Configure OAuth Policies: Configure Custom Scopes for External Client Apps
Control Name
External Client Apps: Configure OAuth Policies: Configure Custom Scopes for External Client Apps
Recommended Configuration
Define narrowly scoped custom scopes for External Client Apps and grant each app only the scopes its integration actually requires.
Control Overview
This security setting enables Salesforce admins to define specific, limited access permissions that allow external applications to interact only with designated protected resources rather than the entire organizational dataset.
Security Risk If Not Configured
Overly broad custom scopes produce over-privileged access tokens: an integrated application holding such a token can invoke functionality and reach protected resources well beyond what its integration was approved to do.
Threat Scenarios
An external application that was granted an unrestricted custom scope is compromised (for example, its client credentials or a stored access token are stolen). The attacker reuses the over-privileged token to call APIs and read or modify sensitive data that the original business requirement never called for, without needing any further privilege escalation.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Failure to implement granular custom scopes results in a lack of least-privilege enforcement, potentially allowing a single vulnerability in a third-party tool to escalate into a full-scale compromise of the Salesforce environment.
Higher Risk When
When custom scopes are defined as global or wildcard grants that let the external client read, write, or delete records across all objects without restriction, or when one broad scope is reused across every integration instead of a scope per protected resource.
Low Risk When
When the protected resources validate the scope claim on every request and reject tokens carrying scopes they do not recognize, and internal code review enforces that each integration requests only the minimum set of scopes it needs to operate.
Business and Integration Considerations
Defining precise custom scopes improves the company's security posture, but it is not free: developers must update application logic to request only the scopes each API call needs and to handle tokens that carry less than full access. A custom scope is carried in the access token; the protected resource that receives the token must itself check the scope claim, because a scope that nothing validates restricts nothing.
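The resource-server side of this check, as an added example that is not part of the original page or of any Salesforce code: the service behind a protected resource maps each endpoint to the one custom scope it requires, reads the scope claim from the token (here from a constructed RFC 7662 introspection response, not real Salesforce output), denies anything it does not recognize, and refuses wildcard or blanket scopes outright. The scope names, endpoints and the `audit_requested_scopes` review helper are hypothetical.

```python
"""Added example: least-privilege enforcement of custom scopes on a resource
server. Scope names, endpoints and sample tokens are assumptions for
illustration and are not Salesforce-defined values."""
import json

# Hypothetical mapping of protected resource -> the custom scope it requires.
REQUIRED_SCOPE = {
    "GET /invoices": "invoices.read",
    "POST /invoices": "invoices.write",
    "DELETE /invoices": "invoices.delete",
}

# Scope values that signal a blanket grant; a token carrying any of these is
# rejected rather than treated as a superset of the narrow scopes.
OVERBROAD = {"*", "full", "admin"}


def parse_scopes(introspection_json: str) -> set:
    """Return the space-delimited scope claim from an RFC 7662-style token
    introspection response. An inactive token carries no scopes at all."""
    resp = json.loads(introspection_json)
    if not resp.get("active"):
        return set()
    return set(resp.get("scope", "").split())


def authorize(introspection_json: str, method: str, path: str) -> bool:
    """Allow the call only if the token is active and carries exactly the
    scope the target resource requires. Unknown resources and over-broad
    scopes are denied by default."""
    scopes = parse_scopes(introspection_json)
    if not scopes or scopes & OVERBROAD:
        return False
    required = REQUIRED_SCOPE.get(f"{method} {path}")
    if required is None:
        return False
    return required in scopes


def audit_requested_scopes(requested: set, approved: set) -> list:
    """Review-time check: the scopes an integration requests beyond the set
    approved for it. An empty list means the request is least-privilege."""
    return sorted(requested - approved)


# Constructed sample introspection responses (not captured from Salesforce).
NARROW_TOKEN = json.dumps(
    {"active": True, "scope": "invoices.read", "client_id": "acme-reporting"}
)
BROAD_TOKEN = json.dumps(
    {"active": True, "scope": "invoices.read invoices.write *",
     "client_id": "acme-reporting"}
)
INACTIVE_TOKEN = json.dumps({"active": False})


if __name__ == "__main__":
    for label, tok in (("narrow", NARROW_TOKEN), ("broad", BROAD_TOKEN),
                       ("inactive", INACTIVE_TOKEN)):
        print(label, "GET /invoices ->", authorize(tok, "GET", "/invoices"),
              "DELETE /invoices ->", authorize(tok, "DELETE", "/invoices"))
    print("excess scopes:",
          audit_requested_scopes({"invoices.read", "invoices.delete"},
                                 {"invoices.read"}))
```

The deny-by-default branches are the point: a token that is inactive, carries a scope the service does not map, or carries a blanket scope gets nothing, so an over-privileged token issued by mistake cannot be turned into access at this resource.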
Recommended Remediation
Define one custom scope per protected resource or operation, with a name and description that make its intended access clear. In the OAuth settings of each External Client App, assign only the custom scopes that app's integration requires, and confirm that the resource servers receiving the tokens validate the scope claim on every request. Review the assignments periodically and remove scopes that are no longer used.
Security Health Review Guidance
Security Health Review identifies the use of granular custom scopes as a strongly recommended standard to enforce the principle of least privilege and prevent third-party integrations from obtaining excessive control over the Salesforce instance.