Permission Concepts for User External Credentials
As a Salesforce admin, you must pay careful attention to security and permissions settings in your org. We recommend that you limit data access to the lowest level possible, while still allowing everyone to do their jobs. This strategy is known as the principle of least privilege. Whether you enable user external credentials via permission sets or profiles, follow this guidance to grant the appropriate access for each authentication protocol.
Required Editions
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Available in: all editions |
User external credential objects store the encrypted tokens that named credentials use to authenticate to external systems. To perform an authenticated callout, a user needs profile- or permission-set-based access to user external credentials. The tables below outline the permissions required for each authentication protocol and identity type. For more information about the authentication protocols, see Authentication Protocols for Named Credentials.
OAuth 2.0
| OAuth 2.0 Variant | Identity Type | Role | Access Level | Reason |
|---|---|---|---|---|
| | Named Principal | Users making callouts | Modify All Records | Users can make a callout using the access tokens entered by the admin. If a callout uses expired access tokens, the Modify All permission grants Salesforce access to retrieve refreshed tokens from the external system and update the external credential’s principal with the new tokens on behalf of the user making the callout. Users can’t access or update the named credential configuration in Setup. |
| | Per User Principal | Users making callouts | Read, Create, Edit, Delete | Each user can enter their credentials to authenticate to the external system, make callouts using the named credential, and revoke access, if needed. |
AWS Signature Version 4
| AWS Signature Version 4 Variant | Identity Type | Role | Access Level | Reason |
|---|---|---|---|---|
| Access Key and Secret | Named Principal | Salesforce admin | Read, Create, Edit, Delete | Only the admin can enter the access key and secret to authenticate to the external system or revoke access. |
| | | Users making callouts | View All Records | Users can make a callout using the access key and secret entered by the admin. The View All permission grants Salesforce access to the credentials for the external system on behalf of the user making a callout. Users can’t access the named credential configuration in Setup. |
| — | | Users making callouts | Modify All Records | Users can make a callout using the access tokens entered by the admin. If a callout uses expired access tokens, the Modify All permission grants Salesforce access to retrieve refreshed tokens from the external system and update the external credential’s principal with the new tokens on behalf of the user making the callout. Users can’t access or update the named credential configuration in Setup. |
Custom Authentication
The Custom authentication protocol supports only the Named Principal identity type. A named principal applies the same credential or authentication configuration for an entire org.
| Role | Access Level | Reason |
|---|---|---|
| Salesforce admin | Read, Create, Edit, Delete | Only the admin can enter access tokens or API keys to authenticate to the external system or revoke access. |
| Users making callouts | View All Records | Users can make a callout using the access tokens entered by the admin. The View All permission grants Salesforce access to the credentials for the external system on behalf of the user making a callout. Users can’t access the named credential configuration in Setup. |
Basic Authentication
| Identity Type | Role | Access Level | Reason |
|---|---|---|---|
| Named Principal | Salesforce admin | Read, Create, Edit, Delete | Only the admin can enter credentials to authenticate to the external system or revoke access. |
| | Users making callouts | View All Records | Users can make a callout using the credentials entered by the admin. The View All permission grants Salesforce access to the credentials for the external system on behalf of the user making a callout. Users can’t access the named credential configuration in Setup. |
| Per User Principal | Users making callouts | Read, Create, Edit, Delete | Each user can enter their credentials to authenticate to the external system, make callouts using the named credential, and revoke access, if needed. |
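As an added illustration (not from the Salesforce documentation), this is permission set metadata an admin could deploy to give callout users exactly the View All Records access the Basic Authentication named principal row above calls for, with the broader grants left off; the object API name UserExternalCredential and the permission set label are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: permission set for users who make callouts through a
     Basic Authentication named credential whose principal the admin entered.
     The label is a placeholder chosen for this example. -->
<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Callout Users - Basic Auth Named Principal</label>
    <objectPermissions>
        <!-- Callout users never enter or revoke the org-wide credential,
             so Create, Edit and Delete stay off (those belong to the admin). -->
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <!-- Modify All Records is only needed for the OAuth 2.0 named principal
             row, where Salesforce must write refreshed tokens back; granting it
             here would let callout users' sessions rewrite the stored credential. -->
        <modifyAllRecords>false</modifyAllRecords>
        <!-- Assumed API name of the User External Credentials object in Setup. -->
        <object>UserExternalCredential</object>
        <!-- View All Records lets Salesforce use the admin-entered credentials
             on the user's behalf; Read is selected alongside it. -->
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
</PermissionSet>
```

For a Per User Principal named credential, the same block would instead set allowCreate, allowEdit and allowDelete to true and viewAllRecords to false, matching the Read, Create, Edit, Delete row.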
JWT
| Identity Type | Role | Access Level | Reason |
|---|---|---|---|
| Named Principal | Users making callouts | Read | The Read permission grants users access to additional authentication parameters so that they can make callouts using the named credential. |
| Per User Principal | Users making callouts | Read | The Read permission grants users access to additional authentication parameters so that they can make callouts using the named credential. |
No Authentication
The No Authentication protocol supports only the Named Principal identity type. A named principal applies the same credential or authentication configuration for an entire org.
| Role | Access Level | Reason |
|---|---|---|
| Users making callouts | Read | The Read permission grants users access to additional authentication parameters so that they can make callouts using the named credential. |