Summer ’20 Security Alert that Affects All Orgs
Salesforce has recently made Security Alerts much easier to find. They can be located by navigating to Setup > Quick Find > Security Alerts, or through the new Release Updates (Beta) page. The alert we are bringing to your attention here is “Review Permission and Access Changes in the Summer ’20 Release”. Read on to find out more.
What are the Details?
This alert applies to all orgs. According to the notice, your org is affected because “this release contains security enhancements for certain features. These changes can affect the default access that users have to those features, which could result in a loss of access and disrupted functionality”. The notice goes on to list the specific permission changes that could impact your org, and encourages System Admins to take some time to explore how their users may be affected.
Checking in on Specific Features
If one of your sandboxes is on a preview instance, it is recommended that you explore how these changes affect your company there before the release is live in production. If none of your sandboxes are on a preview instance, you will unfortunately have to do that exploration once the release is live. You can still prepare now, however: list the affected features below in a spreadsheet, along with the users, profiles and permission sets that touch each one, so that you can assess your org quickly on release day rather than logging in to find a plethora of permissions-related cases. Let’s look more specifically at the permission changes from the Summer ’20 Release Notes.
Permission Changes for Sales Cloud
To access Duplicate Management (duplicate rules, duplicate jobs, matching rules and matching criteria) through the API, users must now have the “View Setup and Configuration” permission. Email changed as well: access to email domain filters in the API is now “limited to authenticated users with the Email Administration, Customize Application, and View Setup and Configuration permissions”, and “access to org-wide email addresses for user profiles is limited to authenticated users”. In other words, users need additional permissions to retain the access they previously had to Duplicate Management and to these email settings. Enterprise Territory Management is restricted along a different axis, with a few features limited to standard and partner users only.
Permission Changes for Service Cloud
For Service Cloud, there were changes to Entitlements and Milestones, and to Linked Articles. Specific parts of Entitlements and Milestones are limited to Salesforce Admins, users with object access to Cases, Entitlements, and Work Orders, and users with the “View Setup and Configuration” permission. Linked articles are “limited to users with access to the parent record linked to the knowledge article”.
Permission Changes for Customization Features
Salesforce released a hefty list of changes for this one. Muting permission sets, which let you “mute” individual permissions within a permission set group for easier and more secure adjustments, are now limited to users with the “View Setup and Configuration, Manage Session Permission Set Activations or Assign Permission Sets permission”. The “View Setup and Configuration” permission is also required to access a host of settings, layout assignments, object permissions, and even record types, as well as to view Permission Set License Assignments and profile layout and record type visibility. System Admins usually have this permission, but it is worth checking any Delegated Administrators you may have, since their profiles and permission sets may not grant it. There are also changes to sharing of object records, and to access to User Roles and the role hierarchy.
Permission Changes for Security Features
To access the LogoutEventStream object, users must have the “Customize Application” permission. To access the SAML Single Sign-On Configuration, users need either the “View Setup and Configuration” permission or the combination of “Customize Application” and “Modify All Data”.
Permission Changes for Visualforce Pages
For both Lightning and Classic UI, access to ApexPageInfo is “limited to users who can view the specific Visualforce page, and users with the View Setup and Configuration permission”.
How to Prepare your Org for the Security Changes in Summer ‘20
On the Security Alert, select “Get Started” to begin the review steps. Using the information in this article together with the release notes will better prepare you for the Summer ’20 release. The common thread in the changes above is that “View Setup and Configuration” now gates access to objects and functionality that did not previously require it, so users who reached those features through other permissions alone will lose access unless it is granted to them.
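The spreadsheet assessment described earlier, carried out in code, as an added example that is not part of the original post or of anything Salesforce ships. It assumes you have exported PermissionSetAssignment rows (with the Salesforce CLI or Workbench, for instance) using the SOQL query in the docstring and flattened each row to one dict; the rows in SAMPLE_ROWS are constructed sample data in that shape, not output from a real org. The rules in ACCESS_RULES are a distillation of the release-note bullets quoted in this article for Duplicate Management, muting permission sets, SAML Single Sign-On Configuration and LogoutEventStream; they are not an official list. The point the code makes that a profile-only spreadsheet misses is that Salesforce evaluates the union of a user’s profile permissions and every assigned permission set, so the check has to OR across all of a user’s assignments.

```python
"""Assess which users keep or lose access under the Summer '20 permission changes.

Added example, not code from the original post or from Salesforce. It assumes
the PermissionSetAssignment rows were exported using a query of this shape:

    SELECT Assignee.Username, PermissionSet.Name, PermissionSet.IsOwnedByProfile,
           PermissionSet.Profile.Name, PermissionSet.PermissionsViewSetup,
           PermissionSet.PermissionsCustomizeApplication,
           PermissionSet.PermissionsModifyAllData,
           PermissionSet.PermissionsAssignPermissionSets,
           PermissionSet.PermissionsManageSessionPermissionSetActivations
    FROM PermissionSetAssignment
    WHERE Assignee.IsActive = true

and flattened to one dict per row. SAMPLE_ROWS is constructed sample data.
"""
from collections import defaultdict

# Boolean user-permission fields on the PermissionSet object (API names).
PERMISSION_FIELDS = (
    "PermissionsViewSetup",                              # View Setup and Configuration
    "PermissionsCustomizeApplication",                   # Customize Application
    "PermissionsModifyAllData",                          # Modify All Data
    "PermissionsAssignPermissionSets",                   # Assign Permission Sets
    "PermissionsManageSessionPermissionSetActivations",  # Manage Session Permission Set Activations
)


def row(username, perm_set, profile=None, **granted):
    """Build one flattened assignment row; permissions not named are False."""
    r = {"Username": username, "PermissionSetName": perm_set,
         "IsOwnedByProfile": profile is not None, "ProfileName": profile}
    for field in PERMISSION_FIELDS:
        r[field] = bool(granted.get(field, False))
    return r


# Constructed sample export. Each user has exactly one profile-owned permission
# set (IsOwnedByProfile = true) plus zero or more regular permission sets.
# Permission set names are placeholders, not real profile-owned set names.
SAMPLE_ROWS = [
    row("admin@example.com", "X00eProfileSysAdmin", profile="System Administrator",
        PermissionsViewSetup=True, PermissionsCustomizeApplication=True,
        PermissionsModifyAllData=True, PermissionsAssignPermissionSets=True,
        PermissionsManageSessionPermissionSetActivations=True),
    # Delegated administrator: plain profile, admin rights come from a permission set.
    row("delegate@example.com", "X00eProfileStandard", profile="Standard User"),
    row("delegate@example.com", "Delegated_Admin", PermissionsAssignPermissionSets=True),
    # Integration user: strong API permissions but no View Setup and Configuration.
    row("integration@example.com", "X00eProfileStandard", profile="Standard User"),
    row("integration@example.com", "Integration_API",
        PermissionsCustomizeApplication=True, PermissionsModifyAllData=True),
    # Ordinary sales rep.
    row("rep@example.com", "X00eProfileStandard", profile="Standard User"),
]

# Access rules distilled from the release-note bullets quoted in this article.
# Each maps a feature to a predicate over the set of permissions a user holds.
ACCESS_RULES = {
    "Duplicate Management API":
        lambda p: "PermissionsViewSetup" in p,
    "Muting permission sets":
        lambda p: bool(p & {"PermissionsViewSetup",
                            "PermissionsManageSessionPermissionSetActivations",
                            "PermissionsAssignPermissionSets"}),
    "SAML Single Sign-On Configuration":
        lambda p: "PermissionsViewSetup" in p
        or {"PermissionsCustomizeApplication", "PermissionsModifyAllData"} <= p,
    "LogoutEventStream object":
        lambda p: "PermissionsCustomizeApplication" in p,
}


def effective_permissions(rows):
    """Union of permissions across a user's profile and all assigned permission sets.

    Looking only at profiles understates access; looking only at permission
    sets overstates the loss. The OR across every assignment is what Salesforce
    actually evaluates.
    """
    granted = defaultdict(set)
    for r in rows:
        granted[r["Username"]].update(f for f in PERMISSION_FIELDS if r.get(f))
    return dict(granted)


def assess(rows):
    """Per user, whether each rule in ACCESS_RULES is satisfied after the release."""
    return {user: {feature: rule(perms) for feature, rule in ACCESS_RULES.items()}
            for user, perms in effective_permissions(rows).items()}


def users_lacking(rows, feature):
    """Sorted usernames that will not meet the rule for `feature`."""
    return sorted(u for u, result in assess(rows).items() if not result[feature])


if __name__ == "__main__":
    for feature in ACCESS_RULES:
        print(f"{feature}: {users_lacking(SAMPLE_ROWS, feature) or 'all users OK'}")
```

Replace SAMPLE_ROWS with your real export and the script lists, per feature, the active users who will fall short after the release. Cross-check that list against who actually uses each feature before granting anything: a user who never touches Duplicate Management should not receive “View Setup and Configuration” just to keep a report clean, since that permission exposes a great deal of setup metadata.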
Which Other Changes should I be aware of at this time?
Although they were introduced in earlier releases, two more Security Alerts need to be addressed during this window. Due in August are two required changes that pertain to @AuraEnabled Apex methods: “Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile” and “Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile”. Once enforced, a user can call an @AuraEnabled method only if their profile or an assigned permission set grants access to the Apex class that contains it. Both updates correspond to critical updates released earlier this year; because they are required, you should factor them in if you have not already.
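A check for the @AuraEnabled updates, as an added example that is not part of the original post or of anything Salesforce ships. It assumes three exports flattened to one dict per row: ApexClass (Id, Name, Body), SetupEntityAccess filtered to SetupEntityType = 'ApexClass' (ParentId is the granting permission set, profile-owned or regular; SetupEntityId is the class), and PermissionSetAssignment (Assignee.Username, PermissionSetId). The classes, access rows, assignments and record Ids below are constructed sample data with placeholder Ids. It scans class bodies for the @AuraEnabled annotation and reports, per user, the exposed classes that none of their assigned permission sets grants, which is exactly the access these updates start enforcing.

```python
"""Find Apex classes with @AuraEnabled methods that a user cannot reach once the
"Restrict Access to @AuraEnabled Apex Methods ... Based on User Profile" updates
are enforced.

Added example, not code from the original post or from Salesforce. It assumes
three exports flattened to one dict per row:

    SELECT Id, Name, Body FROM ApexClass
    SELECT ParentId, SetupEntityId FROM SetupEntityAccess
        WHERE SetupEntityType = 'ApexClass'
    SELECT Assignee.Username, PermissionSetId FROM PermissionSetAssignment
        WHERE Assignee.IsActive = true

The Ids below are placeholders, not real Salesforce record Ids.
"""
import re
from collections import defaultdict

# Apex annotations are case-insensitive, so match @AuraEnabled loosely.
AURA_ENABLED = re.compile(r"@AuraEnabled\b", re.IGNORECASE)

# Constructed sample ApexClass export.
SAMPLE_CLASSES = [
    {"Id": "01p-Acct", "Name": "AccountController",
     "Body": "public with sharing class AccountController {\n"
             "    @AuraEnabled(cacheable=true)\n"
             "    public static List<Account> recent() {\n"
             "        return [SELECT Id FROM Account LIMIT 5];\n    }\n}"},
    {"Id": "01p-Batch", "Name": "LegacyBatch",
     "Body": "global class LegacyBatch implements Database.Batchable<sObject> { }"},
    {"Id": "01p-Guest", "Name": "GuestSearchController",
     "Body": "public without sharing class GuestSearchController {\n"
             "    @auraenabled public static String search(String q) { return q; }\n}"},
]

# Constructed SetupEntityAccess export: which permission set grants which class.
SAMPLE_ACCESS = [
    {"ParentId": "0PS-GuestProfile", "SetupEntityId": "01p-Guest"},
    {"ParentId": "0PS-SalesOps", "SetupEntityId": "01p-Acct"},
    {"ParentId": "0PS-SalesOps", "SetupEntityId": "01p-Batch"},
]

# Constructed PermissionSetAssignment export (profile-owned sets included).
SAMPLE_ASSIGNMENTS = [
    {"Username": "guest@example.com", "PermissionSetId": "0PS-GuestProfile"},
    {"Username": "rep@example.com", "PermissionSetId": "0PS-StandardProfile"},
    {"Username": "rep@example.com", "PermissionSetId": "0PS-SalesOps"},
    {"Username": "newhire@example.com", "PermissionSetId": "0PS-StandardProfile"},
]


def aura_enabled_classes(classes):
    """Map Id -> Name for every class whose body declares an @AuraEnabled member."""
    return {c["Id"]: c["Name"] for c in classes if AURA_ENABLED.search(c["Body"] or "")}


def unreachable_aura_classes(classes, access_rows, assignments):
    """Per user, sorted names of @AuraEnabled classes no assigned permission set grants."""
    exposed = aura_enabled_classes(classes)
    granted_by_set = defaultdict(set)
    for a in access_rows:
        granted_by_set[a["ParentId"]].add(a["SetupEntityId"])
    sets_by_user = defaultdict(set)
    for pa in assignments:
        sets_by_user[pa["Username"]].add(pa["PermissionSetId"])
    report = {}
    for user, sets in sets_by_user.items():
        # Class access, like user permissions, is the union across all assignments.
        reachable = set().union(*(granted_by_set[s] for s in sets))
        report[user] = sorted(name for cid, name in exposed.items() if cid not in reachable)
    return report


if __name__ == "__main__":
    for user, missing in unreachable_aura_classes(
            SAMPLE_CLASSES, SAMPLE_ACCESS, SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {missing or 'can reach every @AuraEnabled class'}")
```

The report lists every exposed class a user cannot call, not only the ones they need; pair it with the components each profile actually uses and grant class access on the profile or, preferably, a dedicated permission set. For guest and portal users in particular, treat a class that appears in the guest profile’s list as a reminder to review what that class does before granting it, since those updates exist precisely because unauthenticated callers were reaching methods never meant for them.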
Taking time to prioritize these changes is prudent for keeping your org secure. As intimidating as permissions can be, you never want them looser than they need to be. Break the work into digestible parts and get through it a little at a time. In a matter of a few hours, you can check it off your list knowing that your org is set up the way it should be.