After September 10, 2014, only users who have the “API Enabled” profile permission turned on will have access to the identified connected apps, including:
This change may also affect a subset of connected apps created by our partners. For a complete list of those apps, please review the impacted apps list attached to this knowledge article. In the case of partner connected apps, we encourage you to contact the application provider for additional details on how this change may impact app behavior.
In October 2013, we introduced an updated API allowlisting program to allow salesforce.com and our partners to integrate certain apps with some Salesforce editions (Professional, Group and Contact Manager) that do not support API access. As part of that program, apps undergo a thorough security review and, if approved, are given an allowlisted client ID that identifies the app as an approved endpoint that can establish an API connection. [For more information on this API allowlisting program, please refer to our ISV documentation.]
During a routine product architecture review, we found that API calls originating from these approved endpoints were not following the “API Enabled” user permission for editions that do support API access (Enterprise, Unlimited, and Performance editions).
This behavior resulted in users being granted API access regardless of profile settings, creating the opportunity for them to have broader access than explicitly granted. We have no evidence that customers were negatively impacted by this behavior.
To address this issue and ensure that a user's access to data is consistent with the permissions you have enabled, we are now requiring these apps to respect profile permissions for all salesforce.com data APIs in the Enterprise, Unlimited, and Performance Editions.
As of September 10, 2014, the “API Enabled” profile permission must be turned on to ensure users can continue accessing these specific connected apps.
This enhancement only applies to apps that have been granted an allowlisted API client ID as part of our allowlisting program. The program was intended to let editions that do not support API access use API-dependent applications, like Salesforce mobile apps, through the granting of an allowlisted API client ID. For more details on the allowlisting program, please review this documentation: http://www.salesforce.com/us/developer/docs/packagingGuide/index_Left.htm#StartTopic=Content/dev_packages_api_access.htm
Apps that were not reviewed and allowlisted as part of the program are not affected by this change.
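The access decision described above can be modelled as a short added example (an illustration written for this page, not Salesforce's code) that compares the behaviour before and after the change and lists the users who lose access. The `Request` fields, the function names and the `org_api_addon` flag (standing in for a Professional or Group Edition org that has added API access) are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass

# Editions the article names as supporting API access.
API_EDITIONS = {"Enterprise", "Unlimited", "Performance"}

@dataclass(frozen=True)
class Request:
    user: str
    edition: str
    api_enabled: bool            # the user's "API Enabled" profile permission
    allowlisted_client: bool     # app presents an allowlisted client ID
    org_api_addon: bool = False  # assumed flag: PE/GE org that added API access

def org_supports_api(r: Request) -> bool:
    return r.edition in API_EDITIONS or r.org_api_addon

def allowed_before(r: Request) -> bool:
    """Defect described in the article: an allowlisted client ID was
    honoured without consulting the user's profile permission."""
    if r.allowlisted_client:
        return True
    return org_supports_api(r) and r.api_enabled

def allowed_after(r: Request) -> bool:
    """Corrected behaviour: where the org supports API access, the user's
    permission decides; elsewhere the allowlisted client ID still works."""
    if org_supports_api(r):
        return r.api_enabled
    return r.allowlisted_client

def newly_blocked(requests):
    """Users who had access before the change and lose it afterwards."""
    return [r.user for r in requests
            if allowed_before(r) and not allowed_after(r)]

# Constructed sample users, one per case the article distinguishes.
SAMPLE = [
    Request("alice", "Enterprise", api_enabled=True, allowlisted_client=True),
    Request("bob", "Enterprise", api_enabled=False, allowlisted_client=True),
    Request("carol", "Professional", api_enabled=False, allowlisted_client=True),
    Request("dave", "Professional", api_enabled=False, allowlisted_client=True,
            org_api_addon=True),
    Request("erin", "Unlimited", api_enabled=False, allowlisted_client=False),
]

if __name__ == "__main__":
    print(newly_blocked(SAMPLE))
```
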
We completed thorough testing of our client apps against this change. At this time, the known apps impacted by this enhancement are as follows:
A list of partner apps that will be impacted by this enhancement is attached to this knowledge article. We encourage you to contact the app provider to determine if a specific app is affected by this change.
At salesforce.com trust is our #1 value. With that in mind, we prioritized releasing this update to make users' access consistent with the permissions enabled.
Salesforce Mobile Apps:

| Scenario | Downloadable App for iOS; Mobile Publisher apps for iOS for Salesforce App or Experience Sites | Downloadable App for Android; Mobile Publisher apps for Android for Salesforce App or Experience Sites |
|---|---|---|
| When a user without API access tries to log in to… [Enterprise, Unlimited, and Performance Editions] | Login attempt fails. Users could see the following error messages: "You don't have access to the Salesforce mobile app. Ask your administrator to enable API access for you." OR "We couldn't establish a secure connection due to a network error. Check your network connectivity and try again. It is also possible that your org admin has not yet granted you the required permissions, please reach out to them." | Login attempt fails. Users could see the following error message: "You don't have access to the Salesforce Mobile app. Ask your administrator to enable API access for you." OR "We couldn't establish a secure connection due to a network error. Check your network connectivity and try again. It is also possible that your org admin has not yet granted you the required permissions, please reach out to them." |
| If a user is logged in to Salesforce mobile app and then their API access is disabled… [Enterprise, Unlimited, and Performance Editions] | When trying to navigate the app, the user will run into action-specific error messages that will indicate that he or she does not have the required permission enabled. | When trying to navigate the app, the user will run into action-specific error messages that will indicate that he or she does not have the required permission enabled. |
| Professional and Group** Editions | Will continue to work as before. | Will continue to work as before. |
| Contact Manager Edition | Will continue to work as before. | Will continue to work as before. |
| Chatter External User without API access*** | Login attempt fails. User is redirected to the login page. | Login attempt fails. User sees the following error message: "You don't have access to the Salesforce mobile app. Ask your administrator to enable API access for you." |
| Chatter Free OR Chatter Only user without API access | Login attempt fails. User sees the following error message: "You don't have access to the Salesforce mobile app. Ask your administrator to enable API access for you." | Login attempt fails. User sees the following error message: "You don't have access to the Salesforce mobile app. Ask your administrator to enable API access for you." |

*Please note that this behavior started with the release of version 6.1 for the downloadable apps for Android and iOS. Users with earlier versions of the downloadable apps saw the following generic error when attempting to perform API-dependent activities: “Oops, we encountered unexpected error, sorry”. Version 6.1 was addressed in a September 2014 release.
**Assumes standard Professional or Group Edition setup. For those PE & GE customers that have added API access, please review the question below pertaining to recommended action.
***Chatter External users with API Enabled will also see some change in behavior. Please review the question below pertaining to the revised user experience.
This change applies to the downloadable apps for iOS and Android devices and Salesforce Mobile Publisher apps for Salesforce app and Experience Sites for both iOS and Android. The mobile browser is not affected, as it does not rely on the same API architecture; however, accessing Salesforce from a phone's browser is not considered supported. Only access via iPad devices on the Safari browser with iOS v. 13 and above will render the Lightning Experience desktop UI. Chrome browser is not supported.
Salesforce for Outlook
Users working in Enterprise, Unlimited, and Performance editions on Salesforce for Outlook v2.3.0 and later will only be able to log in if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “API_Currently_Disabled: API is disabled for this user”.
For users who are already logged in when the change takes effect, records set to sync between Salesforce and Outlook will not sync, and users will not be able to access their settings from the system tray until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.
Users working in Enterprise, Unlimited, and Performance editions will only be able to log in to any versions of Connect for Outlook if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “Failed to login to Salesforce.com. An error occurred while attempting to contact Salesforce.com”.
For users who are already logged in when the change takes effect, records set to sync between Salesforce and Outlook will not sync until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.
Users working in Enterprise, Unlimited, and Performance editions will only be able to log in to any versions of Connect for Office if they have the “API Enabled” profile permission turned on. Users without access attempting to log in will see the following error message: “An internal server error has occurred while processing your request”. Please note that the error message will show the specific URL the user is attempting to connect to.
For users who are already logged in when the change takes effect, records set to sync between Salesforce and Office will not sync until their administrator turns on the “API Enabled” permission. The error message displayed will be specific to the inability to successfully complete the sync.
This update does not change the existing allowlisted connected app behavior for Group Edition or Professional Edition that have the “API Enabled” and “Customizable Profiles” permissions turned off (the default for these editions). If you have BOTH of those permissions turned on in your org, please follow the recommended actions as listed above.
I have Chatter External Users, with API access enabled, using the Salesforce downloadable app for Android. What change in behavior will they see?
If the ‘API Enabled’ permission is turned on, they will see the following changes:
000386343
