Salesforce API Only System Integrations

As an admin, it’s crucial to prioritize security by following the principle of least privilege. What does that mean? Essentially, it’s about granting users access to only the resources necessary for their job. It’s a principle I’ve always stuck to as an admin, and I strongly recommend adopting it. Of course, it requires discipline and patience.

If you’re using the Salesforce API Only System Integrations profile for the first time, I highly recommend configuring it in a sandbox before implementing it in your production environment. This allows you to perform comprehensive testing in a safe environment, minimizing the risk of negatively impacting your production data.

Keep in mind that not all integrations are compatible with this license. It’s important to check with the vendor or provider to ensure compatibility. In some cases, you might not be able to assign a managed package permission set based on the permissions granted to the integration user.

Allocate one user per integration

When setting up access for a new integration, it may seem convenient to use the System Administrator profile. However, this approach often grants excessive access privileges. In my experience, most integrations work perfectly fine without full system admin access. On rare occasions, an integration specifically requires the System Administrator profile (because of the integration’s own internal checks).

Here’s my recommendation: create a new user for each integration and assign them the Salesforce Integration user license. This license creates the Salesforce API Only System Integrations profile and the Salesforce API Integration permission set license. If you’re using Enterprise, Unlimited, or Professional Edition, you’ll automatically be provisioned with five Salesforce Integration user licenses at no extra cost. For additional licenses, reach out to your account executive (AE). Remember, API Only means the user can only access Salesforce through REST, SOAP, or Bulk APIs and not through the user interface.

Using the same user account for multiple integrations exposes your system to unnecessary risk and violates the principle of least privilege. By assigning each integration its own dedicated user, you can precisely control its access permissions, including login IP ranges. Only grant the permissions the integration needs to fulfill its function.
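One way to check that each integration really has its own user and stays inside its login IP ranges is to review login records. This is an added example, not code from Salesforce or the original article; the rows are constructed samples shaped like LoginHistory query results (UserId, Application, SourceIp), and the user IDs, application names, and IP ranges are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows shaped like LoginHistory query results.
SAMPLE_LOGINS = [
    {"UserId": "005000000000001", "Application": "ERP Sync", "SourceIp": "203.0.113.10"},
    {"UserId": "005000000000001", "Application": "ERP Sync", "SourceIp": "203.0.113.77"},
    {"UserId": "005000000000002", "Application": "Marketing Connector", "SourceIp": "198.51.100.5"},
    {"UserId": "005000000000002", "Application": "Nightly Export", "SourceIp": "192.0.2.44"},
]

# Hypothetical login IP ranges (start, end) intended for each integration user.
SAMPLE_RANGES = {
    "005000000000001": [("203.0.113.1", "203.0.113.63")],
    "005000000000002": [("198.51.100.0", "198.51.100.255")],
}


def in_ranges(ip, ranges):
    """True if ip falls inside any (start, end) range; IPv4 sample data only."""
    addr = ipaddress.ip_address(ip)
    return any(
        ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
        for lo, hi in ranges
    )


def review_logins(logins, allowed_ranges):
    """Return (users shared by several applications, logins outside the ranges)."""
    apps = defaultdict(set)
    out_of_range = []
    for row in logins:
        user = row["UserId"]
        apps[user].add(row["Application"])
        # A user with no configured range is treated as out of range.
        if not in_ranges(row["SourceIp"], allowed_ranges.get(user, [])):
            out_of_range.append((user, row["SourceIp"]))
    shared = {u: sorted(a) for u, a in apps.items() if len(a) > 1}
    return shared, out_of_range


if __name__ == "__main__":
    shared, outside = review_logins(SAMPLE_LOGINS, SAMPLE_RANGES)
    print("Users shared across integrations:", shared)
    print("Logins outside allowed ranges:", outside)
```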


You can find the Salesforce Integration user license and the Salesforce API Integration permission set license under “Company Information” in the Setup menu.

Under Company Information in Setup, the Salesforce Integration license appears under User Licenses and the Salesforce API Integration license appears under Permission Set Licenses.

Here’s an example of a user assigned to the Salesforce Integration user license. Upon license assignment, the profile is automatically populated with Salesforce API Only System Integrations.

Configured user with the Salesforce Integration user license.

After verifying the new user account, Salesforce will display a note indicating restricted access for API Only users. Subsequent logins must use the REST, SOAP, or Bulk API.

“Access Restricted for API Only Users” note shown upon successful verification of a new integration user account.

Remove permissions from the Salesforce API Only System Integrations profile

Profiles will be deprecated for permissions in Spring ’26, and the recommended approach for user access control is to use permission sets and permission set groups based on user personas. The profile should only be used for setting defaults, page layout assignments, login hours and IP ranges, and the API Only permission.

With this in mind, I strongly advise removing all permissions from the Salesforce API Only System Integrations profile. Instead, use permission sets and permission set groups to grant permissions such as user permissions, object and field permissions, and connected app access.

Ideally, the Salesforce API Only System Integrations profile should have minimal permissions from the start. Please note that there is a known issue where the profile adds additional permissions upon creation.

What should be in a permission set vs. a profile once permissions on profiles reach end of life in Spring ’26.

Assign the Salesforce API Integration permission set license

Furthermore, you’ll need to assign the Salesforce API Integration permission set license to your integration user. This license contains all the permissions previously granted by the standard System Administrator profile.

So, what’s the difference between a permission set license and a permission set? Think of a permission set license as additional permissions beyond those already granted by your user license. A permission set, on the other hand, is a subset of permissions assigned to a user. If you assign permissions to a user via a permission set but they lack the required license, you’ll encounter an assignment error.

For example, let’s say we have Mochi, my pomeranian, who is assigned an animal user license that doesn’t allow her to have zoomies or eat dog treats. However, she needs both. Mochi is assigned a dog permission set license that grants her the ability to have zoomies and eat dog treats. But in order for Mochi to actually have zoomies or eat dog treats, we need to assign her the two permissions via a permission set.


For our integration user, we initially assign the Salesforce Integration profile (user license), which only has administrative permissions: API enabled, API only user, and Chatter internal user enabled. It has no access to standard or custom objects. To grant additional permissions to the integration user, we extend the functionality via the Salesforce API Integration permission set license. For example, if you need to grant read and edit access to contact data, you can do so by assigning a permission set to the integration user.

Shows the Salesforce Integration user license and Salesforce API Integration permission set license.

Please note that when creating a permission set, if you select a specific permission set license, any user assigned to the permission set will automatically be assigned the permission set license. If you choose “None,” you’ll need to manually assign the permission set license to users before adding them to the permission set.

To view all the permissions associated with the Salesforce API Integration permission set license, navigate to the Company Information page in Setup and locate the permission set license. You’ll find a list of all the permissions granted by the license.


Exercise user management best practices to extend access

To grant the necessary permissions to your integration users, I recommend following the best practices for user management. Apart from setting defaults, page layout assignments, login hours and IP ranges, create permission sets and permission set groups to extend access to your integration users. Bundle permission sets into persona-based permission set groups for easier user management. With permission set groups, you can reuse permission sets and mute permissions that don’t apply to the users assigned to the group.

Now, which permissions should you grant your integration users? It depends on your specific use case. One integration may require read/edit access to account and contact data, while another might need read access to user data and the ability to create activities. Collaborate with the integration provider to determine the least privilege access for the integration user. Check if the provider or vendor has already documented this information in a setup or user guide.


Based on your requirements, your integration user may also need additional permission set licenses in addition to the Salesforce API Integration permission set license. If you encounter issues assigning a specific permission set license, please open a case with Salesforce Support and indicate that you’re unable to assign the permission set license to a user with the Salesforce Integration user license.

Test, test, test, and do more testing!

Before implementing these changes in your production environment, thoroughly test the new integration profile, permission sets, and permission set groups configuration in a sandbox. It’s crucial to ensure that everything functions as expected. Start with the bare minimum privileges and gradually add more permissions during testing. It may require some trial and error, but it’s worth it.

Implement in production and monitor

Once you’re confident in your testing results, it’s time to implement the changes in your production environment. Verify that no new permissions have been added to the Salesforce API Only System Integrations profile during deployment. If any unauthorized permissions are found, manually edit the profile to remove them. Spend a month monitoring the integration to ensure it has all the necessary permissions. If updates are needed, make the changes to the permission sets and permission set groups in a sandbox, test them, and then deploy them to production.
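The post-deployment check described above can be scripted. This is an added example, not code from Salesforce or the original article. It assumes you have already queried the profile-owned PermissionSet record (IsOwnedByProfile = true for this profile) and its ObjectPermissions rows through the API, and it uses as its baseline the three permissions this article says the profile carries. The records below are constructed samples.

```python
# Baseline from the article: API enabled, API only user, Chatter internal user.
BASELINE = frozenset({
    "PermissionsApiEnabled",
    "PermissionsApiUserOnly",
    "PermissionsChatterInternalUser",
})
OBJECT_FLAGS = (
    "PermissionsRead", "PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
    "PermissionsViewAllRecords", "PermissionsModifyAllRecords",
)

# Constructed sample: the PermissionSet row owned by the profile after a deployment.
SAMPLE_PERMISSION_SET = {
    "IsOwnedByProfile": True,
    "PermissionsApiEnabled": True,
    "PermissionsApiUserOnly": True,
    "PermissionsChatterInternalUser": True,
    "PermissionsViewSetup": True,      # drift introduced for the sample
    "PermissionsEditTask": True,       # drift introduced for the sample
    "PermissionsModifyAllData": False,
}
# Constructed sample: ObjectPermissions rows whose parent is that PermissionSet.
SAMPLE_OBJECT_PERMISSIONS = [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsEdit": True},
    {"SobjectType": "Account", "PermissionsRead": False, "PermissionsEdit": False},
]


def audit_profile(permission_set, object_permissions):
    """Return (extra user permissions, missing baseline permissions, object grants)."""
    enabled = {
        name for name, value in permission_set.items()
        if name.startswith("Permissions") and value is True
    }
    extra = sorted(enabled - BASELINE)
    missing = sorted(BASELINE - enabled)
    grants = {}
    for row in object_permissions:
        flags = [flag for flag in OBJECT_FLAGS if row.get(flag)]
        if flags:  # any object access on the profile belongs in a permission set
            grants[row["SobjectType"]] = flags
    return extra, missing, grants


if __name__ == "__main__":
    extra, missing, grants = audit_profile(SAMPLE_PERMISSION_SET, SAMPLE_OBJECT_PERMISSIONS)
    print("Remove from profile:", extra)
    print("Missing baseline:", missing)
    print("Object access to move to permission sets:", grants)
```

Running the same audit in the sandbox before deployment and in production afterwards shows exactly which permissions appeared during the deployment.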

If you’re transitioning an existing user to the new integration profile, permission sets, and permission set groups access model, I recommend keeping the previous model intact as a backup. After the integration has run smoothly on the new access model for 1 to 2 months, you can safely delete the obsolete access model (custom profile and permission sets).
