About API and Dynamic Apex Access in Packages | Salesforce
Available in: Salesforce Classic
Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
Apex Package components have access via dynamic Apex and the API to standard and custom objects in the organization where they are installed. Developers of Force.com AppExchange packages that are intended for external customers (also called third-party developers or partners) may wish to restrict this access. Restricting access makes packages safer for administrators to install. Also, administrators who install such packages may wish to restrict this access after installation, even if the package developers have not, for improved security.
API Access is a package setting that controls the dynamic Apex and API access that s-controls and other package components have to standard and custom objects. The setting displays for both the developer and installer on the package detail page. With this setting:
The developer of an AppExchange package can restrict API access for a package before uploading it to Force.com AppExchange. Once restricted, the package components receive Apex and API sessions that are restricted to the custom objects in the package. The developer can also enable access to specific standard objects, and any custom objects in other packages that this package depends on.
The installer of a package can accept or reject package access privileges when installing the package to his or her organization.
After installation, an administrator can change Apex and API access for a package at any time. The installer can also enable access on additional objects such as custom objects created in the installer’s organization or objects installed by unrelated packages.
There are two possible options for the API Access setting:
The default Unrestricted, which gives the package components the same API access to standard objects as the user who is logged in when the component sends a request to the API. Apex runs in system mode. Unrestricted access gives Apex read access to all standard and custom objects.
Restricted, which allows the administrator to select which standard objects the components in the package can access. Further, the components in restricted packages can only access custom objects in the current package if the user has the object permissions that provide access to them.
Considerations for API and Dynamic Apex Access in Packages
By default, dynamic Apex can only access the components with which the code is packaged. To provide access to standard objects not included in the package, the developer must set the API Access.
From Setup, enter Packages in the Quick Find box, then select Packages.
Select the package that contains the dynamic Apex that needs access to standard objects in the installing organization.
In the Package Detail related list, click Enable Restrictions or Restricted, whichever is available.
Set the access level (Read, Create, Edit, Delete) for the standard objects that the dynamic Apex can access.
Choosing Restricted for the API Access setting in a package affects the following:
API access in a package overrides the following user permissions:
Edit HTML Templates
Edit Read Only Fields
Manage Call Centers
Manage Custom Report Types
Manage Package Licenses
Manage Public Documents
Manage Public List Views
Manage Public Reports
Manage Public Templates
Use Team Reassignment Wizards
View Setup and Configuration
Weekly Export Data
If Read, Create, Edit, and Delete access are not selected in the API access setting for objects, users do not have access to those objects from the package components, even if the user has the “Modify All Data” and “View All Data” permissions.
A package with Restricted API access can’t create new users.
Salesforce denies access to Web service and executeanonymous requests from an AppExchange package that has Restricted access.
The following considerations also apply to API access in packages:
Workflow rules and Apex triggers fire regardless of API access in a package.
If a component is in more than one package in an organization, API access is unrestricted for that component in all packages in the organization regardless of the access setting.
If Salesforce introduces a new standard object after you select restricted access for a package, access to the new standard object is not granted by default. You must modify the restricted access setting to include the new standard object.
When you upgrade a package, changes to the API access are ignored even if the developer specified them. This ensures that the administrator installing the upgrade has full control. Installers should carefully examine the changes in package access in each upgrade during installation and note all acceptable changes. Then, because those changes are ignored, the administrator should manually apply any acceptable changes after installing an upgrade.
S-controls are served by Salesforce and rendered inline in Salesforce. Because of this tight integration, there are several means by which an s-control in an installed package could escalate its privileges to the user’s full privileges. In order to protect the security of organizations that install packages, s-controls have the following limitations:
For packages you are developing (that is, not installed from AppExchange), you can only add s-controls to packages with the default Unrestricted API access. Once a package has an s-control, you cannot enable Restricted
If an installed package has Restricted API access, upgrades will be successful only if the upgraded version does not contain any s-controls. If s-controls are present in the upgraded version, you must change the currently installed package to Unrestricted
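The two upgrade rules above (API access changes in an upgrade are ignored, and a Restricted installed package cannot take an upgrade that contains s-controls) can be turned into a review checklist. The following is an added example, not Salesforce code; the function name, the dictionary layout and the sample grants are assumptions constructed for illustration.

```python
LEVELS = ("Read", "Create", "Edit", "Delete")  # access levels named on this page


def review_upgrade(installed_mode, installed, requested, upgrade_has_scontrols):
    """Compare the API access in place with what an upgrade's developer specified.

    installed / requested: dict of object name -> set of access levels
    (hypothetical layout). Because upgrade-time changes are ignored, the
    result is the list of decisions the administrator has to make by hand.
    """
    if installed_mode not in ("Restricted", "Unrestricted"):
        raise ValueError("unknown API Access mode: %r" % (installed_mode,))
    for grants in list(installed.values()) + list(requested.values()):
        unknown = set(grants) - set(LEVELS)
        if unknown:
            raise ValueError("unknown access level(s): %s" % sorted(unknown))

    # A Restricted installed package cannot take an upgrade with s-controls.
    blocked = installed_mode == "Restricted" and upgrade_has_scontrols

    widened, narrowed = [], []
    if installed_mode == "Restricted":  # per-object grants only exist here
        for obj in sorted(set(installed) | set(requested)):
            have = set(installed.get(obj, ()))
            want = set(requested.get(obj, ()))
            for level in LEVELS:
                if level in want and level not in have:
                    widened.append((obj, level))   # approve, then apply manually
                elif level in have and level not in want:
                    narrowed.append((obj, level))  # candidate for revocation
    return {"blocked_by_scontrols": blocked,
            "widened": widened, "narrowed": narrowed}


# Constructed sample data: grants in place vs. grants the upgrade specifies.
INSTALLED = {"Account": {"Read"}, "Contact": {"Read", "Edit"}}
REQUESTED = {"Account": {"Read", "Edit"}, "Contact": {"Read"},
             "Lead": {"Read", "Delete"}}

if __name__ == "__main__":
    report = review_upgrade("Restricted", INSTALLED, REQUESTED, False)
    for obj, level in report["widened"]:
        print("REVIEW  upgrade specifies %s on %s; not applied automatically"
              % (level, obj))
    for obj, level in report["narrowed"]:
        print("REVOKE? %s on %s is no longer specified by the developer"
              % (level, obj))
```
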