coling
Best Practice re Salesforce Security Framework - app access through API
Hi All,
What's the best way to structure the SF interface for an app to poll a SF user's data outside the browser session? For example, polling Contacts or Leads from an app partner website on a regular basis to check for new records. Apex may replace this functionality in the future, but until then, what to do?
Two issues arise:
1) An SF username and password are needed to establish a session, and the password needs to be passed to SF through the API in plaintext (any alternatives that I am not aware of?). So before the app can poll, it has to have a password in plaintext that it can use. SF users may balk (probably would) at giving away their password, especially if there is no protection against their other data that they don't want the app to access.
2) Sharing Rules may alleviate the problem. For example, create a Sharing Rule that gives access to the specific data - and no other. But can a user (administrator) give access through Sharing Rules to an app?
One possible solution may be to ask the user to create a 'proxy' user (through the administrator) with a username/password that can be more comfortably provided to the app so that it can do its job. Would this work?
Perhaps there is a 'best practice' that I am just not seeing here. What is the Salesforce recommended practice? Can anyone help?
Thanks
Colin Goldberg
An asynchronous, polling app must store and encrypt a single API username and password.
Best practice is to create an API Profile in Salesforce with restricted logins to a static IP address and restricted access to objects.