1
votes

I am able to get a refresh token and an access token for an admin in Salesforce. My question is: similar to Microsoft, will I be able to access all the users and their data inside the same organization/tenant using this token? I am not sure whether Salesforce has written this anywhere in their documentation. I have already implemented APIs for Microsoft (there we have Application permissions); there I was using the client_credentials flow and can access all users and their data using the admin token, but I am not sure about Salesforce. Does Salesforce have any application permission concept? Please help me with it.


1 Answer

1
votes

Oh man. "Ogres have layers".

No, it's not guaranteed, even if you have access to System Administrator. (The actual profile name doesn't matter; it's all about checkboxes ticked like "Modify All Data".) Even with MAD there might be fields the admin can see in the UI but you won't be able to pull them via the API until the admin's profile is fixed. And then there's OAuth2 on top of that.

1st line of defense is "can you see this table in the database at all"; that's controlled at the Profile/Permission Set level.

2nd line is "OK, but can you see / edit / delete this particular record in the table". That can be granted with Modify All Data, record ownership, sharing rules, role hierarchy...

3rd line is "OK, so which particular fields in this record can you see/edit". That's back to Profiles/Permission Sets and field-level security (FLS). The SF UI is somewhat relaxed with it for sysadmins, but FLS is enforced in the REST API (don't remember about the SOAP API). So MAD is not enough; your SF admin must pay attention and check, tick tick tick all the checkboxes... If you query a field you're not supposed to see, the error is the same as if you had made a typo or the field genuinely didn't exist.

If you were using the SOAP API or the OAuth2 username-password flow, this might be the end of it. But as you're using a different flow and getting refresh tokens, OAuth2 scopes come on top of that.

Let's say you made an amazing mobile app and you allow logging in to it with Salesforce. How much do you need to do with the SF user's data, and how much are they going to consent to? Basic info about the user, email, maybe posting something on the Chatter feed - sure. Full access to the database - no way. OAuth scopes limit what the connecting app can do even if it's a sysadmin accessing it. If all you got is Chatter and OpenID user info, you'll get a session id in your app all right, but you won't be able to elevate it and run queries on Accounts, Contacts etc.

It's a huge topic, and part of it is asking Google the right questions. A paranoid organisation might have user permissions set to sysadmin-like when they log in from the office network/VPN but limited when they log in from home. So really, having the tokens is not a guarantee of success.

TL;DR - check if it has "Modify All Data" and all checkboxes ticked next to the fields you need to see in field-level security. It'll be a good start, but there might be more, and admins might need to build a special integration user just for you. Sysadmin doesn't mean root, especially with API access.

These might help:
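The layers the answer walks through (OAuth scope, Modify All Data, field-level security, and the INVALID_FIELD error that is indistinguishable from a typo) can be pre-checked from the JSON Salesforce already returns to an integration. The script below is an added example, not code from the answerer or from Salesforce. It assumes the standard `scope` field of the token response, the `PermissionsModifyAllData` field on `Profile` and `PermissionSet`, and the `sobjects/<Object>/describe` REST resource; all the sample responses at the bottom are constructed for the example, and `Salary__c` is a hypothetical custom field.

```python
"""Pre-flight checks for a Salesforce integration token, one per layer in the
answer above. Added example, not code from the original answer. The REST
paths and object/field names in the docstrings are Salesforce's; every JSON
sample at the bottom is constructed for this example, not captured from an org.
"""

# Scopes that permit REST/SOAP data API calls. A token whose scope is only
# e.g. "id openid chatter_api" yields a valid session id but no SOQL access.
DATA_API_SCOPES = {"api", "full"}


def scopes_allow_data_api(scope_field):
    """`scope_field` is the space-separated 'scope' value from the token
    response (or from /services/oauth2/introspect)."""
    return bool(DATA_API_SCOPES & set(scope_field.split()))


def has_modify_all_data(profile_records, permset_records):
    """Layer 2 (record access). Inputs are the 'records' arrays from
       SELECT PermissionsModifyAllData FROM Profile WHERE Id = :profileId
       SELECT PermissionSet.PermissionsModifyAllData
         FROM PermissionSetAssignment WHERE AssigneeId = :userId
    MAD can come from the profile or from any assigned permission set."""
    if any(r["PermissionsModifyAllData"] for r in profile_records):
        return True
    return any(r["PermissionSet"]["PermissionsModifyAllData"]
               for r in permset_records)


def fls_gaps(describe_json, wanted_fields):
    """Layer 3 (FLS). GET /services/data/v58.0/sobjects/<Obj>/describe only
    lists fields the running user can read, so a wanted field that is absent
    is FLS-hidden (or misspelled). 'updateable' reflects edit access."""
    visible = {f["name"]: f for f in describe_json["fields"]}
    return {
        "unreadable": [f for f in wanted_fields if f not in visible],
        "read_only": [f for f in wanted_fields
                      if f in visible and not visible[f]["updateable"]],
    }


def looks_like_hidden_field_error(error_body):
    """A SOQL query naming an FLS-hidden field fails with INVALID_FIELD, the
    same errorCode a typo produces; the API does not distinguish them."""
    return any(e.get("errorCode") == "INVALID_FIELD" for e in error_body)


def preflight(scope_field, profile_records, permset_records,
              describe_json, wanted_fields):
    """Return a list of human-readable blockers; empty means 'good start'."""
    problems = []
    if not scopes_allow_data_api(scope_field):
        problems.append("scope: token lacks 'api'/'full', SOQL will be refused")
    if not has_modify_all_data(profile_records, permset_records):
        problems.append("records: no Modify All Data, sharing rules apply")
    gaps = fls_gaps(describe_json, wanted_fields)
    obj = describe_json["name"]
    for f in gaps["unreadable"]:
        problems.append(f"FLS: {obj}.{f} not readable (or misspelled)")
    for f in gaps["read_only"]:
        problems.append(f"FLS: {obj}.{f} readable but not editable")
    return problems


# --- constructed sample responses (not captured from a real org) ------------
SAMPLE_SCOPE = "id openid refresh_token api"
SAMPLE_PROFILE = [{"attributes": {"type": "Profile"},
                   "PermissionsModifyAllData": True}]
SAMPLE_PERMSETS = [{"attributes": {"type": "PermissionSetAssignment"},
                    "PermissionSet": {"PermissionsModifyAllData": False}}]
SAMPLE_DESCRIBE = {"name": "Contact", "fields": [
    {"name": "Id", "updateable": False},
    {"name": "Email", "updateable": True},
    {"name": "Phone", "updateable": False},   # readable, FLS edit unticked
]}
WANTED = ["Email", "Phone", "Salary__c"]      # Salary__c: hypothetical custom field
SAMPLE_SOQL_ERROR = [{"errorCode": "INVALID_FIELD",
                      "message": "No such column 'Salary__c' on entity 'Contact'."}]

if __name__ == "__main__":
    for p in preflight(SAMPLE_SCOPE, SAMPLE_PROFILE, SAMPLE_PERMSETS,
                       SAMPLE_DESCRIBE, WANTED):
        print(p)
```

Run against a real org, the three inputs come from the token response, two SOQL queries under the same token, and one describe call; if the describe call itself fails, the object is blocked at layer 1 (no object permission) before FLS even matters.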