Hi all,
We were informed by newbies (not experts) in Hubspot that for the integration between Salesforce and Hubspot the following permissions are documented in Hubspot:
- API Enabled
- View Setup and Configuration
- Modify All on any objects (accounts, campaigns, contacts, leads, or opportunities) that you would like to sync to Hubspot
- Have the Modify Metadata permission (to view data in the Hubspot Visualforce window on Salesforce lead and/or contact records). This is only required if you want to use the Visualforce window, and sync deals to Hubspot
- Have the Download AppExchange Packages permission
What I see as a risk are the "Modify all" permissions and Modify Metadata permissions, as this includes all records created or assigned to any users, bypassing the OWDs and sharing rules. I created a permission set to assign to a specific user, who will execute the integration. He said he needs to sync accounts, contacts, leads and opportunities to Hubspot. He also needs to view data in the Hubspot Visualforce window, but I am wondering why the documentation says you need "Modify Metadata" permission for that!!! It is too dangerous if you give such permissions to non-admins.
I would appreciate any guidance from experts in the Hubspot Integration with Salesforce on which permissions are really needed for the Integration.
@Salesforce Administrators & Developers, @* Outlook/Teams, Gmail, and Inbox *, @* Customer Architect Community *
Hi @Lena Wong,
You've got it exactly.
To expand on it... (and also why I suggested your Senior admin is the integration user, since they would already have the modify all permission) the actual integration between Hubspot and Salesforce requires a user who will serve as the integration user. These user permissions are then inherited by the integration.
The integration is going to directly CRUD (Create, Read, Update, Delete) records in your database; records will be affected as the settings & rules for synchronization are set up.
The page layout only controls what a user sees in the system via the UI based upon their profile, permissions, and the page layout you have assigned to them for the particular record type you assign the page layout to.
As an example (very basic), let's say Hubspot was going to update a contact record first and last name (current values Jane Doe) and had the permission to do so via the modify all permission inherited by the integration user. When the right scenario is triggered in Hubspot (let's say someone updates the contact in Hubspot to be John Doe) it will automatically update the First and Last name of the contact record, thus (Jane Doe would become John Doe in Salesforce).
Now let's say that the page layout you had assigned to a particular user only shows the last name. Before the update, even though values in the record are Jane Doe, only the last name of Doe is displayed to the user based on the page layout.
After the update, because the page layout only shows the last name, it would appear there is no change to the record, as the last name 'Doe' would still be displayed. However, the actual first name would have been updated to 'John' as the integration is updating the data directly at the data level, and is unhindered by page layout restrictions. So people who utilize a different page layout which shows the first and last name would see the change to John Doe, while the user who has the more restrictive page layout would only see the Last Name 'Doe' and be unaware of the first name change.
Page layouts really are only a UI level control. They do not really affect data access at the object level. For that, you really would want to look at FLS, Profile, Permission set(s), and to a lesser degree page layout (depending on subset of data you want displayed to a user based on what they can view via the prior 3 settings).
Hopefully this helps.
Cheers,
J.
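
An added example, not part of either post and not HubSpot or Salesforce code: a Python check over a permission set's metadata XML that flags anything granted beyond the list quoted in the question and the four objects the integration user asked to sync. The sample XML is constructed, and the API names mapped to the UI labels are assumptions to confirm in your own org.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Assumed API names for the UI labels listed in the question.
DOCUMENTED_USER_PERMS = {
    "ApiEnabled",         # API Enabled
    "ViewSetup",          # View Setup and Configuration
    "ModifyMetadata",     # Modify Metadata
    "InstallMultiforce",  # Download AppExchange Packages
}
# Objects the integration user in the thread said he needs to sync.
SYNCED_OBJECTS = {"Account", "Contact", "Lead", "Opportunity"}

# Constructed sample permission set, not taken from a real org.
SAMPLE = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <label>Hubspot Integration</label>
  <objectPermissions><modifyAllRecords>true</modifyAllRecords><object>Account</object></objectPermissions>
  <objectPermissions><modifyAllRecords>true</modifyAllRecords><object>Campaign</object></objectPermissions>
  <objectPermissions><modifyAllRecords>false</modifyAllRecords><object>Case</object></objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyMetadata</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</PermissionSet>"""

def audit(xml_text):
    """Return (kind, name, reason) tuples for grants that deserve a second look."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        modify_all = op.findtext("m:modifyAllRecords", namespaces=NS) == "true"
        if modify_all and obj not in SYNCED_OBJECTS:
            findings.append(("object", obj, "Modify All on an object that is not synced"))
    for up in root.findall("m:userPermissions", NS):
        if up.findtext("m:enabled", namespaces=NS) != "true":
            continue
        name = up.findtext("m:name", namespaces=NS)
        if name not in DOCUMENTED_USER_PERMS:
            findings.append(("user", name, "not in the documented list"))
        elif name == "ModifyMetadata":
            findings.append(("user", name, "only needed for the Visualforce window and deal sync"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```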