AWS Partner CRM connector FAQ

The following lists help answer questions about ACE CRM integration.

General questions

Q: Can I access the Amazon S3 bucket, used for sending and receiving the files?

Yes. Partners can programmatically access the Amazon S3 bucket by using an IAM role that can access the bucket.

Q: What are the prerequisites for using the AWS Partner CRM connector?

• Sign up for APN and have a valid AWS Partner ID.

• Join the APN Customer Engagements (ACE) program.

• Confirm that you have a Salesforce referral administrator, then set up the application and the permission set. For more information, refer to Assign Users to Roles.

• Your Salesforce production organization edition must be Lightning Experience (enterprise, professional, or unlimited). For more information, refer to Sales Cloud Pricing.

• You must have a separate Salesforce sandbox (testing) organization on the Salesforce Winter '23 release or higher. For more information, refer to Sandboxes: Staging Environments for Customizing and Testing.

• You must have an AWS account for sandbox and create an IAM user/role for the sandbox environment.

• You must have an Amazon S3 bucket provisioned by the AWS Partner engineering team and attach the policy to an IAM user or role in your sandbox to access the S3 bucket. If you don't already have the Amazon S3 environment provisioned, contact your partner development manager (PDM) to raise a request for the infrastructure provisioning. For more information, refer to Creating an IAM user in your AWS account and ACE CRM—How to Attach a Policy to IAM User.

Q: I haven't moved to the Salesforce Lightning version. Can I still use the AWS Partner CRM connector?

The AWS Partner CRM connector is designed for use with the Salesforce Lightning version, so the classic verison may not function as intended.

Q: Can I use the package directly on my production systems?

We recommend that you install the package on production systems only after thoroughly testing it in a sandbox environment.

Q: Who are the intended users of the AWS Partner CRM connector?

AWS Partner CRM connector is designed for the following two user personas:

• Salesforce administrator or referral administrator to set up the connector.

• Sales operations user to select, accept, and update opportunities and leads.

Q: I already have an existing integration with ACE. Can I move to the connector?

Yes. AWS Partners that have an existing integration with ACE can move to the connector. Because the connector uses the same S3 bucket in the back end, complete the following steps:

1. Disconnect your custom app or solution from the S3 bucket.

2. Sign in to the AWS account to set up the integration. Obtain or create a secret key and access key for the IAM user that is authorized to access the S3 bucket. This user has the naming format apn-ace-{partnerName}-AccessUser-prod. For more information, refer to Managing access keys (console).

   Note

   If you're unable to find the AWS account, submit a support request.

3. To configure the connector to point to the S3 bucket, choose Setup, then Named Credentials, then APN API connection.

4. Submit a support request to delete existing objects in the S3 bucket before scheduling a job in the connector.

   Important

   You must complete this step before completing the integration and setting a synchronization schedule.

5. If the target object is different from the existing object, conduct a data backfill for your existing leads and opportunities. For more information, refer to the CRM integration Production setup and backfill guide.

   Note

   During the integration switchover, all user updates queue in the Outbound folder of the S3 bucket. After the integration is live, the user-update records are synced.

Q: Is the AWS Partner CRM connector safe to use in my Salesforce organization?

The Salesforce application has gone through both external (Salesforce security review) and internal security reviews (AWS production security review). Threats that the Salesforce security review scans for include the following:

• Salesforce Object Query Language (SOQL) and SQL injection

• Cross-site scripting

• Non-secure authentication and access control protocols

• Record-sharing violations and other vulnerabilities specific to the Salesforce platform

The code review uses the Salesforce Code Analyzer to inspect Salesforce code. Salesforce Code Analyzer uses multiple code analysis engines, including PMD, ESLint, and RetireJS. It identifies potential problems from inconsistent naming to security vulnerabilites.

For more information on the review process, refer to AppExchange Security Review.

Note

Partner applications are non-Salesforce.com (SFDC) applications as defined in the Salesforce Main Services Agreement. For more information, refer to Agreements and Terms.

