Only allow Bulk API for specific API users

In Salesforce either you have API access or you don't. Following recent events you might want to restrict access to specific API types (think Bulk, REST etc.) to certain users. This can be done with a Transaction Security Policy based on events from real-time Shield Event Monitoring, using an Apex event condition. The `evaluate` method of the condition returns true when the policy should fire (for example, block the request) and false to let the event through. The event condition below blocks a Bulk API request unless the calling user has been assigned the Data_Steward permission set; every other API type passes through untouched. Assigning this permission set could even be a permission that automatically times out to further improve the security posture.

```apex
global class BlockBulkAPIEventCondition implements TxnSecurity.EventCondition {

    // Return true when the policy should fire (e.g. block the request),
    // false to let the event pass through untouched.
    public boolean evaluate(SObject event) {
        // cast the generic event to the ApiEvent this policy is registered for
        final ApiEvent ev = (ApiEvent)event;

        // anything that is not a Bulk API request is allowed as-is
        // (null-safe: ApiType may be blank on some events)
        if (String.isBlank(ev.ApiType) || !ev.ApiType.contains('Bulk')) {
            return false;
        }

        // Bulk API request: fire the policy unless the user holds Data_Steward.
        // Query into a list; assigning an empty result to a single sObject
        // would throw System.QueryException instead of yielding null.
        final Id userId = ev.UserId;
        final List<PermissionSetAssignment> permsetAssign = [
            SELECT Id FROM PermissionSetAssignment
            WHERE PermissionSet.Name = 'Data_Steward'
            AND AssigneeId = :userId
            LIMIT 1
        ];
        return permsetAssign.isEmpty();
    }

}
```
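The same pattern generalises to several API types at once. The class below is an added example, not code from the original post: it maps a substring of `ApiEvent.ApiType` to the permission set a user must hold to use that API, and fires the policy when the assignment is missing. The permission set names (`Bulk_API_User`, `REST_API_User`, `SOAP_API_User`) and the substrings used to match API types are assumptions for illustration; adjust them to the permission sets and ApiType values in your org.

```apex
// Added example: one event condition gating several API types, each behind
// its own permission set. Permission set names and ApiType substrings are
// assumptions and must be adapted to the org before deployment.
global class ApiTypePermissionEventCondition implements TxnSecurity.EventCondition {

    // ApiType substring -> API name of the permission set required to use it
    private static final Map<String, String> REQUIRED_PERMSET = new Map<String, String>{
        'Bulk' => 'Bulk_API_User',
        'REST' => 'REST_API_User',
        'SOAP' => 'SOAP_API_User'
    };

    // true = fire the policy (block), false = let the event through
    public boolean evaluate(SObject event) {
        final ApiEvent ev = (ApiEvent)event;
        final String requiredPermset = requiredPermsetFor(ev.ApiType);

        // API types that are not in the map are not gated
        if (requiredPermset == null) return false;

        // gated API type: block when the user lacks the matching permission set
        return !hasPermissionSet(ev.UserId, requiredPermset);
    }

    // Resolve which permission set (if any) an API type requires.
    @TestVisible
    private static String requiredPermsetFor(String apiType) {
        if (String.isBlank(apiType)) return null;
        for (String key : REQUIRED_PERMSET.keySet()) {
            if (apiType.containsIgnoreCase(key)) {
                return REQUIRED_PERMSET.get(key);
            }
        }
        return null;
    }

    // Check for an active assignment of the named permission set to the user.
    @TestVisible
    private static Boolean hasPermissionSet(Id userId, String permsetName) {
        if (userId == null) return false;
        final List<PermissionSetAssignment> assignments = [
            SELECT Id FROM PermissionSetAssignment
            WHERE PermissionSet.Name = :permsetName
            AND AssigneeId = :userId
            LIMIT 1
        ];
        return !assignments.isEmpty();
    }

}
```

Register the class as the Apex condition of a Transaction Security Policy on the ApiEvent object with the Block action (and, if wanted, a notification). Because `evaluate` runs once per API event, keep the condition cheap: the single `LIMIT 1` SOQL query per event stays well inside governor limits, but anything heavier, such as querying per record in a bulk job, does not belong here.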

Published by

lekkim
