To access permissions or permission set groups, users must have the View Setup and Configuration permission or the equivalent permissions to manage permission sets or users, including Manage Session Permission Set Activations, Manage Users, and Assign Permission Sets.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, Developer, and Database.com editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_admin_permissions.htm&release=224&type=5

Salesforce Data Mask is a powerful new data security resource for Salesforce admins and developers. Instead of manually securing data and access for sandbox orgs, admins can use Data Mask to automatically mask the data in a sandbox.

Where: This change applies to Lightning Experience in Enterprise, Performance, and Unlimited editions.

Why: Data Mask uses platform-native obfuscation technology to mask sensitive data in any full or partial sandboxes. The masking process lets you mask some or all sensitive data with different levels of masking, depending on the sensitivity of the data. Once the data is masked, you can’t unmask it. This irreversible process ensures that the data is not replicated in a readable or recognizable way into another environment.

How: Data Mask is a managed package that you install in a production org. You then run the masking process from any sandbox created from the production org.

https://help.salesforce.com/s/articleView?id=release-notes.rn_sandboxes_data_mask.htm&release=224&type=5

To better protect your Salesforce org’s data, we restrict who can view record names in lookup fields. Beginning in Winter ’21, users must have read access to these records or the View All Lookup Record Names permission to view this data. This critical update also applies to system fields, such as Created By and Last Modified By.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: This critical update is enforced with the rollout of the Winter ’21 release.

How: Admins can enable the View All Lookup Record Name permission in custom profiles or permission sets. Only enable this permission for users who must see record names in all lookup and system fields, regardless of sharing settings.

We recommend that you test this update in a sandbox or Developer Edition org before enabling it in your production org.

To activate this critical update before Winter ’21, from Setup, enter Critical Updates in the Quick Find box, then select Critical Updates. For Require Permission to View Record Names in Lookup Fields, click Activate.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_lookup_names_perm.htm&release=224&type=5

nhanced External Services are generally available and enabled by default. It’s easy to use, and provides more ways to create and connect to outside services. Now, when you register a service, you get support for more complex OpenAPI 2.0 schema, nested object types, and send parameters as headers within the HTTP requests.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

How: After turning on Enhanced External Services, register new external services the same way you did before. Actions generated by your schema are created as External Service Actions in Flow Builder.

Existing registrations are not automatically migrated to Enhanced External Services. For existing registrations to use the new features in Enhanced External Services, you must re-register the schema, update the flows that use the old Apex Action to the new Enhanced External Service Action and delete the old registration.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_ext_services_enhanced.htm&release=224&type=5

You can now control the access of custom settings at a granular level by granting direct Read access to specific custom settings through profiles and permission sets.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, and Unlimited editions.

When: This feature is a late-breaking addition to the Winter ’20 release.

Who: Users with the Customize Application permission can grant read access to specific custom settings through profiles and permission sets.

How: To grant a Profile or Permission Set read access to specific custom settings, enable the Restrict access to custom settings org permission. Then enable access to specific custom settings.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_custom_settings_access.htm&release=224&type=5

Access for users without the Customize Application permission to read unprotected custom settings is revoked as part of this critical update. Using different APIs that are provided by Salesforce, users without the Customize Application permission could read unprotected custom settings. Following the “secure by default” approach, this access is revoked.

Where: This change applies to Lightning Experience and Salesforce Classic in Contact Manager, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

When: This critical update is scheduled to be enforced on sandbox instances on January 2, 2020 in the Spring ’20 release. It will not be rolled out to all instances on January 2, 2020. Sandbox instances are upgraded 4–6 weeks before a release goes into production. To find the exact activation date for your instance, refer to https://status.salesforce.com.

How: When this critical update is enforced on the instance, users without the Customize Application permission can no longer access custom settings. To minimize the impact on your users, admins with the Customize Application permission can grant read access to specific custom settings, or to all custom settings.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_custom_settings_access_cruc_addWinter.htm&release=224&type=5

Access to sharing rules and sharing sets through the Salesforce API is available for users with the View Setup and Configuration permission. Editing sharing rules and sharing sets through the API is available for users with the Manage Sharing permission.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_sharing_api_access.htm&release=224&type=5

You can now set external access levels for the Lead object, which was previously in beta, and the Campaign object. Select more restrictive access for external users without changing the default internal access level. The objects available for external org-wide defaults vary depending on your Salesforce org’s licenses and other settings.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: To set external org-wide defaults, from Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings. Under Organization-Wide Defaults, edit the default external access.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_sharing_owds_lead_campaign.htm&release=224&type=5

To better protect your Salesforce org’s data, you can no longer disable the external sharing model after it’s enabled in your org.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: The external sharing model allows you to customize the access levels for internal and external users. We recommend setting org-wide defaults to Private for external users.

From Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings. Under Organization-Wide Defaults, edit the Default Internal and External Access as required by your business needs.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_sharing_ext_owds_disabled.htm&release=224&type=5

To better secure your data, the External Sharing Model is enabled by default in all Salesforce orgs created in Spring ’20 or later. External org-wide defaults let you set more restrictive levels of access for external users, instead of giving internal and external users the same default access. In these newly created orgs, external access levels are initially set to Private for all objects.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: We recommend that you maintain a strict access level for external users, but you can edit your external org-wide defaults. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings. Under Organization-Wide Defaults, edit the default external access.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_sharing_external_owd_enabled.htm&release=224&type=5