FAQ-001481 - Permission Set Security / External Credentials and Automated Users


Current FAQ

Question
What is the correct way to grant permissions to an automated process or user to access an External Credential?
Answer
To grant permissions to an automated process or user to access an External Credential, you can use either Named Credentials or Protected Custom Metadata:

1. **Named Credentials**: These securely store and manage authentication parameters like client ID and secret. You can also enable the use of merge fields or formulas in the HTTP body by selecting the appropriate checkbox (e.g., "Allow Merge Fields in HTTP Body" or "Allow Formulas in HTTP Body").
2. **Protected Custom Metadata**: This allows you to securely store secrets, ensuring that only authorized processes or users can access them.

Both methods ensure secure and controlled access to External Credentials.

AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData

Question
What is the correct way to grant permissions to an automated process or user to access an External Credential?
Recommended Answer Update
To grant permissions to an automated process or user to access an External Credential, you can use either Named Credentials or Protected Custom Metadata:

1. **Named Credentials**: These securely store and manage authentication parameters like client ID and secret. You can also enable the use of merge fields or formulas in the HTTP body by selecting the appropriate checkbox (e.g., "Allow Merge Fields in HTTP Body" or "Allow Formulas in HTTP Body").
2. **Protected Custom Metadata**: This allows you to securely store secrets, ensuring that only authorized processes or users can access them.

Both methods ensure secure and controlled access to External Credentials while avoiding hardcoded credentials in your code.
Reasoning
The existing answer correctly explains External Credential access methods but lacks clarity on the security benefit of avoiding hardcoded credentials. The recommended update preserves all existing information while adding a crucial clarification at the end that emphasizes avoiding hardcoded credentials in code, which is a fundamental security principle.

The security rules selected directly relate to the FAQ content:

- ApexSuggestUsingNamedCred: This rule specifically recommends using Named Credentials for secure credential management, which is exactly what the FAQ discusses as option 1.
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: These rules all relate to avoiding hardcoded credentials in various contexts, which is the underlying security principle that makes Named Credentials and Protected Custom Metadata the correct approaches mentioned in the FAQ.
- ProtectSensitiveData: This rule relates to protecting sensitive data like authentication parameters, which is what External Credentials are designed to handle securely.
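
The contrast these rules target, as an added Apex example (not code from this FAQ or from Salesforce): a hardcoded secret in an HTTP header next to the same callout routed through a Named Credential, plus a body that references a stored parameter by formula. The class name, the `Inventory_API` Named Credential, the `Inventory_Ext_Cred` External Credential with its `clientSecret` parameter, and the example.com endpoint are hypothetical.

```apex
// Added example. Inventory_API, Inventory_Ext_Cred, clientSecret and the
// example.com URL are hypothetical names, not taken from the FAQ.
public with sharing class InventoryCallout {

    // BEFORE: the pattern the AvoidHardcodedCredentials* rules describe.
    // The secret is readable by anyone who can view the class or the repo.
    public static HttpResponse fetchHardcoded() {
        String apiKey = 'CONSTRUCTED-PLACEHOLDER-KEY'; // constructed value
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/items');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiKey);
        return new Http().send(req);
    }

    // AFTER: the endpoint and authentication come from the Named Credential,
    // so no secret appears in Apex.
    public static HttpResponse fetchWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Inventory_API/v1/items');
        req.setMethod('GET');
        return send(req);
    }

    // Secret needed in the body: reference it by formula instead of a literal.
    // Requires "Allow Formulas in HTTP Body" on the Named Credential.
    public static HttpResponse requestToken() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Inventory_API/oauth/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('client_secret={!$Credential.Inventory_Ext_Cred.clientSecret}');
        return send(req);
    }

    private static HttpResponse send(HttpRequest req) {
        try {
            HttpResponse res = new Http().send(req);
            if (res.getStatusCode() >= 400) {
                // Log the status only; never the request body or headers.
                System.debug(LoggingLevel.WARN, 'Callout status: ' + res.getStatusCode());
            }
            return res;
        } catch (System.CalloutException e) {
            // Reached when the callout itself fails; rethrow for the caller.
            System.debug(LoggingLevel.ERROR, 'Callout failed: ' + e.getMessage());
            throw e;
        }
    }
}
```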