Secure Salesforce: CRUD, FLS, and Sharing

Upload: salesforce-developers

Posted on 16-Apr-2017

Page 1: Secure Salesforce: CRUD / FLS / Sharing

Secure Salesforce: CRUD, FLS, and Sharing Daphne Kao

Senior Product Security Engineer

@daphnekao

Ryan Flood

Associate Product Security Engineer

Page 2

Secure Salesforce at Dreamforce 2015

• 10 DevZone talks and 2 Lightning Zone talks covering all aspects of security on the Salesforce Platform

• Visit our booth in the DevZone with any security questions

• Check out the schedule and details at http://bit.ly/DF15Sec

• Admin-related security questions? Join us for coffee in the Admin Zone Security Cafe

Page 3

Safe Harbor

Safe harbor statement under the Private Securities Litigation Reform Act of 1995:

This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.

The risks and uncertainties referred to above include, but are not limited to, risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of any litigation, risks associated with completed and any possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-K for the most recent fiscal year and in our quarterly report on Form 10-Q for the most recent fiscal quarter. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.

Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 4

Background

Principle of Least Privilege

• Users should only have access to the minimum amount of information required to accomplish their duties, so that their ability to take advantage of excess privilege, purposefully or accidentally, is minimized.

Contexts

• User context: enforces the user permissions, field-level security, and sharing rules of the current user.

• System context: ignores the user permissions, field-level security, and sharing rules of the current user.

Page 5

CRUD

Page 6

What is CRUD?

Create, Read, Update, Delete

• Defines a user's access for each object

• Controlled on the profile

Page 7

CRUD for Developers

Apex classes do not enforce CRUD

• Run in system context

Visualforce pages enforce CRUD

• Run in user context

Page 8

Enforcing CRUD in Apex

<sObject>.sObjectType.getDescribe() exposes one method per CRUD permission:

• isCreateable()

• isAccessible() (Read)

• isUpdateable()

• isDeletable()

    public class MyController {
        public String getMyAccount() {
            // Object-level check: does the running user have Read on Account?
            if (!Account.sObjectType.getDescribe().isAccessible()) {
                return '';
            }
            // ... (rest of the method elided on the slide)
        }
    }

Page 9

Enforcing CRUD in Visualforce

Visualforce code patterns that respect Read in CRUD (the expression references an sObject field):

1. <apex:outputField value="{!sObject.Field__c}"/>

2. <apex:outputText value="{!sObject.Field__c}"/>

3. {!sObject.Field__c}

Visualforce code pattern that does not respect Read (the expression references a plain String property on a controller object, not an sObject field):

1. <apex:outputText value="{!Object.String}"/>

Page 10

CRUD Demo

Page 11

Best Practices and Q&A for CRUD

• Always check CRUD permissions before performing the operation.
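The following class is an added example, not code from the slides: it applies the "check before the operation" rule to all four CRUD operations using the describe methods from page 8. The class name, the custom exception, and the method names are assumptions; only object-level CRUD is checked here (field-level checks are the subject of the FLS section).

```apex
// Added example (not from the slides): check object-level CRUD before each DML
// operation instead of relying on the system-context behaviour of Apex.
public with sharing class AccountCrudService {

    // Thrown when the running user lacks the required object permission.
    public class InsufficientAccessException extends Exception {}

    // One describe call, reused for every check below.
    private static final Schema.DescribeSObjectResult ACCOUNT_DESCRIBE =
        Account.sObjectType.getDescribe();

    // Read: query only if the user has Read on Account.
    public static List<Account> readAccounts() {
        if (!ACCOUNT_DESCRIBE.isAccessible()) {
            throw new InsufficientAccessException('No Read access on Account');
        }
        return [SELECT Id, Name FROM Account LIMIT 200];
    }

    // Create: insert only if the user has Create on Account.
    public static Account createAccount(String name) {
        if (!ACCOUNT_DESCRIBE.isCreateable()) {
            throw new InsufficientAccessException('No Create access on Account');
        }
        Account a = new Account(Name = name);
        insert a;
        return a;
    }

    // Update: modify only if the user has Edit on Account.
    public static void renameAccount(Id accountId, String newName) {
        if (!ACCOUNT_DESCRIBE.isUpdateable()) {
            throw new InsufficientAccessException('No Update access on Account');
        }
        update new Account(Id = accountId, Name = newName);
    }

    // Delete: remove only if the user has Delete on Account.
    public static void deleteAccount(Id accountId) {
        if (!ACCOUNT_DESCRIBE.isDeletable()) {
            throw new InsufficientAccessException('No Delete access on Account');
        }
        delete new Account(Id = accountId);
    }
}
```

The check sits immediately before the DML it guards, so a reviewer can confirm each operation is covered by reading the method in isolation; throwing rather than silently returning makes a missing permission visible in tests.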

Page 12

FLS

Page 13

What is FLS?

Field-Level Security

• Defines a user's access to fields on a given object

• Controlled on the profile

Page 14

FLS for Developers

Apex classes do not enforce FLS

• Run in system context

Visualforce pages enforce FLS

• Run in user context

• Do not enforce FLS for dereferenced fields (a value copied out of the sObject into a plain variable):

• {!Contact.Email} = FLS enforced (yes)

• {!contactEmail} = FLS not enforced (no)

Page 15

Enforcing FLS in Apex

Schema.sObjectType.<sObject>.fields.<field> exposes the per-field checks:

• isAccessible()

• isUpdateable()

    public class MyController {
        public String getMyAccount() {
            // Field-level check: does the running user have Read on Account.Name?
            if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
                return '';
            }
            ...
        }
    }

Page 16

When does the Platform stop respecting FLS?

When an sObject field is assigned to a primitive.

Apex:

    Random_Sensitive_Object_1__c r;   // Salesforce sObject
    wRandom_Sensitive_Object_1 wR;    // Custom wrapper object
    wR.Sensitive_Number = r.Sensitive_Number__c;   // value copied into a primitive

Visualforce:

    <apex:outputText value="{!r.Sensitive_Number__c}" />   <!-- FLS RESPECTED -->
    <apex:outputText value="{!wR.Sensitive_Number}" />     <!-- FLS IGNORED -->

Page 17

FLS Demo

Page 18

Best Practices and Q&A for FLS

• Use sObject references whenever possible.

• Iterate through your list of fields and check FLS for each field.
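As an added example (not from the slides), the class below applies the second practice: it iterates a field list, keeps only the fields the running user may read before building the query, and strips fields the user may not edit before an update. It uses Schema.SObjectType.Contact.fields.getMap() in addition to the per-field describe shown on page 15; the class name, method names, and the field list are assumptions.

```apex
// Added example (not from the slides): enforce FLS by iterating the field list
// instead of checking one hard-coded field at a time.
public with sharing class ContactFlsService {

    // Assumed list of fields the page wants to show, in display order.
    private static final List<String> WANTED_FIELDS =
        new List<String>{ 'FirstName', 'LastName', 'Email', 'Phone' };

    // Returns only the wanted fields the running user may read.
    public static List<String> readableFields() {
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();
        List<String> allowed = new List<String>();
        for (String fieldName : WANTED_FIELDS) {
            // Map keys are lower-case API names; unknown names are skipped, not queried.
            Schema.SObjectField f = fieldMap.get(fieldName.toLowerCase());
            if (f != null && f.getDescribe().isAccessible()) {
                allowed.add(fieldName);
            }
        }
        return allowed;
    }

    // Queries only FLS-readable fields (Id is always selectable); CRUD is checked first.
    public static List<Contact> queryContacts() {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            return new List<Contact>();
        }
        List<String> fields = readableFields();
        if (fields.isEmpty()) {
            return new List<Contact>();
        }
        String soql = 'SELECT Id, ' + String.join(fields, ', ')
                    + ' FROM Contact LIMIT 100';
        return Database.query(soql);
    }

    // Before an update, drop every populated field the user cannot edit.
    public static Contact stripNonUpdateable(Contact c) {
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();
        Contact cleaned = new Contact(Id = c.Id);
        for (String fieldName : c.getPopulatedFieldsAsMap().keySet()) {
            if (fieldName == 'Id') {
                continue;
            }
            Schema.SObjectField f = fieldMap.get(fieldName.toLowerCase());
            if (f != null && f.getDescribe().isUpdateable()) {
                cleaned.put(fieldName, c.get(fieldName));
            }
        }
        return cleaned;
    }
}
```

Because the SELECT list is built from the filtered field names rather than a fixed string, a field that the profile hides is never read into memory in the first place, which is what keeps the later Visualforce binding safe even if a value is dereferenced.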

Page 19

Sharing

Page 20

What is Sharing?

Record-level access

• Dictates which records of an object a user can see

• Controlled outside the profile via org-wide defaults, roles, ownership, and sharing rules

Page 21

Sharing for Developers

Apex classes do not enforce sharing by default

• Run in system context

• Exceptions: anonymous code blocks, the Developer Console, and standard controllers execute in user context

Visualforce pages depend on their controllers for record access

Page 22

Enforcing Sharing in Apex

• Default behavior is without sharing. Use the with sharing keyword to enforce sharing.

• If a class isn't declared as either with or without sharing, the current sharing rules remain in effect.

• The sharing setting of the class where the method is defined is applied, not that of the class where the method is called.

    public with sharing class MyController {
        // Code here enforces the current user's sharing rules
        public without sharing class MyInnerClass {
            // Code here doesn't enforce the current user's sharing rules
        }
    }

Page 23

Sharing Demo

Page 24

Best Practices and Q&A for Sharing

• Sharing keywords don't enforce CRUD and FLS.

• Explicitly declare with sharing or without sharing for all classes in your code.

• If you must use without sharing, document the reasoning in a comment block.
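The following controller is an added example, not code from the slides, combining the three practices above with the page 22 rule that the defining class decides the sharing mode. It assumes a page that lists the user's visible contacts alongside an org-wide contact count; the class names, method names, and that use case are assumptions.

```apex
// Added example (not from the slides): every class declares its sharing mode,
// the one "without sharing" path is isolated and documented, and CRUD/FLS are
// still checked because sharing keywords do not cover them.
public with sharing class ContactSummaryController {

    // Runs with the current user's sharing rules: only records the user can see.
    // The sharing keyword does nothing for CRUD/FLS, so those are checked here.
    public List<Contact> getMyVisibleContacts() {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Name.isAccessible()) {
            return new List<Contact>();
        }
        return [SELECT Id, Name FROM Contact LIMIT 100];
    }

    // Sharing is decided by the class where the method is DEFINED, so this inner
    // class runs without sharing even though it is called from a with-sharing class.
    private without sharing class OrgWideCounter {
        /*
         * WITHOUT SHARING JUSTIFICATION
         * The page shows an org-wide contact count, which must include records
         * the user cannot see. Only an aggregate number leaves this method;
         * no record fields are exposed, so the bypass is confined to this class.
         */
        public Integer countAll() {
            return [SELECT COUNT() FROM Contact];
        }
    }

    // Aggregate over all records, returned through the documented bypass above.
    public Integer getOrgWideContactCount() {
        return new OrgWideCounter().countAll();
    }
}
```

Keeping the without sharing code in its own small inner class makes the scope of the bypass reviewable: a reader can verify that only a count crosses the boundary, and the justification comment travels with the code that needs it.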

Page 25

Summary

Page 26

Summary: developer practices for respecting the authorization model

CRUD

• Object-level permission. Should the user have access to this object?

FLS

• Field-level permission. Should the user have access to this field?

Sharing

• Record-level permission. Should the user have access to this record?

Page 27

Additional Resources

• Security Implementation Guide: https://developer.salesforce.com/././securityImplGuide/ (full link hidden)

• CRUD & FLS Enforcement Guide: https://developer.salesforce.com/page/Enforcing_CRUD_and_FLS

• Testing CRUD and FLS Enforcement: https://developer.salesforce.com/page/Testing_CRUD_and_FLS_Enforcement

• Using with sharing or without sharing Keywords: https://developer.salesforce.com/./././apex_classes_keywords_sharing (full link hidden)

• Salesforce StackExchange: http://salesforce.stackexchange.com/questions/tagged/security

• Salesforce Developer Security Forum: https://developer.salesforce.com/forums

• Security Office Hours (Partners): http://security.force.com/security/contact/ohours

Page 28

Thank you