Notwithstanding any security requirements set forth herein or any security review of a partner application that may occur, Salesforce makes no guarantees regarding the quality or security of any partner application, and customers are solely responsible for evaluating the quality, security, and functionality of partner applications to determine their adequacy and appropriateness for customers' installation and use.

While we cannot share specifically what our internal security audit covers, it is geared towards the native AWS components of the integration architecture, to which the Salesforce app connects and covers a number of different threat modeling scenarios such as man-in-the-middle (MITM) attacks, distributed denial-of-service (DDoS) mitigations, and encryption standards. For more information, submit a support request.

Q: How do I get started with the AWS Partner CRM connector?

To set up a new integration, contact your partner development manager (PDM) or your AWS point of contact. Your PDM will verify eligibility, help set up the IAM user required for authentication and submit the request internally to set up the Amazon S3 bucket required for you to exchange files. After you have access to the S3 bucket, you can install the connector and set up the integration by following the instructions in the user guide.

Partners who already have an integration set up with AWS Partner Network (APN) can get started by installing the connector from Salesforce AppExchange and following the instructions in the user guide.

Setup

Q: How do I set up the named credentials for the package?

1. Sign in to the AWS Management Console, and open the IAM console.

2. In the left navigation bar, choose Users.

3. Choose Add user.

   • Enter a user name (for example, APN CRM integration API).

   • For Access type, choose Programmatic Access.

   • Choose Attach existing policies directly, and choose the policy file you received from AWS during the Amazon S3 setup process.

   • Copy the access key ID and secret access key.

4. Navigate to the setup section of your Salesforce instance, and search for Named Credentials.

5. Choose New Named Credential. Enter the following values:

   • URL–https://s3.us-west-2.amazonaws.com

   • Identity Type–Named principal

   • Authentication Protocol–AWS Signature Version 4

   • AWS Access Key ID–Access key ID copied from IAM console

   • AWS Secret Access Key–Secret access key copied from IAM console

   • AWS Region–us-west-2

   • AWS Service–S3

   • Generate Authorisation Header – Checked

   • Allow Merge Fields in HTTP Header – Unchecked

   • Allow Merge Fields in HTTP Body – Unchecked

6. Choose Save.

7. Test the connection. On the Guided Settings page of the package, choose Test.

Mapping

Q: Why can't I edit the mapping for sync with an AWS field?

The Sync with AWS checkbox determines if the record (lead or opportunity) is selected for synchronization with AWS when the next scheduled job runs. The Sync with Partner Central field is included with the app for standard opportunities and leads. If your target object is a custom object, you must map the Sync with AWS field to a custom nonformula boolean field in each object.

Q: How does the Has Updates for AWS field work?

The formula field Has Updates for AWS determines if a record is targeted to be sent to APN in the next scheduled job. Has Updates for AWS is set to True when the following conditions are true:

• Last Modified Date of the record is later than Last APN Sync Date.

• Last Modified User is not the user that scheduled the integration jobs.

Q: Why can't I map the required APN CRM Unique Identifier field? The menu is unavailable, and I receive the message "No valid field to map".

The data type for the APN CRM Unique Identifier field should be Text with a length of 18 characters. We require 18 characters to match the length of the API field.

• Configuration: Text (18) (External ID) (Unique Case Insensitive)

Q: What are the troubleshooting checkpoints for outbound-file push from the AWS Partner's Salesforce to APN, using the connector app?

• Sync to AWS must be checked to sync with AWS.

• Has Update to AWS must be checked to sync with AWS.

• The user persona for creating the scheduling job must be different from the user persona for creating and updating the lead or opportunity.

• If the previous checks are true but the outbound batch still does not run, check the AWS Partner sync logs list view and add the column outbound IDs. Confirm that the opportunity ID (identifier) that is targeted to be picked is in the sync log. If the sync log is stuck in the API Success state, delete the sync log record and try again.

