API Only User permission was set on Profile or Permission Set, causing login issues
Knowledge Article Number: 000003819
The only Profile with the "Manage Users" permission has accidentally had the "API Only User" permission set, and its users are unable to log in to Salesforce using the User Interface.
1. The "API Only User" permission has been set at the profile level, for the only Sys Admin profile in an org.
If the User has the "API Only User" permission checked, uncheck the "API Only User" permission on the Profile or Permission Set. The user will then no longer receive the "Insufficient Privileges" error while logging in.
Step 1. Log in using the Data Loader.
You will now be able to log in through the User Interface.
NOTE: If the customer only has access to a Mac machine, the same steps above can be done using Data Loader for Mac.
1. Log in to Workbench here: https://workbench.developerforce.com/login.php
2. Locate the permission set(s) that currently have PermissionsApiUserOnly = TRUE: select Jump to: SOQL Query | Object: PermissionSet and click Select. Paste the following query into the "Enter or modify a SOQL query below:" field and then click Query:
SELECT Id, Label, PermissionsApiUserOnly FROM PermissionSet WHERE PermissionsApiUserOnly = TRUE
3. Move your mouse cursor over the affected permission set's Id in the query result list and select the Update option in the corresponding "Choose an action:" hover menu.
Note: If you are unsure which permission set is assigned to the affected user(s):
A) Use the query in Step 2 but select View as: List and click Query to generate a list of the permission sets. Copy and paste the list into Excel for use later on.
B) Then paste the following Query into the "Enter or modify a SOQL query below:" field to generate a list of User Ids and Names:
SELECT Id, Name FROM User
C) Locate an affected User's Id in the query results and copy it down. Replace <UserIdHere> with the affected User's Id in the following query to generate a list of permission sets assigned to that user.
SELECT PermissionSetId FROM PermissionSetAssignment WHERE AssigneeId = '<UserIdHere>'
D) Cross reference the permission set Ids listed in your Excel file from step A) with those listed in the query results from step C) to identify which permission set Id exists in both locations. Once the PermissionSet Id has been identified follow Step 3.
4. On the corresponding Update page locate the field, "PermissionsApiUserOnly" and change the value from true to false. Scroll to the bottom of the page and click the "Confirm Update" button.
If done correctly, this should remove the "API Only User" permission from the Permission Set assigned to the user, and they should now be able to log in to the normal UI.
Note: If there are multiple Permission Sets that have "API Only User" set to "true", the steps above will have to be repeated for each unique Permission Set ID.
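The Excel cross-reference in steps A) through D) can be collapsed into a single query by filtering PermissionSetAssignment on its parent PermissionSet. The SOQL below is an added example, not part of the original article. It assumes the standard PermissionSet relationship on PermissionSetAssignment and the IsOwnedByProfile and Profile fields on PermissionSet, where a row with IsOwnedByProfile = true is the permission set that backs a profile rather than a standalone permission set.

```sql
-- SOQL (added example). Run each query on its own in Workbench.
-- Lines starting with "--" are annotations for this example only and
-- must not be pasted into the query field along with the query.

-- Query 1: the API-only permission sets assigned to one affected user.
-- '<UserIdHere>' is the same placeholder used in step C).
SELECT PermissionSetId,
       PermissionSet.Label,
       PermissionSet.IsOwnedByProfile,
       PermissionSet.Profile.Name
FROM PermissionSetAssignment
WHERE AssigneeId = '<UserIdHere>'
  AND PermissionSet.PermissionsApiUserOnly = TRUE

-- Query 2: every active user currently assigned an API-only permission set,
-- useful for confirming nobody else is locked out of the UI after the fix.
SELECT Assignee.Name,
       Assignee.Username,
       PermissionSetId,
       PermissionSet.Label,
       PermissionSet.IsOwnedByProfile
FROM PermissionSetAssignment
WHERE PermissionSet.PermissionsApiUserOnly = TRUE
  AND Assignee.IsActive = TRUE
ORDER BY PermissionSet.Label, Assignee.Name
```

Each PermissionSetId returned by the first query is an Id to update as described in Steps 3 and 4. After the update, the second query should no longer list the affected user.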