There’s been a big buzz across the ecosystem about the release of free Salesforce Integration user licenses. But what does this new license type mean for you and can you use them with your Gearset account?
What are Salesforce Integration user licenses?
As of March 2023, Salesforce introduced Integration user licenses designed to give API access only for users that manage system-to-system integrations. This means users with this license type can’t access the org directly and view Salesforce data in the user interface. They can only interact with the org through the Salesforce APIs.
Why assign a Salesforce Integration user license?
In line with the principle of least privilege, it’s recommended to have one user per integration. By having an individual user for each integration, their permissions can be as limited as possible. Users that are assigned the new Salesforce Integration user license will have stripped-back permissions by default and can then be given any necessary additional access to only the data needed for that specific integration.
But assigning an Integration user license isn’t just useful for limiting access. Having a dedicated user per integration point helps with traceability, given that any issues can be tracked to an individual integration and user quickly. This makes troubleshooting easier, instead of trying to untangle an issue caused by a user who has access to, and manages, multiple integrations.
What are the benefits of Integration user licenses?
With such restricted access and trackability, the security benefits for Integration user licenses are huge. But there’s another key benefit that makes them an appealing choice to assign — the cost.
If you’re using Performance, Enterprise, or Unlimited edition orgs, then you’ll have access to five Integration user licenses free of charge. In Developer orgs, one free license will be available. Any additional licenses can be added for a small monthly cost, making them a much cheaper solution than assigning a full Salesforce license to each integration user who won’t need that level of access.
How to assign an Integration User License
Log into your Performance, Enterprise, Unlimited or Developer edition org.
Via Service Setup, navigate to Settings > Company Settings > Company Information to see how many Salesforce Integration licenses are available under User Licenses.
To assign to an existing user, navigate to Administration > Users > Users and press Edit next to the user you want to assign this license type to. Salesforce Integration should be available under the User License field.
If you’re creating a new user, follow the same path of Administration > Users > Users and press New User. Salesforce Integration will be available for assignment on the User License field.
Once the license is assigned, you can begin to add any additional permissions the user may need. With a Salesforce Integration user license assigned, both the Salesforce API Only System Integrations profile as well as the Salesforce API Integration permission set become available for that user.
Using Gearset with Salesforce Integration user licenses
Users have reached out asking if they can use this license type with their Gearset account, so our DevOps Architects got on the case and began testing out the new capabilities of the Salesforce Integration licenses.
It turns out it’s possible to use Gearset with the Salesforce Integration user licenses, but there is a caveat. Gearset typically only requires users to have the ‘Modify All Data’ permission — with the new license type, a more detailed permission set is needed to get the integration functioning as expected.
To extend the user’s access you need to use permission sets, because the profile associated with Integration licenses can’t be edited — but, given the migration from profiles to permissions, this is best practice anyway.
You’ll need the following permissions as a minimum:
- Modify Metadata Through Metadata API Functions
- Customize Application
This should allow you to validate and deploy edits to standard/custom objects and fields.
But you won’t be able to deploy most other metadata types, such as new or updated permissions or custom items like Flows and Apex. Attempting to deploy other metadata types will usually give the following errors:
insufficient access rights on cross-reference id (line:XXX) or
not available for deploy for this organization.
In order to deploy other metadata types, you’ll need to go into the permission set and find the associated tickbox for the metadata type you’re trying to deploy. For example, ‘Manage Flows’ is needed to deploy flows successfully or ‘Author Apex’ for Apex deployments.
While it’s possible to deploy through Gearset with Salesforce Integration user licenses, it’s important to note that we haven’t tested all metadata types. It might not be possible to migrate all the metadata types that Gearset typically supports when using integration licenses — you would need to test your specific metadata filter to assess whether the Integration user license can support the metadata you’re trying to deploy.
Keep in mind that extending permissions for a user with the Salesforce Integration license is contrary to best practice. As we looked at above, the main advantage of integration licenses is the enhanced security of keeping the user permissions stripped down to only the permissions needed in order for the integration to function. Enabling widespread permissions for every integration user is contrary to what these licenses were designed for, so isn’t something we recommend.
The comprehensive platform for Salesforce DevOps
With a standard user license, you can experience the full breadth of Salesforce DevOps functionality that Gearset has to offer, from click-driven deployments to data backup and automation pipelines. To try it for yourself, you can start a free 30-day trial now with nothing to install in your orgs.