Yesterday I spoke about the option of using a dedicated license to load data into Salesforce. This Automation User (perhaps it should be called “Unautomation User” or “No Automation User”) is similar to another kind of dedicated license – the API User.
The API User is a user license assigned for integrations only. If you don’t have any integrations, this user is not needed.
Unlike the Automation User, this user should not be a System Administrator. Instead, its profile should be cloned from “Read Only” and upgraded based only on the objects it needs access to (a good name for this new profile is “API Only”).
Thus, if you’re only integrating with accounts, contacts and opportunities, those are the only objects this profile should be able to access. The type of access depends on the nature of the integration, but a good starting point is limited access (i.e. read and create), upgraded as needed.
Further, the system permission “Api Only User” should be set to true. This allows this user to log in through the API only, and not through the UI.
If you have multiple integrations, the same API User can be used, unless there are specific use cases that require additional API users.
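An added example, not from the original post: a Python check that audits a profile file retrieved through the Metadata API against the rules above (only the integrated objects, read and create as the starting point, “Api Only User” enabled, no administrator-level permissions). The allow-list, the sample XML and the function name are assumptions made for illustration; `ApiUserOnly` is the Metadata API name of the “Api Only User” permission.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
         "viewAllRecords", "modifyAllRecords")
# Starting point from the post: read and create on the integrated objects only.
ALLOWED = {o: {"allowRead", "allowCreate"}
           for o in ("Account", "Contact", "Opportunity")}

# Constructed sample of a retrieved .profile metadata file (not a real org).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <object>Account</object>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowDelete>true</allowDelete>
    <object>Opportunity</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><object>Case</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

def audit_profile(xml_text, allowed=ALLOWED):
    """Return a list of least-privilege findings for one profile."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("md:objectPermissions", NS):
        obj = op.findtext("md:object", "", NS)
        granted = {f for f in FLAGS if op.findtext(f"md:{f}", "false", NS) == "true"}
        if not granted:
            continue  # entry present but nothing granted
        if obj not in allowed:
            findings.append(f"{obj}: object not needed by the integration")
        elif granted - allowed[obj]:
            findings.append(f"{obj}: excess {sorted(granted - allowed[obj])}")
    enabled = {up.findtext("md:name", "", NS)
               for up in root.findall("md:userPermissions", NS)
               if up.findtext("md:enabled", "false", NS) == "true"}
    if "ApiUserOnly" not in enabled:
        findings.append("ApiUserOnly is not enabled: UI login is possible")
    for admin in sorted(enabled & {"ModifyAllData", "ViewAllData"}):
        findings.append(f"{admin}: administrator-level permission on an API profile")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
```

Running the check whenever the profile changes shows when an integration’s access has drifted beyond what was originally granted.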
The takeaway
Some clients don’t like the idea of “burning” user licenses for these purposes. It’s your role as a Salesforce consultant to explain the value in protecting their data by limiting access.
Just like you don’t want dozens of system administrators running around, you need to keep integrations and automations flowing smoothly and securely.