FAQ-001471 - Permission Set Security / Broad Permission Justification


Current FAQ

Question
How do I justify broad permissions like "View All" and "Modify All" that are essential for my application's administrative functions?
Answer
To justify broad permissions like "View All/Modify All" for your AppExchange app's administrative functions, you should:

1. **Explain Necessity**: Clearly describe why these permissions are essential for the app's administrative tasks and provide a detailed explanation of the business case and technical necessity.
2. **Limit Access**: Show that the permissions are restricted to administrative users who genuinely need this level of access and ensure their assignment is limited to users with specific permissions and roles that align with the intended functionality.
3. **Access Control Measures**: Document measures to prevent misuse, such as limiting the permission set to specific roles or profiles, and include proper access control checks to verify that only authorized users can assign or utilize these permission sets.
4. **Security Practices**: Provide assurance that the app enforces CRUD/FLS checks and follows secure coding practices to mitigate risks.
5. **Documentation**: Highlight any mitigations in place, such as admin-configurable options, scoped permission sets, and explicit security checks. If applicable, submit a false-positive document explaining the use case and implementation to help reviewers understand the app's design and security measures.

The review process will evaluate whether these permissions are appropriately scoped and adhere to security best practices.

AI Recommended Enhancement

Related Security Rules: ApexCRUDViolation, ApexSharingViolations
Recommended Answer Update
To justify broad permissions like "View All/Modify All" for your AppExchange app's administrative functions, you should:

1. **Explain Necessity**: Clearly describe why these permissions are essential for the app's administrative tasks and provide a detailed explanation of the business case and technical necessity.
2. **Limit Access**: Show that the permissions are restricted to administrative users who genuinely need this level of access and ensure their assignment is limited to users with specific permissions and roles that align with the intended functionality.
3. **Access Control Measures**: Document measures to prevent misuse, such as limiting the permission set to specific roles or profiles, and include proper access control checks to verify that only authorized users can assign or utilize these permission sets.
4. **Security Practices**: Provide assurance that the app enforces CRUD/FLS checks and follows secure coding practices to mitigate risks. Consider using `WITH USER_MODE` for SOQL queries and `AccessLevel.USER_MODE` for Database methods when you need to enforce user-level permissions, or implement appropriate security checks when working with system-mode operations.
5. **Documentation**: Highlight any mitigations in place, such as admin-configurable options, scoped permission sets, and explicit security checks. If applicable, submit a false-positive document explaining the use case and implementation to help reviewers understand the app's design and security measures.

The review process will evaluate whether these permissions are appropriately scoped and adhere to security best practices.
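The following Apex class is an added example, not code from the FAQ or from Salesforce, showing how points 3 and 4 look in practice: an administrative entry point gated on an explicit custom permission, a SOQL read that uses `WITH USER_MODE`, and a DML write that passes `AccessLevel.USER_MODE`. The object `Invoice__c`, its fields, the custom permission `Manage_All_Invoices`, and the class name are all assumed names for illustration.

```apex
// Added example (not part of the FAQ): admin-only service enforcing
// user-mode CRUD/FLS and sharing even though the admin permission set
// grants "View All"/"Modify All". Invoice__c, Amount__c, Due_Date__c and the
// custom permission Manage_All_Invoices are hypothetical names.
public with sharing class InvoiceAdminService {

    // Gate the administrative entry point on an explicit custom permission
    // (assigned through the scoped admin permission set) instead of relying
    // on the broad object permission alone.
    private static void requireAdmin() {
        if (!FeatureManagement.checkPermission('Manage_All_Invoices')) {
            throw new AuraHandledException('Insufficient privileges for this operation.');
        }
    }

    // Read path: WITH USER_MODE makes the platform enforce the running
    // user's object and field permissions; an inaccessible field raises a
    // QueryException rather than silently returning data.
    public static List<Invoice__c> overdueInvoices(Date cutoff) {
        requireAdmin();
        return [
            SELECT Id, Name, Amount__c, Due_Date__c
            FROM Invoice__c
            WHERE Due_Date__c < :cutoff
            WITH USER_MODE
        ];
    }

    // Write path: AccessLevel.USER_MODE on the Database method enforces
    // CRUD/FLS on the DML, so a user lacking update rights on Amount__c
    // cannot bypass them through this class. allOrNone=false returns
    // per-record results instead of throwing on the first failure.
    public static List<Database.SaveResult> applyLateFee(List<Invoice__c> invoices, Decimal fee) {
        requireAdmin();
        for (Invoice__c inv : invoices) {
            inv.Amount__c = inv.Amount__c + fee;
        }
        return Database.update(invoices, false, AccessLevel.USER_MODE);
    }
}
```

Documenting a class like this alongside the permission set is the kind of "explicit security check" evidence point 5 asks reviewers to look for.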
Reasoning
The FAQ is comprehensive and well-structured, but I made one key improvement to align with modern security approaches. In point 4 (Security Practices), I enhanced the guidance to prioritize modern Apex security features by mentioning `WITH USER_MODE` and `AccessLevel.USER_MODE` as preferred methods for enforcing user-level permissions, while maintaining the existing advice about secure coding practices. This addition follows the guidelines to lead with modern features while not dismissing traditional approaches. The selected security rules are highly relevant: ApexCRUDViolation relates to the FAQ's discussion of CRUD/FLS checks and secure coding practices mentioned in point 4, as apps with broad permissions must still implement proper security checks in their code. ApexSharingViolations relates to the sharing rule enforcement aspects that are crucial when apps have broad permissions like 'View All' and 'Modify All', as the code must still respect appropriate data access controls even when the permission sets allow broader access.