+ Start a Discussion
bluecapbluecap 

Custom Rest Service and Access to data via API

Hello,

Ive created a custom REST webservice within Salesforce.com. This webservice will be consumed by users from a 3rd Party website that register on that site with their Salesforce.com credentials. I would like to allow users to consume my custom webservice but do not want to give them free reign of all data they own via the Salesforce.com APIs in the process. This is due to the sensitivity of some of the information that we do not want to provide via the custom web service. So I could use some advice on how best to accomplish this, here's what I have done so far..

1. Ive created a Connected App that uses OAuth for authentication and allowing the following scopes..
  • Access your basic information (id, profile, email, address, phone)
  • Perform requests on your behalf at any time (refresh_token, offline_access)
2. Ive created a custom apex class that defines the REST service and given permission to this class to the proper profiles.

What steps do I need to perform to make sure the users only have access to the REST service and not all data?

Thank you for your help. All suggestions are appreciated!

I have created a Connected App so that the 
scottbcovertscottbcovert
Hi ForcedSum,

There is another route you could take to expose a custom REST endpoint through a Force.com site that is publicly available. In this way you can circumvent OAuth and instead use parameters in the HTTP request as an authentication method as you'll probably want to have some sort of method to verify that the person requesting to read/write to the database should have access. The Force.com Site will have a ghost user profile generated where you can set specific CRUD access and FLS settings as well. Here is some more information:

https://developer.salesforce.com/blogs/developer-relations/2012/02/quick-tip-public-restful-web-services-on-force-com-sites.html
bluecapbluecap
scottbcovert - thank you for the response and the suggestion. Unfortunately we won't be able to use this due to SEC regulations and our company's data. Have you used the ConnectAppPlugin class thats available with the Winter 15 release? Im guessing not, like most of us but thought I would ask.
scottbcovertscottbcovert
Hi ForcedSum,

No, I haven't had a chance to play with that yet. Have you actually verified that the users are able to access their Salesforce data from the 3rd party service via the app? I believe if you haven't granted them 'full' or 'api' access within the OAuth settings then you should be okay. Also, be sure that when you test API access from the 3rd party site you aren't simultaneously logged into Salesforce directly.