Summary
When users log in to DataLoader.io for the first time using their Salesforce credentials, the Audit Trail may display entries suggesting that a package (`dataloaderio_v2_oauth_c4s`) has been "installed" or "upgraded."
These entries can appear even when the user does not have the Download AppExchange Packages permission. This behavior is only observed on first login to DataLoader.io via the web UI and does not represent an actual package installation.
Steps
1. Create a new Salesforce user.
2. Log in to DataLoader.io (https://dataloader.io/) using Salesforce credentials.
3. Navigate to Setup > Audit Trail.
4. You may see log entries that indicate:
"The managed package dataloaderio\_v2\_oauth\_c4s version 2.0 has not been security reviewed and was installed by user…", or
"Upgraded AppExchange package: dataloaderio\_v2\_oauth\_c4s Custom Apps."
Actual Result:
Audit Trail shows log entries that imply a package installation or upgrade event.
Expected Result:
Audit Trail should not show installation or upgrade entries when logging in to DataLoader.io.
Root Cause:
This is expected behavior related to Salesforce’s handling of connected apps.
DataLoader.io uses a connected app (`dataloaderio_v2_oauth_c4s`) for OAuth authentication.
When a user logs in and grants consent, Salesforce records this as an "installation" event in the Audit Trail.
Each user’s first authorization is logged separately, even though no actual package installation occurs.
The package appears as "unreviewed" because it has not undergone Salesforce Partner Program security review. However, it originates from the official DataLoader.io (MuleSoft) team and does not pose a security risk.
Workarounds / Mitigations:
Admin Controls: In Setup > Connected Apps OAuth Usage, admins can manage the DataLoader.io connected app by:
Setting access policies such as Admin-approved users only, IP restrictions, or session limits.
Assigning permissions via profiles or permission sets to limit who can authorize the app.
Revoking access through Manage Current OAuth Connected App Sessions if required.
Org-wide Installation: Admins can install the connected app org-wide, so users are not prompted individually.
DataLoader.io has confirmed this behavior is by design for connected apps in Salesforce.
No further action is required from customers other than managing the connected app per organizational security policies.
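The following is an added example, not part of the original article and not DataLoader.io or Salesforce code: a Python triage of an exported Setup Audit Trail CSV that separates the connected-app entries described above from package events naming any other package, and from authorizations by users outside an admin-approved list. The column names (Date, User, Action), the sample rows, the user names and `example_pkg` are assumptions constructed for illustration.

```python
import csv
import io
import re

CONNECTED_APP = "dataloaderio_v2_oauth_c4s"  # connected app name from the article

# The two Audit Trail message shapes quoted in the article; captures the package name.
PACKAGE_EVENT = re.compile(
    r"managed package (?P<inst>\S+) version .* was installed by user"
    r"|Upgraded AppExchange package: (?P<upg>\S+)"
)

def triage(csv_text, approved_users):
    """Sort package install/upgrade rows of an Audit Trail export into buckets.

    Column names Date/User/Action are an assumption about the export layout.
    Returns a dict of lists of (date, user, package) tuples.
    """
    buckets = {"expected": [], "unapproved_user": [], "other_package": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = PACKAGE_EVENT.search(row["Action"])
        if match is None:
            continue  # unrelated setup change
        package = match.group("inst") or match.group("upg")
        entry = (row["Date"], row["User"], package)
        if package != CONNECTED_APP:
            buckets["other_package"].append(entry)    # a different package: review it
        elif row["User"] in approved_users:
            buckets["expected"].append(entry)         # first-login consent, per the article
        else:
            buckets["unapproved_user"].append(entry)  # consent by a user outside the policy
    return buckets

# Constructed sample rows; message wording follows the entries quoted in the article.
SAMPLE = """Date,User,Action
2024-01-05 09:12,alice@example.com,The managed package dataloaderio_v2_oauth_c4s version 2.0 has not been security reviewed and was installed by user...
2024-01-05 09:12,alice@example.com,Upgraded AppExchange package: dataloaderio_v2_oauth_c4s Custom Apps.
2024-01-06 14:30,bob@example.com,The managed package dataloaderio_v2_oauth_c4s version 2.0 has not been security reviewed and was installed by user...
2024-01-07 08:01,carol@example.com,Upgraded AppExchange package: example_pkg Custom Apps.
2024-01-07 08:05,carol@example.com,Changed a password policy setting
"""

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE, {"alice@example.com"}).items():
        print(bucket, rows)
```

Entries in the `unapproved_user` bucket point to users who should be covered by the Admin-approved users only policy mentioned above.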