Integration User
A dedicated Salesforce user account created specifically for API integrations with external systems, typically assigned an Integration license and configured with the minimum permissions required for the integration's data access needs.
Definition
A dedicated Salesforce user account created specifically for API integrations with external systems, typically assigned an Integration license and configured with the minimum permissions required for the integration's data access needs.
In plain English
“An Integration User is a dedicated Salesforce user account created specifically for API integrations with external systems. It's not tied to a real human; it's a service account with the minimum permissions needed for the integration to do its job.”
Worked example
Loomis Logistics' integration to its NetSuite ERP runs over MuleSoft, which authenticates into Salesforce as an Integration User named svc.netsuite.sync@loomis.io. The Integration User has a Salesforce Integration license, a profile with the minimum permissions needed (read/write on Order and OrderItem, read on Account and Product, no access to anything else), and a long-lived OAuth refresh token. When MuleSoft writes 5,000 Orders an hour, all the writes appear under svc.netsuite.sync's name - clearly distinguishable from human user activity in audit logs, and revocable in seconds if the integration token leaks.
Why Integration User matters
An Integration User is a dedicated Salesforce user account created specifically for API integrations with external systems. Rather than using a real human user's credentials (which is fragile and a security risk), the integration uses a service account configured with exactly the permissions it needs for its work. Integration users are typically assigned an Integration User license (a special license type for integrations, often included in the org) and configured with a custom profile granting only the necessary object and field permissions.
Using dedicated integration users is a security and operational best practice because it isolates integration access from human user access. If a human user leaves the company, their account can be deactivated without breaking integrations. If an integration is compromised, only its specific permissions are at risk. Salesforce has tightened integration user requirements in recent releases, making the dedicated Integration User license the recommended approach. Mature integrations follow least privilege carefully, granting only the access the integration actually needs.
How organizations use Integration User
Uses a dedicated integration user for each external system integration, with custom profiles granting only the necessary permissions.
Deactivated several human user-based integrations after a leaver caused production outages, replacing them with proper integration users.
Audits integration user permissions quarterly to ensure least privilege is maintained as integrations evolve.
Trust & references
Straight from the source - Salesforce's reference material on Integration User.
- Give Integration Users API Only AccessSalesforce Help
- Salesforce Integration User License (API Only)Salesforce Help
Test your knowledge
Q1. What is an Integration User?
Q2. Why use dedicated integration users?
Q3. What's a best practice for integration user permissions?
Discussion
Loading discussion…