FAQ-000462 - Custom Settings and Configuration Security / Custom Metadata Security and Visibility Management

Developers cannot directly change the visibility of a custom metadata type from Public to Protected in a released managed package. To address this, they need to: 1. Create a new custom metadata type with Protected visibility. 2. Update all references in the code and metadata to use the new Protected custom metadata type. 3. Deprecate the old Public custom metadata type to ensure it's no longer used. 4. Optionally, file a case with Salesforce to remove the old metadata type if necessary. This process ensures compliance with Salesforce's managed package policies. If you can't change the visibility of a custom metadata type in a released package, this workaround secures the data it contains while maintaining compliance.

The FAQ content is generally accurate and well-structured. I made one minor improvement to enhance clarity and make the language more conversational by changing "If you cannot change" to "If you can't change" which aligns with the brand guidelines of using contractions for a more natural, conversational tone. This change makes the text feel less formal and more approachable while maintaining all the technical accuracy. I selected the AvoidChangeProtectionUnprotected security rule because this FAQ directly addresses metadata visibility management in managed packages. The rule specifically targets scenarios where developers might attempt to change protection levels inappropriately. The FAQ's core content about creating new Protected custom metadata types and deprecating old Public ones directly relates to this rule's purpose of preventing inappropriate protection changes. The FAQ teaches the correct approach for handling visibility changes in released packages, which is exactly what this security rule is designed to enforce.