API Access Change for Connected Apps

With the current release, all users of approved connected apps must have the “API Enabled” profile permission turned on to allow access to all features.

In Winter ‘14 we introduced a program that allows specific approved, security-reviewed connected apps from Salesforce and our partners to integrate with Salesforce using a process that lets the connected app establish an API connection regardless of user profile settings. To ensure your users’ access to data is consistent with the permissions you have enabled, these apps will be required to respect user profile permissions for API access.

With this change, users who don’t have the “API Enabled” profile permission turned on will no longer be able to use the affected connected apps. The list of affected connected apps from Salesforce includes:
  • Salesforce1 downloadable apps for iOS and Android devices
  • Salesforce for Outlook
  • Connect for Outlook
  • Connect for Office
This change affects all Salesforce, Chatter, and Communities users. For the complete list of affected apps and expected changes in app behavior for different types of users, see the API Access Change for Connected Apps Knowledge article.

If you want your users to continue to have access to the affected connected apps, turn on the “API Enabled” permission. You can accomplish this through either a profile update or an appropriate permission set. Keep in mind that this will grant users API access to your organization and its data.

If you decide not to grant access, you should notify end users who do not have the “API Enabled” profile permission that they will not be able to use the affected connected apps.

If you are using an affected connected app developed by a Salesforce partner or ISV, you should contact the app provider for details on the potential impact. A list of affected partner connected apps is available in the API Access Change for Connected Apps Knowledge article.

Your data is protected by security tools in the application, including org-wide sharing settings, object-level security, and field-level security. This applies regardless of how users are accessing data, whether through the API or an application, to ensure that users don’t have improper access to data. For further information on application security settings, see Securing Data Access in the Salesforce Help.