
API Access Change for Connected Apps

Knowledge Article Number 000199627
Description

What is the change?

After September 10, 2014, only users who have the “API Enabled” profile permission turned on will have access to the identified connected apps, including:

  • Salesforce1 downloadable apps for iOS and Android devices

  • Salesforce for Outlook

  • Connect for Outlook

  • Connect for Office

For details on expected changes in behavior and specific error messages, please read through this article.

This change may also affect a subset of connected apps created by our partners. For a complete list of those apps, please review the impacted apps list attached to this knowledge article. In the case of partner connected apps, we encourage you to contact the application provider for additional details on how this change may impact app behavior.

 

Why is this change being made?

 

In October 2013, we introduced an updated API whitelisting program to allow salesforce.com and our partners to integrate certain apps with some Salesforce editions (Professional, Group and Contact Manager) that do not support API access. As part of that program, apps undergo a thorough security review and, if approved, are given a whitelisted client ID that identifies the app as an approved endpoint that can establish an API connection. [For more information on this API whitelisting program, please refer to our ISV documentation.]

During a routine product architecture review, we found that API calls originating from these approved endpoints were not following the “API Enabled” user permission for editions that do support API access (Enterprise, Unlimited, and Performance editions).

This behavior resulted in users being granted API access regardless of profile settings, creating the opportunity for them to have broader access than explicitly granted. We have no evidence that customers were negatively impacted by this behavior.
 

To address this issue and ensure that a user's access to data is consistent with the permissions you have enabled, we are now requiring these apps to respect profile permissions for all salesforce.com data APIs in the Enterprise, Unlimited, and Performance Editions.

As of September 10, 2014, the “API Enabled” profile permission must be turned on to ensure users can continue accessing these specific connected apps.
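The authorization gap described above, written out as an added illustration that is not Salesforce's own code: the old rule let a whitelisted client ID bypass the per-user "API Enabled" check in every edition, while the corrected rule makes that profile permission authoritative in editions that support the API. The edition names and permission come from this article; the profile and user records are constructed sample data, and the audit function is a hypothetical pre-change check an administrator might run against an export of their own org.

```python
# Added illustration (not Salesforce's code) of the rule this article describes.
# Edition names are from the article; the sample users/profiles are constructed.

API_EDITIONS = {"Enterprise", "Unlimited", "Performance"}
NO_API_EDITIONS = {"Professional", "Group", "Contact Manager"}


def allowed_before(edition, client_whitelisted, user_api_enabled):
    """Old behaviour: a whitelisted client ID granted API access in every
    edition, so the user's "API Enabled" profile permission was never consulted."""
    if client_whitelisted:
        return True
    return edition in API_EDITIONS and user_api_enabled


def allowed_after(edition, client_whitelisted, user_api_enabled, org_api_added=False):
    """Corrected behaviour: in editions that support the API (or a PE/GE org that
    has added API access) the profile permission decides; whitelisting only
    grants access in editions that have no API access of their own."""
    if edition in API_EDITIONS or org_api_added:
        return user_api_enabled
    return edition in NO_API_EDITIONS and client_whitelisted


def audit(edition, users, profiles, org_api_added=False):
    """Hypothetical pre-change check: return usernames that could use a
    whitelisted app before the change but will be blocked after it."""
    blocked = []
    for user in users:
        api_enabled = profiles[user["profile"]]          # "API Enabled" checkbox
        before = allowed_before(edition, True, api_enabled)
        after = allowed_after(edition, True, api_enabled, org_api_added)
        if before and not after:
            blocked.append(user["username"])
    return blocked


# Constructed sample data: profile name -> state of the "API Enabled" checkbox
SAMPLE_PROFILES = {"System Administrator": True, "Standard User": False}
SAMPLE_USERS = [
    {"username": "admin@example.invalid", "profile": "System Administrator"},
    {"username": "rep@example.invalid", "profile": "Standard User"},
]

if __name__ == "__main__":
    # Enterprise org: the Standard User profile lacks "API Enabled", so that
    # user loses access to the whitelisted app on September 10, 2014.
    print(audit("Enterprise", SAMPLE_USERS, SAMPLE_PROFILES))  # ['rep@example.invalid']
```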

 

Why does this issue only apply to a subset of connected apps?

This enhancement only applies to apps that have been granted a whitelisted API client ID as part of our whitelisting program. The program was intended to let editions that do not support API access use API-dependent applications, like the Salesforce1 mobile app, through the granting of a whitelisted API client ID. For more details on the whitelisting program, please review this documentation: http://www.salesforce.com/us/developer/docs/packagingGuide/index_Left.htm#StartTopic=Content/dev_packages_api_access.htm

Apps that were not reviewed and whitelisted as part of the program are not affected by this change.

 

Which Salesforce applications are affected by this change?

We completed thorough testing of our client apps against this change. At this time, the known apps impacted by this enhancement are as follows:

  • Salesforce1 downloadable apps for iOS and Android devices
  • Salesforce for Outlook
  • Connect for Outlook
  • Connect for Office
  • Chatter Desktop
  • Chatter Messenger (although not a connected app, it also requires the “API Enabled” profile permission to be turned on)

We do not have any evidence that other salesforce.com connected apps are affected.

 

Which partner and ISV applications are affected by this change?

A list of partner apps that will be impacted by this enhancement is attached to this knowledge article. We encourage you to contact the app provider to determine if a specific app is affected by this change.

 

Why are we being given limited notice of this change?

At salesforce.com, trust is our #1 value. With that in mind, we prioritized releasing this update to make users' access consistent with the permissions enabled.

 

Salesforce1 Mobile App

 

What new behavior can my Salesforce1 mobile app users expect to see with this change*?

Scenario | Downloadable App for iOS | Downloadable App for Android

Scenario: When a user without API access tries to log in to… [Enterprise, Unlimited, and Performance Editions]
  Downloadable App for iOS: Login attempt fails. User sees the following error message: "You don't have access to Salesforce1. Ask your administrator to enable API access for you."
  Downloadable App for Android: Login attempt fails. User sees the following error message: "You don't have access to Salesforce1. Ask your administrator to enable API access for you."

Scenario: If a user is logged in to Salesforce1 and then their API access is disabled… [Enterprise, Unlimited, and Performance Editions]
  Downloadable App for iOS: When trying to navigate the app, the user will run into action-specific error messages indicating that he or she does not have the required permission enabled.
  Downloadable App for Android: When trying to navigate the app, the user will run into action-specific error messages indicating that he or she does not have the required permission enabled.

Scenario: Professional and Group** Editions
  Downloadable App for iOS: Will continue to work as before.
  Downloadable App for Android: Will continue to work as before.

Scenario: Contact Manager Edition
  Downloadable App for iOS: Will continue to work as before.
  Downloadable App for Android: Will continue to work as before.

Scenario: Chatter External User without API access***
  Downloadable App for iOS: Login attempt fails. User is redirected to the login page.
  Downloadable App for Android: Login attempt fails. User sees the following error message: "You don't have access to Salesforce1. Ask your administrator to enable API access for you."

Scenario: Chatter Free OR Chatter Only user without API access
  Downloadable App for iOS: Login attempt fails. User sees the following error message: "You don't have access to Salesforce1. Ask your administrator to enable API access for you."
  Downloadable App for Android: Login attempt fails. User sees the following error message: "You don't have access to Salesforce1. Ask your administrator to enable API access for you."

 

*Please note that this behavior will start with the release of version 6.1 for the downloadable apps for Android and iOS. Users with earlier versions of the downloadable apps will see the following generic error when attempting to perform API-dependent activities: “Oops, we encountered unexpected error, sorry”. Version 6.1 is targeted for a September 2014 release. Date is subject to change.

**Assumes standard Professional or Group Edition setup. For those PE & GE customers that have added API access, please review the question below pertaining to recommended action.

***Chatter External users with API Enabled will also see some change in behavior. Please review the question below pertaining to the revised user experience.

 

What versions of Salesforce1 are impacted by this change?

This change applies to the downloadable apps for iOS and Android devices. The mobile browser app is not affected, as it does not rely on the same API architecture.

 

Salesforce for Outlook

What change in behavior can my users expect?

Users working in Enterprise, Unlimited, and Performance editions on Salesforce for Outlook v2.3.0 and later will only be able to log in if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “API_Currently_Disabled: API is disabled for this user”.

For users who are already logged in when the change takes effect, records set to sync between Salesforce and Outlook will not sync, and users will not be able to access their settings from the system tray until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.

Connect for Outlook

What change in behavior can my users expect?

Users working in Enterprise, Unlimited, and Performance editions will only be able to log in to any versions of Connect for Outlook if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “Failed to login to Salesforce.com. An error occurred while attempting to contact Salesforce.com”.

For users who are already logged in when the change takes effect, records set to sync between Salesforce and Outlook will not sync until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.

 

Connect for Office

What change in behavior can my users expect?

Users working in Enterprise, Unlimited, and Performance editions will only be able to log in to any versions of Connect for Office if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “An internal server error has occurred while processing your request”. Please note that the error message will show the specific URL the user is attempting to connect to.

For users who are already logged in when the change takes effect, records set to sync between Salesforce and Office will not sync until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.

 

I am a Group Edition or Professional Edition customer. How does this change impact me?

This update does not change the existing whitelisted connected app behavior for Group Edition or Professional Edition orgs that have the “API Enabled” and “Customizable Profiles” permissions turned off (the default for these editions). If you have BOTH of those permissions turned on in your org, please follow the recommended actions as listed above.

 

I have Chatter External Users, with API access enabled, using the Salesforce1 downloadable app for Android. What change in behavior will they see?

If the “API Enabled” permission is turned on, they will see the following changes:

  • Users may be presented with the error message "No Recently Viewed Items" when trying to review their list of Groups, Archived Groups, etc. This list is not displayed because the Most Recently Used (MRU) list is unavailable for these users. Impact should be minimal given that the vast majority of External Users only belong to a single group. The recommended workaround is to use the app menu to access groups. Our Technology team will look to implement more descriptive error messages for the next Android app update.

  • For Android users making a new post, using the Person+ icon (used to add an @mention) will not work. Instead, use the @mention feature within the text editor to reference a team or person as you would on Salesforce desktop.

 

How can I get further information on salesforce.com's recommended data security practices?

To learn more about security, we encourage you to review our documentation on securing data access or utilize the instructional Salesforce Security Workbook to see relevant tutorials.

How to turn on the "API Enabled" permission at the Profile level:

1. Standard profile user interface: Go to Your Name | Setup | Manage User | Profiles | Profile Name | Click Edit | Scroll down to Administrative Permissions. Check the box next to "API Enabled".

2. If using the Enhanced Profile User Interface: Go to Setup | Manage User | Profiles | Profile Name | System Permissions | Edit. Check the box next to the "API Enabled" permission name.





Attachments:
  Impacted Connected Apps List.xlsx (14KB)
