RARelease AssuranceDocs
Setup › Sandbox Setup Guide
For Salesforce admins and security reviewers

Sandbox Setup Guide

Everything you need to prepare a Salesforce sandbox for Release Assurance regression testing, with least-privilege personas, server-to-server authentication, and a security posture your reviewer can sign off on in one read.

Reading time · ~10 minutes Setup time · 30–60 minutes Scope · Sandbox or scratch only — never production
Security footprint at a glance
The whole guide in two columns

What we access

  • One sandbox or scratch org, never production
  • One or more persona users cloned from real end users
  • A single External Client App or Connected App (JWT flow)
  • A small, dedicated permission set on those personas
  • Your UI, behaving exactly as a real user would
  • Short-lived access tokens, re-minted on every run

What we never access

  • Production orgs (blocked in our code, not just in policy)
  • Setup, Object Manager, or any admin-only screens
  • Flows, Apex classes, triggers, LWCs, metadata, or config
  • PII, real customer data, or live business secrets
  • Named credentials, custom settings, or secret stores
  • Passwords, refresh tokens, or long-lived sessions
Part 1

The security model

Before the how, the why. Four properties of Release Assurance shape the whole setup, and understanding them up front makes every later step obvious.

By design, not by policy

Our control plane refuses to start a run against any Salesforce instance_url that resolves to a production pod. It's a code-level gate with tests around it, not a setting an operator could flip. You never have to trust us to avoid production — the system cannot physically run there.

We drive your UI as a real user

Release Assurance exercises business workflows through Salesforce's own interface. That means all we need is a persona user who can do what a real user does — nothing more. No Setup, no metadata APIs, no direct database access, no custom integration endpoints.

No passwords, no long-lived tokens

Authentication is Salesforce's OAuth 2.0 JWT bearer flow. Every request is a freshly signed JWT; Salesforce verifies it against a public certificate you install; you get back an access token that lives for minutes. There is no password, no refresh token, no persistent session.

One kill switch, in your hands

Trust is granted by a single artifact: the certificate you upload. Remove it and every persona loses access instantly. There are no sessions to invalidate, no keys to rotate on our end, no cleanup for you to chase.

Blast radius

If a JWT leaked today, it would expire in minutes and could not be renewed. If our private key were ever compromised, revoking our certificate in Salesforce would end access for every persona immediately, with no session fallout.

Part 2

Prepare the sandbox environment

A sandbox prepared for automated regression testing should be representative enough to exercise your workflows and sanitized enough that a mistake costs nothing.

  1. Use a sandbox or scratch org — never production

    Full-regression runs require the freedom to create, update, and delete records. That work does not belong in a production org.

  2. Strip PII and real customer data

    Refresh from a seeded template, not from a production copy. Scrub names, emails, phone numbers, payment data, and any field that carries PII.

  3. Turn email deliverability off

    Set Setup › Email › Deliverability › Access to Send Email to No access, unless your tests specifically need to verify outbound email behavior.

    Why: Prevents any accidental email to real addresses that might still exist in the cloned data.

  4. Remove or rotate secrets inside the org

    Scrub named credentials, custom settings, custom metadata, and any other in-org secret stores. We will not read them, but a sanitized sandbox makes this a non-issue in audits.

    Why: Defense in depth. Even though our permission set denies metadata access, a sandbox with no secrets cannot leak any.

  5. Keep enough test data to exercise the workflows

    Balance matters: too little and tests can't run; too much real data and risk creeps back in. Use synthetic records, fixture accounts, and anonymized copies.

Part 3

Create persona users

Give us users who look exactly like your real end users — same profile, same permissions, same app visibility. The whole point is to test what your real users experience; any extra permission we receive invalidates the test.

Username convention

Use a deterministic format so the account is obviously a Release Assurance test account, tied to your org and your sandbox:

persona@releaseassurance.com.tenantid.sandboxname

Replace persona with the role or name, tenantid with the ID we assign during onboarding, and sandboxname with your sandbox name.

