Salesforce being a cloud application can something be confusing for some of the most season professional coming from an on-premise environment to cloud.
Within an on-premise environment, a service account is used for integration with other line of business system and other elevated administrative tasks.
With Saleforce, they introduce the concept of a “Integration User”, this at the very basic is similar to a service account that many folks are familiar with.
Let’s look at how we can create one.
- Create a normal user with appropriate licenses. Maybe give them a new specific profile also.
- Go to Setup-> Manage Users -> Profiles
- Open the profile of the new User. Click Edit
- Scroll down to Administrative Permissions and check the API Enabled box
Security Consideration
API Only – Specifies that the user can only log in through the API. This prevents the user from being used for any purpose other than integration scenarios.
- Modify All Data – Specifies that the user can view any data stored in the database and edit any field with the editable flag. (Some fields, like CreatedDate, do not have the editable flag set and cannot be edited by any user, regardless of the “Modify All Data” permission.) This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission is not enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index
If you don’t want to grant “Modify All Data” to the User, use the “Modify All” permission. This permission further restricts the integration user’s access and at the same time avoids the above error with respect to Upsert using non-unique external ID.
In addition, consider restricting the following to enable a more secure integration:
All logins use secure access (HTTPS)
- The integration user’s access to just those objects required for the integration.
- The IP addresses that the integration user can use, perhaps to just the IP address of the server.
- The organization-wide sharing model—select the lowest level of the hierarchy for the integration user to make changes.
- All passwords are considered strong and contain at least 20 random characters.
- Please make sure “Lightning Experience User” is unchecked while creating an API user profile.
Additional Information
Blog, Value of Integration User
Documentation for Integration User