Episode 6. Salesforce API user (your technical / integration user) and common best practices
An API integration is the connection between two or more applications, via their APIs, that lets those systems exchange data.
Standard business perspective: client applications that access Salesforce through the API must first log in as a Salesforce user for authentication. For this purpose it is always recommended to create a special user in your organization, solely for integration purposes. That way, if an actual user leaves your organization, you will always have a user with the correct permissions available.
This process consists of two phases. Phase 1 describes how to create such a Profile and Phase 2 describes how to create a User account with said profile.
Steps to configure
- Create an integration user in your organization with Administrative permissions, solely for integration purposes.
- Make sure to select the API Enabled and API Only User check boxes to allow an integration user to log in via API.
- A Salesforce API user must log in first for authentication.
1. Set up an API Only profile
- Go to Setup → open an existing profile (Standard Read Only)
- Clone it and give it the standard Salesforce license (User License = Salesforce)
- Set (assign) the relevant object permissions
- Under Administrative Permissions, check API Only User (if you do not want the user account to be allowed to log in to the Salesforce standard UI), and
- To enable access via the API, select the API Enabled check box in the Administrative Permissions region.
2. Create user with ‘API Only’ profile
- Once the profile is set up, create a user: Setup → Manage Users → New User (User License = Salesforce, Profile = API Only) and Save. Done!
Some Do’s & Don’ts
Do’s
- Dedicate one custom profile for all API users
- Configure it by default with no access to all objects
- Have 1 different integration user for each external application/requirement interacting with your Salesforce org
- Assign all integration users to the same integration profile, using a full Salesforce license if possible
- Create 1 permission set per external application or requirement
- Grant field-level security to the API users only through permission sets, as well as specific system and application permissions
- Assign the Permission Set to the corresponding user
Don’ts
- Using a System Administrator profile to provide access to an external application
- Creating multiple profiles per external application (leverage permission sets instead). No: think about the maintenance burden!
- Giving more than what is really required. Do instead: control access based on the systems in the landscape that require integration (data flow), and decide whether one user per system, in a unique combination with 1 permission set (containing the actual object permissions), would be better
Lastly, as said above, if multiple systems are involved, try leveraging permission sets (new user + permission set + the existing profile) to fine-tune your access based on what is needed by the other system (interface).
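The profile setup steps above and the do’s and don’ts both boil down to a small set of checkable rules: one API Only profile on a Salesforce license with API Enabled set, no System Administrator profile for integrations, one user per external application, and exactly one permission set per user. The following audit script is an added example (not part of the original post or of Salesforce’s own tooling) that applies those rules to constructed sample records. The record shapes mimic SOQL results for User, Profile and PermissionSetAssignment; the field names PermissionsApiEnabled and PermissionsApiUserOnly, the UserLicense label and the custom IntegrationApp field are assumptions for the example, and all sample data is made up.

```python
"""Audit Salesforce integration users against the one-profile / one-permission-set model.

Added example with constructed data; field names PermissionsApiEnabled,
PermissionsApiUserOnly, UserLicense and IntegrationApp are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample Profile records (not real org data).
PROFILES = [
    {"Id": "P-ADMIN", "Name": "System Administrator",
     "PermissionsApiEnabled": True, "PermissionsApiUserOnly": False, "UserLicense": "Salesforce"},
    {"Id": "P-INTEG", "Name": "API Only",
     "PermissionsApiEnabled": True, "PermissionsApiUserOnly": True, "UserLicense": "Salesforce"},
    {"Id": "P-BROKEN", "Name": "API Only (misconfigured)",
     "PermissionsApiEnabled": False, "PermissionsApiUserOnly": True, "UserLicense": "Salesforce"},
]

# Constructed sample integration users. IntegrationApp is an assumed custom
# field naming the external system each user serves.
USERS = [
    {"Id": "U1", "Username": "erp.integration@example.com", "ProfileId": "P-INTEG", "IntegrationApp": "ERP"},
    {"Id": "U2", "Username": "billing.integration@example.com", "ProfileId": "P-INTEG", "IntegrationApp": "Billing"},
    {"Id": "U3", "Username": "legacy.integration@example.com", "ProfileId": "P-ADMIN", "IntegrationApp": "Legacy"},
    {"Id": "U4", "Username": "marketing.integration@example.com", "ProfileId": "P-BROKEN", "IntegrationApp": "Marketing"},
    {"Id": "U5", "Username": "billing2.integration@example.com", "ProfileId": "P-INTEG", "IntegrationApp": "Billing"},
]

# Constructed PermissionSetAssignment records (user -> permission set label).
ASSIGNMENTS = [
    {"AssigneeId": "U1", "PermissionSet": "PS_ERP"},
    {"AssigneeId": "U2", "PermissionSet": "PS_Billing"},
    {"AssigneeId": "U2", "PermissionSet": "PS_ERP"},
    {"AssigneeId": "U4", "PermissionSet": "PS_Marketing"},
]


def audit_integration_users(users, profiles, assignments):
    """Return a list of (username, finding) tuples, one per violated rule.

    A user with no findings follows every rule in the post; the special
    username "*" carries org-wide findings (profile sprawl).
    """
    profile_by_id = {p["Id"]: p for p in profiles}
    permsets_by_user = defaultdict(list)
    for a in assignments:
        permsets_by_user[a["AssigneeId"]].append(a["PermissionSet"])
    users_per_app = Counter(u["IntegrationApp"] for u in users)

    findings = []
    for u in users:
        prof = profile_by_id[u["ProfileId"]]
        name = u["Username"]
        # Don't: System Administrator profile for an external application.
        if prof["Name"] == "System Administrator":
            findings.append((name, "uses System Administrator profile"))
        # Step 1: API Enabled must be set or the API login fails.
        if not prof["PermissionsApiEnabled"]:
            findings.append((name, "profile lacks API Enabled"))
        # Step 1: API Only User keeps the account out of the standard UI.
        if not prof["PermissionsApiUserOnly"]:
            findings.append((name, "profile allows UI login (API Only User unset)"))
        # Do: full Salesforce license on the integration profile.
        if prof["UserLicense"] != "Salesforce":
            findings.append((name, "profile not on Salesforce license"))
        # Do: exactly one permission set per external application/user.
        n_ps = len(permsets_by_user.get(u["Id"], []))
        if n_ps == 0:
            findings.append((name, "no permission set assigned"))
        elif n_ps > 1:
            findings.append((name, f"{n_ps} permission sets assigned, expected 1"))
        # Do: one distinct integration user per external application.
        if users_per_app[u["IntegrationApp"]] > 1:
            findings.append((name, f"shares application '{u['IntegrationApp']}' with another user"))

    # Do: a single custom profile shared by all API users.
    distinct_profiles = {u["ProfileId"] for u in users}
    if len(distinct_profiles) > 1:
        findings.append(("*", f"integration users spread over {len(distinct_profiles)} profiles, expected 1"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_integration_users(USERS, PROFILES, ASSIGNMENTS):
        print(f"{username}: {finding}")
```

In a real org the three lists would be filled from SOQL queries against User, Profile and PermissionSetAssignment (via the API with a read-only auditing user) rather than from the constructed literals; the rule logic stays the same. Running the sample prints nine findings, and the only user that passes cleanly is the ERP user, which has the API Only profile, one permission set and no other user serving the same application.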
For more info, please check the Salesforce help documentation.
Also, to share: there is a very nice article that I love.
Thanks- Mohits