To power seamless automation and intelligent support experiences, Fin integrates deeply with your Salesforce instance. This integration requires specific object and field-level permissions, which allow Fin to create, update, and sync Salesforce cases and related data.
This article will walk you through:
Why these permissions are important
Who needs them
How to implement them
A complete reference table of the required permissions
Why these permissions matter
Fin relies on Salesforce data to create cases, post summaries, read contact information, and route conversations to agents. Without the proper permissions, Fin may be unable to interact with your Salesforce environment effectively—resulting in failed syncs, blocked automations, or limited functionality.
Who needs these permissions?
There are two key Salesforce users involved in the integration:
The OAuth Salesforce user – the one linked during integration setup
The user assigned as Fin – the user Fin impersonates when responding, posting, or taking workflow actions
What permissions does the OAuth user require?
Your Salesforce organisation should have API enabled - see Salesforce Error 'API not enabled for this Organization or Partner'
The user that connects to Salesforce should not have API restrictions - see Restrict Access to APIs with Connected Apps
How to set up the permissions
Navigate to Deploy > Salesforce Cases > Install permissions in Salesforce.
The following steps will create an unmanaged package in Salesforce with all of the permissions needed for Fin to run on the Cases channel. To do this:
Initiate installation of the permissions package.
In the section "What if existing component names conflict with ones in this package?", select "Do not install".
Select "Install for all users" – this means that the permission set can be assigned to any user if you choose.
Wait until it finishes - no errors should be shown.
Note: Customers who only plan to use Web-to-Case and do not have Digital Experiences can install an alternative permission set. This allows you to connect Salesforce without requiring additional community-related permissions.
Assign the permission set
Now that you’ve installed the permission set in Salesforce, you’ll need to assign it to the user who authorized the connection to Fin.
In Salesforce, navigate to the user who authorized the connection to Fin
From their profile, scroll down to the Permission Set Assignments section and click Edit Assignments
Select Intercom Fin AI Permissions and apply the permission set
Required Salesforce permissions
| Salesforce Object | Fields | Operations | Who Needs It | Why It's Needed |
| --- | --- | --- | --- | --- |
| EmailMessage | Id, FromName, FromAddress, ToAddress, Subject, ThreadIdentifier, HtmlBody, TextBody, CreatedById, CreatedDate, Incoming, ParentId, LastModifiedDate, LastModifiedById | Create, Read | Connected User, Fin | Used to create messages and replies for email-to-case workflows |
| CaseFeed | Id, Title, Body, Type, CreatedBy.*, CreatedDate, Visibility, ParentId, LastModifiedDate | Read | Connected User | Required for tracking case activity |
| FeedItem | Id, Body, ParentId, IsRichText, Type, Visibility, CreatedDate, CreatedById, LastEditById | Create | Connected User, Fin | Adds conversation transcripts and AI summaries to cases |
| Case | Id, Subject, Description, ContactId, OwnerId, SuppliedEmail, SuppliedName, Origin, SourceId, FinInvolved__c, FinResolutionState__c | Create, Read, Update | All roles | Core case creation, handoff, and field sync |
| Contact | Id, Email, CreatedDate, FirstName, LastName | Create, Read | Connected User | Needed when creating or associating contacts to cases |
| User | Id, ContactId, FirstName, LastName, Email, UserType, IsActive | Read | Connected User | Enables assigning cases to specific users |
| Group | Id, Name, Type | Read | Connected User | Grants visibility into Salesforce queues |
| QueueSobject | QueueId, SobjectType | Read | Connected User | Allows selection of queues for routing cases |
| PermissionSet | Name | Read | Connected User | Allows us to confirm if the permission package is installed |
| PermissionSetAssignment | PermissionSetId, AssigneeId | Read | Connected User | Allows us to confirm if the permission set is assigned to the right user. |
| EmailRoutingAddress | Id, Address, EmailServicesAddressId | Read | Connected User | Allows listing active routing email addresses. |
| EmailServicesAddress | Id, IsActive | Read | Connected User | Allows checking if listed routing email address is valid. |
Tip: Fields marked with __c (e.g., FinInvolved__c) are custom fields used to track AI involvement and resolution state. Make sure they’re configured in Settings → Salesforce Integration.
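One way to check what the connected user actually holds against the table above, as an added example (not Intercom's or Salesforce's code). It assumes rows exported from Salesforce's ObjectPermissions object for every permission set and profile assigned to that user; the `audit` helper and the sample rows are constructed, and only the Case and Contact rows of the table are encoded.

```python
# Added example: compare exported object permissions with the table above.
# Map the table's operation names to ObjectPermissions flag fields.
OPS = {"Create": "PermissionsCreate", "Read": "PermissionsRead",
       "Update": "PermissionsEdit"}

# Transcribed from the table (Case and Contact rows only; extend as needed).
REQUIRED = {
    "Case": {"Create", "Read", "Update"},
    "Contact": {"Create", "Read"},
}


def audit(rows, required=REQUIRED):
    """Return (missing, excess) as sorted lists of (object, flag) pairs."""
    # Effective access is the union over every assigned permission set/profile.
    granted = {}
    for row in rows:
        flags = granted.setdefault(row["SobjectType"], set())
        flags.update(k for k, v in row.items()
                     if k.startswith("Permissions") and v)
    missing, excess = [], []
    for obj, ops in required.items():
        need = {OPS[op] for op in ops}
        missing += [(obj, f) for f in need - granted.get(obj, set())]
    for obj, flags in granted.items():
        need = {OPS[op] for op in required.get(obj, ())}
        excess += [(obj, f) for f in flags - need]
    return sorted(missing), sorted(excess)


# Constructed sample rows, shaped like records from ObjectPermissions.
SAMPLE_ROWS = [
    {"SobjectType": "Case", "PermissionsCreate": True, "PermissionsRead": True,
     "PermissionsEdit": True, "PermissionsDelete": True},
    {"SobjectType": "Contact", "PermissionsCreate": False,
     "PermissionsRead": True, "PermissionsEdit": False},
    {"SobjectType": "Account", "PermissionsRead": True},
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_ROWS)
    for obj, flag in missing:
        print(f"MISSING {obj}.{flag}")
    for obj, flag in excess:
        print(f"EXCESS  {obj}.{flag}")
```

Missing entries point at grants the integration needs but lacks; excess entries are grants the table does not call for and are candidates for review.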
Implementation checklist
Before you go live, make sure to:
Assign the custom Fin Integration Permission Set
Enable Chatter, Topics, and Feed Tracking in Salesforce
Confirm visibility for custom fields like FinInvolved__c and FinResolutionState__c
Test the integration using a sandbox or non-production environment