Enforcing FLS and CRUD in Salesforce

By: Abhinav Mishra On: August 3, 2020

Enforcing FLS and CRUD in Salesforce

Field-level security in salesforce let you restrict users’ access to view and edit specific fields. The field level security can be judged using the operation create, read, update and delete i.e CRUD.

Apex in salesforce doesn’t respect CRUD & FLS. Its is because most of the processes that a developer has to implement in Apex have to surpass CRUD & FLS.

It is left to the developer the responsibility of managing CRUD & FLS in Apex as per requirements. Depending on how your custom applications render and process data, unauthorized users have the potential to access and modify data that they shouldn’t. So FLS should be enforced when required.

The DescribeSObjectResult class includes a number of helper functions that you can use to verify a user’s level of access and prevent data from being inadvertently exposed or modified.

  • IsCreateable()
  • IsAccessible()
  • IsUpdateable()
  • IsDeleteable()

IsCreateable()

Before you insert a record in the database, you can have a check that the logged-in user has both “Edit” permission on the field and “Create” permission on the object. You can check both permissions by checking if the particular field isCreateable().

if (!Schema.sObjectType.Account.fields.Name.isCreateable()){
    System.debug('Insufficient Permissions');
  }
  Account ac = new Account(Name='Test');
  insert ac;

IsAccessible()

Before you retrieve a field from an object, you want to verify that the logged-in user has permission to access the field by checking if the field isAccessible().

if (!Schema.sObjectType.Opportunity.fields.ExpectedRevenue.isAccessible()){
      System.debug('Insufficient Accessiblity Permissions');
    }
    Opportunity [] myList = [SELECT ExpectedRevenue FROM Opportunity LIMIT 1000];

IsUpdateable()

Before you update a record, you have to check if the logged-in user has “Edit” permission for the field and the object. You can check for both permissions by checking if the particular field isUpdateable().

if (!Schema.sObjectType.Opportunity.fields.StageName.isUpdateable()){
        System.debug('Insufficient Permissions');
      }
      o.StageName=Closed Won;
      update o;

IsDeleteable()

To enforce “delete” access restrictions, use the isDeleteable() function before your code performs a delete database operation.

if (Opportunity.sObjectType.getDescribe().isDeleteable()){
        delete l;
      }

Note- Since you delete records in SOQL and do not delete fields, you need to check only the user’s CRUD access to the object.

See More Articles

External Services In Salesforce
Abhinav Mishra

February 28, 2021

Conditional Rendering in LWC
Abhinav Mishra

October 18, 2020

Wedgecommerce Live Agent Integration
Himanshu Dangwal

September 1, 2020

Leave A Reply

Please verify that you are not a robot.

Company

Products

Contact Us

Webkul Software Pvt. Ltd.
H-28, 2nd floor, ARV Park,
Sector 63, Noida,
Uttar Pradesh 201301 (India)

Connect With Us

Wedgcommerce is a fully-owned subsidiary of Webkul, a leading provider of e-commerce solutions.

Tell us about Your Company

How can we help you with your business?




    Message Sent!

    If you have more details or questions, you can reply to the received confirmation email.

    Back to Home