Celonis Product Documentation

Extractor Detail, Salesforce
Permissions for Extractor Detail

Administrators grant the permission by checking the API Enabled box in the security settings. The setting is accessible via Setup > Manage Users > Permission Sets > Permission Set to be updated > System > System Permissions > Edit.


The user needed for the extraction can also be set to API user only, the option right below API Enabled. API Enabled needs to be activated in either case.

Read access to object types is provided in the Standard Object Permission and the Custom Object Permissions sections and depends on the process to be analyzed. It does not mean that the user can see any object; the setting only controls basic access to the object type (e.g., Campaigns). Generic read access for all objects of a specific object type is provided by assigning the View All permission to a specific profile through Standard Object Permissions > Customer Object Permissions > Data Administration > View All. Alternatively, sharing rules can be defined on an object type basis (e.g., all leads with a specific status). The minimum access required is Read only. This needs to be repeated for every relevant object type that should be extracted. The respective role needs to be assigned to the user later.

Authentication Using OAuth

To receive the OAuth access token using the REST API, a request is made to the appropriate Salesforce token request endpoint, passing in grant_type, client_id, client_secret, and redirect_uri. The redirect_uri is the URI that Salesforce sends a callback to. If the values are valid, Salesforce returns a value for access_token.

After authentication, every request must pass the access_token value in the header. It cannot be passed as a request parameter. The syntax to provide the access token is:

Authorization: Bearer xyz
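
The flow described above, as an added example that is not Celonis or Salesforce code: the client secret travels in the POST body and the access token only in the Authorization header, so neither ends up in URLs that a proxy or access log records. The endpoint URLs, the sample path, the `code` parameter (required by the OAuth authorization-code grant, not listed on this page) and all function names are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder endpoints; with a middleware these would be Token Url / Data Url.
TOKEN_URL = "https://login.example.invalid/services/oauth2/token"
DATA_URL = "https://instance.example.invalid/services/data"


def build_token_request(token_url, client_id, client_secret, redirect_uri, code):
    """Build the token POST with credentials form-encoded in the body, never in the URL."""
    form = {
        "grant_type": "authorization_code",
        "code": code,  # assumption: authorization code delivered to redirect_uri
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Return access_token from the JSON token response, or raise if it is absent."""
    payload = json.loads(raw)
    token = payload.get("access_token")
    if not token:
        raise ValueError(f"token request rejected: {payload.get('error', 'unknown')}")
    return token


def build_data_request(base_url, path, access_token, params=None):
    """Attach the token as a Bearer header and refuse to place it in the query string."""
    params = dict(params or {})
    if "access_token" in params or access_token in params.values():
        raise ValueError("access token must be sent in the Authorization header")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def redact(request):
    """Log-safe summary: method and URL only, no header or body values."""
    return f"{request.get_method()} {request.full_url}"
```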

Authentication Using Stored Credentials (Deprecated)

For stored credentials authorization using SOAP API, a username, password and security token are set in the user's Salesforce settings. Subsequently, they can be used to authenticate calls in the body.


In the EMS data connection configuration, the security token has to be pasted right after the actual password (without spaces) in the password field. For example, enter 'yourpasswordyourtoken' in the password field. (A new security token can be generated in the user's Salesforce settings > Reset My Security Token.)

Used Requests

The response to the Version request provides the version label (when the version was released), the URL and the name.


The Resources request returns the different resources that can be accessed (such as Metadata, Folders, Analytics or Service Templates) as well as their respective URLs.


The information provided by the Metadata request includes individual table characteristics (including their relationships and fields, an indicator for custom fields, labels and corresponding values) as well as characteristics of custom user interfaces for actions (e.g., action overrides). Based on that response, custom view templates are built to get the data.

Total Count

The Total Count request returns the total number of records, which is then used to paginate the Data requests.


The response to the Data request contains detailed information about individual records, which can include contact data, dates of initial meetings or won contracts, or general comments.

Request Limits

API request limits depend on the organization type. The limits on concurrent API requests with a duration of 20 seconds or longer are as follows.

  • For Developer Edition and Trial organizations: 5

  • For Production organizations and Sandbox: 25

Additionally, below are the limits for total requests per 24-hour period.

  • For the Developer Edition: 15,000

  • For the Enterprise Edition and the Professional Edition with API access enabled: 15,000 + (number of licenses X calls per license type), up to a maximum of 1,000,000

  • For the Unlimited and Performance Edition: 15,000 + (number of licenses X calls per license type)

  • For the Sandbox: 5,000,000

For the API calls per license type, see the Salesforce Developer Guide, API Request Limits and Allocations.


We offer the option to use a middleware (like Datapower) to connect to Salesforce. In this case the middleware works as a proxy and provides an extra layer in front of the Salesforce instance.

This option can be activated via a setting in the connection configuration. If active, you need to provide 3 additional input parameters:

  • Authorize Url --> The URL that should be called to authorize via OAuth with the middleware

  • Token Url --> The URL that should be called to request tokens from Salesforce via the middleware

  • Data Url --> The base URL that should be used to call the APIs for fetching the data (the specific API requests will be appended)