Loading
Salesforce now sends email only from verified domains. Read More

Best Practices: Manage Integration and Security Users in CRM Analytics

Publish Date: Apr 30, 2026
Description


During enablement, Analytics generates an Integration User and Security User, along with associated licenses and profiles. These users are vital to the functionality of Analytics, as the permissions of the Integration User are used to extract data from Salesforce objects and fields when a dataflow job runs and the Security User sharing and security predicate functionality to control row visibility in datasets as well as Data Prep preview. Any changes to these Users may result in the above ceasing to function properly.

Note: Please review the Considerations before enabling CRM Analytics in addition to the details below when you configure the Analytics Cloud Integration and Security Users.

Special Considerations

The Integration and Security Users are locked down in several important ways:

  • Password cannot be reset
  • Login as (impersonation) cannot be granted
  • The user IDs integration@<orgid>.com and security@<orgid>.com are reserved Salesforce user IDs, and you must not create users that use these IDs.

These restrictions ensure that the only actions that these users can take are those driven by internal CRM Analytics processes and functionality.

Default Profile Settings

The Analytics Cloud Integration User Profile and Analytics Cloud Security User Profile are tied to the Analytics Integration User License. This license is provisioned as part of the Enable Analytics process and must not be disassociated from the Integration and Security Users.

By default, the Analytics Integration User Profile has the following permissions:
 

  • View All Data
  • Read and View All Records on all standard objects*
  • Read Access on Field Level Security for all standard fields*

Note: There are Objects, Fields, and Field Types that are unsupported. For details, please see Unsupported Salesforce Objects and Fields in CRM Analytics.

 

Customizing the Profile

Prior to making changes to the standard Analytics Integration User Profile, clone the profile and work in the cloned profile. You may also assign some permissions via Permission Set. This is in line with Salesforce Best Practices and will allow for recovery/repair if issues are encountered with the modification process.

You should not need to make any changes to the standard Analytics Security User Profile.

No Analytics Permission Set Licenses Needed

The Analytics Integration User and Security User do not need to be granted any Analytics-related Permission Set Licenses (i.e.: Sales Analytics Apps, Analytics Platform). They have all the access needed from the User License they are automatically provisioned with. Assigning an Analytics-related Permission Set License to the Integration or Security User will tie up a license that another user could be making use of and may cause problems if Analytics needs to be disabled and enabled in the future.
Resolution

Considerations for Customization of the Analytics Cloud Integration and Security User

 

  • Do not attempt to create a wholly new custom Integration User.
  • Do not change the User License associated with the Integration or Security User. Validation rules in the UI will prevent this change, but some changes can be done via API.
    • If you think your org is in this state, please contact Salesforce Support for assistance.
  • Because the Analytics Integration Profile has View All Data access, consider restricting access to particular objects and fields that contain sensitive data. Removing View All Data will result in query failures.
  • The Analytics Integration Profile includes a default set of permissions for all of the standard objects available on the platform. Depending on your data needs, Read and View All permission may need to be granted on custom objects.
  • Profile Filtering will impact the ability to sync the Profile object. If Profile Filtering is enabled, ensure the Analytics Cloud Integration User is granted the View All Profiles permission.
  • Field Level Security for custom fields will need to be granted through the profile or permission set.
  • Objects and Fields from Managed Packages may require specific permissions, licenses, or other access requirements be met before the Integration User can access those Objects and Fields. Contact the package creator for assistance granting access to the included assets.
  • Be aware of the Unsupported Salesforce Objects and Fields in CRM Analytics.
  • Preferences that impact user authentication can negatively impact the Integration and Security Users' functionality. This includes IP Ranges, Login Hours, and Two-Factor Authentication.
    • The potential impact of this is documented in Dataflow error: 'Queue wait time exceeded limit' or 'Job killed due to inactivity' in CRM Analytics.
    • If you choose to add IP ranges to the Integration or Security User profiles, please ensure that you have allowed the entire list of ranges noted in Salesforce IP Addresses and Domains to Allow. Failure to do so can result in job failures, interruptions during asset creation/customization, and other undesired behaviour.
    • Setting the “Session Security Level Required at Login” to "High Assurance" for the Integration or Security User may result in session or authentication errors.
    • Enabling "Enforce login IP ranges on every request" (in Setup | Security Controls | Session Settings | Require secure connections) in combination with IP Range restrictions on the Integration and Security User profile will block internal processes and result in a variety of problems, including IP Restriction errors during app creation, data management, and in other product areas. The following IP range covers internal Salesforce infrastructure. If IP Range restrictions are enabled on the Integration or Security User profile, this range must also be included to prevent job failures. 
      • 10.0.0.0/8 or 10.0.0.0 - 10.255.255.255
  • If you have API Access Control enabled, the Integration and Security Users will need to be granted the 'Use Any API Client' permission. For more information, refer to Restrict Access to APIs with Connected Apps.
  • If the dataflow is configured to extract data from an object or field on which the Integration User does not have visibility, read/view all records permission, or is unsupported then the dataflow job will fail.
Additional Resources

 

Related Resources

 

 

 

 

Knowledge Article Number

000384569

 
Loading
Salesforce Help | Article