This article describes the Best Practice for Integration (API) only accounts and how to configure for user accounts.
Dutch version of this article can be found here.
Why use API Only licenses for Integration user accounts?
By using the specific 5 free APIonly Salesforce Licenses you could avoid using the normal Salesforce licenses so these will be available for GUI-based end-users. These API Only licenses are available for all instances with an Enterprise, Unlimited, Performance or Developer Edition. For reference visit this Salesforce Help.
Security: Using these API-Only provide ability to:
- Specific users for integrations to give only access to data (Objects & Fields) which is needed for the integration.
- Avoid unintended use of application by users with access to Integration User credentials as an Integration Only user in Salesforce can’t access the application via the GUI.
Steps to use these API Only licenses
1. Make an account with normal license, generate and set the password.
2. Reset the security token (via the login as feature) to receive one and store this at a suitable place. This so you:
a. Receive a new security token when the password has been changed;
b. Could retrieve the security token later when needed without having to reset the security token and be force to change it all integrations who use these credentials.
3. Make a custom ‘integration only’ profile with the license ‘Salesforce Integration’.
a. Don’t give any access to objects, handle this with permission sets for each specific set of rights.
b. Apply a no expire password exception on this profile. Nothing more annoying than a integration which stops working as the password is expired. Be careful: as good security practice you should change this password regularly, but you should manage this as a recurring change so you are more in control about the expiration of the password.
4. Assign the new custom ‘Integration Only’ profile to the applicable user account(s).
First change the license to ‘Salesforce Integration’ , then select the profile.
5. Make special permission set for access to objects. This has two reasons:
a. To be able to grant access to standard objects as Account, Contact, Lead as this a current inability with the vanilla Salesforce Integration profile.
b. Ability to give different access to separate users or groups of users by creating specific additional permission sets for each distinct set of access rights.
You have to assign the ‘SALESFORCE API INTEGRATION’ license to this permission set to be able to set access to standard objects!
6. Assign the permission set to the applicable users.
By applying this configuration of profiles and permissions you are able to:
- Make use of the API-only license and the potential costs saving,
- Apply the ‘least privilege’ principle for access rights;
- Avoid service disturbances of integrations caused by expired passwords/security tokens.
Thank you and good luck!