[CASB] Salesforce FedRAMP integration (#19580)

maxvp · web-flow · commit 9c5cd24f8dd9 · 2025-02-06T22:53:12.000Z
diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/index.mdx
@@ -25,5 +25,6 @@ You can integrate the following SaaS applications and cloud environments with Cl
   - [SharePoint](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/sharepoint/)
   - [Outlook](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/outlook/)
 - [Salesforce](/cloudflare-one/applications/casb/casb-integrations/salesforce/)
+- [Salesforce (FedRAMP)](/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp/)
 - [ServiceNow](/cloudflare-one/applications/casb/casb-integrations/servicenow/)
 - [Slack](/cloudflare-one/applications/casb/casb-integrations/slack/)
diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce-fedramp.mdx
@@ -0,0 +1,23 @@
+---
+pcx_content_type: reference
+title: Salesforce (FedRAMP)
+rss: file
+head:
+  - tag: title
+    content: Salesforce (FedRAMP) - CASB
+---
+
+import { Render } from "~/components";
+
+:::note[Limited access]
+The Salesforce (FedRAMP) CASB integration is available in limited access. To request access, contact your account team.
+:::
+
+<Render
+	file="casb/salesforce-integration"
+	params={{
+		integrationName: "Salesforce (FedRAMP)",
+		environmentName: "FedRAMP-compliant Salesforce environment",
+		slugifiedName: "salesforce-fedramp",
+	}}
+/>
diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/salesforce.mdx
@@ -10,69 +10,10 @@ head:
 import { Render } from "~/components";
 
 <Render
-  file="casb/integration-description"
-  params={{ one: "Salesforce", two: "Salesforce environment" }}
+	file="casb/salesforce-integration"
+	params={{
+		integrationName: "Salesforce",
+		environmentName: "Salesforce environment",
+		slugifiedName: "salesforce",
+	}}
 />
-
-## Integration prerequisites
-
-- A Salesforce environment (most editions are compatible)
-- Permissions to a Salesforce organization with either:
-
-  - System Administrator permission
-  - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data
-
-## Integration permissions
-
-For the Salesforce integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:
-
-- `Manage user data via APIs (api)`
-- `Manage user data via Web browsers (web)`
-- `Perform requests at any time (refresh_token, offline_access)`
-- `Access unique user identifiers (openid)`
-
-These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm).
-
-## Security findings
-
-<Render
-  file="casb/security-findings"
-  params={{ one: "Salesforce", two: "salesforce" }}
-/>
-
-### File sharing
-
-Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.
-
-| Finding type                                                                        | FindingTypeID                          | Severity |
-| ----------------------------------------------------------------------------------- | -------------------------------------- | -------- |
-| Salesforce: Content Document publicly accessible without a password                 | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical |
-| Salesforce: Content Document publicly accessible with weak password                 | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High     |
-| Salesforce: Content Document publicly accessible and password protected             | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium   |
-| Salesforce: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium   |
-| Salesforce: Content Document larger than 2 GB                                       | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium   |
-
-### Account misconfigurations
-
-Discover account and admin-level settings that have been configured in an insecure way.
-
-| Finding type                                              | FindingTypeID                          | Severity |
-| --------------------------------------------------------- | -------------------------------------- | -------- |
-| Salesforce: Domain without HTTPS                          | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High     |
-| Salesforce: Default Account record access allows edit     | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium   |
-| Salesforce: Default Case record access allows edit        | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium   |
-| Salesforce: Default Contact record access allows edit     | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium   |
-| Salesforce: Default Lead record access allows edit        | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium   |
-| Salesforce: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium   |
-| Salesforce: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low      |
-
-### User access
-
-Flag user access issues, including account misuse and users not following best practices.
-
-| Finding type                                                | FindingTypeID                          | Severity |
-| ----------------------------------------------------------- | -------------------------------------- | -------- |
-| Salesforce: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium   |
-| Salesforce: Inactive user                                   | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low      |
-| Salesforce: User has never logged in                        | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low      |
-| Salesforce: User has not logged in for 90+ days             | `8395c824-bc44-4c12-b300-40f2477384d4` | Low      |
diff --git a/src/content/docs/cloudflare-one/policies/gateway/lists.mdx b/src/content/docs/cloudflare-one/policies/gateway/lists.mdx
@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: Lists
 sidebar:
   order: 13
-
 ---
 
-import { Render } from "~/components"
+import { Render } from "~/components";
 
 With Cloudflare Zero Trust, you can create lists of URLs, hostnames, or other entries to reference when creating [Gateway policies](/cloudflare-one/policies/gateway/) or [Access policies](/cloudflare-one/policies/access/). This allows you to quickly create rules that match and take actions against several items at once.
 
@@ -16,12 +15,12 @@ Before creating a list, make note of the [limitations](#limitations).
 