Examples

Departmentlegal@releaseassurance.com.12345.qa
Titlesalesmanager@releaseassurance.com.12345.qa
Representative namejohn@releaseassurance.com.12345.qa
Hard rule

Never assign the System Administrator profile to a persona user, even temporarily for setup. Clone the real user's profile. If the real user is a salesperson, the persona is a salesperson — not a salesperson plus admin.

One persona per distinct role

If your workflows differ by department or title — legal, CSS, sales, service — create a separate persona per role. Don't share one persona across roles; it hides whether a failure is a permissions issue or a workflow issue.

Part 4

Set up JWT authentication

Release Assurance uses Salesforce's OAuth 2.0 JWT Bearer Flow for server-to-server authentication. On newer orgs you'll configure it through an External Client App; on older orgs it may still be a Connected App.

  1. Create the External Client App (or Connected App)

    Enable OAuth and, in the OAuth settings, enable the JWT bearer flow. Request only the scopes we need: api, refresh_token, and web if required. Avoid full.

    Why: JWT bearer is server-to-server. No passwords, no browser login, no user interaction. The app is the narrow door that carries every request.

  2. Upload our public certificate

    We provide an X.509 public certificate. Install it on the app's Use digital signatures setting. The matching private key is generated on our infrastructure and never leaves it.

    Why: Salesforce verifies every JWT signature against this certificate. Only a signer holding the matching private key can produce valid tokens — there is no shared password to leak.

  3. Set Permitted Users to "Admin approved users are pre-authorized"

    Then grant app access exclusively through the Release Assurance permission set (see part 5).

    Why: Nobody can self-authorize. The only identities that can obtain a token are the dedicated persona users holding the permission set.

  4. Keep Login IP Ranges tight — don't relax them for us

    If your org enforces IP restrictions, leave them in place. We'll provide our egress IP ranges so you can allowlist them on the persona profile or the app.

    Why: IP policy is a second factor on top of the certificate signature. A valid JWT from an unexpected network is still refused.

  5. Leave token lifetime short; no refresh token

    The JWT flow does not return a refresh token, which is exactly what we want. Access tokens expire within minutes; our control plane re-mints a fresh JWT on every run.

    Why: Short-lived tokens bound the blast radius of any single token. A copied token expires before it can be meaningfully used, and cannot be extended.

  6. Know how to revoke

    Revocation is one step: remove our certificate from the app, or delete the app itself. Access ends immediately for every persona.

    Why: Trust rests on one artifact you own. No sessions to kill, no passwords to reset, no tokens to blacklist.
How the certificate actually protects you

Only the holder of the private key can produce a JWT Salesforce will accept. The private key is generated and stored on our infrastructure, is never transmitted, and never appears in your org. Salesforce only ever sees the public certificate. Same family of asymmetric cryptography that protects HTTPS.

Part 5

Create the Release Assurance permission set

One permission set, assigned to the persona users, does two things: lets them authenticate through the JWT flow, and makes them identifiable as test personas without giving them anything extra.

SettingStateWhy
API EnabledOnRequired so Salesforce will issue an OAuth access token for the JWT flow. By itself, it does not grant Setup access or admin power.
External Client App / Connected App assignmentAssignedAttaches the Release Assurance app to persona users via the permission set. Only holders can use the app.
Modify Metadata Through Metadata API FunctionsOffEnabling this would open a path to read and modify org metadata, flows, and code via the API — exactly the access we say we don't need.
Use Any API ClientOffIf your org uses External Client Apps, keep this off. Salesforce notes that enabling it can bypass app-specific pre-authorization controls.
Object, field, and record accessNone addedPersona users inherit access from their cloned profile. The permission set adds nothing on top.
What to leave out of this permission set

Do not add View Setup and Configuration, View All Data, Modify All Data, Author Apex, Customize Application, or any object-level permissions. If a workflow only a real admin could run must be tested, use a separate admin-profile persona — don't mix admin power into every persona.

Part 6

Disable in-app guidance and feedback popups

Salesforce walkthroughs, prompts, and feedback surveys can cover buttons or change focus mid-click. For a UI-driven test run, a pop-up is a silent failure.

