Secure Coding: 
Field-Level Security, CRUD, and Sharing 
Kyle Tobener 
Product Security Engineer 
@KyleKyle 
Maxwell Feldman 
Product Security Engineer
Safe Harbor 
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
No Photos Required…. 
Slides and demos will be made available after the talk!
Primary Topic Today: Authorization 
• We will be covering developer-oriented authorization topics on the Salesforce platform. 
• Specific features to cover include: 
– FLS 
– CRUD 
– Sharing 
• Useful for anyone in the following areas: 
– Salesforce Developers 
– Salesforce Partners 
– Salesforce Administrators
What is Authorization? 
“Authorization dictates what a user is permitted to access.”
Guiding Principle: Least Privilege 
“A person should only have access to the minimum amount of information required to accomplish their duties, ensuring that their ability to take advantage of excess privilege purposefully or accidentally is minimized.”
A Note: Salesforce Contexts 
• User Context - Current user’s authorization respected 
• System Context - Current user’s authorization ignored 
– This is done on purpose to allow more extensible and flexible coding, but needs to be done properly!
CRUD
CRUD 
What is CRUD? Create Read Update Delete! 
» Controlled on the profile 
» Dictates user abilities object by object
CRUD for Developers 
• Apex Classes do not enforce CRUD 
– Why? System Context 
• Visualforce Pages do enforce CRUD 
– Why? User Context
Enforcing CRUD in Apex 
<sObject>.sObjectType.getDescribe() 
– isCreateable() 
– isAccessible() 
– isUpdateable() 
– isDeletable() 
public class MyController { 
    public String getMyAccount() { 
        // CRUD: does the running user have object-level Read on Account? 
        if (!Account.sObjectType.getDescribe().isAccessible()) { 
            return ''; 
        } 
        // Completion added so the snippet compiles: Account is safe to read here 
        List<Account> accs = [SELECT Name FROM Account LIMIT 1]; 
        return accs.isEmpty() ? '' : accs[0].Name; 
    } 
}
Demo: CRUD
Trivia! 
“Which of the following Visualforce code patterns respect the R (read) in CRUD?” 
1. <apex:outputField value="{!sObject.Field__c}"/> 
2. <apex:outputText value="{!sObject.Field__c}"/> 
3. {!sObject.Field__c} (note: naked merge field) 
4. <apex:outputText value="{!Object.String}"/>
Trivia (answered)! 
“Which of the following Visualforce code patterns respect the R (read) in CRUD?” 
1. <apex:outputField value="{!sObject.Field__c}"/> 
2. <apex:outputText value="{!sObject.Field__c}"/> 
3. {!sObject.Field__c} (note: naked merge field) 
4. <apex:outputText value="{!Object.String}"/>
FLS
FLS 
What is FLS? Field Level Security! 
» Controlled on the profile 
» Dictates which fields are visible to a user on a given 
object
FLS For Developers 
• Apex classes do not enforce FLS 
– Why? System Context 
• Visualforce pages do enforce FLS 
– User mode 
– Exception: de-referenced fields 
• {!Contact.Email} = yes 
• {!contactEmail} = NO
Enforcing FLS in Apex 
Schema.sObjectType.<sObject>.fields.<field> 
– isAccessible() 
– isUpdateable() 
public class MyController { 
    public String getMyAccount() { 
        // FLS: can the running user read the Account.Name field? 
        if (!Schema.sObjectType.Account.fields.Name.isAccessible()) { 
            return ''; 
        } 
        // ... 
        // Completion added so the snippet compiles: Name is safe to read here 
        List<Account> accs = [SELECT Name FROM Account LIMIT 1]; 
        return accs.isEmpty() ? '' : accs[0].Name; 
    } 
}
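As an added example (not code from the talk), the following controller combines the CRUD check from the previous section with the FLS check from this one, on both the read and the write path: the object-level describe gates the operation, and each field is verified individually so that fields the running user cannot read are dropped from the query instead of being returned from system context. It assumes only the standard Account object with its standard Name, Phone and Industry fields; the class and method names are my own.

```apex
public with sharing class SafeAccountController {

    // Keep only the fields the running user may read. Fields the user
    // cannot see are silently dropped rather than queried in system context.
    // The candidate list is hard-coded by the developer, never user input,
    // so the dynamic SOQL below is built only from describe-verified names.
    public static List<String> readableFields(List<String> wanted) {
        Map<String, Schema.SObjectField> fieldMap =
            Schema.sObjectType.Account.fields.getMap();   // keys are lowercase
        List<String> allowed = new List<String>();
        for (String f : wanted) {
            Schema.SObjectField tok = fieldMap.get(f.toLowerCase());
            if (tok != null && tok.getDescribe().isAccessible()) {
                allowed.add(f);
            }
        }
        return allowed;
    }

    // Read Accounts respecting CRUD (object level) and FLS (field level).
    public static List<Account> readAccounts() {
        // CRUD: object-level Read on Account
        if (!Account.sObjectType.getDescribe().isAccessible()) {
            return new List<Account>();
        }
        // FLS: per-field Read, applied before the query is built
        List<String> cols = readableFields(
            new List<String>{ 'Name', 'Phone', 'Industry' });
        if (cols.isEmpty()) {
            return new List<Account>();
        }
        String soql = 'SELECT ' + String.join(cols, ', ')
                    + ' FROM Account LIMIT 50';
        List<Account> result = Database.query(soql);
        return result;
    }

    // Update Account.Phone respecting CRUD and FLS for the write.
    public static Boolean updatePhone(Id accountId, String newPhone) {
        // CRUD: object-level Update on Account
        if (!Account.sObjectType.getDescribe().isUpdateable()) {
            return false;
        }
        // FLS: field-level Update on the one field we intend to write
        if (!Schema.sObjectType.Account.fields.Phone.isUpdateable()) {
            return false;
        }
        Account acc = new Account(Id = accountId, Phone = newPhone);
        update acc;
        return true;
    }
}
```

Because the class is declared with sharing, the SOQL in readAccounts also only returns records the running user can see, so all three controls (CRUD, FLS, sharing) are applied on the read path.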
Demo: FLS
When does the Platform stop respecting FLS? 
When you assign from an sObject to a primitive! 
Apex: 
    Random_Sensitive_Object_1__c r;                // sObject field: the platform knows which field it is 
    wRandom_Sensitive_Object_1 wR;                 // wrapper class with a plain primitive member 
    wR.Sensitive_Number = r.Sensitive_Number__c;   // once copied into a primitive, the FLS metadata is gone 
Visualforce: 
    <apex:outputText value="{!r.Sensitive_Number__c}" /> <!-- FLS RESPECTED --> 
    <apex:outputText value="{!wR.Sensitive_Number}" />   <!-- FLS IGNORED -->
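The safe version of the wrapper pattern above, as an added example that is not from the talk: the FLS check is made at the exact point where the sObject value is copied into a primitive, because after that point the platform can no longer enforce it. The object and field names (Random_Sensitive_Object_1__c, Sensitive_Number__c) are taken from the slide; the wrapper class name, the Decimal type of the field and the load() method are my assumptions.

```apex
// Wrapper (the "wR" of the slide) that only ever holds the sensitive value
// when the running user is allowed to read it.
public with sharing class SensitiveWrapper {
    public Id recordId { get; private set; }
    public Decimal sensitiveNumber { get; private set; }   // assumed Number field
    public Boolean sensitiveVisible { get; private set; }

    public SensitiveWrapper(Random_Sensitive_Object_1__c r) {
        recordId = r.Id;
        // FLS is checked here, at the sObject -> primitive boundary. Apex ran
        // the query in system context, so r.Sensitive_Number__c is populated
        // even for users who have no FLS read on the field.
        sensitiveVisible = Schema.sObjectType.Random_Sensitive_Object_1__c
                               .fields.Sensitive_Number__c.isAccessible();
        sensitiveNumber = sensitiveVisible ? r.Sensitive_Number__c : null;
    }

    // Build wrappers for a page. "with sharing" restricts which records are
    // returned; the CRUD check restricts whether the object may be read at all.
    public static List<SensitiveWrapper> load() {
        List<SensitiveWrapper> out = new List<SensitiveWrapper>();
        if (!Random_Sensitive_Object_1__c.sObjectType.getDescribe().isAccessible()) {
            return out;
        }
        for (Random_Sensitive_Object_1__c r : [SELECT Id, Sensitive_Number__c
                                               FROM Random_Sensitive_Object_1__c
                                               LIMIT 100]) {
            out.add(new SensitiveWrapper(r));
        }
        return out;
    }
}
```

On the Visualforce side the page can then render `{!w.sensitiveNumber}` with `rendered="{!w.sensitiveVisible}"`, so the column disappears for users without field access instead of showing a blank.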
Trivia! 
“We showed you how to respect FLS read permissions in Apex. Which one of the following would allow you to respect the FLS read permission in Visualforce?” 
1. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.isAccessible}" 
2. rendered="{!$ObjectType.CustomObject__c.CustomField__c.isAccessible()}" 
3. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}" 
4. rendered="{!$ObjectType.CustomObject__c.CustomField__c}"
Trivia (answered)! 
“We showed you how to respect FLS read permissions in Apex. Which one of the following would allow you to respect the FLS read permission in Visualforce?” 
1. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.isAccessible}" 
2. rendered="{!$ObjectType.CustomObject__c.CustomField__c.isAccessible()}" 
3. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}" 
4. rendered="{!$ObjectType.CustomObject__c.CustomField__c}"
Sharing
Sharing 
What is Sharing? Record Level Access! 
» Controlled outside the profile via Org-Defaults, Roles, Ownership, and sharing rules. 
» Dictates which records of an object a user can see.
Sharing for Developers 
• Apex classes do not enforce sharing (by default) 
– Why? System Context 
• Visualforce pages do not enforce sharing 
– Rely on controller for record access. 
• Exception: standard controllers enforce sharing
Enforcing Sharing in Apex 
Use the “With Sharing” keywords. 
• Default is without sharing 
• Invoked classes respect defined sharing. If no sharing is defined, they inherit sharing from the invoking parent 
public with sharing class MyController { 
    // ... with sharing is applied to everything declared directly in this class ... 
    public without sharing class MyInnerClass { 
        // ... sharing is not applied to code in this inner class ... 
    } 
}
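As an added example (not code from the talk) of the pattern the slide shows, here is a controller that runs with sharing everywhere except for one narrowly scoped inner class declared without sharing. The elevated code answers a single yes/no question and never hands hidden records back to the caller, which is what keeps the exception small. It assumes only the standard Account object; the class and method names are my own.

```apex
public with sharing class AccountCreateController {

    // The only code in this controller that sees records outside the running
    // user's sharing scope. Kept private and limited to one task on purpose.
    private without sharing class DuplicateChecker {
        public Boolean nameExists(String name) {
            // Bind variable: the user-supplied name is never concatenated into SOQL
            return [SELECT COUNT() FROM Account WHERE Name = :name] > 0;
        }
    }

    // Creates an Account unless an Account with that name already exists
    // anywhere in the org (including records the user cannot see).
    public static Boolean createAccount(String name) {
        // CRUD: may this user create Accounts at all?
        if (!Account.sObjectType.getDescribe().isCreateable()) {
            return false;
        }
        // FLS: may this user write Account.Name?
        if (!Schema.sObjectType.Account.fields.Name.isCreateable()) {
            return false;
        }
        // Elevated check. Note the trade-off: the Boolean still reveals that a
        // hidden Account with this name exists, so use this only where that
        // duplicate rule is an intended business requirement.
        if (new DuplicateChecker().nameExists(name)) {
            return false;
        }
        Account acc = new Account(Name = name);
        insert acc;
        return true;
    }

    // Runs with sharing: returns only the Accounts visible to the running user.
    public static List<Account> visibleAccounts() {
        return [SELECT Id, Name FROM Account ORDER BY Name LIMIT 50];
    }
}
```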
Demo: Sharing
Sharing Behavior Recap 
Rows: the code being called. Columns: the sharing mode of the class it is called from. "All" means every record is returned; "Shared" means only the records the running user can see. 

Called code                       Called from: No sharing   Without sharing   With sharing 
Inner method (no sharing)                      All          All               Shared 
Inner class (no sharing)                       All          All               Shared 
Inner class without sharing                    All          All               All 
Inner class with sharing                       Shared       Shared            Shared 
External class (no sharing)                    All          All               Shared 
External class without sharing                 All          All               All 
External class with sharing                    Shared       Shared            Shared
Trivia! 
In the code snippet below the class is defined without sharing and it queries the private account object. Assume the running user has no visibility to any account records. When invoking this class via the developer console, does the running user see any accounts? Explain why! 
public without sharing class queryPrivate { 
    public List<privateObject> p_list; 

    public queryPrivate() { 
        // The query runs in the sharing mode of this class (explicitly without sharing) 
        p_list = [SELECT Name FROM privateObject LIMIT 1]; 
        System.debug(p_list); 
    } 
}
Trivia (answered)! 
The developer console runs in user context, so sharing will be respected even if you call a class that is explicitly defined as without sharing. Fun! 
public without sharing class queryPrivate { 
    public List<privateObject> p_list; 

    public queryPrivate() { 
        // The query runs in the sharing mode of this class (explicitly without sharing) 
        p_list = [SELECT Name FROM privateObject LIMIT 1]; 
        System.debug(p_list); 
    } 
}
Recap - Basics 
FLS 
Sharing 
CRUD
Recap – Developer Tools 
Here are the developer methods we covered for respecting authorization: 
1. CRUD 
• Apex does not respect CRUD. Visualforce with a standard controller does respect CRUD. 
• Use Account.sObjectType.getDescribe().isAccessible() to enforce CRUD in Apex. 
2. FLS 
• Visualforce respects FLS for sObjects; Apex does not. 
• Use Schema.sObjectType.Account.fields.Name.isAccessible() to enforce FLS in Apex. 
• Use rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}" to enforce FLS in Visualforce. 
3. Sharing 
• By default, Apex does not respect sharing. 
• Use “with sharing” in the class definition to enforce sharing in Apex. 
• Best practice: Make all classes with sharing, make exceptions inner methods defined as without sharing.
Additional Resources 
• Secure Coding Guidelines - https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement 
• CRUD & FLS Enforcement Guide - https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS 
• Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security 
• Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden) 
• Security Office Hours (Partners) - http://security.force.com/security/contact/ohours
Slides + Demo 
• Get Slides Here: 
– DF Chatter Group – >> URL HERE<< 
– Security Essentials Success Community - >> URL HERE<< 
– @kylekyle Twitter – https://www.twitter.com/kylekyle 
• Want to play with our demo code? 
– Sign-up for a pre-configured trial here: >> URL HERE<<
Secure Development Sessions 
Secure Coding: Field-level Security, CRUD, and Sharing 
Monday, October 13 @ 11:00 a.m. - 11:40 a.m. 
Secure Coding: Storing Secrets in Your Salesforce Instance 
Monday, October 13 @ 2:00 p.m. - 2:40 p.m. 
Building Secure Mobile Apps 
Monday, October 13 @ 5:00 p.m. - 5:40 p.m. 
Protect Your Data Against Malicious Scripts 
Tuesday, October 14 @ 11:00 a.m. - 11:40 a.m. 
Secure Coding: External App Integration 
Wednesday, October 15 @ 9:00 a.m. - 9:40 a.m. 
Secure Coding: SSL, SOAP, and REST 
Thursday, October 16 @ 10:30 a.m. - 11:10 a.m. 
Announcements: 
• Force.com Code Scanner now supports Salesforce1 and JavaScript! Try it here: http://bit.ly/SF1Scanner 
• Chimera Web App Scanner alpha nominations are open. Partners apply at: http://bit.ly/SFChimera 
• Live security office hours are available in the Partner Zone.
Q&A
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
Salesforce Developers
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
Salesforce Developers
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
Salesforce Developers
 
Introduction to MuleSoft
Introduction to MuleSoftIntroduction to MuleSoft
Introduction to MuleSoft
Salesforce Developers
 
Modern App Dev: Modular Development Strategies
Modern App Dev: Modular Development StrategiesModern App Dev: Modular Development Strategies
Modern App Dev: Modular Development Strategies
Salesforce Developers
 

More from Salesforce Developers (20)

Sample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce DevelopersSample Gallery: Reference Code and Best Practices for Salesforce Developers
Sample Gallery: Reference Code and Best Practices for Salesforce Developers
 
Maximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component PerformanceMaximizing Salesforce Lightning Experience and Lightning Component Performance
Maximizing Salesforce Lightning Experience and Lightning Component Performance
 
Local development with Open Source Base Components
Local development with Open Source Base ComponentsLocal development with Open Source Base Components
Local development with Open Source Base Components
 
TrailheaDX India : Developer Highlights
TrailheaDX India : Developer HighlightsTrailheaDX India : Developer Highlights
TrailheaDX India : Developer Highlights
 
Why developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX IndiaWhy developers shouldn’t miss TrailheaDX India
Why developers shouldn’t miss TrailheaDX India
 
CodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local DevelopmentCodeLive: Build Lightning Web Components faster with Local Development
CodeLive: Build Lightning Web Components faster with Local Development
 
CodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web ComponentsCodeLive: Converting Aura Components to Lightning Web Components
CodeLive: Converting Aura Components to Lightning Web Components
 
Enterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web ComponentsEnterprise-grade UI with open source Lightning Web Components
Enterprise-grade UI with open source Lightning Web Components
 
TrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer HighlightsTrailheaDX and Summer '19: Developer Highlights
TrailheaDX and Summer '19: Developer Highlights
 
Live coding with LWC
Live coding with LWCLive coding with LWC
Live coding with LWC
 
LWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura InteroperabilityLWC Episode 3- Component Communication and Aura Interoperability
LWC Episode 3- Component Communication and Aura Interoperability
 
Lightning web components episode 2- work with salesforce data
Lightning web components   episode 2- work with salesforce dataLightning web components   episode 2- work with salesforce data
Lightning web components episode 2- work with salesforce data
 
Migrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCPMigrating CPQ to Advanced Calculator and JSQCP
Migrating CPQ to Advanced Calculator and JSQCP
 
Scale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in SalesforceScale with Large Data Volumes and Big Objects in Salesforce
Scale with Large Data Volumes and Big Objects in Salesforce
 
Replicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data CaptureReplicate Salesforce Data in Real Time with Change Data Capture
Replicate Salesforce Data in Real Time with Change Data Capture
 
Modern Development with Salesforce DX
Modern Development with Salesforce DXModern Development with Salesforce DX
Modern Development with Salesforce DX
 
Get Into Lightning Flow Development
Get Into Lightning Flow DevelopmentGet Into Lightning Flow Development
Get Into Lightning Flow Development
 
Integrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS ConnectIntegrate CMS Content Into Lightning Communities with CMS Connect
Integrate CMS Content Into Lightning Communities with CMS Connect
 
Introduction to MuleSoft
Introduction to MuleSoftIntroduction to MuleSoft
Introduction to MuleSoft
 
Modern App Dev: Modular Development Strategies
Modern App Dev: Modular Development StrategiesModern App Dev: Modular Development Strategies
Modern App Dev: Modular Development Strategies
 

Recently uploaded

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 

Recently uploaded (20)

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 

Secure Coding: Field-level Security, CRUD, and Sharing

  • 1. Secure Coding: Field-Level Security, CRUD, and Sharing. Kyle Tobener, Product Security Engineer (@KyleKyle); Maxwell Feldman, Product Security Engineer.
  • 3. No Photos Required… Slides and demos will be made available after the talk!
  • 4. Primary Topic Today: Authorization
    – We will be covering developer-oriented authorization topics on the Salesforce platform.
    – Specific features to cover include: FLS, CRUD, Sharing
    – Useful for anyone in the following areas: Salesforce Developers, Salesforce Partners, Salesforce Administrators
  • 5. What is Authorization? “Authorization dictates what a user is permitted to access.”
  • 6. Guiding Principle: Least Privilege “A person should only have access to the minimum amount of information required to accomplish their duties, ensuring that their ability to take advantage of excess privilege purposefully or accidentally is minimized.”
  • 7. A Note: Salesforce Contexts
    – User Context: the current user's authorization is respected.
    – System Context: the current user's authorization is ignored. This is done on purpose to allow more extensible and flexible coding, but it needs to be done properly!
  • 9. CRUD. What is CRUD? Create, Read, Update, Delete!
    » Controlled on the profile
    » Dictates user abilities object by object
  • 10. CRUD for Developers
    – Apex classes do not enforce CRUD. Why? System context.
    – Visualforce pages do enforce CRUD. Why? User context.
  • 11. Enforcing CRUD in Apex: <sObject>.sObjectType.getDescribe() exposes isCreateable(), isAccessible(), isUpdateable() and isDeletable().

      public class MyController {
          public String getMyAccount() {
              // Apex runs in system context, so the object-level read permission
              // (the R in CRUD) has to be checked explicitly before querying
              if (!Account.sObjectType.getDescribe().isAccessible()) {
                  return '';
              }
              // Completed here so the getter compiles: the slide ends at the check
              Account a = [SELECT Name FROM Account LIMIT 1];
              return a.Name;
          }
      }
  • 13. Trivia! "Which of the following Visualforce code patterns respect the R (read) in CRUD?"
    1. <apex:outputField value="{!sObject.Field__c}"/>
    2. <apex:outputText value="{!sObject.Field__c}"/>
    3. {!sObject.Field__c} (naked merge field)
    4. <apex:outputText value="{!Object.String}"/>
  • 14. Trivia (answered)! "Which of the following Visualforce code patterns respect the R (read) in CRUD?"
    1. <apex:outputField value="{!sObject.Field__c}"/>
    2. <apex:outputText value="{!sObject.Field__c}"/>
    3. {!sObject.Field__c} (naked merge field)
    4. <apex:outputText value="{!Object.String}"/>
  • 15. FLS
  • 16. FLS. What is FLS? Field-Level Security!
    » Controlled on the profile
    » Dictates which fields are visible to a user on a given object
  • 17. FLS for Developers
    – Apex classes do not enforce FLS. Why? System context.
    – Visualforce pages do enforce FLS (user mode). Exception: de-referenced fields.
      • {!Contact.Email} = yes
      • {!contactEmail} = NO
  • 18. Enforcing FLS in Apex: Schema.sObjectType.<sObject>.fields.<field> exposes isAccessible() and isUpdateable().

      public class MyController {
          public String getMyAccount() {
              // Field-level read permission on Account.Name, checked explicitly
              // because Apex does not enforce FLS on its own
              if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
                  return '';
              }
              // Completed here so the getter compiles: the slide ends at the check
              Account a = [SELECT Name FROM Account LIMIT 1];
              return a.Name;
          }
      }
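The two describe checks on slides 11 and 18 are normally used together, before every SOQL query and every DML statement a controller issues. The class below is an added example written for this page, not code from the slides: it enforces object-level CRUD and field-level FLS on the read, update and delete paths. Account with its Name and Phone fields are standard Salesforce objects and fields; the class, method and exception names are assumptions made for the example.

```apex
// Added example, not code from the slides: a controller that performs its own CRUD and
// FLS checks because Apex runs in system context. Account, Name and Phone are standard
// Salesforce objects/fields; the class, method and exception names are assumptions.
public with sharing class SecureAccountController {

    public class AccessDeniedException extends Exception {}

    // Read path: object-level CRUD check first, then an FLS check for every field queried.
    public static List<Account> getAccounts() {
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AccessDeniedException('Read access to Account is not permitted');
        }
        List<String> fieldsToRead = new List<String>{ 'Name', 'Phone' };
        if (!allFieldsAccessible(Schema.sObjectType.Account, fieldsToRead)) {
            throw new AccessDeniedException('One or more Account fields are not readable');
        }
        return [SELECT Id, Name, Phone FROM Account LIMIT 100];
    }

    // Update path: isUpdateable() on the object and on each field that will be written.
    public static void updatePhone(Id accountId, String newPhone) {
        if (!Schema.sObjectType.Account.isUpdateable()
                || !Schema.sObjectType.Account.fields.Phone.isUpdateable()) {
            throw new AccessDeniedException('Update of Account.Phone is not permitted');
        }
        Account a = new Account(Id = accountId, Phone = newPhone);
        update a;
    }

    // Delete path: CRUD only, since delete is an object-level permission.
    public static void deleteAccount(Id accountId) {
        if (!Schema.sObjectType.Account.isDeletable()) {
            throw new AccessDeniedException('Delete of Account is not permitted');
        }
        Account a = new Account(Id = accountId);
        delete a;
    }

    // Generic FLS helper: the describe map is keyed by lower-case field API name,
    // so the lookup normalises the requested names before checking each token.
    private static Boolean allFieldsAccessible(Schema.DescribeSObjectResult objDescribe,
                                               List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : fieldNames) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token == null || !token.getDescribe().isAccessible()) {
                return false;
            }
        }
        return true;
    }
}
```

Throwing on a denied check, rather than silently returning empty data, makes missing permissions visible in debug logs and test failures instead of hiding them. The helper generalises the single-field check from slide 18 to the whole field list of a query; the "with sharing" declaration covers record-level access, which CRUD and FLS checks do not.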
  • 20. When does the platform stop respecting FLS? When you assign from an sObject to a primitive!
    Apex:
      Random_Sensitive_Object_1__c r;      // sObject: the platform knows this field's FLS
      wRandom_Sensitive_Object_1 wR;       // wrapper class holding a plain primitive
      wR.Sensitive_Number = r.Sensitive_Number__c;   // the primitive carries no FLS metadata
    Visualforce:
      <apex:outputText value="{!r.Sensitive_Number__c}" />   <!-- FLS RESPECTED -->
      <apex:outputText value="{!wR.Sensitive_Number}" />     <!-- FLS IGNORED -->
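Because the wrapper's primitive carries no FLS metadata, the only place the check can live is the assignment itself. The class below is an added example for this page, not code from the slides: it builds the wrapper from slide 20 and copies the sensitive field only when the running user's profile can read it. Random_Sensitive_Object_1__c and Sensitive_Number__c are the names used on the slide; the field type (a Number, so Decimal in Apex) and the wrapper, builder and property names are assumptions.

```apex
// Added example, not code from the slides: when an sObject field is copied into a
// primitive on a wrapper class, the platform can no longer apply FLS to it in
// Visualforce, so the check must happen at the assignment. Random_Sensitive_Object_1__c
// and Sensitive_Number__c are the names from the slide; the field is assumed to be a
// Number (Decimal), and the wrapper, builder and property names are assumptions.
public with sharing class SensitiveWrapperBuilder {

    // Plain primitives: {!wR.sensitiveNumber} in Visualforce carries no FLS metadata.
    public class SensitiveWrapper {
        public Id recordId;
        public Decimal sensitiveNumber;
        public Boolean sensitiveNumberVisible;
    }

    // Build one wrapper per record, copying the sensitive field only if the running
    // user's profile grants read access to it. The describe check is done once, not per row.
    public static List<SensitiveWrapper> build(List<Random_Sensitive_Object_1__c> records) {
        Boolean canRead = Schema.sObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Number__c.isAccessible();
        List<SensitiveWrapper> result = new List<SensitiveWrapper>();
        for (Random_Sensitive_Object_1__c r : records) {
            SensitiveWrapper wR = new SensitiveWrapper();
            wR.recordId = r.Id;
            wR.sensitiveNumberVisible = canRead;
            // The sObject-to-primitive assignment happens only behind the FLS check
            wR.sensitiveNumber = canRead ? r.Sensitive_Number__c : null;
            result.add(wR);
        }
        return result;
    }
}
```

The boolean on the wrapper lets the page hide the column as well as the value (for example by binding an outputText's rendered attribute to it), so a user without the permission sees neither the number nor an empty cell that reveals the field exists.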
  • 21. Trivia! "We showed you how to respect FLS read permissions in Apex. Which one of the following would allow you to respect the FLS read permission in Visualforce?"
    1. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.isAccessible}"
    2. rendered="{!$ObjectType.CustomObject__c.CustomField__c.isAccessible()}"
    3. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}"
    4. rendered="{!$ObjectType.CustomObject__c.CustomField__c}"
  • 22. Trivia (answered)! "We showed you how to respect FLS read permissions in Apex. Which one of the following would allow you to respect the FLS read permission in Visualforce?"
    1. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.isAccessible}"
    2. rendered="{!$ObjectType.CustomObject__c.CustomField__c.isAccessible()}"
    3. rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}"
    4. rendered="{!$ObjectType.CustomObject__c.CustomField__c}"
  • 24. Sharing. What is Sharing? Record-level access!
    » Controlled outside the profile via org-wide defaults, roles, ownership, and sharing rules.
    » Dictates which records of an object a user can see.
  • 25. Sharing for Developers
    – Apex classes do not enforce sharing (by default). Why? System context.
    – Visualforce pages do not enforce sharing; they rely on the controller for record access.
    – Exception: standard controllers enforce sharing.
  • 26. Enforcing Sharing in Apex: use the "with sharing" keywords.
    – Default is without sharing.
    – Invoked classes respect their defined sharing. If no sharing is defined, they inherit sharing from the invoking parent.

      public with sharing class MyController {
          // ... with sharing is applied here ...
          public without sharing class MyInnerClass {
              // ... sharing is not applied to this class ...
          }
      }
  • 28. Sharing Behavior Recap. Rows: the code being invoked. Columns: the sharing declaration of the invoking (outer or calling) class. "All" = all records returned; "Shared" = only records the running user can see.

      Invoked code                      No sharing   Without sharing   With sharing
      Inner method (no sharing)         All          All               Shared
      Inner class (no sharing)          All          All               Shared
      Inner class without sharing       All          All               All
      Inner class with sharing          Shared       Shared            Shared
      External class (no sharing)       All          All               Shared
      External class without sharing    All          All               All
      External class with sharing       Shared       Shared            Shared
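Slides 26 and 28 together give the design rule the recap states later: declare every class "with sharing" and isolate the rare operation that must see all records in a "without sharing" inner class, so the bypass is explicit and the rest of the class keeps the caller's record visibility. The service below is an added example for this page, not code from the slides; Account is a standard object, and the class and method names are assumptions.

```apex
// Added example, not code from the slides: the recap's best practice (every class
// "with sharing", exceptions isolated as "without sharing" inner classes) applied to a
// small service. Account is a standard object; the class and method names are assumptions.
public with sharing class AccountService {

    // Runs with the caller's record visibility: returns only accounts the running user can see.
    public static List<Account> listVisibleAccounts(Integer maxRows) {
        if (!Schema.sObjectType.Account.isAccessible()) {
            return new List<Account>();
        }
        return [SELECT Id, Name FROM Account ORDER BY Name LIMIT :maxRows];
    }

    // The one operation that must not depend on who is asking: an org-wide count for a
    // dashboard. Keeping it in a dedicated inner class makes the bypass explicit and easy
    // to find in review; per the slide 28 table, an inner class declared "without sharing"
    // returns all records regardless of the outer class's declaration.
    private without sharing class OrgWideCounter {
        public Integer countAll() {
            return [SELECT COUNT() FROM Account];
        }
    }

    public static Integer countAllAccounts() {
        // CRUD still applies here; only record-level sharing is bypassed by the inner class
        if (!Schema.sObjectType.Account.isAccessible()) {
            return 0;
        }
        return new OrgWideCounter().countAll();
    }
}
```

Note what the inner class does and does not change: it widens record-level visibility only, so the object-level CRUD check in countAllAccounts() is still needed, and nothing else in AccountService runs without sharing. An inner class with no sharing keyword would instead inherit "with sharing" from AccountService, as the middle row of the slide 28 table shows.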
  • 29. Trivia! In the code snippet below the class is defined without sharing and it queries the private account object. Assume the running user has no visibility to any account records. When invoking this class via the developer console, does the running user see any accounts? Explain why!

      public without sharing class queryPrivate {
          public List<privateObject> p_list;
          // The query is placed in the constructor so the class compiles; the slide shows it at class level
          public queryPrivate() {
              p_list = [SELECT Name FROM privateObject LIMIT 1];
              System.debug(p_list);
          }
      }
  • 30. Trivia (answered)! The developer console runs in user context, so sharing will be respected even if you call a class that is explicitly defined as without sharing. Fun!

      public without sharing class queryPrivate {
          public List<privateObject> p_list;
          // The query is placed in the constructor so the class compiles; the slide shows it at class level
          public queryPrivate() {
              p_list = [SELECT Name FROM privateObject LIMIT 1];
              System.debug(p_list);
          }
      }
  • 31. Recap - Basics: FLS, Sharing, CRUD
  • 32. Recap – Developer Tools. Here are the developer methods we covered for respecting authorization:
    1. CRUD
      • Apex does not respect CRUD. Visualforce with a standard controller does respect CRUD.
      • Use Account.sObjectType.getDescribe().isAccessible() to enforce CRUD in Apex.
    2. FLS
      • Visualforce respects FLS for sObjects; Apex does not.
      • Use Schema.sObjectType.Account.fields.Name.isAccessible() to enforce FLS in Apex.
      • Use rendered="{!$ObjectType.CustomObject__c.fields.CustomField__c.Accessible}" to enforce it in Visualforce.
    3. Sharing
      • By default, Apex does not respect sharing.
      • Use "with sharing" in the class definition to enforce sharing in Apex.
      • Best practice: make all classes with sharing; make exceptions inner methods defined as without sharing.
  • 33. Additional Resources
    • Secure Coding Guidelines - https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement
    • CRUD & FLS Enforcement Guide - https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS
    • Salesforce StackExchange - http://salesforce.stackexchange.com/questions/tagged/security
    • Developer.Salesforce.com Security Forum - https://developer.salesforce.com/forums (full link hidden)
    • Security Office Hours (Partners) - http://security.force.com/security/contact/ohours
  • 34. Slides + Demo
    • Get Slides Here:
      – DF Chatter Group – >> URL HERE<<
      – Security Essentials Success Community - >> URL HERE<<
      – @kylekyle Twitter – https://www.twitter.com/kylekyle
    • Want to play with our demo code? Sign-up for a pre-configured trial here: >> URL HERE<<
  • 35. Secure Development Sessions
    – Secure Coding: Field-level Security, CRUD, and Sharing. Monday, October 13 @ 11:00 a.m. - 11:40 a.m.
    – Secure Coding: Storing Secrets in Your Salesforce Instance. Monday, October 13 @ 2:00 p.m. - 2:40 p.m.
    – Building Secure Mobile Apps. Monday, October 13 @ 5:00 p.m. - 5:40 p.m.
    – Protect Your Data Against Malicious Scripts. Tuesday, October 14 @ 11:00 a.m. - 11:40 a.m.
    – Secure Coding: External App Integration. Wednesday, October 15 @ 9:00 a.m. - 9:40 a.m.
    – Secure Coding: SSL, SOAP, and REST. Thursday, October 16 @ 10:30 a.m. - 11:10 a.m.
    Announcements:
    – Force.com Code Scanner now supports Salesforce1 and JavaScript! Try it here: http://bit.ly/SF1Scanner
    – Chimera Web App Scanner alpha nominations are open. Partners apply at: http://bit.ly/SFChimera
    – Live security office hours are available in the Partner Zone.
  • 36. Q&A

Editor's Notes

  1. Key Takeaway: We are a publicly traded company. Please make your buying decisions only on the products commercially available from Salesforce.com. Talk Track: Before I begin, just a quick note that when considering future developments, whether by us or with any other solution provider, you should always base your purchasing decisions on what is currently available.
  2. What does this mean for Salesforce? Configuring the authorization model such that every user can do their job, but no more.