 Lists can contain a single type of data each. Supported data types include:
 
-* URLs
-* Hostnames
-* Serial numbers
-* User email addresses
-* IP addresses
-* Device ID numbers
+- URLs
+- Hostnames
+- Serial numbers
+- User email addresses
+- IP addresses
+- Device ID numbers
 
 <Render file="gateway/lists" />
 
@@ -31,10 +30,10 @@ Lists can contain a single type of data each. Supported data types include:
 
 2. Select **Edit**. This will allow you to:
 
-   * Edit list name and description by selecting on the three-dots menu to the right of your list's name.
-   * Delete the list by selecting the three-dots menu to the right of your list's name.
-   * Delete individual entries.
-   * Manually add entries to your list.
+   - Edit list name and description by selecting on the three-dots menu to the right of your list's name.
+   - Delete the list by selecting the three-dots menu to the right of your list's name.
+   - Delete individual entries.
+   - Manually add entries to your list.
 
 3. Once you have edited your list, select **Save**.
 
@@ -46,7 +45,7 @@ Your lists can include up to 1,000 entries for Standard plans and 5,000 for Ente
 
 ### Duplicate entries
 
-Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in an error.
+Lists cannot have duplicate entries. Because hostnames are converted to [Punycode](https://www.rfc-editor.org/rfc/rfc3492.txt), multiple list entries that convert to the same string will count as duplicates. For example, `éxàmple.com` converts to `xn—xmple-rqa5d.com`, so including both `éxàmple.com` and `xn—xmple-rqa5d.com` in a list will result in a duplicate error.
 
 ### URL slashes
 
diff --git a/src/content/partials/cloudflare-one/casb/integration-description.mdx b/src/content/partials/cloudflare-one/casb/integration-description.mdx
@@ -1,12 +1,7 @@
 ---
-inputParameters: integrationName;;integrationAccountType
-
+params:
+  - integrationName
+  - integrationAccountType
 ---
 
-import { Markdown } from "~/components"
-
-<div class="special-class" markdown="1">
-
 The {props.one} integration detects a variety of data loss prevention, account misconfiguration, and user security risks in an integrated {props.two} that could leave you and your organization vulnerable.
-
-</div>
diff --git a/src/content/partials/cloudflare-one/casb/integration-perms.mdx b/src/content/partials/cloudflare-one/casb/integration-perms.mdx
@@ -1,5 +1,7 @@
 ---
-inputParameters: parentIntegration;;parentSlug
+params:
+  - parentIntegration
+  - parentSlug
 ---
 
