Strengthen Salesforce Org Security: Enabling API access controls

Safeguarding customer data is crucial in today’s digital landscape. In recent months we have all heard about large companies experiencing data breaches leading to customer information being exposed online. Join us to learn about how to Strengthen Salesforce Org Security by enabling API access controls.


What are API Access Control Settings?

API Access Control is a feature that can be turned on in your Salesforce org by reaching out to Salesforce support. With it enabled, users can connect only to third-party connected apps that the system admin has approved.

  • Connected apps need to be set up with policies; otherwise users will not be able to access them.
  • Turning this feature on can block APIs and Google Chrome extensions; two examples we have found are the Salesforce Inspector extension and the Developer Console.
  • If an application must be used, a permission set can be assigned to the user to authorize the connection.

Learn more about Security in Salesforce.

Connected Apps OAuth Usage page in Salesforce without API Access controls

  • Users can connect to different applications using their Salesforce credentials
  • Users can connect to Salesforce without any policy being in place
  • Managing connected apps through the OAuth Usage page puts an added burden on Salesforce admins

Connected Apps OAuth Usage page in Salesforce Org with API Access controls

  • Users cannot connect to other applications using their Salesforce credentials
  • Users will be unable to connect unless the connected app is installed and policies are in place
  • Salesforce admins no longer need to review the OAuth Usage page to see what users have connected to

Before implementing API access controls

  • Review the Connected Apps OAuth Usage page in Salesforce to see which connected apps have been authorized
  • Identify whether these connected apps are approved for use
  • Document what each connected app is used for and by whom
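The three review steps above are easier to repeat if the OAuth Usage data is pulled out of the org and reconciled against a written register of approved apps. The script below is an added example for this post, not code from the original article or from Salesforce: it embeds the SOQL an admin would run against the standard OauthToken object (the relationship field names are my assumption; verify them in Object Manager), then reconciles a constructed sample of the exported rows against a constructed approved-app register, flagging apps that are not approved, approved apps used from a profile the register does not allow, and dormant tokens worth revoking before the controls are switched on.

```python
from collections import defaultdict
from dataclasses import dataclass

# SOQL an admin can run (Developer Console, Workbench, or `sf data query`) to
# pull the same rows the Connected Apps OAuth Usage page shows. OauthToken is a
# standard queryable object; the relationship fields used here are an
# assumption from past use, so confirm them in your org's Object Manager first.
OAUTH_USAGE_SOQL = (
    "SELECT AppName, User.Username, User.Profile.Name, LastUsedDate, UseCount "
    "FROM OauthToken ORDER BY AppName, User.Username"
)


@dataclass(frozen=True)
class TokenRow:
    """One row of the exported query result."""
    app_name: str
    username: str
    profile: str
    last_used: str  # ISO date (YYYY-MM-DD), so plain string comparison orders correctly
    use_count: int


# Constructed sample rows standing in for the CSV/JSON export of the query above.
SAMPLE_ROWS = [
    TokenRow("Salesforce Inspector", "alice@example.com", "System Administrator", "2024-05-01", 120),
    TokenRow("Power BI", "bob@example.com", "Finance", "2024-04-28", 30),
    TokenRow("Power BI", "carol@example.com", "Sales", "2023-11-02", 2),
    TokenRow("Own Backup", "backup.svc@example.com", "Integration User", "2024-05-02", 365),
    TokenRow("Unknown Mobile App", "dave@example.com", "Sales", "2024-04-30", 5),
]

# The approved-app register produced in the documentation step (constructed):
# app name -> business owner and the profiles allowed to use it.
APPROVED_APPS = {
    "Power BI": {"owner": "Finance Ops", "profiles": {"Finance"}},
    "Own Backup": {"owner": "IT Ops", "profiles": {"Integration User"}},
}


def reconcile(rows, approved):
    """Compare observed OAuth usage with the approved-app register.

    Returns a dict with:
      unapproved_apps - app -> sorted users, for apps absent from the register
      off_profile     - (app, user, profile) where the app is approved but the
                        user's profile is not one the register allows
      usage_by_app    - app -> sorted users, the raw inventory for documentation
    """
    unapproved = defaultdict(set)
    off_profile = []
    usage = defaultdict(set)
    for row in rows:
        usage[row.app_name].add(row.username)
        entry = approved.get(row.app_name)
        if entry is None:
            unapproved[row.app_name].add(row.username)
        elif row.profile not in entry["profiles"]:
            off_profile.append((row.app_name, row.username, row.profile))
    return {
        "unapproved_apps": {app: sorted(users) for app, users in sorted(unapproved.items())},
        "off_profile": sorted(off_profile),
        "usage_by_app": {app: sorted(users) for app, users in sorted(usage.items())},
    }


def stale_tokens(rows, cutoff_date):
    """Tokens whose last use is before cutoff_date: candidates to revoke before
    enabling API Access Control, so nobody keeps a dormant grant."""
    return sorted((r.app_name, r.username) for r in rows if r.last_used < cutoff_date)


def render_report(findings, stale):
    """Plain-text summary an admin can paste into the review ticket."""
    lines = ["Unapproved connected apps (block, or add to the register):"]
    for app, users in findings["unapproved_apps"].items():
        lines.append(f"  {app}: {', '.join(users)}")
    lines.append("Approved apps used from a profile the register does not allow:")
    for app, user, profile in findings["off_profile"]:
        lines.append(f"  {app}: {user} ({profile})")
    lines.append("Stale tokens to revoke:")
    for app, user in stale:
        lines.append(f"  {app}: {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = reconcile(SAMPLE_ROWS, APPROVED_APPS)
    print(render_report(findings, stale_tokens(SAMPLE_ROWS, "2024-01-01")))
```

Run the SOQL in the org, export the result, load the rows into TokenRow objects in place of SAMPLE_ROWS, and keep APPROVED_APPS as the register you maintain from the documentation step. The "off_profile" findings map directly onto the profiles and permission sets you will later put on each connected app.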

Enable API Access controls

To Enable API Access controls:

  • Contact Salesforce support if the API Access Control settings are not available in your org and request that they be turned on
  • Test enabling API Access Control in a sandbox first to confirm there are no system impacts that need to be mitigated
  • A permission set with “Use Any API Client” can be created for users who need to access an external API that does not use a connected app

Creating Policies for the Connected app

Set Token Policies

  • For users connecting to an app, set the policy to expire the refresh token immediately
  • For users connecting to Excel or Power BI, the refresh token policy may need to be set to one hour
  • For service accounts, e.g. Own used for nightly backups of your Salesforce data, the refresh token policy may need to be set to never expire. Make sure a credential rotation process is in place for these types of connections.

Add Profiles and Permission Sets

  • Based on the documentation you created, update the connected app with the approved profiles
  • To fine-tune access, add the permission sets that users must be assigned in order to use the app

Salesforce Org Security

According to an article on cybersecuritydive.com by David Jones, “Third-party vendors are five times more likely to exhibit poor security”; this is one example of why every third-party app connected to Salesforce needs to be reviewed and authorized. By implementing API Access Control and making sure policies are in place to manage connected app access, a proactive approach can be taken to ensure a more secure org. For hands-on learning, see the Trailhead Super Badge. Hope this helps you understand how to strengthen Salesforce org security by enabling API access controls.