Salesforce Best Practice for Integration (API) only accounts

This article describes the best practice for Integration (API) only accounts and how to configure it for user accounts.

A Dutch version of this article can be found here.

Why use API Only licenses for Integration user accounts?

Cost savings

By using the 5 free API-only Salesforce licenses you can avoid using up normal Salesforce licenses, so these remain available for GUI-based end users. These API Only licenses are available for all instances with an Enterprise, Unlimited, Performance or Developer Edition. For reference, see this Salesforce Help article.

Security: these API-only accounts make it possible to:

  • Use specific users for integrations, giving each one access only to the data (objects and fields) that the integration needs.
  • Avoid unintended use of the application by people who have access to the integration user’s credentials, as an integration-only user in Salesforce can’t access the application via the GUI.

Steps to use these API Only licenses

1. Make an account with a normal license, then generate and set the password.

2. Reset the security token (via the ‘login as’ feature) to receive one, and store it in a suitable place. This way you:

a. Receive a new security token when the password has been changed;

b. Can retrieve the security token later when needed, without having to reset it and being forced to change it in all integrations that use these credentials.

3. Make a custom ‘integration only’ profile with the license ‘Salesforce Integration’.

a. Don’t give any access to objects; handle this with permission sets, one for each specific set of rights.

b. Apply a ‘password never expires’ exception on this profile. Nothing is more annoying than an integration that stops working because the password has expired. Be careful: as good security practice you should still change this password regularly, but manage this as a recurring change so that you control when the password expires.

4. Assign the new custom ‘Integration Only’ profile to the applicable user account(s).

First change the license to ‘Salesforce Integration’, then select the profile.

5. Make a special permission set for access to objects. There are two reasons for this:

a. To be able to grant access to standard objects such as Account, Contact and Lead, which is currently not possible with the vanilla Salesforce Integration profile.

b. Ability to give different access to separate users or groups of users by creating specific additional permission sets for each distinct set of access rights.

You have to assign the ‘SALESFORCE API INTEGRATION’ license to this permission set to be able to set access to standard objects!

6. Assign the permission set to the applicable users.
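
An added example (not part of the original article and not Salesforce code): a small Python audit of the outcome of steps 3 to 6. The rows are constructed and mimic flattened records from the User, PermissionSet, PermissionSetAssignment and ObjectPermissions objects; the LicenseName column, the ALLOWED list, all Ids and usernames, and the presence of the profile's own permission set (IsOwnedByProfile) among a user's assignments are assumptions of this example.

```python
# Added example: audit integration users against steps 3-6 above.
# All input rows are constructed; LicenseName is an assumed flattened column
# holding the name of the license behind the user's profile.
INTEGRATION_LICENSE = "Salesforce Integration"  # license named in step 3
FLAGS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
         "PermissionsDelete", "PermissionsViewAllRecords",
         "PermissionsModifyAllRecords")

def audit(users, perm_sets, assignments, object_perms, allowed):
    """Return sorted (username, finding) pairs; `allowed` maps a username
    to the objects its integration needs (a list you maintain yourself)."""
    owned_by_profile = {p["Id"]: p["IsOwnedByProfile"] for p in perm_sets}
    grants = {}  # permission set Id -> objects with at least one flag set
    for op in object_perms:
        if any(op.get(f) for f in FLAGS):
            grants.setdefault(op["ParentId"], set()).add(op["SobjectType"])
    findings = []
    for u in users:
        name, reachable = u["Username"], set()
        if u["LicenseName"] != INTEGRATION_LICENSE:  # step 4
            findings.append((name, "license is " + u["LicenseName"]))
        for a in assignments:
            if a["AssigneeId"] != u["Id"]:
                continue
            objs = grants.get(a["PermissionSetId"], set())
            if owned_by_profile[a["PermissionSetId"]] and objs:  # step 3a
                findings.append((name, "profile grants " + ",".join(sorted(objs))))
            reachable |= objs
        extra = reachable - allowed.get(name, set())  # least privilege
        if extra:
            findings.append((name, "not needed: " + ",".join(sorted(extra))))
    return sorted(findings)

# Constructed sample: one clean user, one that fails all three checks.
USERS = [{"Id": "u1", "Username": "erp@example.com", "LicenseName": "Salesforce Integration"},
         {"Id": "u2", "Username": "etl@example.com", "LicenseName": "Salesforce"}]
PERM_SETS = [{"Id": "p0", "IsOwnedByProfile": True},   # profile of u1
             {"Id": "p1", "IsOwnedByProfile": True},   # profile of u2
             {"Id": "p2", "IsOwnedByProfile": False}]  # shared permission set
ASSIGNMENTS = [{"AssigneeId": u, "PermissionSetId": p} for u, p in
               (("u1", "p0"), ("u1", "p2"), ("u2", "p1"), ("u2", "p2"))]
OBJECT_PERMS = [{"ParentId": "p1", "SobjectType": "Lead", "PermissionsRead": True},
                {"ParentId": "p2", "SobjectType": "Account", "PermissionsRead": True},
                {"ParentId": "p2", "SobjectType": "Contact", "PermissionsRead": True}]
ALLOWED = {"erp@example.com": {"Account", "Contact"}, "etl@example.com": {"Account"}}

if __name__ == "__main__":
    for user, finding in audit(USERS, PERM_SETS, ASSIGNMENTS, OBJECT_PERMS, ALLOWED):
        print(user, "-", finding)
```

The second sample user shares a permission set that is wider than its own integration needs, which is the case step 5b addresses with a separate permission set for each distinct set of access rights.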

Conclusion

By applying this configuration of profiles and permissions you are able to:

  • Make use of the API-only license and the potential cost savings;
  • Apply the ‘least privilege’ principle for access rights;
  • Avoid service disruptions of integrations caused by expired passwords/security tokens.


Thank you and good luck!