To check, go to Setup > Company Settings > Company Information > Activate Multiple Currencies checkbox. | ConversionRate CreatedDate Id IsoCode NextStartDate StartDate SystemModstamp |
Event | CreatedDate Id SystemModstamp |
FiscalYearSettings | EndDate Id IsStandardYear Name StartDate SystemModstamp |
Group | CreatedDate Id Name OwnerId SystemModstamp Type |
Lead | ConvertedAccountId ConvertedContactId ConvertedDate ConvertedOpportunityId CreatedDate Id IsDeleted SystemModstamp |
LeadHistory | CreatedDate Field Id LeadId NewValue |
LeadStatus | ApiName CreatedDate IsConverted IsDefault SortOrder SystemModstamp |
Opportunity | CreatedDate Id IsClosed IsDeleted IsWon LastModifiedById SystemModstamp |
OpportunityContactRole | ContactId CreatedDate Id IsDeleted IsPrimary OpportunityId Role SystemModstamp |
OpportunityHistory | Amount CloseDate CreatedDate Id OpportunityId Probability StageName SystemModstamp |
OpportunityStage | ApiName CreatedDate IsActive IsClosed IsWon SortOrder SystemModstamp |
OpportunityTeamMember | CreatedDate Id IsDeleted Name OpportunityAccessLevel OpportunityId SystemModstamp TeamMemberRole Title UserId |
Profile | Id SystemModstamp UserLicenseId |
User | CreatedDate Id IsActive ProfileId SystemModstamp TimeZoneSidKey |
UserLicense | Id LicenseDefinitionKey SystemModstamp |
UserRole | Id LastModifiedById Name ParentRoleId PortalAccountId SystemModstamp |
Frequently Asked Questions
Which profile type should I use for the integration user?
It depends on your organization's security policies. The System Administrator profile is the simplest option. A custom profile gives you more control. A standard profile requires an additional permission set.
What happens if I don’t enable read access to a required field?
The integration will stop and return an error. It won't resume syncing until read access is granted for every required field on that object.
Do I have to enable the recommended fields?
No, but it's strongly encouraged. Recommended fields allow Backstory to surface richer insights and more complete reporting. Skipping them won't break the integration, but your data may be less detailed and some functionality will be unavailable to you.
What does "inherited" mean for field permissions?
Some fields become accessible automatically once you grant the related parent object permission or system permission. You don't need to configure these manually. They're listed in the table for reference only.
What if my organization uses private sharing settings?
If any object has Private sharing settings, the integration user will also need the Modify All permission for that object. Without it, specific processes like OCR creation and summary field pushes may fail.
What should I do if validation rules are blocking Backstory from updating fields?
Some orgs have validation rules or flows that prevent Backstory from updating fields installed with the managed package. If this happens, ask a Salesforce admin to update each affected validation rule to exempt the Backstory integration user. They can do this by adding a condition like $Profile.Name != 'Backstory Integration User', or by referencing the integration user's profile or role in the rule logic.
Need Help?
Contact your CSM or email support@backstory.ai.