FAQ-000092 - Access Control and Authorization Issues / Managed Package Access Control


Current FAQ

Question
What are the best practices for implementing access control in managed packages?
Answer
The best practices for implementing access control in managed packages include:

1. **Use of Custom Permissions**: Implement custom permissions to gate access to specific functionality; expect them to be evaluated during the security review.
2. **Explicit CRUD/FLS Checks**: Check Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) permissions explicitly in any code path that does not run in user mode. Use the `Schema.sObjectType` describe methods (`isAccessible()`, `isCreateable()`, `isUpdateable()`, `isDeletable()`) to verify object and field access before performing SOQL or DML.
3. **Permission Checks**: Check permissions explicitly against the calling user's context, and use specific permissions to control access to sensitive operations or data.
4. **User Mode Enforcement**: Run SOQL queries and DML operations in user mode so that CRUD and FLS are enforced by the platform. Where user mode is not used, verify field accessibility with `Schema.sObjectType` before performing the operation.
5. **Guest User Access**: Grant guest users access safely: limit what is exposed, store sensitive data in protected custom metadata, and enforce proper sharing rules.
6. **System Context and User Mode**: Understand which context an operation runs in and choose it deliberately. User mode enforces permissions for DML and SOQL; system context bypasses them.
7. **Apex Sharing**: Define and enforce sharing rules within the managed package, and apply custom sharing logic with Apex managed sharing when necessary.
8. **Audit Access Control Changes**: Review and audit code that modifies sharing or access control configuration, such as permission sets and sharing rules, so that only authorized users can execute such operations and the package stays compliant with security standards.
9. **Avoid Elevated Privileges**: Refrain from using elevated privileges unnecessarily, for example in post-install scripts, to minimize risk.
10. **Mitigation of False Positives**: Document and explain any false positives identified during the security review, especially CRUD/FLS and other access-control findings.
11. **Session ID Usage**: Avoid handling user credentials or impersonating users. Use OAuth credentials for authentication and follow the approved guidelines for session ID usage.
12. **Secure Data Storage**: Store sensitive data, such as encryption keys, in protected custom metadata. Encrypt sensitive fields (e.g., with AES) and ensure decrypted values are accessible only to authorized users.
13. **Comprehensive Testing**: Validate access control mechanisms through end-to-end use cases to confirm they meet the security standards.
14. **Documentation and Review**: Provide detailed documentation, including architecture diagrams and security assurance activities, to support the security review process.

These practices help ensure robust and secure access control in your managed package.
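The custom permission check (point 1) and Apex managed sharing (point 7) above, as an added Apex example that is not part of the original FAQ. It assumes a packaged custom object `Invoice__c` with a `Status__c` picklist and an `Approver__c` user lookup, a custom permission `Approve_Invoices`, and an Apex sharing reason named `Approver__c` defined on `Invoice__c`; all of these names are illustrative.

```apex
// Added example, not from the FAQ. Assumed, illustrative names: Invoice__c,
// Status__c, Approver__c, the custom permission Approve_Invoices and the
// Apex sharing reason Approver__c on Invoice__c.
public inherited sharing class InvoiceAccessService {

    public class InsufficientAccessException extends Exception {}

    // API name of the packaged custom permission (assumed).
    private static final String APPROVE_PERMISSION = 'Approve_Invoices';

    // Point 1: gate a sensitive operation behind a custom permission.
    // FeatureManagement.checkPermission evaluates the permission for the
    // running user, so a caller cannot pass in a different user to bypass it.
    public static void approve(Id invoiceId) {
        if (!FeatureManagement.checkPermission(APPROVE_PERMISSION)) {
            throw new InsufficientAccessException('Missing permission ' + APPROVE_PERMISSION);
        }
        // User mode: the query and the update respect the user's CRUD, FLS and
        // sharing, so a user who cannot see the invoice cannot approve it.
        Invoice__c inv = [SELECT Id, Status__c FROM Invoice__c
                          WHERE Id = :invoiceId WITH USER_MODE];
        inv.Status__c = 'Approved';
        update as user inv;
    }

    // Point 7: Apex managed sharing. Gives each approver Read access to the
    // invoice they must approve, recorded under a custom Apex sharing reason so
    // the share survives owner changes and is distinguishable from manual shares.
    // Intended to be called from an after-insert/after-update trigger on
    // Invoice__c: adding Apex managed shares otherwise requires Modify All Data.
    public static List<Database.SaveResult> shareWithApprovers(List<Invoice__c> invoices) {
        List<Invoice__Share> shares = new List<Invoice__Share>();
        for (Invoice__c inv : invoices) {
            // The owner already has full access; skip records with no approver.
            if (inv.Approver__c == null || inv.Approver__c == inv.OwnerId) {
                continue;
            }
            shares.add(new Invoice__Share(
                ParentId      = inv.Id,
                UserOrGroupId = inv.Approver__c,
                AccessLevel   = 'Read',
                RowCause      = Schema.Invoice__Share.RowCause.Approver__c
            ));
        }
        // allOrNone = false: one bad row (e.g. an inactive approver) must not
        // undo the rest. Surface failures instead of swallowing them.
        List<Database.SaveResult> results = Database.insert(shares, false);
        for (Database.SaveResult r : results) {
            if (!r.isSuccess()) {
                for (Database.Error e : r.getErrors()) {
                    System.debug(LoggingLevel.ERROR, 'Share failed: ' + e.getMessage());
                }
            }
        }
        return results;
    }
}
```

The custom sharing reason is what makes this Apex managed sharing rather than manual sharing: the platform keeps the share row when the record owner changes, and a reviewer can see from `RowCause` which code path granted the access.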

AI Recommended Enhancement

Related Security Rules
- ApexCRUDViolation
- ApexSharingViolations
- AvoidApiSessionId
- AvoidUnauthorizedApiSessionIdInApex
- AvoidUnauthorizedGetSessionIdInApex
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- ApexBadCrypto
- ApexSuggestUsingNamedCred
Question
What are the best practices for implementing access control in managed packages?
Recommended Answer Update
The best practices for implementing access control in managed packages include:

1. **Use of Custom Permissions**: Implement custom permissions to gate access to specific functionality; expect them to be evaluated during the security review.
2. **Explicit CRUD/FLS Checks**: Always enforce Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) permissions in your code. Prefer the modern approaches, `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for `Database` methods, which make the platform enforce permissions for you. Where those are not used, verify object and field access with the `Schema.sObjectType` describe methods before performing DML.
3. **Permission Checks**: Check permissions explicitly against the calling user's context, and use specific permissions to control access to sensitive operations or data.
4. **User Mode Enforcement**: Run SOQL queries and DML operations in user mode so that CRUD and FLS are enforced by the platform. `WITH USER_MODE` and `AccessLevel.USER_MODE` handle this enforcement; `Schema.sObjectType` checks remain valid for code paths that cannot use user mode.
5. **Guest User Access**: Grant guest users access safely: limit what is exposed, store sensitive data in protected custom metadata, and enforce proper sharing rules.
6. **System Context and User Mode**: Understand which context an operation runs in and choose it deliberately. User mode enforces permissions for DML and SOQL; system context bypasses them.
7. **Apex Sharing**: Define and enforce sharing rules within your managed package, and apply custom sharing logic with Apex managed sharing when necessary.
8. **Audit Access Control Changes**: Review and audit code that modifies sharing or access control configuration, such as permission sets and sharing rules, so that only authorized users can execute such operations and the package stays compliant with security standards.
9. **Avoid Elevated Privileges**: Don't use elevated privileges unnecessarily, for example in post-install scripts, to minimize risk.
10. **Mitigation of False Positives**: Document and explain any false positives identified during the security review, especially CRUD/FLS and other access-control findings.
11. **Session ID Usage**: Don't handle user credentials or impersonate users. Use OAuth credentials for authentication and follow the approved guidelines for session ID usage.
12. **Secure Data Storage**: Store sensitive data, such as encryption keys, in protected custom metadata. Use strong encryption for sensitive fields and ensure decrypted values are accessible only to authorized users.
13. **Comprehensive Testing**: Validate access control mechanisms through end-to-end use cases to confirm they meet the security standards.
14. **Documentation and Review**: Provide detailed documentation, including architecture diagrams and security assurance activities, to support the security review process.

These practices help ensure robust and secure access control in your managed package.
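The CRUD/FLS guidance in points 2 and 4 of both answers, as an added Apex example that is not part of the original FAQ: a system-mode query that ignores the running user's permissions, beside the user-mode `Database` calls and the describe-based `Schema.sObjectType` check that both answers recommend, plus `Security.stripInaccessible` for a read path that should degrade rather than fail. It uses the standard Contact object; the class, method and exception names are illustrative.

```apex
// Added example, not from the FAQ. Uses the standard Contact object; class,
// method and exception names are illustrative.
public inherited sharing class ContactFieldAccess {

    public class AccessDeniedException extends Exception {}

    // BEFORE: the pattern ApexCRUDViolation flags. Database.query without an
    // AccessLevel runs in system mode, so the running user's object and field
    // permissions are ignored, and the caller-supplied field name is spliced
    // straight into the query (SOQL injection through the field name).
    public static List<Contact> unsafeSearch(String fieldName, String value) {
        String soql = 'SELECT Id, ' + fieldName + ' FROM Contact WHERE ' + fieldName + ' = :value';
        return Database.query(soql);
    }

    // AFTER: user mode. The platform enforces CRUD and FLS on the query; a
    // field the user cannot read raises a QueryException instead of leaking.
    // The field name is resolved against the describe (keys are lower case),
    // so only a real Contact field can reach the query string.
    public static List<Contact> safeSearch(String fieldName, String value) {
        Schema.SObjectField field =
            Schema.SObjectType.Contact.fields.getMap().get(fieldName.toLowerCase());
        if (field == null) {
            throw new AccessDeniedException('Unknown field: ' + fieldName);
        }
        String apiName = field.getDescribe().getName();
        String soql = 'SELECT Id, ' + apiName + ' FROM Contact WHERE ' + apiName + ' = :value';
        return Database.queryWithBinds(
            soql, new Map<String, Object>{ 'value' => value }, AccessLevel.USER_MODE);
    }

    // AFTER: DML in user mode. Fails with a DmlException when the user lacks
    // Edit on Contact or on Contact.Email, so no separate describe check is needed.
    public static Database.SaveResult updateEmailUserMode(Id contactId, String email) {
        Contact c = new Contact(Id = contactId, Email = email);
        return Database.update(c, AccessLevel.USER_MODE);
    }

    // Equivalent for code paths that cannot use user mode: check the object and
    // the field with Schema.sObjectType before the DML. Both checks are needed,
    // since object-level Edit does not imply field-level Edit.
    public static void updateEmailDescribeCheck(Id contactId, String email) {
        if (!Schema.sObjectType.Contact.isUpdateable()
                || !Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AccessDeniedException('No edit access to Contact.Email');
        }
        update new Contact(Id = contactId, Email = email);
    }

    // Read path that degrades instead of failing: strip fields the user cannot
    // read from records that were queried outside user mode, before they are
    // returned to the UI or an API caller.
    public static List<Contact> stripUnreadable(List<Contact> records) {
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, records);
        // decision.getRemovedFields() lists what was dropped, per object type,
        // which is worth logging when diagnosing a permission-set gap.
        return (List<Contact>) decision.getRecords();
    }
}
```

For a security review, the user-mode variants are the ones to lead with: the enforcement is done by the platform rather than by describe calls that a later edit can forget, and the describe-based method stays as the documented fallback for code that must run in system context.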
Reasoning
The recommendations improve clarity and modernize the security guidance while preserving all existing points. Key changes include: 1) Updated CRUD/FLS guidance to lead with modern approaches (WITH USER_MODE and AccessLevel.USER_MODE) as per security approaches guidelines, while maintaining that traditional Schema.sObjectType checks remain valid. 2) Improved conversational tone by replacing 'Refrain from using' with 'Don't use' and 'Avoid handling' with 'Don't handle' for better readability. 3) Enhanced encryption guidance by replacing generic 'encryption techniques (e.g., AES)' with 'strong encryption techniques' to be more actionable. 4) Changed 'ensuring they are evaluated' to 'ensuring they're evaluated' for conversational tone. All technical content accuracy is preserved while making the language more accessible and actionable. Security rule associations: ApexCRUDViolation relates to points 2 and 4 about explicit CRUD/FLS checks and user mode enforcement. ApexSharingViolations connects to point 7 about Apex sharing implementation. Session ID rules (AvoidApiSessionId, AvoidUnauthorizedApiSessionIdInApex, AvoidUnauthorizedGetSessionIdInApex) relate to point 11 about proper session ID usage and OAuth authentication. Hardcoded credential rules relate to point 12 about secure data storage and avoiding hardcoded sensitive data. ApexBadCrypto and ApexSuggestUsingNamedCred connect to points about encryption and secure credential management.