Ben Koala
SAML, API Access, SOAP Service Access controls of portal users
I am having a situation for which I cannot find a clear answer.
I have portal users that can log in to their portal experience using SAML from an OpenSSO provider.
We would like to be able to call REST services via connected apps as those users.
I know we can get a bearer token from the SAML key so that is not a problem.
So here are the questions.
Is this correct: I cannot use the REST calls unless I “Enable API Access”?
Leading to the next questions.
If I “Enable API Access”, what access do they have to the SOAP interfaces?
Do they then have access to the Metadata or SOAP API? If so, can I block it?
There is a concern that someone could gain their token and then use the SOAP API to look at Apex code or object data. I know sharing rules can fix most of the problems, but we do have some special situations that could still be a problem.
Access to objects is still governed by object/field CRUD and Sharing Rules/Roles.
If you don't give them "Author Apex", they can't CHANGE code, but they could still potentially view it.