[SalesForce] How to reset an API user’s password

We have set up a API user in Salesforce and just today got this error message:

INVALID_OPERATION_WITH_EXPIRED_PASSWORD: The users password has expired you must call the SetPassword before attempting any other API operations

Can someone clarify? I understand that apparently the API users password has expired, and that I should send a SetPassword request before further action. What is the best practice for this:

Should I reset the password once a month? once a day? only when the error is thrown? What are the password format requirements (special chars, numbers and letters, etc)?

Is there a way to lock the password for this user in the Salesforce admin setup section to deactivate the required password refresh?

Best Answer

To some degree it will depend on the security requirements for your organization. If you absolutely must change the password, then you can use the current session to call SetPassword(). Of course, this creates all sorts of other problems. You now need to automate the storage of the new password and potentially pickup the new security token as well.

Personally, I'd create a dedicated profile for API users.

Then on the profile under Administrative Permissions you can set "Password Never Expires".

With this you don't need to figure out password complexity options or security tokens.

You can also lock down what this profile has access to so it only makes sense to use it for an API user. Maybe restrict it to a particular IP address range.

Related Solutions

[SalesForce] Creating user via API

You can suppress creation of initial email (it's identical to unticking the checkbox "generate new password and notify user immediately" on the new user screen). Then whenever you're ready later - System.setPassword?

If this can work for you I'd like to link to my SO answer for similar thing: https://stackoverflow.com/questions/13118039/salesforce-creating-contact-and-user-by-importing-csv-file-send-notification/13137400

The problem with setPassword is that it's good for one time (upon logging in you land on the password change page similar to what happens when your password expires). That's how SF makes sure sysadmin will not know the user's final desired password. And of course you'd have to set it to something that complies with your own policies ("remember 3 last passwords" for example).

[SalesForce] How to mass change emails with sending only a password reset mail in Apex

You could perform something like this in Execute Anonymous, silently changing their email after deactivating the user and then resetting the password:

// retrieve your 500 users
List<User> users = [SELECT Id, IsActive, Email FROM User WHERE FirstName = 'Derpy'];

// deactivate the users
for (User u : users) {
    u.IsActive = false;
}
update users;

// correct their email addresses
for (User u : users) {
    u.Email += '.nonsense';
}
update users;

// reactivate the users
for (User u : users) {
    u.IsActive = true;
}
update users;

// fire a password reset and send the reset email
for (User u : users) {
    System.resetPassword(u.id, true);
}

Prior to running this script, consider the repercussions of deactivating active users. SFDC Link: Tips on Deactivating Users

Best Answer

Related Solutions

[SalesForce] Creating user via API

[SalesForce] How to mass change emails with sending only a password reset mail in Apex

Related Topic