Using a Salesforce Integration User Licence
You can authorise MoveData under a free Salesforce Integration user licence instead of a paid Salesforce seat. This requires additional manual permission configuration.
Who is this for?
Salesforce Enterprise, Unlimited, and Performance editions include five free Salesforce Integration user licences. If your organisation has limited licences and your team is comfortable configuring Salesforce permissions, this approach can save the cost of a paid seat.
For the standard setup using a full Salesforce licence, see The MoveData Authorised User.
Before you begin#
- Your Salesforce org has at least one Salesforce Integration user licence available.
- MoveData and the required extensions are already installed.
- You have System Administrator access to perform the configuration.
- You have a sandbox environment to test the configuration before deploying to production.
How it works#
The packaged MoveData permission sets (MoveData_Application, MoveData_NPSP_Extensions, MoveData_Nonprofit_Extensions, MoveData_Commerce_Extensions) target the full Salesforce user licence. You can assign these permission sets to a Salesforce Integration licence user without errors. However, Salesforce silently drops the standard-object permissions (Contact, Account, Campaign, Opportunity) at runtime. The Apex Class Access and movedata__* custom field permissions still take effect.
The result: a user that looks fully configured but fails at runtime with errors like "The current user does not have access to read data from Contact".
To fix this, create a separate custom permission set with no user licence assigned. Without a licence binding, Salesforce does not filter the permissions at runtime. The packaged permission sets handle Apex class access and custom field permissions. The custom permission set handles standard CRM object access.
Configuration steps#
Step 1: Create the user on a full Salesforce licence#
The Salesforce Integration licence does not allow UI login, so the user cannot complete MoveData's OAuth authorisation flow under that licence. You must authorise first under a UI-capable licence, then switch.
- Go to Setup > Users > New User.
- Set User Licence to Salesforce.
- Set Profile to System Administrator.
- Use a dedicated email and username (e.g.,
movedata+integration@yourorg.com). - Click Save and activate the user.
Step 2: Authorise MoveData#
- Log in as the new user.
- Open the MoveData app from the App Launcher.
- Go to Settings > General > Authorise MoveData.
- Complete the OAuth flow — click Allow on the Salesforce consent screen.
- Confirm the success screen appears.
The OAuth grant from this step persists through the licence change in Step 3.
Step 3: Switch the user to the Salesforce Integration licence#
- Go to Setup > Users > find the user > Edit.
- Change User Licence to Salesforce Integration.
- Change Profile to Minimum Access - API Only Integrations.
- Click Save.
Warning
Do not use the deprecated Salesforce API Only System Integrations profile in orgs where both profiles are available. Use Minimum Access - API Only Integrations instead.
After this step, the user can no longer log into the Salesforce UI. The MoveData OAuth grant remains valid.
Step 4: Assign the packaged MoveData permission sets#
- Go to Setup > Users > select the user > Permission Set Assignments > Edit Assignments.
- Assign the permission sets relevant to your installation:
| Permission set | When to assign |
|---|---|
| MoveData Application | Always required |
| MoveData NPSP Extensions | NPSP data model |
| MoveData Nonprofit Cloud Extensions | Nonprofit Cloud data model |
| MoveData Commerce Extensions | Commerce/ticketing flows |
Assignment succeeds despite the licence mismatch. Apex Class Access and movedata__* custom field permissions take effect, but standard-object permissions do not.
Step 5: Verify the Salesforce API Integration permission set licence#
- Go to Setup > Users > select the user.
- Scroll to Permission Set Licence Assignments.
- Confirm that Salesforce API Integration appears in the list.
Salesforce auto-grants this permission set licence when the Salesforce Integration user licence is assigned. It is occasionally missing, particularly on users created via API or in older orgs.
If it is missing, click Edit Assignments, tick Salesforce API Integration, and click Save.
Step 6: Create a custom permission set for standard object access#
This is the most important step. The custom permission set grants the standard CRM object access that the packaged permission sets cannot provide under an Integration licence.
- Go to Setup > Permission Sets > New.
- Set Label to
MoveData Integration User - Object Access(or similar). - Leave User Licence as --None--. Do not select any licence.
