Salesforce Schema

        graph LR
O(SalesforceOrganization) -- RESOURCE --> U(SalesforceUser)
O -- RESOURCE --> P(SalesforceProfile)
O -- RESOURCE --> PS(SalesforcePermissionSet)
O -- RESOURCE --> R(SalesforceUserRole)
O -- RESOURCE --> G(SalesforceGroup)
O -- RESOURCE --> A(SalesforceConnectedApp)
U -- HAS_ROLE --> P
U -- HAS_ROLE --> PS
U -- MEMBER_OF --> R
U -- MEMBER_OF --> G
R -- MEMBER_OF --> R
G -- MEMBER_OF --> G
U -- AUTHORIZED --> A
    

SalesforceOrganization

Represents a Salesforce org (the Organization object). This is the tenant-like root that every other node hangs off of.

Ontology Mapping: This node has the extra label Tenant to enable cross-platform queries for organizational tenants across different systems (e.g. OktaOrganization, AWSAccount).

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The org’s 18-character Salesforce ID

name

The org name

organization_type

Edition, e.g. Enterprise Edition

instance_name

The Salesforce instance the org lives on

is_sandbox

Whether the org is a sandbox

primary_contact

Primary contact name

country

Org country

language_locale_key

Default language locale

namespace_prefix

Managed-package namespace prefix, if any

trial_expiration_date

Trial expiration date, if a trial org

created_date

When the org was created

Relationships

  • A SalesforceOrganization contains users, profiles, permission sets, roles, groups, and connected apps.

    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforceUser)
    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforceProfile)
    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforcePermissionSet)
    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforceUserRole)
    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforceGroup)
    (:SalesforceOrganization)-[:RESOURCE]->(:SalesforceConnectedApp)
    

SalesforceUser

Represents a Salesforce User.

Ontology Mapping: This node has the extra label UserAccount so it can be linked to the canonical User (Human) ontology node across identity providers.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The user’s 18-character Salesforce ID

username

The login username (indexed)

name

Full display name

first_name

First name

last_name

Last name

email

Email address (indexed)

alias

Salesforce alias

is_active

Whether the user is active

user_type

User type, e.g. Standard

profile_id

ID of the user’s profile

user_role_id

ID of the user’s role

manager_id

ID of the user’s manager

department

Department

title

Job title

federation_identifier

SSO federation identifier

created_date

When the user was created

last_login_date

Last login timestamp

last_password_change_date

Last password change timestamp

Relationships

  • A user belongs to an org.

    (:SalesforceUser)<-[:RESOURCE]-(:SalesforceOrganization)
    
  • A user is granted a profile and any assigned permission sets (canonical HAS_ROLE ontology edge).

    (:SalesforceUser)-[:HAS_ROLE]->(:SalesforceProfile)
    (:SalesforceUser)-[:HAS_ROLE]->(:SalesforcePermissionSet)
    
  • A user is a member of a role and of public groups.

    (:SalesforceUser)-[:MEMBER_OF]->(:SalesforceUserRole)
    (:SalesforceUser)-[:MEMBER_OF]->(:SalesforceGroup)
    
  • A user has authorized a connected app (derived from the OAuthToken object).

    (:SalesforceUser)-[:AUTHORIZED]->(:SalesforceConnectedApp)
    

SalesforceProfile

Represents a Profile: the baseline permission bundle assigned to each user.

Ontology Mapping: This node has the extra label PermissionRole to enable cross-platform queries over permission grants.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The profile’s 18-character Salesforce ID

name

Profile name (indexed)

user_type

User type the profile applies to

description

Profile description

permissions_modify_all_data

Whether the profile grants Modify All Data

permissions_view_all_data

Whether the profile grants View All Data

permissions_api_enabled

Whether the profile grants API access

permissions_manage_users

Whether the profile grants Manage Users

created_date

When the profile was created

Relationships

  • A profile belongs to an org and is granted to users.

    (:SalesforceProfile)<-[:RESOURCE]-(:SalesforceOrganization)
    (:SalesforceProfile)<-[:HAS_ROLE]-(:SalesforceUser)
    

SalesforcePermissionSet

Represents a PermissionSet (excluding profile-owned permission sets, which are already represented by SalesforceProfile).

Ontology Mapping: This node has the extra label PermissionRole to enable cross-platform queries over permission grants.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The permission set’s 18-character Salesforce ID

name

API name (indexed)

label

Display label

description

Description

type

Permission set type

is_owned_by_profile

Whether it is owned by a profile

profile_id

Owning profile ID, if any

permissions_modify_all_data

Whether it grants Modify All Data

permissions_view_all_data

Whether it grants View All Data

permissions_api_enabled

Whether it grants API access

namespace_prefix

Managed-package namespace prefix, if any

created_date

When the permission set was created

Relationships

  • A permission set belongs to an org and is assigned to users (via PermissionSetAssignment).

    (:SalesforcePermissionSet)<-[:RESOURCE]-(:SalesforceOrganization)
    (:SalesforcePermissionSet)<-[:HAS_ROLE]-(:SalesforceUser)
    

SalesforceUserRole

Represents a UserRole: a node in the Salesforce role hierarchy used for record sharing.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The role’s 18-character Salesforce ID

name

Role name (indexed)

developer_name

API developer name

parent_role_id

ID of the parent role in the hierarchy

rollup_description

Rollup description

portal_type

Portal type

Relationships

  • A role belongs to an org, has member users, and reports up to a parent role.

    (:SalesforceUserRole)<-[:RESOURCE]-(:SalesforceOrganization)
    (:SalesforceUserRole)<-[:MEMBER_OF]-(:SalesforceUser)
    (:SalesforceUserRole)-[:MEMBER_OF]->(:SalesforceUserRole)
    

SalesforceGroup

Represents a Group (public group, queue, or role group).

Ontology Mapping: This node has the extra label UserGroup to enable cross-platform queries over groups.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The group’s 18-character Salesforce ID

name

Group name

developer_name

API developer name (indexed)

type

Group type, e.g. Regular, Queue, Role

related_id

Related record ID (e.g. the role for role-based groups)

Relationships

  • A group belongs to an org and has member users and nested member groups (via GroupMember).

    (:SalesforceGroup)<-[:RESOURCE]-(:SalesforceOrganization)
    (:SalesforceGroup)<-[:MEMBER_OF]-(:SalesforceUser)
    (:SalesforceGroup)<-[:MEMBER_OF]-(:SalesforceGroup)
    

SalesforceConnectedApp

Represents a ConnectedApplication: a third-party app integrated with the org.

Ontology Mapping: This node has the extra label ThirdPartyApp to enable cross-platform queries over connected third-party applications.

Field

Description

firstseen

Timestamp of when a sync job first created this node

lastupdated

Timestamp of the last time the node was updated

id

The connected app’s 18-character Salesforce ID

name

App name (indexed)

admin_approved_users_only

Whether only admin-approved users may use the app

created_date

When the app was created

last_modified_date

When the app was last modified

Relationships

  • A connected app belongs to an org and is authorized by users.

    (:SalesforceConnectedApp)<-[:RESOURCE]-(:SalesforceOrganization)
    (:SalesforceConnectedApp)<-[:AUTHORIZED]-(:SalesforceUser)
    

Note

The AUTHORIZED edge is derived from the OAuthToken object by matching its AppName to the connected app’s Name, since Salesforce does not expose a direct foreign key between the two objects.