Print this page

API Only User permission was set on Profile or Permission Set, causing login issues

Knowledge Article Number 000003819

The only Profile with the "Manage Users" permission has accidentally set the "API Only User" permission and unable to login to Salesforce using the User Interface.

This prevents the System Administrator from logging into Salesforce using the User Interface.  They will receive a generic "Insufficient Privileges" error.  

This problem can occur in one of two ways:

1. The "API Only User" perm has been set at the profile level, for the only Sys Admin profile in an org

2. A Permission Set has been assigned at the User level, to the only Sys Admin user in an org


If the User who has API Only User Permission checked, then Un-check the permission “API Only User” on the Profile or Permission set and then the user will not receive "Insufficient Privileges error" while logging.
Below is the Click Path:
1) Login as System Admin
2) Go to the affected User profile | Click Edit next to the user profile | Under Administrative Permissions Uncheck the checkbox for 'API User' Only Permission | Click on Save. 
Click on Setup | Manage User | Permission set | Click on Profile and un-check the 'API User Only' Permission checkbox > Click on Save.

The steps below can be used to fix this issue when "API Only User" has been set at the profile level using Data Loader:


Step 1. Login using the Data Loader.
Step 2. Export the Profile object.
Step 3. Update the "PERMISSIONSAPIUSERONLY column with False for your Profile.
Step 4. Perform the update.

You will now be able to login through the User Interface.

NOTE: If the customer only has access to a Mac machine, then the same steps can be done using Data Loader for Mac using the same steps above.

If the root cause of the login issue is because of a Permission Set assignment, then the steps below are the easiest to use to resolve this issue.  The reason the Workbench is proposed below, is because single row updates can be done directly in the UI from query results, which avoids the need from having to use a csv file to do the update on the Permission Set(s) needed. That said, DataLoader can be used as well if desired.

1. Login to the workbench here:

2. Locate the permission set(s) that currently have PermissionsApiUserOnly = TRUE by selecting, Jump to: SOQL Query | Object: PermissionSet and click Select. Paste the following query into the "Enter or modify a SOQL query below:" field and then click Query:

SELECT Id, Label, PermissionsApiUserOnly FROM PermissionSet WHERE PermissionsApiUserOnly = TRUE

3. Move your mouse cursor over the affected permission set's Id in the query result list and select the Update option in the corresponding "Choose an action:" hover menu.

Note: If you are unsure which permission set is assigned to the affected user(s):

A) Use the query in Step 2 but select View as: List and click Query to generate a list of the permission sets. Copy and paste the list into Excel for use later on.

B) Then paste the following Query into the "Enter or modify a SOQL query below:" field to generate a list of User Ids and Names:


C) Locate an affected User's Id in the query results and copy it down. Replace <UserIdHere> with the affected User's Id in the following query to generate a list of permission sets assigned to that user.

SELECT PermissionSetId FROM PermissionSetAssignment WHERE AssigneeId = '<UserIdHere>'

D) Cross reference the permission set Ids listed in your Excel file from step A) with those listed in the query results from step C) to identify which permission set Id exists in both locations. Once the PermissionSet Id has been identified follow Step 3.

4. On the corresponding Update page locate the field, "PermissionsApiUserOnly" and change the value from true to false. Scroll to the bottom of the page and click the "Confirm Update" button.
If done correctly, this should remove the "API Only User" perm from the Permission Set assigned to the user, and they should now be able to login to the normal UI.

Note: If there are multiple Permission Sets that have "API Only User" set to "true", the steps above will have to be repeated for each unique Permission Set ID.




promote demote