  When Expected Monthly AWS Revenue is not an integer (for example, 1041.67 instead of 1041), the mismatch in data type causes an error in processing. To resolve this, delete the sync log stuck in the API Success state and correct the data before the next job run.

Q: How can I configure filters/subscriptions to sync the leads/opportunities? Can we add custom filters on status or stage fields?

The easiest way to do this is to create or update the formula field to add the dependency from the status or stage fields for a specific value, to set Has Updates for AWS to True. You can use the included field on the opportunity as a reference. Refer to the following example:

IF(
   OR( 
      AND
      (
         OR(LastModifiedDate > awsapn_Last_APN_Sync_Date_c,LastModifiedDate = awsapn_Last_APN_Sync_Date_c),
         awsapn_Sync_with_Partner_Central_c, 
         NOT(ISNULL(awsapn_Last_APN_Sync_Date_c))
      ),
      AND(ISNULL(awsapn_Last_APN_Sync_Date_c),awsapn_Sync_with_Partner_Central_c)
   )
   , true , false
)
    

Q: Do I have to map the mandatory fields?

Yes. All mandatory fields must be mapped for you to schedule an integration job (either inbound or outbound).

Q: Can I map lookup fields?

We recommend reviewing the fields you currently enter in Partner Central to determine the most relevant fields (in addition to the required fields). For a list of available fields and their purpose, refer to the Field Definition Guide included in the ACE CRM Development Kit on Partner Central.

Q: Should I update the record with derived fields or create them during the mapping process?

Complex logic and derivations should be done in your Salesforce organization based on your own business logic, then populate the mapped field based on it.

Synchronization and validation

Q: After I set up the integration, why do I get a STORAGE_LIMIT_EXCEEDED error?

This issue happens when the connector is being tested in a development organization with limited storage. To fix it, clear the sync logs from the console by running the following commands:

List<awsapn_Sync_Log_c> syncLogs = [SELECT Id FROM awsapn_Sync_Log_c WHERE Status IN ('API Success', 'Processed') LIMIT 4000]; delete syncLogs;

You can also set the sync log retention period (in the guided setup) to automatically clean up sync log records older than the retention period.

Q: I received AWS referred leads or opportunities that are noncompliant with the validation imposed on my custom object. How can I fix this issue?

There are instances where leads and AWS originated opportunities don't comply with the validation rules for each field. To allow partners to accept or reject such referrals, you can correct the data before accepting a record. To accept or reject an object that is noncompliant with the data validations, complete the following steps:

1. Navigate to the sync log details of the failed record.

2. Choose Edit Payload to access the JSON view.

3. Update the values of non-compliant fields.

4. Choose Save Payload to set up the record for sync for the next job.

If the record is accepted, the you must repeat steps 1–4 again after receiving the remaining fields from AWS. For subsequent syncs, the corrected values are used. Alternatively, you can correct the values in the ACE pipeline manager on Partner Central.

Q: What is the frequency of the leads and opportunities uploads from AWS?

AWS uploads leads and opportunities to the Amazon S3 bucket every hour. This implies that every action that requires a data update through the integration can take up to an hour to synchronize.

Q: Why am I getting the following error when attempting to use the mapping screen?

pe.setFieldLengthWarning()@ -
/modules/awsapn/fieldMappingRow.js:1:7831
set salesforceFields()@- /modules/awsapn/fieldMappingRow.js:1:5624

The user performing the mapping doesn't have read access to the required fields. Either a system admin user with permissions to the source and target fields should be used, or the user should have the APN integration user permission set.

Q: What do the Status and Purpose fields on the sync log mean?

To determine the state and action on each sync log record, refer to the tables provided in Sync logs.

Q: Is there any built-in audit mechanism in place or any native archiving?

The sync log object keeps track of all inbound and outbound transactions. There's also a retention period that can be specified in the app configuration to determine how long you want to retain the sync log record.