Salesforce Sharing and Visibility Designer Series Part 16

This entry is part 17 of 17 in the series Sharing and Visibility Designer Study Guide

Enforce Object and Field level permission when designing Programmatic Solutions

Enforce CRUD and FLS permission on Apex Class & Web Service Class

  1. Object Level Access – Apex runs in system mode, so SOQL and DML do not enforce object or field permissions on their own. Schema describe methods are available in Apex to check the running user's permission on an object before querying or modifying it.
  • Check if the user can read the object – Lead.sObjectType.getDescribe().isAccessible()
  • Check if the user can create records of the object – Lead.sObjectType.getDescribe().isCreateable()
  • Check if the user can delete records of the object – Lead.sObjectType.getDescribe().isDeletable()
  • Check if the user can update records of the object – Lead.sObjectType.getDescribe().isUpdateable()
  2. Field Level Access – Schema describe methods can also be used to check FLS in Apex.
  • Check if the user can read the field – Schema.sObjectType.Account.fields.Name.isAccessible()
  • Check if the user can set the field on create – Schema.sObjectType.Account.fields.Name.isCreateable()
  • Check if the user can update the field – Schema.sObjectType.Account.fields.Name.isUpdateable()
  3. Manual check of permissions granted through Profiles and Permission Sets can also be done with SOQL on the following objects –
  • FieldPermissions – to get FLS (PermissionsRead, PermissionsEdit per field)
  • ObjectPermissions – to get CRUD (PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete per object)
  • Profile – to get additional permissions such as PermissionsModifyAllData ("Modify All Data").
  • PermissionSet – to get additional permissions such as PermissionsModifyAllData ("Modify All Data").
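The following Apex class is an added example, not code from the original post or from Salesforce: it wraps the Schema describe checks listed above into reusable CRUD and FLS guards, applies them to a query-then-update on Lead, and adds the SOQL audit against FieldPermissions from item 3. The class and method names, and the Status value 'Qualified', are assumptions.

```apex
// Added example (not from the original post): enforce CRUD and FLS with the
// Schema describe methods before SOQL and DML, plus a FieldPermissions audit.
public with sharing class LeadAccessEnforcer {

    // Raised to the caller when the running user lacks the required permission.
    public class AccessException extends Exception {}

    // Object-level (CRUD) check for one operation: 'read', 'create', 'update', 'delete'.
    public static void requireObjectAccess(Schema.SObjectType type, String op) {
        Schema.DescribeSObjectResult d = type.getDescribe();
        Boolean ok =
            op == 'read'   ? d.isAccessible() :
            op == 'create' ? d.isCreateable() :
            op == 'update' ? d.isUpdateable() :
            op == 'delete' ? d.isDeletable()  : false;
        if (!ok) {
            throw new AccessException('No ' + op + ' access on ' + d.getName());
        }
    }

    // Field-level (FLS) check for every field the code is about to read or write.
    public static void requireFieldAccess(Schema.SObjectType type,
                                          List<String> fieldNames,
                                          Boolean forWrite) {
        Schema.DescribeSObjectResult d = type.getDescribe();
        Map<String, Schema.SObjectField> fields = d.fields.getMap();   // case-insensitive keys
        for (String f : fieldNames) {
            Schema.SObjectField field = fields.get(f);
            if (field == null) {
                throw new AccessException('Unknown field ' + d.getName() + '.' + f);
            }
            Schema.DescribeFieldResult dfr = field.getDescribe();
            Boolean ok = forWrite ? dfr.isUpdateable() : dfr.isAccessible();
            if (!ok) {
                throw new AccessException('No ' + (forWrite ? 'edit' : 'read')
                                          + ' access on ' + d.getName() + '.' + f);
            }
        }
    }

    // Apex runs in system mode, so the SELECT and the UPDATE below would succeed
    // even for a user with no Lead permissions; the checks are what stop that.
    public static Lead qualifyLead(Id leadId) {
        requireObjectAccess(Lead.SObjectType, 'read');
        requireFieldAccess(Lead.SObjectType, new List<String>{ 'Status', 'Rating' }, false);
        Lead l = [SELECT Id, Status, Rating FROM Lead WHERE Id = :leadId LIMIT 1];

        requireObjectAccess(Lead.SObjectType, 'update');
        requireFieldAccess(Lead.SObjectType, new List<String>{ 'Status' }, true);
        l.Status = 'Qualified';   // assumed picklist value
        update l;
        return l;
    }

    // Manual audit: which profiles / permission sets grant edit on a field.
    // FieldPermissions.Field is stored as 'Object.Field', e.g. 'Lead.Status'.
    public static List<FieldPermissions> whoCanEdit(String objectName, String fieldName) {
        String qualifiedField = objectName + '.' + fieldName;
        return [SELECT Parent.Name, Parent.IsOwnedByProfile, Parent.Profile.Name,
                       PermissionsRead, PermissionsEdit
                FROM FieldPermissions
                WHERE SobjectType = :objectName
                  AND Field = :qualifiedField
                  AND PermissionsEdit = true];
    }
}
```

The guards are deliberately called twice in qualifyLead(): once for the fields read, once for the field written, because a user with read access to Status may still lack edit access to it. Newer Apex also offers WITH SECURITY_ENFORCED in SOQL and Security.stripInaccessible() for the same purpose; the describe methods remain the only option for checking before DML in older API versions.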

Reference – https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS


Enforce Sharing Rules on Apex Class – With and Without Sharing keywords

Use the with sharing or without sharing keywords on a class to specify whether or not to enforce sharing rules.

  1. The with sharing keyword specifies that the sharing rules for the current user are taken into account for a class.
  • Enforces record-level access only: org-wide defaults (OWD), role hierarchy, sharing rules and manual shares. It does not enforce CRUD or FLS; those still need the Schema describe checks above.
  • Both inner and outer classes can be declared with sharing; an inner class does not inherit the sharing setting of its outer class.
  • A class with no sharing keyword runs in the sharing mode of its caller, so a method called from a with sharing class also runs with sharing.
  • A with sharing class called from a class with no sharing keyword still enforces sharing rules for its own code: the keyword on the class where the method is defined wins.
  • Eg. public with sharing class sharingClass { }
  2. The without sharing keyword ensures that the sharing rules for the current user are not enforced.
  • The class sees every record regardless of OWD, role hierarchy or sharing rules. Apex already runs in system mode for CRUD and FLS, so without sharing removes the last access check on records; use it only for code that must deliberately bypass sharing.
  • Eg. public without sharing class noSharing { }
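The three classes below are an added example, not code from the original post or from Salesforce. They show the same COUNT() query reached through a with sharing entry point, a helper with no sharing keyword, and a without sharing class, so the difference in the rows each one sees comes only from the keyword. Class and method names are assumptions; in an org each top-level class lives in its own file, they are shown together here for reading.

```apex
// Added example (not from the original post): how the sharing keyword, or its
// absence, decides whether record-level sharing is applied to a query.  Object
// and field permissions (CRUD/FLS) are not affected by any of these keywords.

// Entry point used from a Visualforce controller or Lightning component:
// OWD, role hierarchy, sharing rules and manual shares restrict what it sees.
public with sharing class OpportunityReportController {

    public static List<Opportunity> myVisibleOpps() {
        // Only records the running user can see are returned.
        return [SELECT Id, Name, Amount FROM Opportunity LIMIT 200];
    }

    public static Integer countOppsViaHelper() {
        // The helper has no sharing keyword, so it inherits this class's
        // "with sharing" context: the count is still restricted.
        return OpportunityCounter.countOpps();
    }

    public static Integer countOppsViaSystem() {
        // Explicit "without sharing" on the callee wins over the caller:
        // this counts every Opportunity in the org.
        return OpportunitySystemCounter.countOpps();
    }
}

// No sharing keyword: runs in the sharing mode of whoever called it.  If it
// is itself the entry point of the transaction it runs without sharing.
public class OpportunityCounter {
    public static Integer countOpps() {
        return [SELECT COUNT() FROM Opportunity];
    }
}

// Used deliberately for an aggregate that must ignore sharing, e.g. a
// company-wide pipeline total shown on a dashboard.  Never return row-level
// data from such a class to a user who could not otherwise see those rows.
public without sharing class OpportunitySystemCounter {
    public static Integer countOpps() {
        return [SELECT COUNT() FROM Opportunity];
    }
}
```

The trap is the class with no keyword: it is safe when called from OpportunityReportController, but exposed directly (for example as a web service or @AuraEnabled entry point) it runs without sharing. The inherited sharing keyword, which the post does not cover, closes that gap by running as with sharing whenever the class is the entry point.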

Reference – https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_keywords_sharing.htm


Encryption/Decryption in Apex using Crypto Class

  • Consists of methods to encrypt and decrypt data using the AES128, AES192 and AES256 algorithms (AES in CBC mode with PKCS#5 padding).
  • The Crypto class provides the following methods to encrypt and decrypt with AES:
    • encrypt() – the caller supplies the initialization vector (IV)
    • decrypt() – the caller supplies the same IV that was used to encrypt
    • encryptWithManagedIV() – Crypto generates a random IV and prepends it to the ciphertext
    • decryptWithManagedIV() – Crypto reads the IV back from the first 16 bytes of the ciphertext
  • Only the AES128, AES192 and AES256 algorithms are supported for encryption.
  • To encrypt data, first generate a key – Blob cryptoKey = Crypto.generateAesKey(256);
  • The length of the key must match the algorithm: 16 bytes for AES128, 24 bytes for AES192, 32 bytes for AES256. The IV passed to encrypt()/decrypt() must be 16 bytes. This is a symmetric (shared secret) key, not a private key; keep it out of the source code, for example in a protected custom setting, and keep it available for as long as any ciphertext must be decrypted.
  • Encrypt data using the encryption method – Blob encryptedData = Crypto.encryptWithManagedIV('AES256', cryptoKey, Blob.valueOf('Test'));
  • Decrypt data using the decryption method – Blob decryptedData = Crypto.decryptWithManagedIV('AES256', cryptoKey, encryptedData);
  • The Crypto class also supports digital signatures via the sign() method, hashes via generateDigest(), and HMACs via generateMac().

Reference – https://developer.salesforce.com/page/Apex_Crypto_Class


Q&A

  1. Universal Containers has created a custom Sales Operations profile with read and edit access to the Category field on a custom object. There is a new requirement that 3 of the 100 users assigned to the Sales Operations Profile should have read-only access to the Category field. How can the Architect support this request? Choose one answer
  • Create a permission set in the Category field to read-only and assign it to the users.
  • Create a new profile without edit access to Category and assign it to the users.
  • Create a new page layout with the Category Field set to read-only for these users.
  • Create a custom permission to grant read-only access to Category and assign it to the users.


2. Universal Containers has successfully implemented a large Service Cloud rollout for their national call center 3 months ago. One of their largest customer accounts, United Automotive, has over 15,000 open cases. Agents are now having trouble opening new cases for United Automotive. When they try to create a case, the following Error message appears for them:

UNABLE_TO_LOCK_ROW

They notice that this only occurs for the United Automotive account. If they try to save the case again it will usually work, but the problem seems to be happening more and more often. What option should the Architect recommend? Choose one answer

  • Review all Account sharing rules to ensure that the Customer Service team has Read/Write access to the United Automotive Account.
  • Review the Account structure to split the United Automotive account into multiple branch accounts.
  • Review all Case Sharing Rules and consolidate where appropriate to reduce the total number of sharing rules.
  • Review the Customer Service Profile to ensure that they have Read/Write access to the appropriate Case and Account Fields.