Sept. 30 is a new date you need to aware of if you work with SFMC (ExactTarget).
Installed Packages are the combination of a (1) Client ID, (2) Client Secret, (3) a set of Permissions and (4) Business Unit access that together permit authorized systems (and dictate the scope of access) to send data *IN* to SFMC. (This is also sometimes used for CloudPages or SSJS activites.)
Previously, once you established an Installed Package, it just worked behind the scenes, permitting access to systems that had the credentials until you disabled the package or changed the scope. To make SFMC more secure, there are a few recent things of note:
- 1. Installed Packages that were not accessed in 180 days have been invalidated. (They won't work until you rotate the credentials.)
- You can no longer view Installed Package credentials in SFMC.
- Remaining Installed Packages all received the same expiry date of 09/30/2026 when they'll stop working -- unless you rotate the credentials before that point. (New credentials automatically expire 180 days from creation.)
To rotate credentials, you'll follow a pattern like this. (Validate this is your InfoSec teams now, not late-September!)
Step 1. Navigate to Installed Packages under setup about one week before the credential is set to expire.
Step 2. Click "Generate" to establish a new "staged" credential. The new credential will appear on screen but never be shown again, so capture it. After a 5-minute waiting period, the credential is LIVE. At this point, your Installed Package has an OVERLAP - two credential sets that both work. (I think "staged" is a poor word choice here by Salesforce because it implies "prepositioned" or "standing by, reading to use" - perhaps in the future we'll have the ability to schedule these and that term will make more sense.)
Step 3. SECURELY share the new credential with the vendor or developer responsible for the inbound connection to SFMC. They will need to update their code but it should work right away. (You should have no interruption in service.)
Step 4. Once they have confirmed the credential works, return to SFMC and go back to the package and click "Activate" which deactivates the old code. I recommend this over just letting the old code expire on its own. (Again, I think this is a poor word choice by Salesforce to call this "Activate" as it does nothing to your new "staged" credential except make it the only surviving credential.)
Step 5. Look at the new expiration date and go into your calendar or ticketing system and establish a reminder for just this side of 180 days to repeat the process.
Note: Unlike AWS, this cannot be performed via API (you must have the proper Roles & Responsibilities within SFMC).
Should you do this all at once for all your Installed Packages? It depends. There may be some economies of scale, but if one or more of your implementors have problems, your time performing Customer Support could be a big distraction.
Cross-posted: https://www.linkedin.com/feed/update/urn:li:activity:7443077624660230144/
No comments:
Post a Comment