Salesforce integration licenses - how to implement

Note: This process has changed since I wrote this, and the article is no longer correct. Leaving here for archival purposes.

Salesforce has recently release their new Integration licenses, which allows you to connect to external sites without taking up a standard (expensive) license. All accounts on enterprise and up will get 5 licenses, and it sounds like getting extra licenses is an inexpensive process (to confirm, but it sounds like $10 per license per month).

Why is this an important offering?

• Increased security - instead of attaching external systems to a real user, you're able to set up a specific account that only connects to Salesforce via API.
• Decreased cost - previously, following best practice meant that you lost a license, which was a large price to pay for doing things the right way. Now there's minimal to no cost in doing so.

How do you implement these licenses?

1. Create a new user.

Create a new user, using the Salesforce Integration license type, and the Salesforce API Only System Integration profile. If you need to adjust anything about the profile, you can clone it, but we're going to be opening up access to objects via permission sets, so it's not a major issue.

Note: you can also change an existing API user into this license type by editing them to this license and profile. Be aware, this will probably stop your integrations working till you open your objects up via permission sets as in step 3 below, since you're not able to set object permissions on this profile.

2. Set the users password.

You can set the users password normally, via the resent link sent to the email. After setting the password, you'll be told that's the last thing you can do via the UI. If you need to reset the users security token, you'll need to change the users type to a standard license, log in and reset it, then change it back. There's no programmatic way of resetting security tokens, it has to be done via the UI.

3. Create and assign permission sets.

This bit is still a bit weird, I'm not entirely sure I'm right here, so please let me know if you find anything different.

You need to create 2 permissions sets, one for standard objects, and one for custom objects.

For standard objects, you need to set the permission set to use the license type of "Salesforce API Integration". Trying to add a permission set with a standard object to this user without that license type will throw an error.

Then create another permission set, granting wider access to custom objects that you want to integrate with. This shouldn't have a license type set.

Once these are set up, assign it to the same user.

That's it! You've got a user set up that has restricted access, and probably isn't costing you anything. Management will be thrilled.

If you want to review Salesforce's documentation, you can find it here.

Notes:

• The documentation states you need to add a specific permission set to grant access to this feature. This doesn't seem to be necesssary.
• You can't grant an oauth connection while it's in UI only mode, you're unable to get to the permission screen to grant access. You need to change it back to a normal account, authenticate, then back to API only. Same with resetting a token.