Understanding Salesforce stripInaccessible for Security and Permissions Management

November 23, 2024


Salesforce provides a powerful toolset for developers to manage and enforce security on data, ensuring that users only access the fields and records they are permitted to. One such feature is Security.stripInaccessible, which helps developers control access to sensitive data based on a user's permissions.

In this blog, we will explore the Security.stripInaccessible method, how it helps manage field-level security, and provide examples of its usage.

What is Security.stripInaccessible?

The Security.stripInaccessible method in Salesforce lets developers sanitize records before operations such as displaying, updating, or inserting them. It ensures the records contain only the fields the current user can access, as defined by the profile permissions or permission sets that make up the user's field-level security settings.

This is important because, even if a user has access to certain records, they may not be allowed to see or interact with specific fields. Using Security.stripInaccessible, developers can programmatically remove these fields from records, preventing unauthorized access.

Key Features of Security.stripInaccessible

1. Field-Level Security Enforcement: It respects the field-level security (FLS) of the user making the request, automatically removing any fields the user cannot access.

2. Access Types: The method works with different access types:

READABLE: Removes fields the user cannot view.

CREATABLE: Removes fields the user cannot write to when creating records.

UPDATABLE: Removes fields the user cannot modify when updating records.

3. Data Integrity: It helps maintain the integrity of data operations by ensuring that only allowed fields are included in DML operations (e.g., insert, update).

4. Customizable Security: Developers can fine-tune the data returned based on the permissions of the logged-in user.

How Does Security.stripInaccessible Work?

The Security.stripInaccessible method requires two parameters:

1. AccessType: Specifies the type of access control you want to apply, such as READABLE, CREATABLE, or UPDATABLE.

2. SObject List: A list of records (e.g., List<Contact>) that you want to sanitize based on the user's access level. The method returns a decision object; its getRecords() method gives the sanitized list of records that respect the user's field-level access rights.

Example: Using Security.stripInaccessible in Different Scenarios

Let's walk through the code snippets below and see how Security.stripInaccessible is used in different scenarios.

1. Read-Only Data - READABLE

When retrieving data, you often need to ensure that only the fields a user can view are included in the results.

StripInaccessibleExampleREADABLE.apxc

    public with sharing class StripInaccessibleExampleREADABLE {
        public static void readableContacts() {
            // Retrieve Contact records
            List<Contact> contacts = [
                SELECT Id, FirstName, LastName, Email, Phone
                FROM Contact
                LIMIT 5
            ];

            // Sanitize records to remove fields the user cannot READ
            List<SObject> sanitizedContacts = Security.stripInaccessible(
                AccessType.READABLE,
                contacts
            ).getRecords();

            // Log the sanitized records
            System.debug('Sanitized Contacts for Display: ' + sanitizedContacts);
        }
    }

In this example, the Security.stripInaccessible(AccessType.READABLE, contacts) ensures that only the fields the current user has permission to view (as per their profile) are included in the sanitizedContacts list. Sensitive fields like Phone might be excluded if the user does not have permission to view them.

2. Creating Data - CREATABLE

When inserting new records, Salesforce ensures that only fields the user is allowed to create or populate are included. This is useful when you want to respect field-level security during DML operations.

StripInaccessibleExampleCREATABLE.apxc

    public with sharing class StripInaccessibleExampleCREATABLE {
        public static void creatableContacts() {
            // Prepare new Contact records (sample values, not real data)
            List<Contact> newContacts = new List<Contact>{
                new Contact(FirstName = 'John', LastName = 'Doe',
                            Email = 'john.doe@example.com', Phone = '123-456-7890'),
                new Contact(FirstName = 'Jane', LastName = 'Smith',
                            Email = 'jane.smith@example.com', Phone = '987-654-3210')
            };

            // Sanitize records to keep only fields the user can CREATE
            List<SObject> sanitizedContacts = Security.stripInaccessible(
                AccessType.CREATABLE,
                newContacts
            ).getRecords();

            // Perform the DML operation on the sanitized copies, not the original list
            try {
                insert sanitizedContacts;
                System.debug('Sanitized Contacts Inserted Successfully.');
                System.debug('Sanitized Contacts Inserted: ' + sanitizedContacts);
            } catch (Exception e) {
                System.debug('Error during Contact creation: ' + e.getMessage());
            }
        }
    }

Here, Security.stripInaccessible(AccessType.CREATABLE, newContacts) ensures that only the fields the user is allowed to populate on creation end up in the sanitizedContacts list that is inserted. For example, if a user does not have permission to fill in the Phone field, it will not be included in the sanitized records during insertion.

3. Updating Data - UPDATABLE

Similar to creating records, updating data must respect the user's field-level access to ensure that only the fields they can modify are included in the update operation.

In this case, Security.stripInaccessible(AccessType.UPDATABLE, contacts) ensures that only the fields the user has permission to update are included in the sanitizedContacts list. For instance, if a user cannot modify the Phone field, the sanitized version of the record will not include it, and the update operation will leave Phone unchanged.
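The original post gives no listing for the UPDATABLE case, so the class below is an added example in the same shape as the two listings above; it is not the author's code. It assumes the same Contact fields and a hypothetical class name, StripInaccessibleExampleUPDATABLE. Unlike the earlier listings it keeps the decision object returned by stripInaccessible and calls getRemovedFields() on it, so the log shows which fields FLS stripped. That is the check you want when an update appears to succeed but a field silently never changes. The update is issued on getRecords(), because stripInaccessible returns new sObject copies and leaves the original contacts list untouched.

```apex
public with sharing class StripInaccessibleExampleUPDATABLE {
    public static void updatableContacts() {
        // Retrieve Contact records; "with sharing" applies record-level sharing to the query
        List<Contact> contacts = [
            SELECT Id, FirstName, LastName, Email, Phone
            FROM Contact
            LIMIT 5
        ];

        // Constructed changes: set a field the user may not be allowed to edit
        for (Contact c : contacts) {
            c.Phone = '555-0100';                 // sample value, not real data
            c.Email = 'updated@example.com';      // sample value, not real data
        }

        // Keep the decision object rather than calling getRecords() immediately,
        // so the stripped fields can be inspected as well
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE,
            contacts
        );

        // Log every field FLS removed, keyed by object type name (e.g. 'Contact')
        Map<String, Set<String>> removed = decision.getRemovedFields();
        for (String objectName : removed.keySet()) {
            System.debug('Fields stripped from ' + objectName + ': ' + removed.get(objectName));
        }

        // Update the sanitized copies, NOT the original list: getRecords() returns
        // new sObject instances and "contacts" still carries the unstripped values
        List<SObject> sanitizedContacts = decision.getRecords();
        try {
            update sanitizedContacts;
            System.debug('Sanitized Contacts Updated: ' + sanitizedContacts);
        } catch (DmlException e) {
            System.debug('Error during Contact update: ' + e.getMessage());
        }
    }
}
```

If the running user lacks update access to Phone, the debug log shows Phone under 'Contact' in the removed-fields map and the update still succeeds for the remaining fields; writing `update contacts` instead of `update sanitizedContacts` would bypass the stripping entirely.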

Managing Permissions at the Profile Level

To see the stripping in action, you can remove permission for the Phone field from the System Administrator profile. This is done through the profile settings in Salesforce. Here's how you can manage field-level security (FLS):

1. Go to Setup in Salesforce.

2. Under Profiles, select the System Administrator profile (or any other profile you want to modify).

3. In the Field-Level Security section, find the Phone field under the Contact object.

4. Uncheck the Visible box for the Phone field to remove visibility for the profile.

Once the field is no longer visible to the profile, the Security.stripInaccessible method will automatically respect this restriction, and the Phone field will be excluded from the sanitizedContacts list in the examples above.
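Rather than relying on debug logs to confirm the profile change, a unit test can run the READABLE path as a user on a given profile and compare the result with the describe information for the same field. The test class below is an added example and not part of the original post. It assumes a profile named 'Standard User' exists in the org (it does by default) and that you have set the Phone field's visibility on that profile however you intend; it does not hard-code either outcome, but asserts that stripInaccessible() and isAccessible() agree, so it passes whichever way the permission is set and fails only if the two disagree.

```apex
@IsTest
private class StripInaccessibleReadableTest {

    // Builds an in-memory user on the given profile; System.runAs does not
    // require the user to be inserted, so no setup-object DML is needed
    private static User buildUser(String profileName) {
        Profile p = [SELECT Id FROM Profile WHERE Name = :profileName LIMIT 1];
        return new User(
            Alias = 'striptst',
            Email = 'strip.test@example.com',
            EmailEncodingKey = 'UTF-8',
            LastName = 'StripTester',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            ProfileId = p.Id,
            TimeZoneSidKey = 'America/Los_Angeles',
            UserName = 'strip.test.' + System.currentTimeMillis() + '@example.com'
        );
    }

    @IsTest
    static void phoneIsStrippedExactlyWhenNotVisible() {
        // Assumption: the 'Standard User' profile exists; swap in the profile you changed
        User restricted = buildUser('Standard User');

        System.runAs(restricted) {
            // Constructed record, never inserted: stripInaccessible works on in-memory sObjects
            Contact c = new Contact(
                FirstName = 'Test', LastName = 'Contact',
                Email = 'test.contact@example.com', Phone = '555-0199'
            );

            SObjectAccessDecision decision = Security.stripInaccessible(
                AccessType.READABLE,
                new List<Contact>{ c }
            );
            Contact sanitized = (Contact) decision.getRecords()[0];

            // Describe is the ground truth for the running user's FLS
            Boolean phoneVisible = Schema.sObjectType.Contact.fields.Phone.isAccessible();

            // Phone survives in the sanitized copy exactly when the user can read it
            System.assertEquals(phoneVisible, sanitized.isSet('Phone'),
                'Phone presence in sanitized record must match FLS');

            // getRemovedFields() must report the same outcome
            Set<String> removed = decision.getRemovedFields().get('Contact');
            Boolean phoneRemoved = removed != null && removed.contains('Phone');
            System.assertEquals(!phoneVisible, phoneRemoved,
                'getRemovedFields() must list Phone exactly when it was stripped');

            // The original record is never modified by stripInaccessible
            System.assertEquals('555-0199', c.Phone);
        }
    }
}
```

Running this test on the profile you edited in the steps above gives a repeatable check that the FLS change is actually enforced by the code path, independent of what the debug output happens to show.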

Conclusion

The Security.stripInaccessible method is a crucial tool for developers to ensure data security and compliance with Salesforce's robust security model. By stripping inaccessible fields based on user permissions, developers can prevent unauthorized access to sensitive data, maintain data integrity, and ensure smooth operations across different objects and user profiles.

By leveraging this method along with field-level security, you can significantly enhance the security of your Salesforce application while maintaining flexibility in how users interact with data.
