Good morning everyone, and welcome to our secure coding session. We're going to talk about field-level security, CRUD and sharing. My name is Max Feldman; I'm a product security engineer. I work on security reviews of some of the AppExchange apps, and I also work on security reviews of internal platform stuff here at Salesforce.

My name is Kyle Tobin. I'm also a product security engineer; I specialize in Force.com platform security, and you may also know me from developer support, where I used to work on a lot of really tough cases.

So, safe harbor: if we talk about anything forward-looking, which we are not, don't make any purchasing decisions on that. But we're not, so don't worry about that.

You don't need to take any photos of the slides; we're going to give you all the slides and actually all the demos too. About 20 minutes after the talk we'll post them to the Dreamforce session page, and if you have any questions during the presentation, please post them to that same thread. We've got some people here in the audience who will be answering the questions. We'll also have Q&A at the end, and we'll have some trivia during this and hand out prizes, so if you do win a prize, please come up after the presentation.

So today we're talking about authorization for Force.com, specifically FLS, CRUD and sharing. This is primarily useful for Salesforce developers, but if you're a prospective partner or an admin who just wants to know a little bit more about these features, this is good for you too. And if this is below your level, we've got some pretty hard trivia questions interspersed, and if you get one right you get one of these cool Salesforce Trust hoodies. These are pretty rare; I don't even have one, so the questions are hopefully hard enough to justify the hoodie.

So what is authorization? Authorization dictates what a user is permitted to access, and we use the principle of least privilege to figure out who should be authorized. This basically says that a person should only have as much access as their duties require, and this minimizes accidental or purposeful abuse of excess privilege.

One thing we also want to mention, because we're going to use these a lot: user context and system context. User context tells you that your user's authorization is respected by the platform, and system context tells you that your user's authorization is ignored by the platform. This is important for Apex and Visualforce because it allows them to be more extensible and flexible, but, and this is the reason for this talk, you need to be careful when doing it, because you are opening up potential abuses of least privilege. So now Max is going to jump into CRUD.

So we're going to start this off by talking about CRUD in Salesforce. CRUD is create, read, update, delete, and these are controlled on the profile; basically, CRUD dictates a user's abilities object by object. As far as developers should be concerned, Apex classes do not enforce CRUD. Why is this? Because Apex runs in a system context. Visualforce pages, however, do enforce CRUD, because Visualforce pages run in a user context.

So to enforce CRUD in Apex, what you'll do is take your sObject, call getSObjectType() and getDescribe(), and then you can check isCreateable(), isAccessible(), isUpdateable(), isDeletable(). Here we've got a sample controller class which is getting an account, and what it's going to do is check account.getSObjectType().getDescribe().isAccessible(); if it's not accessible, it will return nothing. So this is just an example of how you would invoke these methods in Apex.

With that, we'll take it to a demo. So Kyle, if you could go to the browser. What we've got here is our CRUD demo, and we have down here a little Visualforce page, and what this is going to do is act on a random sensitive object that we've created. So Kyle, if you could just select a user with no perms. What this has is, say, Apex in the background doing CRUD operations. What we're going to see here is that even though this user has no permissions, they can still create a record, and if you can create a couple more... What's happening here is the Apex in the background is running in system context. So let's try and update them all, and maybe delete them all. So we see here we've got this object that should be controlled, but Apex isn't doing this controlling, and what we're going to show you is how you would fix that with code. So Kyle, if you could take us to the fix demo.
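Here is what the demo's vulnerable controller and its fix look like side by side, as an added example rather than the demo org's own code. The object API name Random_Sensitive_Object_1__c is the one the demo uses; the class name, the method names, the message property and the field Sensitive_Text_1__c are assumptions.

```apex
// Added example (not the demo org's code). Object API name from the demo;
// class name, method names and the Sensitive_Text_1__c field are assumptions.
public with sharing class CrudDemoController {

    public String message { get; set; }

    // The shape the demo shows first: plain DML with no CRUD check. Apex runs in
    // system context, so a profile with no object permissions still succeeds here.
    public void createUnchecked() {
        insert new Random_Sensitive_Object_1__c();
        message = 'Created (no check).';
    }

    // Fixed: ask the describe result whether the running user's profile grants
    // the operation, and stop before the DML if it does not.
    public void createChecked() {
        if (!Schema.SObjectType.Random_Sensitive_Object_1__c.isCreateable()) {
            message = 'Insufficient privileges to create this object.';
            return;
        }
        insert new Random_Sensitive_Object_1__c();
        message = 'Created.';
    }

    // Read: an empty list rather than the rows when the profile lacks Read.
    public List<Random_Sensitive_Object_1__c> readChecked() {
        if (!Schema.SObjectType.Random_Sensitive_Object_1__c.isAccessible()) {
            return new List<Random_Sensitive_Object_1__c>();
        }
        return [SELECT Id, Sensitive_Text_1__c FROM Random_Sensitive_Object_1__c LIMIT 100];
    }

    public void updateAllChecked() {
        if (!Schema.SObjectType.Random_Sensitive_Object_1__c.isUpdateable()) {
            message = 'Insufficient privileges to update this object.';
            return;
        }
        List<Random_Sensitive_Object_1__c> recs = readChecked();
        for (Random_Sensitive_Object_1__c r : recs) {
            r.Sensitive_Text_1__c = 'updated';   // assumed text field
        }
        update recs;
        message = 'Updated ' + recs.size() + ' records.';
    }

    public void deleteAllChecked() {
        if (!Schema.SObjectType.Random_Sensitive_Object_1__c.isDeletable()) {
            message = 'Insufficient privileges to delete this object.';
            return;
        }
        delete readChecked();
        message = 'Deleted.';
    }

    // The same check written against an SObject instance instead of the
    // compile-time token: the getSObjectType().getDescribe() form from the slide.
    public static Boolean canRead(SObject record) {
        return record.getSObjectType().getDescribe().isAccessible();
    }
}
```

Each checked method runs the describe call for the profile of the running user, so the same controller answers differently for the no-permissions user and for the admin, which is the behaviour the fix demo that follows shows on screen.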

We'll edit our Apex class, and what we're going to do is invoke the methods that I just described, which is getting the object type and then checking if it is accessible. So what we're doing here is Schema.SObjectType.Random_Sensitive_Object_1__c.isCreateable(). We're going to apply this, and then we'll see what happens when our user has their CRUD permissions checked by Apex, because we've finally written it right. So if you could select a user again that has no permissions. What we'll see here when we try and create something is that we receive an error message. So we've done a check in Apex to see if this user should be able to create an object, and they're not able to, and this is the methodology you use to prevent access, creation, deletion or updating using Apex code. So if you could go back to the slides.

Now we're going to do a little trivia question for all of you in the audience. Which of the following Visualforce code patterns respect the R, read, in CRUD? We've got an apex:outputField, we have an apex:outputText, we have a naked merge field, and then we have an apex:outputText but with a dereferenced string. So select which ones of these actually respect the read permission, and just go ahead and raise your hand. Yeah, that is partially true; there are actually more than one answer here, but you can come by after and we'll give you one of the... we've got some little prizes for getting it partially right. Yes, that is correct, so stop by afterwards for a sweatshirt. So if we could go to the explanation of this: Visualforce respects the first three, but this dereferenced string here on the bottom will not have a CRUD check done. And with that I'll hand it over to Kyle for FLS.

Thanks. So FLS stands for field-level security. It is also controlled on the profile, and you can see here we've been looking at the Account object; we've got the fields there, some of them are visible, some can be read-only. This dictates which fields are visible to a user on a given object. Your options: visible, read-only. And some fields, system fields like account name, created by, created date, those always come with CRUD, so you can't control FLS for those, but for most of the custom fields you can.

For developers, this is very similar to CRUD. Apex classes do not enforce FLS because they run in system context; Visualforce pages do enforce FLS because they run in user mode. The exception, much like the trivia question, is when you're using a dereferenced string, like contact email the string instead of contact email the sObject field. So to enforce FLS, it's a very similar method to the previous one where you're enforcing CRUD: you're calling Schema and getting the SObjectType, putting in your sObject (in this demo it's Account), then grabbing the field set, then giving the name of the field, and then asking isAccessible() or isUpdateable().

So let's hop into a demo of this. Max is going to log out as our demo user. What we have here again is a Visualforce page designed to demo FLS, and below we have blocks of code presented in the way that we just showed you in the trivia before: we've got apex:outputText, apex:outputField, naked merge field, and then an outputText with that dereferenced string, or wrapper object. So Max, if you could give me a user that does not have FLS. Oh, you want the user with CRUD, not FLS? So that's the behavior when you have nothing. All right, what we should see here is that the first three blocks are respecting FLS for sensitive text and sensitive number: you can't see the values. But then in the bottom, for the outputText pointing to the dereferenced string, the sensitive text and the sensitive number fields are showing up, because FLS is not respected there; the platform cannot track it to that point. So we're going to show you how to fix this, how to check for FLS. So Max, if you could open up the demo. This is basically the same page except we just have the single block where FLS was not respected, and Max is going to jump into the edit screen, first returning to the admin so we don't get an error.
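A controller of the shape the demo edits, as an added example rather than the demo org's own code. Random_Sensitive_Object_1__c is the demo's object; the field API names Sensitive_Text_1__c and Sensitive_Number_1__c, the wrapper shape, the class name and the applyEdit method are assumptions.

```apex
// Added example (not the demo org's code). Random_Sensitive_Object_1__c is the
// demo's object; field API names, wrapper shape and class name are assumptions.
public with sharing class FlsDemoController {

    // Plain Apex class, not an SObject. Once a value is copied into one of these
    // String properties, Visualforce can no longer tell which field it came from,
    // so no FLS check happens when the page renders it.
    public class Wrapper {
        public Random_Sensitive_Object_1__c r { get; set; }
        public String sensitiveText { get; set; }
        public String sensitiveNumber { get; set; }
    }

    public Wrapper wr { get; set; }

    public FlsDemoController() {
        // The query runs in system context and returns the values regardless of
        // the running user's FLS; that is why the check below has to be explicit.
        Random_Sensitive_Object_1__c rec = [
            SELECT Id, Sensitive_Text_1__c, Sensitive_Number_1__c
            FROM Random_Sensitive_Object_1__c
            LIMIT 1
        ];
        wr = new Wrapper();
        wr.r = rec;

        // Before the fix (the behaviour the demo shows first):
        //   wr.sensitiveText   = rec.Sensitive_Text_1__c;
        //   wr.sensitiveNumber = String.valueOf(rec.Sensitive_Number_1__c);

        // After the fix: consult the field describe for the running user's profile
        // and copy an empty string when the field is not accessible.
        Schema.DescribeFieldResult textField =
            Schema.SObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Text_1__c;
        Schema.DescribeFieldResult numberField =
            Schema.SObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Number_1__c;

        wr.sensitiveText = textField.isAccessible() ? rec.Sensitive_Text_1__c : '';
        wr.sensitiveNumber = numberField.isAccessible()
            ? String.valueOf(rec.Sensitive_Number_1__c) : '';
    }

    // The write direction uses the same describe: only copy a page-supplied value
    // onto the record when the profile may update that field.
    public void applyEdit(String newText) {
        Schema.DescribeFieldResult textField =
            Schema.SObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Text_1__c;
        if (!textField.isUpdateable()) {
            return;
        }
        wr.r.Sensitive_Text_1__c = newText;
        update wr.r;
    }
}
```

On the page side, `<apex:outputText value="{!wr.r.Sensitive_Text_1__c}"/>` still goes through the platform's FLS check because the expression ends in an sObject field, whereas `<apex:outputText value="{!wr.sensitiveText}"/>` shows whatever the controller put in the String, so the controller has to do the check itself as above. The purely Visualforce alternative is the rendered attribute, `rendered="{!$ObjectType.Random_Sensitive_Object_1__c.fields.Sensitive_Text_1__c.Accessible}"`, which is the form the trivia question below is about.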

What you'll see here is the code block where we're assigning these two fields, sensitive object 1 and sensitive number 1, to the wrapper object strings sensitiveText and sensitiveNumber, and Max right now is adding the FLS checks to the assignment. So if the FLS check fails, where it says isAccessible(), if that's false, it'll just assign an empty string. So Max, if you can save that and go back: you see there now FLS is respected. And Max, if you can log out and go to the converse of this, a user who does have CRUD and FLS, we'd hope to see that the values will still be there. Perfect. So FLS is respected dynamically using the Schema methods in Apex, which is exactly what we want. Least privilege here will be respected; the permissions that the admin has set up are respected; everyone's happy.

Now we're going to take it to... oh, you know, we have one more slide just to illustrate the point about the dereferenced string, in case I lost you there. So here we have the Apex Random Sensitive Object, and that's our r; then we have a wrapper object, which is just a plain object, not an sObject, and that's wr. So when you assign r.Sensitive_Number__c to wr.sensitiveNumber, you can see in the bottom the r.Sensitive_Number__c will have its FLS respected, whereas the outputText for wr.sensitiveNumber will not; FLS is ignored there.

And that brings us to a trivia question. So here we showed you how to respect FLS in Apex; one of these, just one, is the correct way to respect FLS in Visualforce. We're using the rendered tag option, so we're calling $ObjectType.Custom_Object__c for all of them, and that's where they start to differ. The first one is .fields.Custom_Field__c.isAccessible; the next one is .Custom_Field__c.isAccessible() with parentheses; the next one is .fields.Custom_Field__c.Accessible, no parentheses or "is"; and the final one is just .Custom_Field__c. So one of these is right. Gentleman right there on the aisle? The last one is not correct. Let's go over here, you there in the blue, yes, with the two fingers: the second one? No, also incorrect. Over there in the back, in the back corner? No. So you all got it wrong; everyone fails. It's the third one; it's tricky. So anyone who got that wrong can come get a cup later, but no hoodies for you guys. All right, Max is going to take over doing sharing now.

Okay, so now we're going to talk about sharing. What is sharing? It is record-level access. It's controlled outside the profile via org-wide defaults, roles, ownership and sharing rules, and what sharing does is dictate which records of an object a user can see. So as far as developers are concerned, Apex classes do not enforce sharing by default. Why is this? Once again, system context. Visualforce pages also do not enforce sharing; they rely on the controller for record access. So in this case there is an exception: standard controllers do enforce sharing. But this isn't as with CRUD and FLS, where Visualforce pages are doing that enforcing for you automatically.

So to enforce sharing in Apex, you use the with sharing keywords. The default behavior is without sharing, so if you don't specify with sharing it will default to without sharing, and invoked classes will respect defined sharing, so if no sharing is defined, a class or method will inherit sharing from its invoking parent. Here we've got a public class that we've declared with sharing, so you do public with sharing class MyController, and in the context of this class sharing will be applied up until we reach our inner class that's defined as without sharing. So this class, MyInnerClass, will not have sharing applied, because we've explicitly defined that without sharing is its behavior.

So now Kyle, could you take us to the sharing demo. What we're going to have here is a Visualforce page that's accessing some sensitive records, and what we'll see is that when sharing isn't enforced, our user has access to a lot of records which we don't want them to have access to. So a user with CRUD and FLS will be good, but what we'll see is that if without sharing is the behavior, they can access everything. So we've got some records that the user should not have access to, and one record that the user owns that they should be able to access.

So what we've got is a Visualforce page reflecting an Apex page that at its highest level has no sharing behavior defined. We'll look at the behaviors of inner methods and classes, and external methods and classes, when no sharing is defined at the top level. So Kyle, if you could take us to the top. We see that an inner method you cannot define sharing for, so it will inherit the behavior of its invoking class, and the behavior at the top level was no sharing, so we see that this user has access to a bunch of records, many of which they shouldn't have access to. We also see that an inner class that has no sharing defined inherits this same behavior, so the inner class has exposed all of these records to our user, which they shouldn't be able to see. If we have an inner class defined as without sharing, this behavior is the same: instead of inheriting the without sharing behavior, it explicitly defines without sharing behavior, but that means the behavior is the same. However, if we go down to an inner class that's defined as with sharing, this with sharing behavior will override the default behavior, and what we see here is this user only has access to the record to which they should have access.

Now if we look at external classes and methods, we'll see that an external class or method that has no sharing defined also inherits the without sharing behavior that is the default and was at the top level. We see that an external class or method that has without sharing defined exhibits the same behavior: we've got our user able to see all of these records, which they shouldn't be able to see. And then if we have an external class or method that has with sharing explicitly defined, this behavior will override that without sharing, and we've got our access restricted to the appropriate level.

What we're going to do now is open up that controller, and/or that Apex page, and change our definition from no sharing mentioned at all to a class without sharing. So we're going to make this a... here we go, yes. So we're going to make our class public without sharing class SharingDemo, and then we'll do a quick save, and then what we'll show you is the behavior that happens now that we've defined our top-level class as without sharing. What we're going to see is that the behavior is basically the same, because the default behavior of something that doesn't have with or without sharing defined is no sharing respected, so when we do without sharing it'll be the same behavior. We've got an inner method that inherits this no sharing behavior; we've got an inner class that has no sharing defined, and this will also inherit the behavior of its invoking parent; and an inner class that's defined without sharing, and we see here the user has access to all of these records, and that's not what we want. If we've got the inner class defined as with sharing, this is still restricted: with sharing overrides the invoking behavior. If we go to our external classes and methods, we see much of the same: a class with no sharing defined, or without sharing defined, has this without sharing behavior, the user can access everything, but if we look at an external class or method that does have sharing defined, we see that it's been restricted properly.

So now Kyle, if we could go back and change the top-level class to be defined as with sharing, what we'll see is that this does affect the behavior of inheriting classes. So now we see that we have a top-level class that's defined as with sharing; we've got public with sharing class DemoClass, and this inner method inherits that behavior, so an inner method called by a class that's defined as with sharing will exhibit the with sharing behavior. An inner class that has had no sharing defined... and be careful to note, no sharing and without sharing are different for the purposes of Apex. So we've got this inner class that has no sharing defined (a little bit more, thanks), and we see that it inherits that with sharing behavior. If we look at an inner class that's defined as without sharing, this without sharing definition overrides that with sharing behavior, and the user has access to all of these records again. An inner class that's defined as with sharing has with sharing applied. And if we look at external classes and methods: if we don't define sharing, it will inherit with sharing behavior; if we define without sharing, it will override and display without sharing behavior; and if we do an external class or method with sharing defined, we have with sharing behavior and sharing is respected.

So Kyle, could you bring us back to the slides. We've got here just a little recap of that, a table to see what the behavior will be. I'm not going to walk through this right now, but it will be in the slides, which will be posted on the Chatter feed, so if you ever need a cheat sheet for sharing behavior, just check this out.
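The inheritance rules the demo just walked through, written out as one controller, as an added example rather than the demo org's own code. The class and method names and the comment text are assumptions; the keywords and the behaviour they produce are the ones shown in the demo.

```apex
// Added example (not the demo org's code). Class, method and comment text are
// assumptions; the sharing rules it encodes are the ones the demo walked through.
public with sharing class SharingDemoController {

    // A method cannot carry a sharing keyword of its own: it runs with the
    // sharing of its class, here the outer class's with sharing.
    public List<Account> accountsVisibleToUser() {
        return [SELECT Id, Name FROM Account LIMIT 200];
    }

    // Inner class with no keyword: it inherits the sharing of whatever invokes it.
    // Invoked from this with sharing controller it behaves as with sharing; invoked
    // from a without sharing class it would behave as without sharing.
    public class InheritsSharing {
        public Integer countAccounts() {
            return [SELECT COUNT() FROM Account];
        }
    }

    // WITHOUT SHARING, on purpose: this count is an org-wide figure the page shows
    // regardless of who is logged in, and it never returns record data. The
    // explicit keyword overrides the outer with sharing for this class only, and
    // keeping it private, tiny and commented is what lets a reviewer find every
    // place where sharing is bypassed.
    private without sharing class OrgWideCount {
        public Integer countAllAccounts() {
            return [SELECT COUNT() FROM Account];
        }
    }

    // Explicit with sharing on an inner class overrides the invoker's sharing the
    // other way round: it stays restricted even when called from without sharing code.
    public with sharing class AlwaysRestricted {
        public List<Account> accounts() {
            return [SELECT Id, Name FROM Account LIMIT 200];
        }
    }

    public Integer countVisible() {
        return new InheritsSharing().countAccounts();
    }

    public Integer countAll() {
        return new OrgWideCount().countAllAccounts();
    }
}
```

Run as a Visualforce controller for a user who owns one account and is shared none, countVisible() and accountsVisibleToUser() see that one record while countAll() sees every account in the org. Note the point the trivia question below makes: executed as anonymous Apex from the Developer Console, which runs in user context, even OrgWideCount would be restricted.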

What I do want to stress is that at Salesforce we employ with sharing whenever possible. So our best practice for this: with CRUD and FLS we saw that there are ways in code to fix these problems; for sharing it's more of a best practice, and what we recommend is that you use with sharing whenever possible and you really minimize and compartmentalize what you do with without sharing. What we have internally are classes that are all defined as with sharing, and if we ever need functionality that is without sharing, we will explicitly set that, but in an inner class or method, something that lets us keep track of where our without sharing behavior actually occurs, because then we can say, oh, sharing is respected throughout the code that we employ except in these particular small cases. This is the best practice we recommend: use with sharing whenever possible and really limit your use of without sharing.

And with that we will go to trivia. So the code snippet below has a class which is defined as without sharing, and it queries the private Account object, so the user shouldn't have access to this if sharing is respected. Assume the running user has no visibility to any Account records. So when invoking this class via the Developer Console, does the running user see any accounts, and explain why? For this one we'll want an explanation. So we've got our class QueryPrivate, and it lists the accounts and we'll select from this list, but it's declared as without sharing. So what happens to this user? Yes? Okay, so the answer that she said was a user will be able to see this, because without sharing will be applied, and so even if there's one account they will still be able to see it. That's actually not correct for this case, but you can swing by after for one of the smaller prizes. Can anyone tell us why that's incorrect? I'll give you a hoodie if you can. You were almost there, but you had the wrong word. Yes? No, no. So the gentleman here with the goatee was a lot closer, but he said "system"; the Developer Console was running in user context. But you were close enough, I'll give you a... that was good. Yes, so what we've got here is that sharing is actually respected, because without sharing is ignored, because the Developer Console runs in user context. So that was a bit of a tricky question. And I'll hand it back to Kyle for a recap.

So if you're new to CRUD, FLS and sharing, I like to use this spreadsheet model to illustrate what the features are, to help keep track of them. You can think of CRUD as access to the different tabs representing the objects in Salesforce; FLS is the columns, the different fields you get to see; and then sharing is row-level access, which records in the spreadsheet show up for you.

Now for developers, as we talked about: Apex does not respect CRUD; Visualforce with the standard controller does respect CRUD; you can use ObjectName.sObjectType.getDescribe().isAccessible() to enforce CRUD in Apex. Then for FLS, Visualforce respects FLS for sObjects, Apex does not; you can use Schema.SObjectType.Account.fields.NameOfTheField.isAccessible() to enforce it. And I think there's actually a code error in the CRUD one: it's reversed where the objects should be. Then for sharing, by default Apex does not enforce sharing; you have to use with sharing in the class definition to enforce sharing. And like Max said, at Salesforce our best practice is all classes are with sharing, and then you make an inner class without sharing with a little comment block telling me why it's without sharing, so that when we audit the code looking for least privilege we can easily see where it should be without sharing.

Now we have some additional resources here, and when you get the slides you can just click on these links: the Secure Coding Guidelines, which are on the Developer Force website; there's also the CRUD and FLS Enforcement guide, which has neat little code snippets. You can also go to the Salesforce Stack Exchange and the security tag, or the developer forums with the security forum; we also try and monitor those and answer questions when they don't get answered, so it's a good place to ask if you need help. If you're a partner, you can also always go to security office hours if you need a little guidance on this; that link there will take you to the sign-up form. Max attends those a lot. You can also check out the Security Implementation Guide, the link is there, if you want more general security guidance: things like IP range restrictions, identity confirmation, stuff like that.

So I said you'd get the slides and demos.

We will be putting the slides at that link there, which is also the sign-up page for this session; I'll also probably put them on my Twitter. And then if you want the demo code, and this is my favorite part about this: we made a trial template, so you go to that link there, you put in your name and your email, and then we'll send you a sign-up link to a pre-configured demo that is identical to the one you just used. You may have noticed there were tons of words on every demo; we put all that there so that when we're not there guiding you through it, you can take yourself through it and learn at your own pace. I feel like that's a good way to reinforce the concepts we went over, so please sign up. That will also be the demos for our next talk as well, which we're about to advertise: at 2 o'clock Max and I are talking again, about storing secrets, and the demos for that will be in the same trial sign-up.

There are some other Trust talks as well: Building Secure Mobile Apps with our friend Sergey; Protecting Your Data Against Malicious Scripts with our friend shall run from product security; Secure Coding: External App Integration, which is with Hasta, who's sitting right there in the front; and the same thing with SSL, SOAP and REST, she's also doing that talk. And then a couple of announcements. If you ever use our code scanner, the Force.com code scanner now supports Salesforce1 and JavaScript, so we've got a bit.ly link there; you can just check it out when you check out the slides. We also have the Chimera web app scanner alpha nominations, which are open to partners, so you can apply there. And we have live security office hours available in the Partner Zone, so I'll be over there later this week, and we've got some of our other team members over there to answer your questions. So if you've ever phoned in for security office hours you can meet some of the people you've talked to, or people who review apps, or other people from product security over in the Partner Zone, and that'll be all week.

And that takes us to the Q&A. Yeah, so if you have any questions or comments or want clarification, you can come up or use the mics in the middle, however you want to discuss, and if you got a prize, feel free to come up now and we can hand those out to you.

Okay, yeah, it's... which slide, sorry? Yeah, yeah, so Kyle on Twitter is at Kyle Kyle hi. Yeah, no, no stupid questions. So there's an Apex method the system uses, sort of... on the back end there's an Apex method called UserInfo, and it can get all the active user info, and it checks that user's context. Yeah, so she was asking how the FLS and CRUD checks know which user context to use, and the answer is there's a method that checks who the running user is at all times, and that's what's referenced to get the user's context. Questions? You get a cup; you get a funny-question hoodie, what size? We've got... okay, large.

The Pricebook object is not affected by with sharing, is it? Is the Pricebook object public by default, or can you change it to private? Because if it's always public then sharing would just not have any effect. Oh, so then, yeah, in that case it would be... not like an external class or method, so it's invoking something else... let me give you my card. I don't know off the top of my head, but I can look it up. Or it'll inherit the behavior if there's no sharing defined explicitly... because I don't have an answer for you. Sure, yeah, private account, okay, yes, yeah, exactly: so if you have a with sharing class that calls it, then it'll do with sharing, and if you have a without sharing class that calls it, it'll do without sharing; so if there's nothing defined at all, it depends on what it's being invoked by. Yeah, yeah, yes.

So the question is about the example, the trivia we had, where we referenced the Developer Console and it was a class without sharing. So the Developer Console always runs in user context, so anything on the Apex side of the system that says system context gets ignored. Yeah, I guess an exception to that would be if you kick off a scheduled job from the console; the resulting scheduled job does not run in user context, that'll still run in system mode, but anything actively called from the Developer Console is user mode. Did you... you think you get a cup? You're welcome. Any other? Yes.

So, there used to be, I don't think this exists anymore, but there used to be an API where you could run Apex code that was user context as well, so you can get different results from that, or the user context in here... but if you publish an Apex web service, that runs in system context, not in user context. Yes, and then what you can do is... so if you're trying to publish to the AppExchange, there's been some talk about that; I think they're trying to work out how to make that work, you know, like how other companies... If you're just doing it internally, it's important to think critically about security, but if you say... I suspect there's an idea on the IdeaExchange you could vote on, but I definitely know they're considering it. So yeah, we will fail them if they have sharing errors, things like that, because other companies will use them, but if it's just for internal consumption it'll be a bit different. Yeah, it depends, because we try and approach security with a threat model where even users internally can try to access data they shouldn't have access to. Okay, that can be a concern too: if you've got one type of user that can see a sensitive record, and you have an app that doesn't respect sharing, then maybe some other users... so it's possible.

So what you can do without sharing, you saw... so the question is about criteria-based sharing: how could you do criteria-based create, is basically what you're asking? Yes, right. So what you could do is, if you wrote all of that in Visualforce and Apex, where we have the check isCreateable(), you could just add another thing in there; I'm not sure how you would check which user has what permissions, like what if you say... but you could certainly come up with a way to check the criteria. Okay, I see, so you want to do it dynamically; you want to get dynamic access, the criteria-based sharing, right. So the sharing rules don't really cover create, so you have to do the create checks on your own. Yes, so if it was an inputField and then you call wr, the wrapper, and then .account.field, that should respect FLS. If you open the demo, you could write that in like twenty seconds with the demo that's already there and try it out.