How the Salesforce Integration User Saves Licenses for Real Humans

How the Salesforce Integration User Saves Licenses for Real Humans

min. reading

Salesforce is introducing something pretty exciting for orgs that have little wiggle room while assigning licenses to Salesforce users. A new type of license called “Salesforce Integration User” is available now, and it’ll help you to save your user licenses for actual humans.

The Salesforce Integration User was introduced to facilitate best practices of using a separate license for any integrations that require an integration license to integrate with Salesforce. That includes integrations like Docusign and MuleSoft.

This license is specifically designed for System-to-System Integration types and provides the user with API Access Only.

How many Salesforce Integration User Licenses Do We Get?

All orgs will have 5 free Salesforce Integration User Licenses available to them, and additional licenses are available to purchase for about $10 each (customers should speak to their AEs regarding the purchase of additional licenses).

Salesforce Integration User License Setup

You can verify the number of integration user licenses available to you under Company Information > Setup.

In addition to the new licenses, a new standard profile called ‘Salesforce API Only System Integrations‘.

NOTE: When creating a new user with the Salesforce Integration User License, this will be the only profile available.

Creating a Custom Profile for the API Only System Integration User (System Permissions)

Since the new ‘Salesforce API Only System Integrations’ profile is a standard profile and therefore can’t be updated, it is recommended that you create a new profile by cloning the Salesforce API Only System Integrations (not System Administrator) for integration users in order to customize the permissions:

  1. Go to Setup > Profiles
  2. Locate the ‘Salesforce API Only System Integrations’ profile and click Clone.
  3. In the Permission set, go to System Permissions
  4. Enable the following permissions:
    • Password never expires – doing this prevents the password from expiring while someone is out of the office with no one available to update it across integrations
    • API Enabled
    • Api Only User
    • Chatter Internal User (optional)
  5. (Still under System Permissions) Make sure ‘Multi-Factor Authentication Login Requirements for API Access’ is not enabled

Create a Custom Permission Set for the Integration (Object Access)

  1. Go to Setup > (Quickfind) Permission Sets
  2. Create a new permission set
  3. Name your permission set to reflect the permission for this integration. For example “Integration – ZoomInfo”
  4. Leave the License Type empty “–None–”
  5. Add the following to the Object Settings for each object the integration needs access to:
    1. Object CRUD access (Create/Read/Update/Delete/View All/Modify All)
      • This example is for adding access to just the Account object to the Integration User.
    2. Field-level access (Read/Edit) for each field on the object
    3. Remember the principle of least privilege – we want to grant access only for the actions that the integration needs.
      • In particular, keep in mind custom record types that are deployed by integrations’ own packages

Creating an Integration User

To use one of these licenses, it is recommended to:

  • Create a new user for each specific integration (if there is not a dedicated license already)
  • Assign the Salesforce Integration license (or you can change the license or if you already have a dedicated user for the integration)
  • Give the user the Salesforce Integration API permission set license.
  • Add the custom permission set you created above.

Validate

Once your user is set up:

  • Add the new integration user credentials in the integration platform (the steps may vary based on the integration)
  • Test the integration to confirm the integration is working the way it should.
    • For example, are records being updated as expected?

Considerations

  • The Salesforce Integration user license is API Access Only, meaning that it is not suitable for non System to System integration uses. Users with this license will not have access to the direct user login or access the org through the UI.
  • With the new licenses, it is still recommended to use one integration user per integration to ensure traceability of the transactions that the integration has within Salesforce.
  • If you are moving an existing user to the integration user license, the new ‘Salesforce API Only System Integrations’ profile, may not have all the object permissions needed. Any specific permissions needed may need to be assigned using permission sets.
  • Pardot API users are usually better met with the Identity User License, but if there are reasons to use this license (Oath2 Client Credentials) the Integration Connector User permission set is what will need to be applied to grant Pardot record access. Users using this license may not appear in User Sync until after you manually create and connect a Pardot user.
  • A custom permission set granting object and field access is preferred over doing this in the profile as permissions in profiles is scheduled to be sunset Spring of ’26.

Additional Resources

Special thank you to Heather Rinke, Larry Harvey, and Mike Creuzer for contributing to this post.

Subscribe to The Spot

Hidden
Hidden
Hidden
Hidden
This field is for validation purposes and should be left unchanged.

Upcoming Salesforce Events

Salesforce Training Courses

Categories

Top 5 Recent Posts

  • Nathalie is a CRM Analyst at Sercante with four years of experience working with Sales & Service Cloud. When she's not working, she can be found watching Rugby Union, reading or listening to a true crime podcast. Nathalie enjoys learning from her fellow Sercantians and improving Salesforce processes.

Leave Your Comment

Related Articles

Bot Single Post