Secure Salesforce: CRUD, FLS, and Sharing
Daphne Kao
Senior Product Security Engineer
@daphnekao
Ryan Flood
Associate Product Security Engineer
Secure Salesforce at Dreamforce 2015
10 DevZone Talks and 2 Lightning Zone Talks covering all aspects of Security on the Salesforce Platform
Visit our booth in the DevZone with any security questions
Check out the schedule and details at http://bit.ly/DF15Sec
Admin-related security questions?
Join us for coffee in the Admin Zone Security Cafe
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Safe Harbor
Background
Principle of Least Privilege
• Users should only have access to the minimum amount of information required to accomplish their duties, ensuring their ability to take advantage of excess privilege purposefully or accidentally is minimized.
Contexts
• User context: Enforces user permissions, field-level security, and sharing rules of the current user.
• System context: Ignores user permissions, field-level security, and sharing rules of the current user.
CRUD
What is CRUD?
Create, Read, Update, Delete
• Defines user’s access for each object
• Controlled on the profile
CRUD for Developers
Apex classes do not enforce CRUD
• Runs in system context
Visualforce pages enforce CRUD
• Runs in user context
Enforcing CRUD in Apex
<sObject>.sObjectType.getDescribe()
• isCreateable()
• isAccessible()
• isUpdateable()
• isDeletable()
```apex
public class MyController {
    public String getmyAccount() {
        // CRUD check: return nothing if the current user cannot read Account
        if (!Account.sObjectType.getDescribe().isAccessible()) {
            return '';
        }
        // ... (rest of the getter is not shown on the slide)
    }
}
```
Enforcing CRUD in Visualforce
Visualforce code patterns that respect read in CRUD:
1. <apex:outputField value="{!sObject.Field__c}"/>
2. <apex:outputText value="{!sObject.Field__c}"/>
3. {!sObject.Field__c}
Visualforce code pattern that does not respect read:
1. <apex:outputText value="{!Object.String}"/>
CRUD Demo
Best Practices and Q&A for CRUD
• Always check CRUD permissions before performing the operation.
FLS
What is FLS?
Field-Level Security
• Defines user’s access to fields on a given object
• Controlled on the profile
FLS for Developers
Apex classes do not enforce FLS
• Runs in system context
Visualforce pages enforce FLS
• Runs in user context
• Does not enforce FLS for dereferenced fields
  • {!Contact.Email} = yes
  • {!contactEmail} = no
Enforcing FLS in Apex
Schema.sObjectType.<sObject>.fields.<field>
• isAccessible()
• isUpdateable()
```apex
public class MyController {
    public String getmyAccount() {
        // FLS check: return nothing if the current user cannot read Account.Name
        if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
            return '';
        }
        // ...
    }
}
```
When does the Platform stop respecting FLS?
When sObject is assigned a primitive
Apex:
```apex
Random_Sensitive_Object_1__c r; // Salesforce sObject
wRandom_Sensitive_Object_1 wR;  // Custom wrapper object
wR.Sensitive_Number = r.Sensitive_Number__c;
```
Visualforce:
```xml
<apex:OutputText value="{!r.Sensitive_Number__c}" /> <!-- FLS RESPECTED -->
<apex:OutputText value="{!wR.Sensitive_Number}" /> <!-- FLS IGNORED -->
```
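One way to keep a wrapper from leaking the field, as an added example that is not part of the original slides: the FLS check is done in Apex before the value is copied into the primitive. The object, field and wrapper names come from the slide; `SensitiveListController`, `getRows()` and the `Decimal` field type are assumptions.

```apex
// Added example. Object, field and wrapper names are taken from the slide;
// SensitiveListController, getRows() and the Decimal field type are assumptions.
public with sharing class SensitiveListController {

    // Wrapper that holds a primitive copy of the field. Visualforce cannot
    // apply FLS to {!row.Sensitive_Number}, so the check must happen here.
    public class wRandom_Sensitive_Object_1 {
        public String Name { get; private set; }
        public Decimal Sensitive_Number { get; private set; }

        public wRandom_Sensitive_Object_1(Random_Sensitive_Object_1__c r, Boolean canReadNumber) {
            this.Name = r.Name;
            // Copy the value only when the running user's FLS allows reading it.
            this.Sensitive_Number = canReadNumber ? r.Sensitive_Number__c : null;
        }
    }

    public List<wRandom_Sensitive_Object_1> getRows() {
        List<wRandom_Sensitive_Object_1> rows = new List<wRandom_Sensitive_Object_1>();

        // CRUD: no read access to the object means no rows at all.
        if (!Schema.sObjectType.Random_Sensitive_Object_1__c.isAccessible()) {
            return rows;
        }

        // FLS: evaluate once for the running user, then apply to every record.
        Boolean canReadNumber =
            Schema.sObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Number__c.isAccessible();

        for (Random_Sensitive_Object_1__c r :
                [SELECT Name, Sensitive_Number__c FROM Random_Sensitive_Object_1__c LIMIT 200]) {
            rows.add(new wRandom_Sensitive_Object_1(r, canReadNumber));
        }
        return rows;
    }
}
```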
FLS Demo
Best Practices and Q&A for FLS
• Use sObject references whenever possible.
• Iterate through your list of fields and check FLS for each field.
Sharing
What is Sharing?
Record-level access
• Dictates which records of an object a user can see
• Controlled outside the profile via org-defaults, roles, ownership, and sharing rules
Sharing for Developers
Apex classes do not enforce sharing by default
• Runs in system context
• Exceptions: Anonymous code blocks, developer console, and standard controllers execute in user context
Visualforce pages depend on controllers for record access
Enforcing Sharing in Apex
• Default behavior is without sharing. Use with sharing keyword to enforce sharing.
• If a class isn’t declared as either with or without sharing, the current sharing rules remain in effect.
• The sharing setting of the class where the method is defined is applied, not of the class where the method is called.
```apex
public with sharing class MyController {
    // Code enforces current user's sharing rules
    public without sharing class MyInnerClass {
        // Code doesn't enforce current user's sharing rules
    }
}
```
Sharing Demo
Best Practices and Q&A for Sharing
• Sharing keywords don’t enforce CRUD and FLS.
• Explicitly declare with sharing or without sharing for all classes in your code.
• If you must use without sharing, document the reasoning in a comment block.
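The practices above ("check CRUD before the operation", "iterate through your list of fields and check FLS for each field", "explicitly declare with sharing") combined in one helper, as an added example that is not code from the slides. `SecureQuery`, `selectReadable` and `AccessException` are hypothetical names; the describe calls are the ones the slides list.

```apex
// Added example (not from the slides). Class and method names are hypothetical.
// "with sharing" covers record access; CRUD and FLS are checked explicitly
// because sharing keywords do not enforce them.
public with sharing class SecureQuery {

    public class AccessException extends Exception {}

    // Returns up to maxRows records containing only the requested fields
    // that the running user is allowed to read.
    public static List<SObject> selectReadable(Schema.SObjectType objType,
                                               List<String> fieldNames,
                                               Integer maxRows) {
        Schema.DescribeSObjectResult objDesc = objType.getDescribe();

        // CRUD: object-level read permission.
        if (!objDesc.isAccessible()) {
            throw new AccessException('No read access to ' + objDesc.getName());
        }

        // FLS: check every requested field, keep only the readable ones.
        Map<String, Schema.SObjectField> fieldMap = objDesc.fields.getMap();
        List<String> readable = new List<String>();
        for (String fieldName : fieldNames) {
            Schema.SObjectField token = fieldMap.get(fieldName.toLowerCase());
            if (token == null) {
                throw new AccessException('Unknown field: ' + fieldName);
            }
            Schema.DescribeFieldResult fieldDesc = token.getDescribe();
            if (fieldDesc.isAccessible()) {
                // Use the name from the describe result, never the caller's string.
                readable.add(fieldDesc.getName());
            }
        }
        if (readable.isEmpty()) {
            return new List<SObject>();
        }

        // Sharing: this query runs with the user's record-level access
        // because the class is declared "with sharing".
        String soql = 'SELECT ' + String.join(readable, ', ')
                    + ' FROM ' + objDesc.getName()
                    + ' LIMIT ' + maxRows;
        return Database.query(soql);
    }
}
```

A caller would use it as `SecureQuery.selectReadable(Account.sObjectType, new List<String>{ 'Name', 'Phone' }, 50)`; fields the user cannot read are simply absent from the query.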
Summary
Developer practices for respecting authorization model
CRUD
• Object-level permission. Should the user have access to this object?
FLS
• Field-level permission. Should the user have access to this field?
Sharing
• Record-level permission. Should the user have access to this record?
Additional Resources
• Security Implementation Guide: https://developer.salesforce.com/././securityImplGuide/ (full link hidden)
• CRUD & FLS Enforcement Guide: https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS
• Testing CRUD and FLS Enforcement: https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement
• Using with sharing or without sharing Keywords: https://developer.salesforce.com/./././apex_classes_keywords_sharing (full link hidden)
• Salesforce StackExchange: http://salesforce.stackexchange.com/questions/tagged/security
• Salesforce Developer Security Forum: https://developer.salesforce.com/forums
• Security Office Hours (Partners): http://security.force.com/security/contact/ohours
Thank you