Loading

CRM Analytics Integration User: Session Security Level, Freeze Restriction, and Permission Requirements

Publish Date: May 26, 2026
Description

CRM Analytics creates two internal users when it is enabled: the Analytics Cloud Integration User and the Analytics Cloud Security User. Certain administrative actions on these users — including freezing, deactivating, or applying org-wide session security policies — cause dataflow and recipe failures that can be difficult to diagnose. This article explains the restrictions that apply to these users and documents configuration steps that are not available in standard product documentation.

Causes

Session Security Level Set Too High

In orgs that enforce a high-assurance session security policy (Setup > Session Settings), the Analytics Cloud Integration User’s session may be classified as standard assurance even though the org policy requires high assurance. This causes all dataflow and recipe jobs to fail with permission-like errors because the Integration User’s session is rejected before it can access Salesforce data.

Integration User Is Frozen or Deactivated

Administrators sometimes freeze the Integration User as part of a user audit or security review. Freezing or deactivating the Integration User immediately stops all data sync, dataflow, and recipe jobs from running. Errors surface in the Jobs Monitor as permission failures or silent job aborts.

Integration User Missing Object or Field Permissions

The Integration User must have read access to every Salesforce object and field referenced in a dataflow or recipe. If an object’s profile permissions or FLS settings are changed — for example, after a package upgrade or a security review tightens FLS — the Integration User loses access and dataflow jobs begin failing for those fields or objects.

Resolution
Step 1: Set the Integration User session security level to None

This step is required in orgs with high-assurance session policies and is the most common fix for Integration User-related dataflow failures.

  1. In Setup, enter Users in the Quick Find box and select Users.
  2. Locate the Analytics Cloud Integration User.
  3. Click the user’s name to open the user record.
  4. Click Edit.
  5. In the Session Security Level Required at Login field, select None.
  6. Click Save.
  7. Rerun the failing dataflow or recipe job to confirm the issue is resolved.
Repeat this step for the Analytics Cloud Security User if dataflow failures persist after updating the Integration User.
Step 2: Do not freeze or deactivate the Integration User

The Analytics Cloud Integration User and Analytics Cloud Security User cannot be frozen or deactivated. If you have frozen the Integration User as part of a user audit, unfreeze it immediately from Setup > Users. Password resets and login impersonation are also restricted for this user type — these actions are not supported paths.

Freezing the Integration User stops all CRM Analytics data sync silently. There is no immediate error in the UI — failures only appear when the next scheduled dataflow or recipe run attempts to execute.
Step 3: Verify field-level security for the Integration User profile

For each object referenced in a failing dataflow or recipe:

  1. Go to Setup > Object Manager and open the relevant object.
  2. Select Fields & Relationships and click the affected field.
  3. Click Set Field-Level Security.
  4. Ensure the Analytics Cloud Integration User profile has Read access to the field.
  5. Save changes, then rerun the dataflow or recipe.
FAQ

Can I use a custom user instead of the default Integration User?

Yes. CRM Analytics supports custom integration users. However, a custom user requires the full permission set assignment to be maintained manually, including after sandbox refreshes. The default Integration User is recommended for most orgs. See KB article 000382200 for details on resolving issues with custom integration users.

My dataflow was working last week. Nothing changed. Why is it failing now?

Common causes include: a recent package upgrade that changed FLS on a synced object; an org-wide session policy change; a user audit that froze the Integration User; or a sandbox refresh that reverted Integration User settings. Check the Jobs Monitor for the specific error message and cross-reference with the steps above.

Why can’t I reset the Integration User’s password?

Password resets are blocked for the Analytics Cloud Integration User and Security User because these are system-managed users. Salesforce Support cannot reset these passwords either. If you believe there is an issue with how these users are functioning, contact Salesforce Support with your org ID and the specific error from the Jobs Monitor.

Knowledge Article Number

005385258

 
Loading
Salesforce Help | Article