WorkSpan Salesforce Connected App FAQ


Table of Contents
1. Package upgrade and the Post Deployment Wizard
2. Connected App and Security

1. Package upgrade and the Post Deployment Wizard

1.1. Why do we need to upgrade the package?

Hyperscalers (AWS / MSFT / Google) regularly update their systems and processes, and we need to make changes to comply with them. These changes are mandatory to keep co-selling with the hyperscalers; as such, they must be performed in one way or another in order to maintain functionality.  In addition, WorkSpan regularly releases improvements and new functionalities.

1.2. We have upgraded the package via the AppExchange; why do we need to do anything else?

When Salesforce packages are upgraded, some metadata (most notably, page layouts, picklist values, and help texts) cannot be changed, and Salesforce will not allow this.

1.3. What are the post-deployment steps?

Post-deployment steps are a set of changes to Salesforce metadata that need to be performed so that the package can be used according to the updated rules of engagement.

1.4. We don’t remember performing post-deployment steps before upgrading the WorkSpan package; why is this new upgrade different?

Most of the time, post-deployment steps only provide improvements to the product. They are not required to keep using the package in the same way as before. However, the changes mandated by hyperscalers cannot be skipped. They are much less frequent, that’s why you might have never run into them before.

1.5. What is the Post Deployment Wizard?

In the past, our customers had to perform the necessary post-deployment steps manually. This process was labor-intensive, error-prone, and required dedicated attention from a customer’s Salesforce admin. In order to help reduce this manual effort, we have introduced an automated “Post Deployment Wizard (PDW)” in v.1.14. The PDW carries out the same processes that an admin would have to do manually but in a more efficient and reliable manner.

1.6. What are the exact steps that the Post Deployment Wizard executes?

The exact steps are listed here

1.7. Some of the steps in the Post Deployment Wizard don’t seem like they would be mandated by the hyperscalers; is that right?

Yes. WorkSpan regularly releases small improvements that cannot be upgraded easily (most notably, field help texts). In order to ease the upgrade process for all our customers, we automate as many post-deployment steps as possible, regardless of them being mandatory.

1.8. Can we only execute the mandated steps?

Yes, but you will be missing out on the best practice improvements we make based on our customers' feedback.

1.9. Can we execute some optional steps but not the others?

Not at the moment.

1.10. Can we execute some mandated steps but not the others?

Yes, but there is no point in doing so. All mandatory steps are required to comply with the new hyperscaler rules for co-selling.

2. Connected App and Security

2.1. Why do we need to create this new Connected App?

Salesforce doesn’t provide a straightforward method for package developers to help their customers go through upgrades easier. However, this is still possible in a roundabout way by utilizing Connected Apps to make changes directly through the Metadata API.

2.2. We didn’t need the Connected App before upgrading the WorkSpan package; why is this new upgrade different?

The Post Deployment Wizard was introduced in v.1.14, but we didn’t have any mandatory steps until v.1.19. So, it was possible to skip setting it up.

2.3. We never have to do this for any other Salesforce packages; how is WorkSpan’s package different?

Since Salesforce doesn’t provide a straightforward method, most package developers either don’t know that this is even possible, or they don’t have the high level of expertise required to execute this approach, or they decide not to spend the significant resources that are needed to implement and maintain such functionality.

2.4. Why does this new Connected App require too many privileges?

Salesforce Connected Apps and APIs don’t provide a granular enough breakdown of permission to allow us to limit the privileges strictly to the ones that are necessary to perform only our specific post-deployment steps.

2.5. How will the Connected App comply with data privacy and security regulations?

Salesforce's Security Review team enforces strict governance, prohibiting alterations beyond the managed package's boundaries. The Salesforce Security Review team will not allow us to put in any changes that would touch something outside our managed package. They will also not allow us to fetch or trigger the changes dynamically from an external source; every part of every change has to be explicitly included in the package and can only be triggered from within the package by a user in the specific Salesforce org. Every package version we release into the AppExchange has to go through the Salesforce Security Review process. It can also be easily verified in the list of installed packages:

2.6. Is the Connected App required to operate the package?

The Connected App does not need to operate the package.

Note: The Connected App is required for upgrades only.

2.7. Can we block the Connected App after completing the upgrade?

You can enable the Post Deployment Wizard, execute the steps, and then block the Connected App, making it inaccessible to all users. 

In order to do that, go to “Setup > Connected Apps OAuth Usage” and click “Block” in the corresponding row.

Then, when a new upgrade comes around, you will be able to quickly unblock, execute new steps, and then block it again.

2.8. Can we remove the Connected App after completing the upgrade?

As the Connected App is used only during the upgrade, it can be removed. However, the next upgrade of the package will require setting up the Connected App again. Instead of removing the Connected App, you can block access to the app as described above and unblock it during the next upgrade.

0 out of 0 found this helpful



Please sign in to leave a comment.