function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Best Practice re Salesforce Security Framework - app access through API

Hi All,

What's the best way to structure the SF interface for an app to poll a SF user's data outside the browser session? For example, polling Contacts or Leads from an app partner website on a regular basis to check for new records. Apex may replace this functionality in the future, but until then, what to do?

Two issues arise:
1) An SF username and password are needed to establish a session, and the password needs to be passed to SF through the API in plaintext (any alternatives that I am not aware of?). So before the app can poll, it has to have a password in plaintext that it can use. SF users may balk (probably would) at giving away their password, especially if there is no protection against their other data that they don't want the app to access.
2) Sharing Rules may alleviate the problem. For example, create a Sharing Rule that gives access to the specific data - and no other. But can a user (administrator) give access through Sharing Rules to an app?

One possible solution may be to ask the user to create a 'proxy' user (through the administrator) with a username/password that can be more comfortably provided to the app so that it can do its job. Would this work?

Perhaps their is a 'best practice' that I am just not seeing here. What is the Salesforce recommended practice. Can anyone help?


Colin Goldberg

Mike LeachMike Leach

An asynchronous, polling app must store and encrypt a single API username and password.

Best practice is to create an API Profile in Salesforce with restricted logins to a static IP address and restricted access to objects.