I need some guidelines on how to create an API Only user for Integration correctly in Salesforce.
I have found this guideline from Salesforce, which is what I would follow: https://help.salesforce.com/apex/HTViewSolution?urlname=User-Permission-for-API-Integration-User&language=en_US
However my follow up question to that would be – which profile should I clone for the API Only user? Is it a System Administrator? Or since I am setting Modify All Data, then it really doesn't matter which profile I clone?
Hope someone has the answer.
I think there are two approaches I would consider.
If you are thinking security-first, I would probably clone the most minimal Salesforce user profile, and then enable only the permissions I need. So in this case, probably
If you want to reduce possible unexpected access blocks, you could clone
System Administrator. But profiles are big, with lots of parameters, and you might be granting access to some feature that you integration user really doesn't need, creating a potential security threat.
In all honesty, I would probably always prefer the security-first approach, as you will only enable features and permissions that you absolutely need for your integration. Just be mindful that every time you need to expand the scope of what your integration does, you might need to revisit profile settings for every project. Arguably, this should be part of every project anyway, though.