FAQ-000537 - Custom Settings and Configuration Security / Security Review and Compliance

During the AppExchange Security Review, custom access control logic is evaluated to ensure it enforces proper access control measures and prevents unauthorized access. The review includes: 1. **Checking for "Without Sharing" Classes**: Ensuring that appropriate access control steps are implemented when sharing rules are bypassed. 2. **Validating Access Restrictions**: Verifying that the application logic restricts access based on user permissions or roles. 3. **Assessing Functionality**: Understanding the application's functionality to determine if the access control mechanisms are sound and justified for the use case. This evaluation ensures your custom logic aligns with security best practices.

The existing FAQ content is accurate and well-structured, so no substantive changes are needed. The content directly relates to two key security rules: ApexSharingViolations addresses the 'without sharing' classes mentioned in point 1, as this rule detects when sharing rules are bypassed without proper controls. ApexCRUDViolation relates to points 2 and 3 about validating access restrictions and permissions, as this rule identifies when CRUD (Create, Read, Update, Delete) permissions are not properly enforced in Apex code. Both rules are fundamental to the custom access control logic evaluation described in the FAQ. The answer maintains appropriate detail level for an FAQ format while covering the essential security review aspects.