Justin Ruck

Stop Access To Account Object for API User

My company has an API connection to an external system which updates SFDC nightly.  How can I turn off its access to the Account object?

The external system is sending incorrect information to the Account object.  Unfortunately, the administrator on the external system has no idea how to change the settings on her side.  So, I want to just turn off the access to that.  I want to keep the other integrations to other objects, though.

I've gone through the profile, which is a custom profile specifically for API.  I changed all settings for Accounts to read-only.  I checked the sharing settings, and there's nothing shared with that profile or a group that the API user is in.  But, it's still somehow able to update Accounts.  

All Answers

Andy Boettcher
Does that profile have the "Modify All Data" checkbox on?
Justin Ruck
No.  What it does have is "API Enabled", "Api only user", "Password never expires", "Chatter Internal User", and "View Help Link". 
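An audit script for the question above (an added example, not posted by anyone in this thread): run as Execute Anonymous, it lists every profile or permission set that gives the integration user "Modify All Data" or write access to Account. The username is a constructed placeholder.

```apex
// Added example. Replace the placeholder with the integration user's username.
String integrationUsername = 'integration.user@example.com'; // constructed placeholder

User u = [SELECT Id FROM User WHERE Username = :integrationUsername LIMIT 1];

// All permission sets assigned to the user. The profile is included here too,
// because every profile is backed by a permission set (IsOwnedByProfile = true).
Set<Id> permSetIds = new Set<Id>();
for (PermissionSetAssignment psa : [
        SELECT PermissionSetId FROM PermissionSetAssignment
        WHERE AssigneeId = :u.Id]) {
    permSetIds.add(psa.PermissionSetId);
}

// System permission that overrides object-level settings.
for (PermissionSet ps : [
        SELECT Label, IsOwnedByProfile, Profile.Name
        FROM PermissionSet
        WHERE Id IN :permSetIds AND PermissionsModifyAllData = true]) {
    String source = ps.IsOwnedByProfile
        ? 'profile ' + ps.Profile.Name
        : 'permission set ' + ps.Label;
    System.debug('Modify All Data granted by ' + source);
}

// Object-level write grants on Account, from the profile or any permission set.
for (ObjectPermissions op : [
        SELECT Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name,
               PermissionsCreate, PermissionsEdit, PermissionsDelete,
               PermissionsModifyAllRecords
        FROM ObjectPermissions
        WHERE ParentId IN :permSetIds AND SobjectType = 'Account'
          AND (PermissionsCreate = true OR PermissionsEdit = true
               OR PermissionsDelete = true OR PermissionsModifyAllRecords = true)]) {
    String source = op.Parent.IsOwnedByProfile
        ? 'profile ' + op.Parent.Profile.Name
        : 'permission set ' + op.Parent.Label;
    System.debug('Account write access from ' + source
        + ' (create=' + op.PermissionsCreate
        + ', edit=' + op.PermissionsEdit
        + ', delete=' + op.PermissionsDelete
        + ', modifyAll=' + op.PermissionsModifyAllRecords + ')');
}
```

If both loops print nothing, the user has no declarative write access to Account, and the updates are coming through code or automation that does not enforce the user's object permissions.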
buyan thyagarajan
Hi Justin,
You might want to check the last modified user which is updating the account and verify what profile is being used to update the account. You can make Account private in the org-wide settings, but this might have a major impact on others. Do you know how the external system is making the API call? Do you know why the account data is updated wrongly by the night batch?
Buyan
Justin Ruck
The integration user was the last modified user.  Account is already set as private.  I do not know how the external system is making the API call, and neither does the admin for the external system.  The account data is being updated with old data, so even if there's an update in the external system or SFDC, the external system still pushes old data.  Again, the admin on the external system has no idea and the person who set it up previously is now gone, and she is not very technical.  I'm trying to control it on the SFDC side by blocking write access to Accounts.
buyan thyagarajan
Justin,
Can you send me your contact information to my email id buyan@eigenx.com and I can see if I can call you to resolve this issue? I am assuming that there is custom code on the external application which is updating your accounts which will bypass all your security rules. So to avoid this, one thing you can do is if you have external ids on the account which the external application uses to reference the account, you can update the external ids in Salesforce to a non-matching value so that the accounts will not be matched at all and updates are not done.
If you don't use external ids and the external application has the account ids, then if somebody can get to the table which the external application uses and update the account ids to null, it would not impact your current account ids. Feel free to reach out to me and I can explain this further.
Thanks
Buyan
This was selected as the best answer
Justin Ruck
I just accepted your LinkedIn invite, so you should have my contact information now.

We do have external IDs.  What I do know is that the external system creates new accounts if one doesn't already exist in SFDC.  For instance, if the external system created company A with the external ID 123, going forward it looks at that external ID and just updates company A.  But if company A exists with external ID 123, and we remove the external ID, then the external system would say that company A doesn't exist in SFDC and it will create the account again and assign another external ID.  Then, we'd have duplicates.
Ashish Dev
Justin,

I think there must be some webservice methods which are being invoked from the external system.
Try to find that class and make that class "with sharing"; in this way the user (used by the external system) won't be able to access account records which are not shared with him.

I am a supporter of global switches to be kept for on/off functionality in code. :-)
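A sketch of what such a web service class can look like once it respects the calling user's access (an added example, not code from this thread or from the org being discussed). Apex runs in system context by default, so a profile set to read-only on Account does not stop an `update` in custom code; `with sharing` adds record-level sharing, and the object and field permission checks have to be written explicitly. The class name, URL mapping and the `External_Id__c` field are hypothetical.

```apex
// Added example. AccountSyncService, the URL mapping and External_Id__c
// are hypothetical names used for illustration.
@RestResource(urlMapping='/accountSync/*')
global with sharing class AccountSyncService {

    @HttpPatch
    global static String updateAccount(String externalId, String name) {
        RestResponse res = RestContext.response;

        // Apex does not enforce object or field permissions on its own,
        // so reject the call when the user's profile/permission sets
        // do not allow editing Account or the Name field.
        if (!Schema.sObjectType.Account.isUpdateable()
                || !Schema.sObjectType.Account.fields.Name.isUpdateable()) {
            res.statusCode = 403;
            return 'Calling user has no edit access to Account';
        }

        // "with sharing" restricts this query to records the calling
        // user can see under the org's sharing rules.
        List<Account> matches = [
            SELECT Id FROM Account
            WHERE External_Id__c = :externalId
            LIMIT 1
        ];
        if (matches.isEmpty()) {
            res.statusCode = 404;
            return 'No visible Account for that external ID';
        }

        matches[0].Name = name;
        update matches[0];
        return matches[0].Id;
    }
}
```

With this check in place, setting Account to read-only on the API profile is enough to make the endpoint return 403 for the integration user while its access to other objects stays untouched.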
Justin Ruck
I just found the process that was running that was updating with incorrect information.  Thanks all for your willingness to help and the information.