Introduction to the InCountry for Salesforce app
Salesforce is the leading customer relationship management (CRM) platform for businesses of any size and specialization. All your marketing, sales, commerce, service, and IT teams can collaborate and communicate with your customers in one place and in different ways.
Regulated data processing in Salesforce
Salesforce hosting data centers are located in 6 countries. This is not sufficient for the world-wide companies and corporations that manage regulated data of customers. InCountry expands the list to over 90 countries where you can store regulated data and be sure that you do not violate any local laws or regulations.
With InCountry for Salesforce, you can have a single Salesforce instance to store regulated data in over 90 different countries. You do not need to have a dedicated Salesforce instance for each country or region to comply with all sorts of regulations you have to adhere to.
By default, Salesforce does not restrict the visibility of regulated data in the Salesforce instance for agents that work from other countries and are not allowed to view this data. The InCountry for Salesforce app addresses this problem and provides configuration that can restrict the visibility of regulated data to agents working in the origin country only.
InCountry for Salesforce allows customers to separate the streams of regulated and non-regulated data and store each one in different places. This way you store the non-regulated data in Salesforce, and regulated data in the InCountry platform in the specific country.
All the regulated data stored in the InCountry platform is encrypted on the fly with the customer-owned key, so the data is kept secure and safe.
For the next steps with the InCountry for Salesforce app, see the following sections:
- Package Installation
- Initial App Setup
- Configuring Data Regulation Policies
- Configuring the PROTECTED fields
- Regulated Field Protection
- Package Uninstallation
- Viewing Serverless Functions
The InCountry for Salesforce app is installed as a common package by following the standard procedure.
You must have permissions of a System Administrator to install the packages onto your Salesforce instance.
Log in to the Salesforce instance as a System Administrator.
From Setup, click Company Settings and select My Domain.
Specify the domain and check its availability. Rename the domain if it is already occupied. Apply changes and wait for system response.
Installing the app package
The InCountry app is distributed as a standard package which you can install onto your Salesforce instance.
Copy the installation URL of the package.
Log in to the Salesforce instance which you want to install the app in.
In the address line of the browser, paste the link with the Salesforce instance URL and the package installation path. For example:
On the opened page, enter the installation key which InCountry provided to you.
Select users who the app is installed for.
Check the box to prove that you acknowledge the risks by installing the Salesforce app which is not authorized.
Upgrading the app package
Upgrade of the app package is performed in the same way as installation of the app package. For upgrade of the app package to beta releases, please contact the InCountry team in advance.
You need to upload valid certificates into Salesforce, so the InCountry for Salesforce application can perform data communication of regulated between Salesforce and InCountry Platform.
Getting certificates from InCountry
You need to set up an account on the InCountry Portal.
Generating Salesforce compatible certificates
Install OpenSSL and Java Keystore locally.
Open OpenSSL as an administrator and enter:
openssl pkcs12 -export -name signedcert -in <YourCertName>.crt -inkey<YourKeyName>.key -out keystore.p12
Enter a password for the keystore between 6 and 8 characters.
Use the following command for "signedcert" alias:
keytool -importkeystore -destkeystore C:/temp/salesforce.jks -srckeystorekeystore.p12 -srcstoretype pkcs12 -alias signedcert
Enter the same password as in step 3.
Upload the JKS file to Salesforce (Setup > Security > Certificate and Key Management > Import from Keystore), and enter the password specified in steps 3 and 6.
Set the certificate in Salesforce as SSO Request Signing, API Client, and/or Domain Certificate.
The InCountry for Salesforce package requires certificates to perform the client-side requests to InCountry REST SDK. All the certificates must be provided in the JKS format.
You need to upload the following certificates:
incountry- the generic certificate for performing data requests to the InCountry Platform. This is a required certificate.
serverless- the certificate to perform serverless functions. This is an optional certificate.
batch- the certificate to perform batch data operations (for data migration). This is an optional certificate.
You will have to specify the certificate names in the corresponding InCountry REST API endpoints. Depending on your setup, some certificate may not be needed.
Get a certificate from InCountry.
From Setup, click Security, then select Certificate and Key Management.
On the Certificate and Key Management page, click Import from Keystore.
Select the certificate file and enter the keystore password.
Once you have uploaded the certificates, the InCountry for Salesforce app is ready for operation.
If you receive the Data not available error when importing certificates, please do any of the following to bypass this issue:
Create a self-signed certificate in the Certificate and Key Management section.
Enable the Identity Provider and assign the self-signed certificate to it.
After performing these steps, you will be able to import the JKS certificates.
Initial App Setup
Once you have installed the InCountry for Salesforce package, you need to complete its initial setup, so it can make data requests to REST SDK.
Upon successful installation, the InCountry for Salesforce package creates two user accounts for work, as follows:
InCountry Admin - can administer the InCountry Salesforce package and set up data regulation policies for Salesforce objects.
InCountry User - can work within the InCountry interface and manage Salesforce objects.
You need to assign regular Salesforce users to each the InCountry-specific user account depending on their roles within your organization. Each user account can be associated with multiple users. Users who are not assigned to the InCountry Admin or InCountry User account will not be able to load the InCountry interface in Salesforce.
From Setup, click Users and then select Permission sets.
On the list with users, locate the user named as InCountry User or InCountry Admin.
Click this user.
On the opened page, click Manage Assignments.
