Restrict Access to APIs with Connected Apps
You can use API Access Control to restrict users from accessing your Salesforce APIs, unless they’re pre-authorized through an approved connected app. Connected apps integrate external applications with Salesforce APIs. With API Access Control, you can lock down all connected apps’ access to Salesforce APIs and then approve (allowlist) specific connected apps. Using profiles and permission sets, you can then grant users access to an approved connected app. These users can access APIs through the connected app.
Required Editions

| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To read, create, update, or delete connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To update Profiles, Permission Sets, and Service Provider SAML Attributes: | Customize Application AND Modify All Data AND Manage Profiles and Permission Sets |
| To rotate the consumer key and consumer secret: | Allow consumer key and secret rotation |
| To install and uninstall connected apps: | Customize Application AND either Modify All Data OR Manage Connected Apps |
| To install and uninstall packaged connected apps: | Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps |
To enable this feature, request API Access Control from Salesforce Customer Support.
Salesforce creates connected apps for common Salesforce apps and automatically installs them in your org. It’s your responsibility to approve these connected apps and grant access to users.
- From Setup, in the Quick Find box, enter API Access Control, and then select API Access Control.
- Click Edit, and then select For admin-approved users, limit API access to only allowlisted connected apps.
  All connected apps that are installed in the org are set to the Admin approved users are pre-authorized Permitted Users policy. This policy limits access to users who have a profile or permission set that's assigned to the app. See Manage OAuth Access Policies for a Connected App.
  If you're working with a JWT bearer flow, the change in the UI is reflected in the API. With any other flow, when you enable the For admin-approved users, limit API access to only allowlisted connected apps org preference, the updated Permitted Users policies appear only in the UI. The org preference overrides the API but doesn't change it, so the new policies aren't written to ConnectedApplication objects. For example, even though the org preference sets all connected apps to Admin approved users are pre-authorized, the OptionsAllowAdminApprovedUsersOnly field on a ConnectedApplication object can still read as All users may self-authorize. Treat the Permitted Users policies in the UI as your source of truth, and don't audit this restriction from that field alone.
  With this org preference disabled, Permitted Users policies are the same in the UI and the API for all flows. For more information on accessing a connected app via the API, see the ConnectedApplication object in the SOAP API Developer Guide.
- To allow users of pages with Visualforce domains to override this limitation and access APIs, select Allow Visualforce pages to access APIs.
  Important: For this option to work, users must have the API Enabled user permission. This option allows API calls from Visualforce domains only; API calls from other domains are denied. If you don't select this option, users can't access Salesforce APIs through Visualforce domains, and client apps that call getSessionId() are denied access.
- Save your changes.
- Grant users access to a connected app by assigning them the profile or permission set that's assigned to the app. See Manage Other Access Settings for a Connected App.
  The connected app is now approved, and the users associated with the profiles or permission sets assigned to the connected app are pre-authorized.
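Because the OptionsAllowAdminApprovedUsersOnly field can lag behind the UI once the org preference is on, a script that audits the restriction from the API alone can report apps as open to self-authorization when they aren't. The following added example (not Salesforce code, and not from this page) takes the rows a SOQL query on ConnectedApplication returns, together with the state of the org preference, and derives the Permitted Users policy that actually governs each app. Name and OptionsAllowAdminApprovedUsersOnly are the ConnectedApplication fields named above; the query response, Id values and app names are constructed sample data, and every returned row is assumed to be an installed connected app.

```python
"""Derive the effective Permitted Users policy for each connected app.

Added example, not Salesforce code. Inputs: a ConnectedApplication query
response (constructed sample below) and whether the "For admin-approved users,
limit API access to only allowlisted connected apps" org preference is on.
"""
import json
from dataclasses import dataclass

ADMIN_APPROVED = "Admin approved users are pre-authorized"
SELF_AUTHORIZE = "All users may self-authorize"

# Constructed sample response, shaped like a REST query result for:
#   SELECT Id, Name, OptionsAllowAdminApprovedUsersOnly FROM ConnectedApplication
# Ids and app names are made up; every row is assumed to be an installed app.
SAMPLE_QUERY_RESPONSE = json.dumps({
    "totalSize": 3,
    "done": True,
    "records": [
        {"Id": "0H4000000000001AAA", "Name": "Salesforce for iOS",
         "OptionsAllowAdminApprovedUsersOnly": False},
        {"Id": "0H4000000000002AAA", "Name": "Nightly ETL (JWT bearer)",
         "OptionsAllowAdminApprovedUsersOnly": True},
        {"Id": "0H4000000000003AAA", "Name": "Partner Portal",
         "OptionsAllowAdminApprovedUsersOnly": False},
    ],
})


@dataclass(frozen=True)
class PolicyView:
    name: str
    api_policy: str        # policy the ConnectedApplication field reports
    effective_policy: str  # policy that actually governs user access
    api_is_stale: bool     # True when the two disagree


def effective_policies(query_response, api_access_control_enabled):
    """Return one PolicyView per connected app in the query response.

    With the org preference enabled, every installed app is governed by
    "Admin approved users are pre-authorized" regardless of what the
    OptionsAllowAdminApprovedUsersOnly field says, because the preference
    overrides the object without rewriting it. With the preference disabled,
    the field is authoritative.
    """
    if isinstance(query_response, str):
        query_response = json.loads(query_response)
    views = []
    for rec in query_response["records"]:
        api_policy = (ADMIN_APPROVED if rec["OptionsAllowAdminApprovedUsersOnly"]
                      else SELF_AUTHORIZE)
        effective = ADMIN_APPROVED if api_access_control_enabled else api_policy
        views.append(PolicyView(rec["Name"], api_policy, effective,
                                effective != api_policy))
    return views


def apps_open_to_self_authorization(query_response, api_access_control_enabled):
    """Apps any user could still self-authorize against: the ones to lock down."""
    return [v.name
            for v in effective_policies(query_response, api_access_control_enabled)
            if v.effective_policy == SELF_AUTHORIZE]


def stale_api_records(query_response, api_access_control_enabled):
    """Apps whose ConnectedApplication row contradicts the policy shown in the UI.

    A non-empty result is expected while the org preference is on; it is the
    reason not to audit the restriction from the API alone.
    """
    return [v.name
            for v in effective_policies(query_response, api_access_control_enabled)
            if v.api_is_stale]


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"API Access Control enabled={enabled}")
        print("  open to self-authorization:",
              apps_open_to_self_authorization(SAMPLE_QUERY_RESPONSE, enabled))
        print("  API rows disagreeing with UI:",
              stale_api_records(SAMPLE_QUERY_RESPONSE, enabled))
```

Run against a real response, the "open to self-authorization" list is the set of apps still needing an allowlist decision; the "disagreeing with UI" list is a reminder that, with the preference on, the UI, not the object, tells you which users are pre-authorized.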
Note: If you allowlist connected apps in your org and don't receive the expected scopes, take these steps:
- From Setup, in the Quick Find box, enter OAuth, and then select Connected Apps OAuth Usage.
- For the allowlisted connected app, click Block.
- For the allowlisted connected app, click Unblock.
After enabling this API Access Control restriction, you can approve additional connected apps.
- From Setup, in the Quick Find box, enter Connected Apps, and then select Connected Apps OAuth Usage.
- Under Actions, if Unblock is disabled, the connected app isn’t approved.
- To approve the connected app, install the app.
- Grant users access to the connected app.