This document describes how to configure change data capture (CDC) tostream data from a Salesforce organization to asupported destination,such as BigQuery or Cloud Storage.

Before you begin

Before you start configuring Salesforce for use with Datastream,you need to:

• Have access to an active Salesforce organization
• Have knowledge of how to navigate and change settings in Salesforce
• Have knowledge of how to create users and profiles in Salesforce

Configure a Salesforce organization for use with Datastream

To establish a connection between your Salesforce org and Datastream,you need to authenticate either by using a username and a password, or by usingthe OAuth 2.0 client credentials flow. To use the latter, you can create aSalesforce connected appor anexternal client app.

If your Salesforce org is configured to allow access from specific IP addresses,make sure that Salesforce acceptsDatastream IP addresses.For information about how to manage your network access restrictions, seeNetwork access and profile-based IP restrictionsandSet trusted IP ranges for your organizationin the Salesforce documentation.

Configure a user

1. In Salesforce, either create a user, or adjust the settings for an existinguser as per the instructions that follow.
2. Create a dedicated profile and assign it to the user.
3. If your organization has IP address restrictions configured, make sure thatyou add theDatastream IP addresses to the list of allowed IPaddresses. For more information, seeRestrict login IP addresses in profiles.
4. Make sure that the user profile has theAPI Enabledpermission so that the user can use both theSalesforce REST API andBulk API 2.0.
5. Make sure that the user profile has the permissions to read allobjectsandfieldsthat you want to include in your stream. For security reasons, consider grantingthe user read-only permissions. For more information, seeControl who sees whatin the Salesforce documentation.
6. Optional: By default, Salesforce returns encrypted fields as masked fields.If you need your user to view the actual values of encrypted fields, grant themtheView Encrypted Data permission. You can grant the permission by editingthe user's permission set.

Optional: Create and set up a connected app

Salesforce uses connected apps to integrate external applications with theSalesforce API, integrate service providers with your Salesforce org,or to control what data a third-party application can access from your Salesforceorganization. If you prefer to use a connected app to authenticate your Salesforceinstance in Datastream, perform the following steps:

1. Create a connected app. For more information, see theSalesforce documentation.

2. Configure your connected app for theOAuth 2.0 client credentials flow.

   Note: Make sure that the user to whom you want to assign the clientcredentials flow has the appropriate API permissions and access to all objectsand fields that you want to include in your stream.
   
   In Salesforce, go toSetup > Connected apps > Manage connected apps.Click the connected app for which you want to edit permissions. UnderClient credentials flow, click the user for whom you want to editcredentials flow settings.

3. Make sure that your connected app has theManage user data via APIs (api)scope enabled. For more information about scopes, seeOAuth tokens and scopes.

4. Make sure that your connected app can access the Salesforce APIs with theDatastream IP addresses. For more information, seeRestrict access to APIs with connected apps andConfigure trusted IP ranges for a connected app.

5. Get the consumer key and consumer secret:

   1. In Salesforce, enterApp in the quick find box, and then selectApp Manager.
   2. Find your connected app in the list and expand the drop-down to the rightof the row.
   3. SelectView.
   4. In theManage connected apps details page, clickManage consumer details.
   5. A screen opens asking you for a verification code. An email with the verificationcode is sent to the user to whom you assign the client credentials flow.
   6. Enter the verification code. You are then redirected to the consumerdetails page where you can find your key and secret. You need to provide theconsumer key and secret when you create your connection profile.

What's next

• Learn more about theSalesforce source.