Securing Salesforce from unauthorised data-loads using API Access Control

blog

Securing Salesforce from unauthorised data-loads using API Access Control

As an Administrator, you might be hesitant to open up API access for your users, because they can use any tool (like Salesforce Inspector) to export and import data. Fortunately, there is a feature that allows you to whitelist apps such that only approved apps may be used by end users.

In this blog we will show you how to secure your Salesforce Org to limit data uploads, so only admin-approved mappings may be used by business users to load Excel data into Salesforce.

Step 1: Request the feature with Salesforce Support

The feature 'API Access Control' is not enabled by default in Salesforce orgs. So the first step is to create a Case with Salesfore to enable the 'API Access Control' feature.

Step 2: Before setting it up

Once the feature has been enabled by Salesforce, you can now find it in Setup. However, once you enable it, all API access will be blocked, so we will need to make sure first that normal operations can continue. For instance, administrators should be excempt from this new rule.

Administrator API Access

Ususallly, you want administrators to be able to use tools like Salesforce Inspector or Dataloader that also rely on the use of APIs. For these users, you should create a specific permissionset with the following system permission: Use Any API Client.

By assigning this permission to admins, they will be able to use the APIs without specific permission through connected apps.

SmartUpload API Access

Now in Setup navigate to Connected Apps OAuth Usage. Since you have already installed and used SmartUpload as an administrator, SmartUpload should be visible in the list. Click on the 'Install' button next to it:

With the connected app installed in your org, you can now link a new permissionset to allow users access to this app. This is done by creating a new Permissionset, navigate to 'Assigned Connected Apps' and add SmartUpload to the list:

Finally you can now assign the permissionset to all users that require access to SmartUpload.

Step 3: Enabling API Access Control

With all permissionsets now in place, you can safely enable the setting in Setup. Navigate to 'API Access Control' and check the first checkbox: "For admin-approved users, limit API access to only allowlisted connected apps".

This has an immediate effect on your Org, which means that any API call from a non-admin will be blocked. Make sure to test this thoroughly on sandbox environments before enabling it on production!

Effect of this setting on unauthorized tools

If a user does not have the 'Use Any API Client' permission, then he will get an exception when trying to access the Salesforce APIs. The following error is shown in Workbench:

And the following is shown when a user tries to use the Salesforce Inspector chrome extension:

For Business Users

For Admins

For IT Managers