Within the opened permission set you can view users who attribute to InCountry User or InCountry Admin. They will be able to work within the InCountry for Salesforce app according to the granted permission level.
Here you can manage users, as follows:
- Adding users to the permission set
- Removing users from the permission set
Adding users to the permission set
Within the opened InCountry User permission set, click Add Assignments.
On the All Users page, select users that you want to assign to the InCountry User permission set.
Removing users from the permission set
Within the opened InCountry User or InCountry Admin permission set, select users that you want to remove the assignment from.
Click Remove Assignments.
InCountry REST Endpoint management
The InCountry for Salesforce package pre-defines the REST endpoints for data communication between Salesforce and the InCountry Platform. You can manage these REST endpoints if needed and change them for some custom ones.
From Setup, click Custom Code, then select Custom Metadata Types.
On the Custom Metadata Types page, locate the
InCountryRestApiEndpointobject and click Manage Records.
On the opened InCountryRestApiEndpoint page, locate the country which REST API endpoint you want to modify.
For the required country, click Edit.
On the opened page, you can modify the following:
- Label - enter the label of the country in the ISO format (upper case).
- InCountryRestApiEndpoint Name - enter the label of the country in the ISO format (upper case).
- Country - select the country from the prompted variants.
- Endpoint - specify another InCountry REST API endpoint in the target country. Contact the InCountry team to get the actual endpoint address.
- Default - check the box to use the current InCountry REST API endpoint as default for all data requests.
- Token - enter the token name as '
- CertificateNameServerless - enter the name of the certificate for serverless functions. You need to enter the name of the certificate which was issued for serverless functions without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
- CertificateNameApi - enter the certificate name for performing requests from the backend. This is applicable to the replication model. The name of such certificate is individual for each customer.
- CertificateNameRest - enter the certificate name for performing REST API requests from the frontend. Such requests are performed through the dedicated
/sfendpoint of InCountry REST API and authorization of such requests is executed with a JWT token. This is applicable to the redaction model. The name of such certificate is individual for each customer.
- CertificateNameBatch - name of the certificate for batch data operations. You need to enter the name of the certificate which was issued for batch operations without the *.JKS file extension, so that only the certificate name remains. The pattern for this looks like '
When complete, click Save.
Please avoid modifying these parameters if not needed.
To create a new InCountry REST endpoint:
Initiate the management of records within the
Above the table with REST endpoints, locate the New button and click it.
On the opened page, fill out details for the REST endpoint as described above for management of REST endpoints. To get the actual address of REST endpoint, please contact the InCountry team.
When complete, click Save.
Management of InCountry flags
The InCountry for Salesforce app package introduces a set of custom metadata types, so called flags. These flags regulate the activation of specific features within the package.
- From Setup, click Custom Code, then select Custom Metadata Types.
- On the Custom Metadata Types page, locate the
InCountry Flagobject and click Manage Records. The list with flags opens, as follows:
The list of InCountry flags includes the following:
- CountryISOFromUserProfile - this flag regulates the fetching of the country location from the user profile, otherwise it is determined automatically from the IP address.
- EnableRangeKeyFilter - this flag regulates the usage of the range key filter for searching for numeric values within the specified range.
- PIIFieldsAutoConfiguration - this flag regulates the automatic configuration of the PII fields for Salesforce objects based on the common patterns.
To enable or disable the flag:
- On the list with flags, locate the flag which you want to enable or disable.
- Click the flag name.
- On the opened page, click Edit.
- Select or clear the IsEnabled box.
- Click Save.
Registering remote sites
The app package communicates data with the InCountry Platform through REST API. This requires the registration of remote sites in Salesforce, so the package can seamlessly communicate protected data between Salesforce and InCountry Platform.
Once you have received the address of REST API from the InCountry support team, you can proceed to setup.
From Setup, click Security, then select Remote Site Settings.
On the list with remote sites, click New Remote Site.
On the Remote Site Edit page, specify the following information:
Remote Site Name - enter a meaningful name of the remote site. So you can understand what country it relates to.
Remote Site URL - enter the URL address of InCountry REST API. Besides REST API you may also enter the address of InCountry Border.
Active - check the box to make the remote site as active.
When complete, click Save.
Repeat the same procedure for other InCountry endpoints if you manage protected data for multiple countries.
Loading the InCountry for Salesforce app
Once you have configured the InCountry for Salesforce app and re-created the Salesforce views, you can load the app for working within it.
In the left part of the menu, locate the icon showing available apps and click it.
In the App Launcher form, select InCountry. The name may differ depending on your setup.
The InCountry for Salesforce package will load the recreated views for managing Salesforce objects and their data.
Removing User Assignments
Log in to Salesforce as a system administrator.
From Setup, click User Permissions and then select Permission Sets.
On the list, locate the InCountry User and InCountry Admin sets and click them to open.
Select all users and click Remove Assignment.
Uninstalling App Package
From Setup, click Apps, then click Packaging and select Installed Packages.
On the Installed Packages page, locate the InCountry for Salesforce app.
On the confirmation page, select the Do not save a copy of this package's data after uninstall option.
Select the Yes, I want to uninstall this package and permanently delete all associated components box.
You may encounter the situation when the app package cannot be uninstalled at once due to the modifications in the organization after the app installation including the following:
new layouts in App Builder
new pages in App Builder
In this case, you will see the list of modified items. In order to continue with the app package uninstallation, you will have to roll back these modifications and only then uninstall the app from your Salesforce instance.