One of the quickest ideas in terms of implementation time into the product – at Dreamforce 2022, during TTTC, Alon Waisman asked why we need to pay for a full licence for every integration user when security and trust is one of the Salesforce values. The idea, which came after 20+ years on the market, was approved immediately, and at TrailblazerDX 2023 the new licences were announced. So merely 6 months after the wish, we all (I mean Enterprise and above) got 5 free licences we can use for integration, and each additional one costs just $10/month.
Why do we need it?
First of all, there are two types of integrations, and you can use these users for only one of them: Inbound (where an external system calls into Salesforce) and Outbound (where Salesforce calls an external system).
While Outbound happens under the logged-in user, Inbound has been troubling so far, as either the system admin or some other user entered their credentials into the other system and all updates were tracked under them. Not the best in terms of security and accountability.
With 5 of these licences we can give each external system its own user with its own set of permissions, really tweaked to what the system needs to create/update in Salesforce. We will see which system made which changes and when, and can track why it happened more precisely.
How to do it?
Just change the user licence to the new Salesforce Integration one.
There is a profile already prepared, but it doesn’t provide access to the objects. So the next step is to create permission sets and assign them to the user, as David Smith summarizes in his article.
Step two – assign the permission set licence. Without that you won’t really be able to assign any permission set with wider access that you create.
David also raised an interesting question about OAuth authentication or resetting a security token, where it seems you might need to switch to a full licence to do these things and then switch back. At the same time, Salesforce Help says that the OAuth 2.0 flow should be the way to go.
Let’s do it
Now just find the time to do the switch with my customers. While it looks easy at first (just switch and you are done), the fact that you can play with the access rights should lead you to really think about what the other system should be allowed to do and limit it as much as possible. And that thinking process takes time.
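One way to support that thinking process, as an added example that is not part of the original post: compare what each integration user's permission sets actually grant against what was agreed for its external system. The permission field names follow Salesforce's ObjectPermissions object; the usernames, permission set names, sample rows and allowlist are constructed for illustration.

```python
# Added example: flag object permissions an integration user holds beyond
# what its external system was agreed to need. Field names follow Salesforce's
# ObjectPermissions object; users, permission sets and allowlist are constructed.
FLAGS = {
    "PermissionsRead": "read", "PermissionsCreate": "create",
    "PermissionsEdit": "edit", "PermissionsDelete": "delete",
    "PermissionsViewAllRecords": "view_all", "PermissionsModifyAllRecords": "modify_all",
}

# Agreed access per integration user (constructed, hypothetical systems).
ALLOWED = {
    "erp.integration@example.com": {"Account": {"read", "edit"},
                                    "Order": {"read", "create", "edit"}},
    "web.integration@example.com": {"Lead": {"read", "create"}},
}

def row(user, pset, sobject, *fields):
    # Build one exported row: user, permission set, object, granted flags.
    return {"Username": user, "PermissionSet": pset, "SobjectType": sobject,
            **{f: True for f in fields}}

# Constructed sample export, one row per (user, permission set, object).
ROWS = [
    row("erp.integration@example.com", "ERP_Sync", "Account", "PermissionsRead", "PermissionsEdit"),
    row("erp.integration@example.com", "ERP_Sync", "Order", "PermissionsRead",
        "PermissionsCreate", "PermissionsEdit", "PermissionsDelete"),
    row("erp.integration@example.com", "Legacy_Admin_Copy", "Contact",
        "PermissionsRead", "PermissionsViewAllRecords"),
    row("web.integration@example.com", "Web_Forms", "Lead", "PermissionsRead", "PermissionsCreate"),
]

def effective_access(rows):
    """Union of object permissions across all permission sets, per user."""
    access = {}
    for r in rows:
        granted = {name for field, name in FLAGS.items() if r.get(field)}
        access.setdefault(r["Username"], {}).setdefault(r["SobjectType"], set()).update(granted)
    return access

def excess_access(rows, allowed):
    """Return {user: {object: [extra permissions]}} for grants beyond the allowlist."""
    findings = {}
    for user, objects in effective_access(rows).items():
        for sobject, granted in objects.items():
            extra = granted - allowed.get(user, {}).get(sobject, set())
            if extra:
                findings.setdefault(user, {})[sobject] = sorted(extra)
    return findings

if __name__ == "__main__":
    print(excess_access(ROWS, ALLOWED))
```

Permissions are additive across permission sets, which is why the check works on the union per user rather than on each permission set separately.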