Configuring API scanning in Forcepoint ONE SSE

After completing the above steps in Salesforce, return to Forcepoint ONE SSE to authorize the API access. Log in with a Forcepoint ONE SSE sysadmin account to perform the steps below.

Steps

  1. Log in to the Forcepoint ONE SSE portal, navigate to Protect > Policies, and select the Salesforce application to open its settings page. Then click the app instance for which you want to enable API scanning.
  2. In the app instance dialog, enable API scanning by checking Enable DLP Scanning of Objects and then click Ok. Back on the Salesforce Settings page, click Save in the top right corner.


  3. After you save, under the app instance, click the Authorize Scanning option.


  4. On the Authorize API Scanning page, paste the Consumer key and secret from step 5 in the Salesforce Connected App Setup steps above and then click Save. Once you have saved, click Authorize Scanning underneath; you will be taken to a Salesforce page to authorize the API access.


    Note:

    The Authorize API Access link must be visited by a Salesforce admin, who must authenticate with admin credentials to generate an associated OAuth token.



    Once authenticated, you should see a green check mark beside Scanning Authorized.



  5. Click Scanning Authorized and then click Sync Now under the Synchronization Status section.


    A pop-up opens asking you to confirm the sync. Click Sync Now to continue.



  6. Navigate back to the Salesforce settings page and under the app instance, select API Scanning: Setup.

    This is where you set up what you are scanning for. The API Scanning Settings page is divided into two cards. The top card lets you specify what you are scanning for (data patterns and sharing status). The bottom card is where you specify which objects and fields are to be scanned.





    • For the top card, first select the sharing status you want to identify: all sharing statuses, or only items shared publicly/externally. Then click the green plus icons to add as many data patterns as you want to look for. Add new lines and select your data pattern from the drop-down.


      Note: To configure API policies with the Forcepoint DLP data pattern, refer to Configuring FSM controlled policies for CASB and SWG channels.
    • For the bottom card, select the Object from the drop-down and then add the Fields contained within that object. Do this for each Object that contains Fields you wish to scan.


      • Once you have finished selecting which Objects/Fields are scanned and have saved, the list of selected fields across all of your objects appears at the very bottom.


  7. To learn how to configure policy actions, refer to Configuring API policies.

    Forcepoint ONE SSE currently supports:

    • Allow, CreateCopy, and Quarantine actions if the user's Salesforce account is using Classic view.
    • Allow action if the user's Salesforce account is using Lightning View.
    Note:
    • Forcepoint ONE SSE can support create copy/quarantine of Salesforce attachment files to other sanctioned apps for which you have authorized the API (for example, Google Drive, OneDrive, Dropbox, Box, etc.).
    • Forcepoint ONE SSE can also create copy/quarantine Salesforce attachments to other Salesforce instances that were also set up via API. In this case, the copied/quarantined file will be attached to a BGObject record that Forcepoint ONE SSE automatically creates.
    • Forcepoint ONE SSE does not currently support policy actions on Salesforce Global Files or if the user's Salesforce account is using Lightning UI.