Salesforce API Access Control: A Complete Guide

Understanding API Access Control

Salesforce’s API Access Control feature provides robust security options for managing API access to your org. Available across Professional, Enterprise, Performance, Unlimited, and Developer Editions (in both Classic and Lightning), this feature lets you:

  • Restrict all users from accessing Salesforce APIs unless pre-authorized
  • Specifically limit customer/partner API access to approved connected apps

Key Capabilities

1. Restricting API Access via Connected Apps

  • Lock down all connected apps’ access to Salesforce APIs
  • Allowlist specific connected apps for approved access
  • Control user access through profiles and permission sets

2. Managing Customer/Partner API Access

  • Restrict Experience Cloud site users to installed connected apps
  • Maintain security while enabling necessary integrations

Implementation Process

To enable API Access Control:

  1. Contact Salesforce Customer Support to request activation
  2. Configure your access policies through Setup

API Management via Anypoint Platform

For organizations using MuleSoft’s Anypoint Platform to manage APIs, follow these steps to apply policies:

Prerequisites

  1. Generate an Authorization Bearer token
  2. Obtain your Organization ID (Org ID)
  3. Retrieve Environment ID
  4. Identify the API ID

Applying IP Whitelist Policy

The POST must carry the Bearer token from the prerequisites; note the shell quoting needed for the single quotes inside the DataWeave expression:

curl 'https://anypoint.mulesoft.com/apimanager/api/v1/organizations/<org_id>/environments/<env_id>/apis/<api_id>/policies' \
-X POST \
-H 'Accept: application/json, text/plain, */*' \
-H 'Authorization: Bearer <token>' \
-H 'X-ANYPNT-ORG-ID: <org_id>' \
-H 'X-ANYPNT-ENV-ID: <env_id>' \
-H 'Content-Type: application/json;charset=utf-8' \
--data-raw '{
  "configurationData": {
    "ipExpression": "#[attributes.headers['\''x-forwarded-for'\'']]",
    "ips": ["1.1.1.1"]
  },
  "apiVersionId": <api_id>,
  "pointcutData": null,
  "policyTemplateId": null,
  "groupId": "68ef9520-24e9-4cf2-b2f5-620025690913",
  "assetId": "ip-allowlist",
  "assetVersion": "1.1.1"
}'

Retrieving Policy Configuration

To understand policy parameters:

curl 'https://anypoint.mulesoft.com/apimanager/api/v1/organizations/<org_id>/environments/<env_id>/apis/<api_id>/policies' \
-X GET \
-H 'Accept: application/json, text/plain, */*' \
-H 'Authorization: Bearer <token>' \
-H 'X-ANYPNT-ENV-ID: <env_id>' \
-H 'Content-Type: application/json;charset=utf-8'
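As an added example (not code from the original page or from MuleSoft), the Python helper below builds the same ip-allowlist request body with validated entries and audits the policy list for an API instance, flagging catch-all ranges, unparseable entries and reliance on X-Forwarded-For; the shape of the GET response and the constructed SAMPLE_POLICIES are assumptions, while the group and asset ids are the ones quoted above.

```python
import ipaddress

# Values quoted on this page for the MuleSoft ip-allowlist policy asset
POLICY_GROUP_ID = "68ef9520-24e9-4cf2-b2f5-620025690913"
IP_ALLOWLIST_ASSET = "ip-allowlist"

def build_ip_allowlist_policy(api_id, ips, header="x-forwarded-for"):
    """Build the POST body for the ip-allowlist policy, rejecting malformed or catch-all entries."""
    cleaned = []
    for entry in ips:
        net = ipaddress.ip_network(entry, strict=False)  # ValueError on anything that is not an IP/CIDR
        if net.prefixlen == 0:
            raise ValueError(f"{entry} matches every address; an allowlist must be specific")
        # single hosts stay plain addresses, as in the curl example above; ranges keep their prefix
        cleaned.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return {
        "configurationData": {"ipExpression": f"#[attributes.headers['{header}']]", "ips": cleaned},
        "apiVersionId": api_id,
        "pointcutData": None,
        "policyTemplateId": None,
        "groupId": POLICY_GROUP_ID,
        "assetId": IP_ALLOWLIST_ASSET,
        "assetVersion": "1.1.1",
    }

def audit_policies(policies):
    """Flag weak allowlists in a list of policy objects (the GET response shape is assumed)."""
    findings = []
    allowlists = [p for p in policies if p.get("assetId") == IP_ALLOWLIST_ASSET]
    if not allowlists:
        findings.append("no ip-allowlist policy applied to this API")
    for p in allowlists:
        cfg = p.get("configurationData", {})
        for entry in cfg.get("ips", []):
            try:
                if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                    findings.append(f"allowlist entry {entry} matches every address")
            except ValueError:
                findings.append(f"unparseable allowlist entry {entry!r}")
        # X-Forwarded-For is client-supplied unless a trusted proxy in front of the API overwrites it
        if "x-forwarded-for" in cfg.get("ipExpression", "").lower():
            findings.append("ipExpression reads X-Forwarded-For; confirm a trusted proxy sets it")
    return findings

# Constructed sample of what the GET endpoint might return for one API instance
SAMPLE_POLICIES = [{
    "assetId": "ip-allowlist", "assetVersion": "1.1.1",
    "configurationData": {"ipExpression": "#[attributes.headers['x-forwarded-for']]",
                          "ips": ["1.1.1.1", "0.0.0.0/0", "not-an-ip"]},
}]
```

Feed the JSON decoded from the GET request above into audit_policies before and after applying a policy to confirm the allowlist landed as intended.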

Best Practices

  1. Always test policies in a sandbox environment first
  2. Maintain detailed documentation of all API access policies
  3. Regularly review and audit connected app permissions
  4. Use the principle of least privilege when granting API access

By implementing these controls, organizations can significantly enhance their API security posture while maintaining necessary integration capabilities.

Content updated February 2025.
