Spring 20 highlights

  • Permission Set Groups: Greater Flexibility in Granting Permissions (Generally Available) – Permission set groups are an ideal way to consistently and reliably assign permissions to a group of users. Assign users a single permission set group instead of multiple permission sets. Permission set groups combine selected permission sets to provide all the permissions that users need for their job function. Remove individual permissions from a group with the muting permission set feature to ensure that permissions do not exceed user job functions. This change applies to Lightning Experience and Salesforce Classic.
  • Group Permission Sets Based on User Job Function for Easier Assignment (Generally Available) – Now you can assign users a single permission set group instead of multiple permission sets. Permission set groups combine selected permission sets to provide all the permissions that users need for their job. Similarly, remove individual permissions from a group with the permission muting feature to ensure that users do not get permissions that are not relevant to their job functions. A new user interface helps you create and manage permission set groups.
  • Track Permission Set Edits with a New Confirmation Menu – It just got easier to track bulk edits on permissions. We’ve improved readability and security so that multiple-selection permissions and any permission dependencies are summarized on a separate page. With the Permission Changes Confirmation page, you can easily identify and review all added and removed permissions before they become part of your permission ecosystem. Previewing the permission edits summary helps you better manage and maintain security control for your users and organization.
  • Manage Permissions in Permission Set Groups with a Muting Permission Set (Generally Available) – A muting permission set is a handy way to increase security and ensure that only components that are required by your organization and users are accessible and, conversely, those components that shouldn’t be accessed are not available. When used along with permissions, a muting permission set gives you granular control over permissions and helps make sure you’re complying with the principle of least privilege.
  • External Org-Wide Defaults Are Enabled by Default in All New Orgs – To better secure your data, the External Sharing Model is enabled by default in all Salesforce orgs created in Spring ’20 or later. External org-wide defaults let you set more restrictive levels of access for external users, instead of giving internal and external users the same default access. In these newly created orgs, external access levels are initially set to Private for all objects.
  • The External Sharing Model Can No Longer Be Disabled – To better protect your Salesforce org’s data, you can no longer disable the external sharing model after it’s enabled in your org.
  • Safeguard Your Data by Setting External Access Levels for the Lead and Campaign Objects (Generally Available) – You can now set external access levels for the Lead object, which was previously in beta, and the Campaign object. Select more restrictive access for external users without changing the default internal access level. The objects available for external org-wide defaults vary depending on your Salesforce org’s licenses and other settings.
  • Changes to Sharing API Access – Access to sharing rules and sharing sets through the Salesforce API is available for users with the View Setup and Configuration permission. Editing sharing rules and sharing sets through the API is available for users with the Manage Sharing permission.
  • Permission Changes for Queues – Access to queues through the Salesforce API is available for standard and partner users, while editing queues is available for users with the Manage Users permission.
  • Authentication and Identity: Apple Sign-In, Identity Verification, and API Access Control – Enable Apple sign-in for your orgs and communities, allowing users to authenticate with their Apple ID, Face ID, or Touch ID. Enhance identity verification security by storing domain verification files for external services and enabling verification methods that are more secure than email. Restrict external user access to Salesforce APIs through connected apps that are installed in your org or community. And apply the Request Signature Methods to single logout, have extra time to approve OAuth authentication requests, and troubleshoot bridged OAuth sessions.
  • Domains: Custom Domains for Sandboxes (Pilot), Salesforce Edge, Instanceless URLs, and Certificate Changes for My Domains – Test your Salesforce Sites and Communities in a sandbox using custom domains (Pilot). For customers with a My Domain, certificates are changing and you can accelerate domain requests with Salesforce Edge. Remove instance names from My Domain URLs through critical updates or sandbox refreshes.
  • Salesforce Shield: Real-Time Event Monitoring Threat Detection (Beta), Event Monitoring Analytics App Improvements, and Platform Encryption for Platform Events – Use Real-Time Event Monitoring platform events to detect common threats to your org (Beta). We improved the performance of the Event Monitoring Analytics app. The legacy transaction security policy framework will be retired in Summer ’20. Shield Platform Encryption now supports Platform Events in addition to Change Data Capture Events.
  • Data Protection and Privacy: Party Consent, Communication Subscription, and Contact Point Objects – Store data related to your customers’ general consent preferences and the communications that they subscribe to. You can also associate multiple email addresses or phone numbers to individuals or person accounts, and manage their preferred time and consent to be contacted.
  • Other Security Changes: Guest User Record Assignment, External URL Whitelist, and Setup Enhancements – Set up a default owner for any records created by guest users in Salesforce Sites. Whitelist external URLs that users are allowed to navigate to directly. Plus, we made improvements to Session Security Level Policies and the Setup Audit Trail.
  • General Setup: Custom Settings Enhancements and Improved Connections with Enhanced External Services – Protect and control who has access to custom settings. Create better connections to outside services with Enhanced External Services.
  • Require Customize Application Permission for Direct Read Access to Custom Settings (Critical Update, Enforced) – Access for users without the Customize Application permission to read unprotected custom settings is revoked as part of this critical update. Using different APIs that are provided by Salesforce, users without the Customize Application permission could read unprotected custom settings. Following the “secure by default” approach, this access is revoked.
  • Protect Custom Settings in Developer and Scratch Orgs – The Visibility field is now only available in developer or scratch orgs, where managed packages can be created. When you create a custom setting, the package type and the Visibility field determine whether the custom setting is public or private. You can only create protected custom settings in a developer or scratch org that are then deployed in a managed package. In addition, the Visibility field must be set to protected.
  • Control Who Gets Read Access to Custom Settings – You can now control the access of custom settings at a granular level by granting direct Read access to specific custom settings through profiles and permission sets.
  • Make More Connections the Enhanced External Services Way (Generally Available) – Enhanced External Services is generally available and enabled by default. It’s easy to use, and provides more ways to create and connect to outside services. Now, when you register a service, you get support for more complex OpenAPI 2.0 schema, nested object types, and send parameters as headers within the HTTP requests.
  • Require Permission to View Record Names in Lookup Fields (Critical Update) – To better protect your Salesforce org’s data, we restrict who can view record names in lookup fields. Beginning in Summer ’20, users must have read access to these records or the View All Lookup Record Names permission to view this data. This critical update also applies to system fields, such as Created By and Last Modified By.
  • Secure Your Sandbox Data with Salesforce Data Mask – Salesforce Data Mask is a powerful new data security resource for Salesforce admins and developers. Instead of manually securing data and access for sandbox orgs, admins can use Data Mask to automatically mask the data in a sandbox.
  • Permission Changes for Administrator Tasks – To access permissions or permission set groups, users must have the View Setup and Configuration permission or the equivalent permissions to manage permission sets or users, including Manage Session Permission Set Activations, Manage Users, and Assign Permission Sets.
  • Changes to Managing User Roles and Preferences – Access to user roles is available for users with the View Roles and Role Hierarchy permission. Editing user roles is available for users with the Manage Roles permission. Access to UserPreference records of other users in the SOAP API is available for users with the View All Data or Manage Users permission, but all users can access their own UserPreference record.
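
The permission set group and muting permission set items above describe a simple rule: a group grants the union of its permission sets minus whatever its muting permission set removes. The Python sketch below is an added example, not Salesforce code; it models that rule and a least-privilege review against a job function. Every permission set name, permission name and job-function baseline in it is constructed sample data.

```python
"""Simplified model of permission set groups with a muting permission set.

All permission set names and permissions below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PermissionSetGroup:
    name: str
    permission_sets: tuple          # names of the permission sets it combines
    muted: frozenset = frozenset()  # permissions removed by the muting permission set


# Constructed sample data: permission set name -> permissions it grants.
PERMISSION_SETS = {
    "Sales_Base": {"Read Account", "Edit Account", "Read Lead"},
    "Reporting": {"Run Reports", "Export Reports"},
    "Data_Admin": {"Export Reports", "Modify All Data"},
}

# Constructed baseline: what the sales rep job function actually needs.
SALES_REP_NEEDS = {"Read Account", "Edit Account", "Read Lead", "Run Reports"}


def group_permissions(group, permission_sets=PERMISSION_SETS):
    """Union of the group's permission sets, minus what the group mutes."""
    combined = set()
    for ps_name in group.permission_sets:
        combined |= permission_sets[ps_name]
    return combined - group.muted


def user_permissions(groups, direct_sets=(), permission_sets=PERMISSION_SETS):
    """Permissions a user ends up with across groups and direct assignments.

    Muting applies only inside the group that owns the muting permission set,
    so a permission granted again by a directly assigned permission set (or by
    another group) stays effective.
    """
    effective = set()
    for group in groups:
        effective |= group_permissions(group, permission_sets)
    for ps_name in direct_sets:
        effective |= permission_sets[ps_name]
    return effective


def least_privilege_review(group, needs, permission_sets=PERMISSION_SETS):
    """Compare what a group grants with what the job function needs."""
    granted = group_permissions(group, permission_sets)
    before_muting = group_permissions(
        PermissionSetGroup(group.name, group.permission_sets), permission_sets
    )
    return {
        "excess": sorted(granted - needs),      # candidates for muting
        "missing": sorted(needs - granted),     # needed but not granted
        "over_muted": sorted((before_muting - granted) & needs),
    }


if __name__ == "__main__":
    sets = ("Sales_Base", "Reporting", "Data_Admin")
    unmuted = PermissionSetGroup("Sales_Rep", sets)
    review = least_privilege_review(unmuted, SALES_REP_NEEDS)
    print("before muting:", review)

    muted = PermissionSetGroup("Sales_Rep", sets, frozenset(review["excess"]))
    print("after muting :", least_privilege_review(muted, SALES_REP_NEEDS))

    # A direct assignment outside the group bypasses the group's muting.
    leaked = user_permissions([muted], direct_sets=["Data_Admin"])
    print("still granted directly:", sorted(leaked - SALES_REP_NEEDS))
```

The last check is the one to run during an access review: muting cleans up the group, but any permission set assigned to the same user outside the group has to be reviewed separately.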

Spring 20 Summary

Another massive set of permission changes in the Spring 20 release. Over 20 new features give you increased control over how users access the platform and what they can do on it. Permission set groups are in GA, and there is more control over external org-wide defaults, custom settings, and much, much more.

Winter 20 highlights

  • Permission Set Groups: Assign users a single permission set group instead of multiple permission sets.
  • Install Even More Custom Objects in Your Org: raised the total hard limit for custom objects in an org to 3,000 (up from 2,500 in the previous release) so that you can install more custom objects from packages.
  • Check a Field’s References and Find Reports Using It (Generally Available): With the click of a button, view the references to a custom field before you edit it, such as references in a formula, layout, or Apex class.
  • Secure Guest Users’ Sharing Settings: When you enable the Secure guest user record access setting, you set guest users’ org-wide defaults to Private for all objects. This setting also restricts the way you can share records with guest users and lets you create new guest user sharing rules.
  • Safeguard Your Data by Setting External Access Levels for More Standard Objects (Generally Available): You can now set external access levels for many more standard objects. Select more restrictive access for external users without changing the default access level for internal users.
  • Keep Sharing Records When Migrating to Enterprise Territory Management: If you’re migrating to Enterprise Territory Management, you can keep your original territory sharing records so that your sales team can continue working.

Winter 20 Summary

Well, it’s been a big release. Better control over external user access to data through controlling the org-wide defaults on external objects. Permission set groups in Beta. Understand where a field is used throughout your org. They upped the limit on custom objects from 2,500 to 3,000, along with the reporting around custom object usage. Improved domain name settings, API monitoring, sharing settings, and much, much more.

Check a Field’s References and Find Reports Using It (Generally Available)

With the click of a button, view the references to a custom field before you edit it, such as references in a formula, layout, or Apex class. On a custom field’s detail page, click Where is this used? to see where a field is used and where changes to the field appear. Use this information to communicate changes to others who use the field in a formula or other context. In this release, we added support for reports.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, and Unlimited editions.

Who: Admins with the View Setup permission can check where a custom field is used.

The list can include these references.

  • Validation rule
  • Layout
  • Formula field
  • Visualforce page
  • Apex class
  • Apex trigger
  • Email template (Salesforce Classic, text based)
  • Field set
  • Flow (query)
  • Lightning component markup (attr)
  • Process Builder (criteria)
  • URL button (formula)
  • Lightning page (related list single)
  • Lookup filter (lookup and master detail)
  • Reports (column

Click a reference label to view the settings for the layout, formula, or other reference. Reference labels link to more information only if there is a known settings page for the reference. For example, a report name links to the report settings. But, a criteria formula created within a flow does not link to the flow settings.

Within a subscriber org, references in a managed package aren’t included in the list of results. For example, you have a number field referenced in a formula. If you add the field to a package and install the package in a subscriber org, the subscriber org’s field reference detail page doesn’t show that this number field is referenced in a formula field.

However, new references created after installing the managed package in the subscriber org do appear. For example, after you install the managed package and you add the number field to another formula in the subscriber org, the new reference appears.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_fields_where_ga.htm&release=222&type=5

Release Updates: Critical Updates and Security Alerts in One Location, Permission Changes for Apex, and More

Enjoy a cleaner view of important updates and alerts in one location. Ensure that your org stays up to date on all changes that affect its performance, security, and users.

  • Review Important Org Changes with Release Updates (Beta)
    Understand and act on updates that impact your Salesforce org using an improved user interface. View your updates and alerts information in a single, easy-to-use page.
  • Release Updates (Beta)
    Salesforce periodically releases updates that improve the performance, logic, security, and usability of Salesforce, but which can affect your existing customizations. Find the Summer ’20 updates in the Release Updates node in Setup.
  • Security Alerts
    Security Alerts help customers implement security-related updates in their org. Find the Summer ’20 alerts in the Security Alerts node in Setup.

https://help.salesforce.com/s/articleView?id=release-notes.rn_cruc_overview.htm&release=226&type=5

Other Security Changes: Private Connect (Generally Available), Security Command Center (Beta), Stricter Security with Salesforce Sites, and Stronger Algorithms with Apex Crypto Class

Private Connect (generally available) creates a secure connection with Amazon Web Services to protect your cross-cloud traffic from outside threats. Use the new Security Command Center (beta) to monitor security, privacy, and governance policies across multiple tenants. Choose a default owner for records created by a Salesforce Sites guest user. And the Crypto class supports more hashing algorithms for more secure key material.

  • Secure Your Cross-Cloud Integrations with Private Connect (Generally Available)
    When you integrate your Salesforce org with applications hosted on third-party cloud services, it’s essential to be able to send and receive HTTP/s traffic securely. With Private Connect, you can increase security on your Amazon Web Services (AWS) integrations by setting up a fully managed network connection between your Salesforce org and your AWS Virtual Private Cloud (VPC). Route your cross-cloud traffic through the connection instead of over the public internet to reduce exposure to outsider security threats.
  • Take Charge of Your Security with Security Command Center (Beta)
    Maintaining security, privacy, and governance policies across multiple tenants is critical and often time-intensive work. Enter Security Command Center, a tool for monitoring all of your tenants’ security settings in one app. Use Security Command Center to see who’s logging in with which authentication protocols, review permission assignment changes, and more. You can even review average and per-tenant health check scores without going to each tenant’s Health Check page.
  • Use Stronger Hashing Algorithms with Apex Crypto Class
    The Crypto class now supports RSA-SHA384 and RSA-SHA512 hashing standards, giving you more options for generating cryptographically strong key material. You can pass RSA-SHA384 and RSA-SHA512 values into the algorithmName parameter for the Crypto.sign(), Crypto.signWithCertificate(), Crypto.signXML(), and Crypto.verify() methods. Use a third-party application or the Crypto.generateAesKey() method to generate this key for you.
  • Assign New Records Created by Salesforce Sites Guest Users to a Default Owner
    To increase the security of your Salesforce data, Salesforce Sites guest users are no longer automatically the owner of records they create. Instead, when a Salesforce Sites guest user creates a record, the record is assigned to a default record owner that you choose.
  • Permission Changes for Security Features
    Review access changes to Security features that take effect with the Summer ’20 release.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=226&type=5

Data Protection and Privacy: Customer Consent Channels and Consent API Calls

We added features to improve how your users manage customer contact preferences. Use the contact point address field to record customer mailing address information and consent. Store consent records for new contact point channels, or create your own, with the Engagement Channel field. Use the Policy option for Consent Read API calls to require explicit consent for contact channels in an object.

Store a New Contact Point and Customer Consent Information
To help you store more information about customers, you can now specify multiple addresses for an individual or person account. Use the Contact Point Address field to specify multiple mailing addresses, and add details about a customer’s contact preferences. You can also reference these records from a contact point consent record to store a customer’s consent to being contacted this way.

Customize and Store More Customer Consent Channels
To help your org better communicate with customers, you can use the Engagement Channel field to manage consent records for more contact point channels. For example, you can use the Engagement Channel Type field to specify a customer’s consent to be contacted through SMS or fax, when previously you could only indicate the contact point type phone. Even better, you can create your own Engagement Channel type to meet customers’ unique needs.

Improve the Accuracy of Consent API Calls
Use a new value on the Policy parameter to require explicit consent for any object where explicit consent can be recorded. With the new value on the Policy parameter, the API returns an infoNotFound response when consent for a contact point isn’t specified. Consent is only returned in the API response when your customers specify that they opt in to a contact point channel.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_data_protection_privacy.htm&release=226&type=5

Domains: OCSP Stapling, Salesforce Edge, and Shorter URLs

We enabled Online Certificate Status Protocol (OCSP) stapling to allow HTTPS to connect faster while ensuring that sensitive data remains private. For customers with a My Domain, we’re accelerating domain requests with Salesforce Edge and removing instance names from My Domain URLs through release updates.

  • Streamline External Certificate Verification with OCSP Stapling
    To keep your information secure while improving performance, we implemented Online Certificate Status Protocol (OCSP) stapling. OCSP stapling allows HTTPS to connect faster and ensures that sensitive data remains private. When the application calls out to an external HTTPS encrypted website with OCSP stapling enabled, that website attaches—or “staples”—a verification of their HTTPS certificate to their response. The verification contains digitally signed and timestamped information from their Certificate Authority vendor, proving that the certificate is valid and current.
  • Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and Content Files (Update, Postponed)
    We’re removing the instance names from Visualforce, Experience Builder, Site.com Studio, and content file URLs. An instance name identifies where your Salesforce org is hosted. Instanceless domains are cleaner and easier for users to remember. This update applies to orgs that have a deployed My Domain. After this update is activated, a URL that includes the instance name, such as a bookmark, automatically redirects to the new hostname. Released in Spring ’18, this update was scheduled for automatic activation on July 11, 2020 and has been postponed to Summer ’21.
  • Stabilize the Hostname for My Domain URLs in Sandboxes (Update, Enforced)
    We’re removing instance names from My Domain URLs for sandboxes. The instance name identifies where your Salesforce sandbox org is hosted. Removing the instance name makes the URL cleaner and easier for users to remember. For example, MyDomain--SandboxName.my.salesforce.com replaces MyDomain--SandboxName.cs5.my.salesforce.com. This update was first made available in Summer ’18 and is enforced in Summer ’20.
  • Route My Domains Through Salesforce Edge (Update, Enforced)
    With this update, we accelerate domain requests for My Domains. You can keep the same My Domain address, but requests go through Salesforce Edge. Salesforce Edge uses machine-learning technology to improve connectivity and performance. This update was first available in Winter ’20 and is enforced in Summer ’20.
  • My Domain Name Length Requirement Was Changed
    To meet iOS requirements, new My Domain names must be at least 3 characters long. If your existing My Domain name has only 2 characters, you might be unable to access Lightning Experience when you open your sandbox My Domain URL on iOS. To resolve this issue, rename your My Domain.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=226&type=5

Authentication and Identity: Enhanced Two-Factor Authentication, Federation IDs, and Delegated Authentication Enablement

You can initiate two-factor authentication with two new Apex methods and enable it for external identity with a user permission. In addition, API-only users can register for two-factor authentication in the Salesforce UI. For easier integration with third-party identity providers, turn off case-sensitivity of Federation IDs for your Salesforce org. And stop your users from signing in to external identity providers with their Salesforce credentials, even when single sign-on is configured, by enabling delegated authentication through a Salesforce org preference.

  • Initiate Two-Factor Authentication with Apex
    Initiate your two-factor authentication process with two new Apex methods in the System.UserManagement class. To verify a user’s identity with email, phone (SMS), or Salesforce Authenticator verification, pair the methods—one to initiate a verification service and one to complete the verification service. For password or time-based one-time password (TOTP) verification, you can use the second method alone to provide a complete verification service.
  • Enable Two-Factor Authentication for External Users
    We added the Two-Factor Authentication for User Interface Logins user permission to the External Identity license. So now you can enable two-factor authentication for your external users, just like you do for your internal users. Simply enable this user permission on an external identity user profile or assign a permission set with this user permission to external identity users.
  • API Only Users Can Register for Two-Factor Authentication in the Salesforce UI
    We now allow API only users access to the Salesforce UI to register for two-factor authentication. After a successful authentication, API only users are restricted from accessing the UI.
  • Allow Highly Trusted Users to Skip Identity Verification
    Allow highly trusted users to log in to your Salesforce org from a new device without verifying their identity with a second factor, such as an SMS code. Because of security risks, we don’t recommend enabling this permission except for cases in which the user is highly trusted. For example, enable this permission if Salesforce Customer Support must log in to your org to troubleshoot an issue.
  • Apply Delegated Authentication to Your Salesforce Org
    To improve your Salesforce org’s security, enable Delegated Authentication for your entire org, and manage this setting for your users at the permission level. Delegated Authentication redirects your users to an authentication provider of your choice, preventing users from logging in with their Salesforce credentials. Use this feature to prevent former employees from accessing your org with their Salesforce credentials, which are different from the credentials they use with the authentication provider. Previously, you contacted Salesforce Customer Support to enable this feature.
  • Seamlessly Integrate Federation IDs with Identity Providers
    For easier integration with third-party identity providers, you can turn off case-sensitivity of Federation IDs for your entire Salesforce org. Previously, it was possible to create two unique users with similar Federation IDs because Salesforce recognized case-sensitivity; for example, ssmith and SSmith. Because some external identity providers don’t consistently recognize case-sensitivity, this created authentication issues.
  • Customize Your Embedded Login Page Type
    Give your customers a better login experience. Configure Embedded Login to use the discoverable login page type or any other custom login page type already set up for your community.
  • Improve SSO with Custom Community URLs
    Improve the login experience for your community users and reduce HTTP redirects by using optional community-specific URLs for single sign-on.
  • Discover Login Page Attributes with New JSON Response Fields
    Use two new JSON response fields to discover login page attributes. The new LoginPageType field determines whether the type of page assigned to communities is discoverable, custom, or standard, or if Salesforce org pages are discoverable or standard. The new LoginPageTypeConfigs field defines whether the login prompt displays a preconfigured localized message for discoverable login page types. For custom login pages, it includes the custom login page URL and defines if the login page type is Designer or Visualforce. The LoginPageTypeConfigs field also displays whether the discoverable or custom login page type assigned to the community is assigned to the Embedded Login configuration.
  • Access Pardot API Services with Connected Apps
    You can configure a connected app to access your Pardot API services. With this configuration, a client (represented by the connected app) accesses the Pardot services on behalf of the user. Manage the full extent of accessible services in Pardot.
  • Filter Login History by Application and Login Types
    You can now filter Login History reports and list views by the type of application a user logged in from, such as a mobile device. You can also filter by the type of login, such as Outlook integration logins. These filters apply to login data captured over the past 6 months.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=226&type=5
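
The Federation ID item above describes two users such as ssmith and SSmith coexisting under case-sensitive matching. The Python sketch below is an added example, not Salesforce code; it shows how an assertion from an identity provider resolves under each mode and lists the IDs that differ only by case, so they can be cleaned up before the org setting is changed. The user rows are constructed sample data, and modelling case-insensitive comparison with `str.casefold()` is an assumption.

```python
"""Pre-check before turning off Federation ID case sensitivity.

The (username, federation_id) rows are constructed sample data; in practice
they would come from an export of the org's users.
"""
from collections import defaultdict

# Constructed sample export: (username, Federation ID). None = no Federation ID.
SAMPLE_USERS = [
    ("sam.smith@example.com", "ssmith"),
    ("sara.smith@example.com", "SSmith"),
    ("j.doe@example.com", "jdoe"),
    ("api.user@example.com", None),
]


def _fold(federation_id):
    # Assumption: case-insensitive matching is modelled with str.casefold();
    # the platform's exact comparison rule is not described on the page.
    return federation_id.casefold()


def resolve(asserted_id, users, case_sensitive):
    """Usernames whose Federation ID matches the value the IdP asserted."""
    matches = []
    for username, fed_id in users:
        if not fed_id:
            continue  # users without a Federation ID can never match
        if case_sensitive:
            hit = fed_id == asserted_id
        else:
            hit = _fold(fed_id) == _fold(asserted_id)
        if hit:
            matches.append(username)
    return matches


def case_collisions(users):
    """Groups of users whose Federation IDs differ only by letter case."""
    groups = defaultdict(list)
    for username, fed_id in users:
        if fed_id:
            groups[_fold(fed_id)].append((username, fed_id))
    return {key: rows for key, rows in groups.items() if len(rows) > 1}


if __name__ == "__main__":
    # An IdP that upper-cases identifiers asserts "SSMITH".
    print("case-sensitive  :", resolve("SSMITH", SAMPLE_USERS, True))
    print("case-insensitive:", resolve("SSMITH", SAMPLE_USERS, False))
    for key, rows in case_collisions(SAMPLE_USERS).items():
        print("resolve before switching:", key, rows)
```

An empty result from the case-sensitive lookup is the failed login the release note refers to; two results from the case-insensitive lookup is the ambiguity that the collision report is meant to remove first.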