 Refer to <a href={`/cloudflare-one/applications/casb/casb-integrations/${props.two}/#integration-permissions`}>{props.one} integration permissions</a> for information on which API permissions to enable.
diff --git a/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx b/src/content/partials/cloudflare-one/casb/salesforce-integration.mdx
@@ -0,0 +1,75 @@
+---
+params:
+  - integrationName
+  - environmentName
+  - slugifiedName
+---
+
+import { Render } from "~/components";
+
+<Render
+	file="casb/integration-description"
+	params={{ one: props.integrationName, two: props.environmentName }}
+/>
+
+## Integration prerequisites
+
+- A {props.environmentName} (most editions are compatible)
+- Permissions to a Salesforce organization with either:
+  - System Administrator permission
+  - Permissions for View Setup and Configuration, Customize Applications, and Modify All Data
+
+## Integration permissions
+
+For the {props.integrationName} integration to function, Cloudflare CASB requires the following Salesforce permissions via a Connected App:
+
+- `Manage user data via APIs (api)`
+- `Manage user data via Web browsers (web)`
+- `Perform requests at any time (refresh_token, offline_access)`
+- `Access unique user identifiers (openid)`
+
+These permissions follow the principle of least privilege to ensure that only the minimum required access is granted. To learn more about each permission, refer to the [Salesforce OAuth Tokens and Scopes documentation](https://help.salesforce.com/s/articleView?id=sf.remoteaccess_oauth_tokens_scopes.htm).
+
+## Security findings
+
+<Render
+	file="casb/security-findings"
+	params={{ one: props.integrationName, two: props.slugifiedName }}
+/>
+
+### File sharing
+
+Identify uploaded content, files, and attachments that have been shared in a potentially insecure fashion.
+
+| Finding type                                                                                     | FindingTypeID                          | Severity |
+| ------------------------------------------------------------------------------------------------ | -------------------------------------- | -------- |
+| {props.integrationName}: Content Document publicly accessible without a password                 | `4cde56ed-19db-4cdb-a6c6-3aede5e17785` | Critical |
+| {props.integrationName}: Content Document publicly accessible with weak password                 | `68c43ab8-733d-4798-b25f-202f6fcf435f` | High     |
+| {props.integrationName}: Content Document publicly accessible and password protected             | `75194f6b-5a95-48fa-b485-37181d2d19c8` | Medium   |
+| {props.integrationName}: Content Document shared and not viewed in 12+ months (stale permission) | `7125e209-234a-4f10-89d2-1af0601c277f` | Medium   |
+| {props.integrationName}: Content Document larger than 2 GB                                       | `3d21de13-4b9f-483c-921a-44cdef7a58c5` | Medium   |
+
+### Account misconfigurations
+
+Discover account and admin-level settings that have been configured in an insecure way.
+
+| Finding type                                                           | FindingTypeID                          | Severity |
+| ---------------------------------------------------------------------- | -------------------------------------- | -------- |
+| {props.integrationName}: Domain without HTTPS                          | `20916e32-442e-4622-9e54-e1f37eb7d79f` | High     |
+| {props.integrationName}: Default Account record access allows edit     | `316f1d9a-447e-432c-add7-7adde67c4f19` | Medium   |
+| {props.integrationName}: Default Case record access allows edit        | `a7c8eb3e-b5be-4bfc-969a-358186bf927a` | Medium   |
+| {props.integrationName}: Default Contact record access allows edit     | `e7be14f0-24d6-4d6c-9e12-ca3f23d34ba9` | Medium   |
+| {props.integrationName}: Default Lead record access allows edit        | `12fde974-45e8-4449-8bf4-dc319370d5ca` | Medium   |
+| {props.integrationName}: Default Opportunity record access allows edit | `2ab78d14-e804-4334-9d46-213d8798dd2a` | Medium   |
+| {props.integrationName}: Organization with active compliance BCC email | `43e5fd20-1cba-4f1d-aa39-90c7ce2e088a` | Low      |
+
+### User access
+
+Flag user access issues, including account misuse and users not following best practices.
+
+| Finding type                                                             | FindingTypeID                          | Severity |
+| ------------------------------------------------------------------------ | -------------------------------------- | -------- |
+| {props.integrationName}: User sending email with different email address | `a2790c4f-03f5-449f-b209-5f4447f417af` | Medium   |
+| {props.integrationName}: Inactive user                                   | `57e44995-c7ad-46fe-9c55-59706e663adf` | Low      |
+| {props.integrationName}: User has never logged in                        | `a0bf74df-c796-4574-ac1c-0f239ea8c9ac` | Low      |
+| {props.integrationName}: User has not logged in for 90+ days             | `8395c824-bc44-4c12-b300-40f2477384d4` | Low      |
diff --git a/src/content/partials/cloudflare-one/casb/security-findings.mdx b/src/content/partials/cloudflare-one/casb/security-findings.mdx
@@ -1,5 +1,7 @@
 ---
-inputParameters: integrationName;;slugRelativePath
+params:
+  - integrationName
+  - slugRelativePath
 ---
 
 The {props.one} integration currently scans for the following findings, or security risks. Findings are grouped by category and then ordered by [severity level](/cloudflare-one/applications/casb/manage-findings/#severity-levels).
diff --git a/src/content/partials/cloudflare-one/casb/shared-links.mdx b/src/content/partials/cloudflare-one/casb/shared-links.mdx
@@ -2,8 +2,4 @@
 {}
 ---
 
-<div class="special-class" markdown="1">
-
 To access some file findings, you may need to review shared links. For more information, refer to [View shared files](/cloudflare-one/applications/casb/manage-findings/#view-shared-files).
-
-</div>
diff --git a/src/content/partials/cloudflare-one/gateway/response.mdx b/src/content/partials/cloudflare-one/gateway/response.mdx
@@ -1,12 +1,8 @@
 ---
-inputParameters: type1;;example2;;example3
-
+params:
+  - type1
+  - example2
+  - example3
 ---
 
-import { Markdown } from "~/components"
-
-<div class="special-class" markdown="1">
-
-If a condition in an expression joins a {props.one} attribute (such as *{props.two}*) and a response attribute (such as *{props.three}*), then the condition will be evaluated when the response is received.
-
-</div>
+If a condition in an expression joins a {props.one} attribute (such as _{props.two}_) and a response attribute (such as _{props.three}_), then the condition will be evaluated when the response is received.
diff --git a/src/content/partials/cloudflare-one/gateway/url-slash.mdx b/src/content/partials/cloudflare-one/gateway/url-slash.mdx
@@ -1,10 +1,5 @@
 ---
 {}
-
 ---
 
-<div class="special-class" markdown="1">
-
 Gateway ignores trailing forward slashes (`/`) in URLs. For example, `https://example.com` and `https://example.com/` will count as the same URL and may return a duplicate error.
-
-</div>
diff --git a/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx b/src/content/partials/learning-paths/zero-trust/threat-intelligence-automation.mdx
@@ -1,10 +1,5 @@
 ---
 {}
-
 ---
 
-<div class="special-class" markdown="1">
-
 You can implement this policy by either creating custom blocklists or by using blocklists provided by threat intelligence partners or regional Computer Emergency and Response Teams (CERTs). Ideally, your CERTs can update the blocklist with an [API automation](/security-center/intel-apis/) to provide real-time threat protection.
-
-</div>
