Maximizing Data Privacy with a Custom Integration User
Not every integration with Salesforce provides you with the ability to restrict access to records in your Salesforce org. Some integrations have an “all or nothing” approach to the synchronization of data. This document will guide you through the process of creating and configuring a Salesforce Integration User. It addresses best practices and data privacy concerns related to using a perennial Integration User with the Salesforce Integration User License and the Salesforce API Only System Integrations Profile and shows you how to configure Salesforce to only allow certain records to sync with the connected integration.
By creating a dedicated Integration User, applying specific permission sets, using sharing rules and field-level security, you can precisely control which records and fields are accessible to a third party integration. This secure connection ensures sensitive information remains protected while only sharing necessary data.
Salesforce provides 5 Integration User Licenses for free
Salesforce provides 5 Integration User Licenses for free. Having a separate integration user for each integration enables you to have more control over permissions and access for each integration and also provides better visibility into which integrations are responsible for updates to records in your org.
Introduction
To prevent disruptions due to individual user account deactivations and to maintain data privacy, it is recommended to create a dedicated "Integration User" for authenticating the connection between Salesforce and third-party tools. This document will guide you through the process of creating and configuring a Salesforce Integration User and ensuring it has the correct permissions and access settings using the Salesforce Integration User License and the Salesforce API Only System Integrations Profile in conjunction with Salesforce sharing settings.
Step 1: Create a New Integration User
- Log in to Salesforce as an administrator.
- Go to Setup > Users > New User.
- Fill in the required fields:
- First Name:[Optional]
- Last Name: [Something meaningful like the Name of the Integration]
- Email: [a dedicated email address for the integration user]
- Username: [a unique username for the integration user]
- Role: [assign an appropriate role, e.g., Integration User]
- User License: Salesforce Integration
- Profile: Salesforce API Only System Integrations
- Click "Save" to create the new Integration User.
- Assign the “Salesforce API Integration” permission set license to the newly created user by clicking on the “Permission Set Group Assignments [x]” link at the top of the user detail page.
- Click “Edit Assignments” in the “Permission Set License Assignments” section of the page
- Scroll down to the “Salesforce API Integration” permission set license
- Check the box in the “Enabled” column
- Scroll to the top/bottom of the page and click save
Step 2: Configuring Access to Specific Fields and Records
- Go to Setup > Object Manager and select the object (e.g., Lead, Account, Opportunity, or Contact) you want to modify access for.
- Click on "Fields & Relationships" and select the field you want to hide from the Integration User.
- Click "Set Field-Level Security" and uncheck the "Visible" box for the Integration User's profile.
- Do this for all fields containing sensitive data
- Click "Save" to update field-level security settings.
Step 3: Create a Permission Set (Optional)
It may be necessary to add special permissions to the Integration user specific to your integration. You may also need to open access the fields restricted from the Salesforce API Only System Integrations profile in the previous step.
*Also, it is worth noting that Salesforce will be retiring permissions on Profiles in the Spring '26 release, which will then require permissions to be managed via permission sets and permission set groups.
- Go to Setup > Users > Permission Sets.
- Click "New Permission Set."
- Enter a label and an API name for the permission set.
- Click "Save" to create the new permission set.
- Add Relevant System Permissions specific to your integration to the Permission Set
- Repeat steps 1 - 5 in order to create a permission set for each integration requiring a unique set of permissions.
Assigning the Permission Set to Users
- Click "Manage Assignments."
- Click "Add Assignments."
- Select the Integration User
- Click "Assign" and then click "Done" to complete the assignment process.
Step 4: Create a Public Group
Since sharing rules (configured in the next step) do not allow for sharing records with individual users, it is necessary to create a public group and add our integration user to the group.
- Go to Setup > Users > Public Groups.
- Click "New Public Group."
- Enter a label and a unique name for the public group.
- Click "Save" to create the new public group.
Adding the Integration User to the newly created public group
- Click "Manage Members."
- Click "Add Members."
- Change the dropdown menu to "Users" (if it's not already set to that).
- Locate the Integration User in the list of available users or use the search functionality to find the user.
- Select the Integration User by checking the box next to their name.
- Click the "Add to Group" button to add the selected user to the group.
- Click "Done" to complete the process.
Step 5: Configure Sharing Settings
Before configuring Sharing Settings, we will need to create a field on each object that we intend to regulate. This field will serve as an identifier for the records that need to be included in the batch when our integration initiates a sync. You could consider making this a formula checkbox field that evaluates to TRUE based on criteria. For the purposes of this tutorial we will use a standard checkbox field type.
Create Custom Field on Target Object
- Create a custom field on the target object (i.e. Account) called "Send to [Name of Integration]" i.e “Send to Hubspot” with a data type of Checkbox.
- Apply the checked checkbox to the records that you intend to sync to your integration.
- Apply the checked checkbox to the records that you intend to sync to your integration.
Setting Org Wide Default Settings
- Go to Setup > Security > Sharing Settings.
- Click "Edit" next to the target object(i.e. Account).
- Set the Org-Wide Defaults for the object to "Private."
- Repeat for any other objects that you wish to restrict access
- Click "Save" to update the Org-Wide Defaults.
Create a Sharing Rule
- Scroll down to the "Account Sharing Rules," click "New Sharing Rule" for the target object.Repeat for any other objects necessary configure the sharing rule:
- Rule Name: Send_to_Integration
- Description: Shares Account records with Integration User when "Send to [Integration]" is checked.
- Select "Based on Criteria."
- Set the criteria to "Send to [Integration] equals True."
- In the "Share with" section, select the Public Group created in the previous step
- Choose Read/Write access level for Account
- Click "Save" to create the new sharing rule.
Now, the Integration User will only have access to Account records where the "Send to [Integration]" checkbox is checked.