- Click Save.
In the new permission set, replicate the object permissions and field-level security documented in the extension permission set reference for your installation. These reference articles list exactly which objects, permission levels, and fields each extension requires:
- NPSP Extension permission sets
- Nonprofit Cloud Extension permission sets
- Commerce Extension permission sets
Use the object permissions table and field permissions table from the relevant article as your guide. Grant the same Read, Create, Edit, Delete, View All, and Modify All permissions listed there. Then scroll to the Field Permissions section within each Object Settings page and grant Read and Edit access on all fields listed in the reference.
Custom extension flows and additional fields
If your integration uses custom extension flows, any objects or fields that those flows read from or write to must also be included in this custom permission set. The packaged permission sets only cover the standard MoveData fields. Any customisations you have made — custom fields, custom objects, or fields referenced in flow logic — are your responsibility to add here.
The same applies to custom validation rules, process builders, or triggers that fire during MoveData processing. If they reference fields not covered by the extension permission set reference, add those fields to this custom permission set.
Step 7: Assign the custom permission set to the user#
- Go to Setup > Users > select the user > Permission Set Assignments > Edit Assignments.
- Add the new custom permission set.
- Click Save.
Permission set groups
You can group all four permission sets (MoveData Application, the relevant extension permission set, Commerce Extensions if applicable, and the custom permission set) into a single Permission Set Group for easier reuse.
Step 8: Verify the configuration#
Trigger a test notification or replay a recent failed one from the MoveData notifications view. It should process successfully from start to finish.
If you see an error (typically "The current user does not have access to read data from <Object>" or a missing-field error), add the relevant permission to the custom permission set and retry. You should have the correct permissions after one or two iterations.
Re-authorisation procedure#
If MoveData's OAuth access is revoked for the Integration user (whether intentionally or through Salesforce session policies), the user cannot re-authorise because they have no UI login.
To recover:
- Go to Setup > Users > find the Integration user > Edit.
- Change User Licence to Salesforce and Profile to System Administrator.
- Click Save. This temporarily consumes a paid licence.
- Log in as the user. Open MoveData > Settings > General > Authorise MoveData. Complete the OAuth flow.
- Go to Setup > Users > find the user > Edit.
- Change User Licence back to Salesforce Integration and Profile back to Minimum Access - API Only Integrations.
- Click Save.
The temporary licence consumption lasts a few minutes at most, but a paid licence must be available.
Caveats and limitations#
- Initial setup requires a paid licence temporarily. The OAuth authorisation flow in Step 2 requires a UI-capable licence. If your organisation has no spare paid licence, this approach will not work.
- Re-authorisation requires coordination. Recovering from a revoked OAuth grant requires temporarily switching to a paid licence, as described above.
- Custom fields require manual permission configuration. If your integration uses custom fields, custom objects, or custom validation rules, you must add these to the custom permission set yourself.
- "Login As" does not work for diagnostics. Administrators cannot use Login As to test as an Integration user because there is no UI access. Use Workbench or direct SOQL queries instead.
- Field-level security gaps appear as object-level errors. A missing Read permission on a single field can show as
"no access to read data from <Object>"rather than a field-specific error. When troubleshooting, check field-level security as well as object permissions.
Troubleshooting#
| Error message | Likely cause | Fix |
|---|---|---|
You do not have access to the Apex class named: MoveDataEndpoint |
MoveData Application permission set not assigned, or Apex Class Access not granted | Assign the MoveData Application permission set. Verify Apex Class Access for MoveDataEndpoint. |
The current user does not have access to read data from <Object> |
Object missing from custom permission set, or field-level security missing on a referenced field | Add the object to the custom permission set with Read, Create, and Edit permissions. Check field-level security on all matching and referenced fields. |
Insufficient access on cross reference entity |
A related object is missing from the custom permission set | Identify the related object from the execution context. Add it to the custom permission set. |
| Apex or flow execution error not linked to a missing permission | Possible licence-level limitation in MoveData's internal Apex logic | This falls outside the supported configuration. Consider using a full Salesforce licence instead. |