In the world of the Salesforce Administrator, it’s important that users are able to connect to the applications that interface with your system on a daily basis. However, when was the last time that you checked which applications are connecting to Salesforce? This is a section in Salesforce that I have not seen mentioned often in the community too often, so I figured I’d write a blog post to bring it some well deserved attention!
Here’s the quick FAQ about connected Apps:
1. Where do you go to see which apps are connected to your Salesforce instance?
Setup | Manage Apps | Connected Apps and Setup | Manage Apps | Connected Apps OAuth Usage
2. What information can I find there?
- Connected Apps:
- Which tools are available to users.
- Which versions for the application are used.
- Permissions for users to login to the application:
- Allow users to self-authorize – which is okay if everyone in your org should use the application
- Admin approved users are pre-authorized
- Timeout values
- Set the timeout value for the connected applications
- Why? Because there might be sensitive things being done that require restricted access or limited ability to do xyz in that system and only for a predefined period.
- What kind of IP restrictions there are:
- Relaxed with Security Token
- Requiring a high assurance session (Two-Factor Authentication – Click for more documentation about Session Level Security)
- User Provisioning with external application
- OAuth Connected Apps Usage
- The ability to BLOCK a connected app (after connecting with it once for it to appear in the list – note for admins if you want to block a known app
- User Count
- Revoke All Tokens or individual tokens for a connected app on this page
- All token revocation is temporary. The user can regain access simply by accessing the application again.
3. There are some apps that I don’t want people to access. What can I do?
- If the access only needs to be removed temporarily, you can go to either Setup | Manage Apps | Connected Apps OAuth Usage and click on the affected app and revoke that user’s token. The same ability is provided at the bottom of the user detail record. An example for revoking a workbench token is shown below:
- If you would like to remove access from the application permanently, you have two options:
- Blocking the application entirely, by going to Setup | Manage Apps | Connected Apps OAuth Usage and selecting BLOCK.
- By blocking the application except to those that have the appropriate permission set or profile via Setup | Manage Apps | Connected Apps.
- Click on edit next to the application name.
- Change “Permitted Users” from “All Users May Self-Authorize” to “Admin Approved Users Are Pre-Authorized.” Set any other connected app settings here.
- Select the label for the connected app on redirect and assign any profiles or permission sets to the connected app on the detail page.
Pro tip: Profiles should determine the base-level of permissions. If the permission should only be assigned to a subset of users in a profile, a permission set is most likely a better choice.
4. I’m a geek and want to use SOQL to compare permissions. Where should I start?
- The connected application permissions are stored in, guess where? The ConnectedApplication object.
- The permissions are stored in the SetupEntityAccess object.
- The SetupEntityId is the connected application.
To query the permission sets that have a certain connected application, you can use:
SELECT Id, ParentId, Parent.Name, SetupEntityId, SetupEntityType FROM SetupEntityAccess WHERE SetupEntityType ='ConnectedApplication' AND Parent.IsOwnedByProfile = FALSE
So you’re thinking to yourself, that was the quick overview?! Yes. Yes, it was. As an Admin, you should regularly review which applications users are using and whether or not the access should be restricted. In my opinion, this should be reviewed no less than on a quarterly basis. It is an important part of your job to ensure the security of the platform and that users are connecting to apps in a manner appropriate to their role and job function.
Pro tip: You can download login history for a user and filter on the application field to see how often they are using the application. (Note: it only contains history for the past 6 months, whereas the application usage section contains a much longer period of time).
Onto the ideas
Approvals / Notifications
Now, time for me to get up on my soapbox. I think that it would be great for administrators to be able to set the default access level for connected apps. Right now, the admin (or another user) has to login to the connected application for it to appear in the list for it to be blocked. As an administrator, I believe that the access level should be able to be set to “no access” for security review and then after review with the appropriate parties can be blocked or enabled for the organization. You can vote up the freshly minted idea here.
Reports / Dashboards
With information about connected apps, you are able to answer some very important business questions from an adoption perspective. At this point in time, you cannot filter off of the grouped information in the login history to be able to say how often your application is being used. Some key questions that you could answer with the information:
- “We just started using Salesforce1. How often is it being used and by whom?”
- “In the past three months, we purchased xyz tool and here’s the amount of times it has been used (or hasn’t been used). Let’s (dis)continue our engagement with them.”
- “Here’s how often individuals are accessing the Salesforce Help & Training. There are some business units that are not logging in often. Let’s make them aware of this resource in our next training session.”
Aren’t those all great things that you’d love to be able to answer / say / do? You could do that with access to reports and dashboards that are filterable on the application field. Although, you can still run the report in workbench and copy and paste in in excel (from Workbench – you guessed it! A connected app!) by using a query like this:
SELECT COUNT(Id), Application, CALENDAR_MONTH(LoginTime) FROM LoginHistory WHERE LoginTime = LAST_N_Months:3 GROUP BY Application, CALENDAR_MONTH(LoginTime)
And the result:
|Amount Of Logins||Application||Month|
|99||Salesforce Help & Training||1|
|59||Salesforce Help & Training||2|
|72||Salesforce Help & Training||3|
|78||Salesforce Help & Training||4|
|73||Salesforce Help & Training||5|
|91||Salesforce Help & Training||6|
That’s great. I would like it to be in a salesforce dashboard and by each business unit. Autumn Hearne’s idea here speaks to that want.
Now you can say that you know all there is to know about connected apps!