Setup › In-App Guidance › Settings

  • Turn off Salesforce Standard In-App Guidance
  • Turn off Custom In-App Guidance

Setup › User Interface › Adoption Assistance

Disable all three toggles:

Part 7

Extra hardening recommendations

None strictly required for Release Assurance to work, but each reduces risk meaningfully. These are what we'd do if we were in your seat.

Use a dedicated sandbox for testing

Isolate automated regression runs from day-to-day admin work, experiments, and unrelated users.

Refresh the sandbox on a cadence

Schedule a refresh (monthly or per release). Makes "remove secrets + PII" a repeatable checklist rather than a one-time scrub.

Never assign System Administrator to personas

Always clone the real user's profile. System Administrator opens every door we explicitly told you we don't need.

Pre-authorize only the Release Assurance permission set

Block self-service OAuth authorization from any other user. The only way in is through the permission set you control.

Keep Login IP Ranges strict

Allowlist only our egress IP ranges on the persona profile or app. Don't loosen org-wide IP policy on our behalf.

Minimum OAuth scopes only

Grant api, refresh_token, web if required. Avoid full. Fewer scopes, smaller blast radius.

Turn on Setup Audit Trail

Any config change in the sandbox becomes visible and attributed. If something drifts, you can see when and by whom.

Review Login History for personas

Spot unexpected IPs or user agents early. A persona user should only ever log in from our IP ranges via JWT.

Rotate our certificate on your schedule

Certs are cheap to rotate. Agree on a cadence and we'll generate a new keypair for you to install.

Deactivate personas when paused

If testing pauses for an extended period, deactivate persona users or unassign the permission set. Reactivating takes seconds.

No Lightning Login or passwordless tricks

Leave persona users on a plain profile. JWT is the only path in — keep it that way.

No custom My Domain identity flows for personas

Persona users should live in your normal My Domain. Avoid SAML assertions or identity flows that bypass standard controls.

Part 8

Go-live checklist

One list, in order. Walk through it top to bottom and you're ready for onboarding. Print it, paste it into a ticket, or share it with your security reviewer for sign-off.

Release Assurance sandbox readiness

  • Environment
  • Sandbox or scratch org provisioned (not production)
  • Real customer data and PII removed or anonymized
  • Email deliverability set to No access
  • Named credentials, custom settings, and custom metadata scrubbed of secrets
  • Persona users
  • One persona user per distinct business role
  • Usernames follow persona@releaseassurance.com.tenantid.sandboxname
  • Each persona uses a profile cloned from a real user (never System Administrator)
  • No extra permissions beyond what the real user already has
  • JWT authentication
  • External Client App or Connected App created, OAuth + JWT bearer enabled
  • Release Assurance public certificate uploaded to the app
  • Scopes limited to api, refresh_token, and web (if required)
  • Permitted Users set to "Admin approved users are pre-authorized"
  • Login IP Ranges allowlist set to our egress IP ranges only
  • Permission set
  • Release Assurance permission set created
  • API Enabled = on
  • Modify Metadata Through Metadata API Functions = off
  • Use Any API Client = off
  • External Client App / Connected App assigned through this permission set
  • Permission set assigned to each persona user
  • Salesforce UI hygiene
  • Setup › In-App Guidance: Salesforce Standard In-App Guidance = off
  • Setup › In-App Guidance: Custom In-App Guidance = off
  • Adoption Assistance: Switch to Classic Feedback = off
  • Adoption Assistance: Suggested for You = off
  • Adoption Assistance: Product Feedback Form = off
  • Audit and ongoing
  • Setup Audit Trail enabled
  • Certificate rotation cadence agreed with Release Assurance
  • Process for deactivating personas on extended pauses documented
Ready to onboard?

Send the signed-off checklist and persona usernames to your Release Assurance contact, along with the sandbox instance URL. We'll confirm the certificate fingerprint, run a connectivity dry-run, and schedule your first regression pass.