Prepare for Upcoming Critical Update Enforcement: Restricting Access to @AuraEnabled Apex Methods

If you are a Salesforce admin, developer, or support agent, or play any other role in managing a Salesforce org for your company or your client, you may have come across a recent and critical announcement from Salesforce. It may impact your company's or client's Salesforce org and needs urgent attention in order to ensure business continuity.


Salesforce has been sending out the email below as a reminder to all Salesforce org owners and managers, to draw their attention to this major change coming up in the Winter '21 release.



If you have received this email, it means this feature is due for your org and will affect users in your org. This must have got you thinking about what is really changing and how it impacts your org.


Features


1) Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile:


With this new security feature rollout, admins will have more control over which authenticated users can access Apex classes. Once this feature is activated in your org, an authenticated user will be able to call an @AuraEnabled Apex method only when access to the Apex class has been granted on their profile or via a permission set. By default, they will not be able to call the Apex method. This change applies to Aura components, Lightning web components, all communities (both Classic and Lightning), flows in Lightning Experience, and all versions of the Salesforce app. In practice, this means the change will affect every internal/authenticated user who currently uses any @AuraEnabled Apex method across communities and other modules, posing a threat to business continuity for current users if it is not carefully reviewed.


This update is useful for admins from an org security standpoint: it enforces profile and permission set restrictions on the Apex classes used by Lightning web components and Aura components, and gives admins and org managers the flexibility to grant selective access to users on a need basis. However, while this feature brings additional security, it also needs careful review by admins before rollout in order to avoid unexpected issues with end users being unable to reach functionality they require.


2) Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile:


This feature is a variation of the one discussed above that provides additional access security for guest and portal users. Once this feature is activated in your org, a guest, portal, or community user will be able to call an @AuraEnabled Apex method only when access to the Apex class has been granted on their profile or via a permission set. By default, they will not be able to call the Apex method. This change applies to Aura components, Lightning web components, all communities (both Classic and Lightning), flows in Lightning Experience, and all portals and Salesforce Sites. It will mostly affect external/portal users, so a careful review and follow-up actions will be critical in maintaining business continuity across the organization.


Release Date


Now that we have talked about the changes, the next questions are when this feature arrives and what preparation is needed to ensure minimal impact on end users.


This critical update is applied automatically when your Salesforce org is upgraded to Winter '21; it will be applied to sandbox and production instances automatically as soon as they are upgraded to Winter '21 after August 9, 2020. If you are not sure about the Winter '21 upgrade dates for your instance, you can find these details by logging in to https://status.salesforce.com.


Preparation needed from Admin/Release managers


According to Salesforce Release Management best practices, Salesforce recommends testing these features in a sandbox environment before rolling the changes out to production. As the auto-activation date for this feature has already passed (August 9th), the admin now needs to wait for the feature to be auto-activated in the sandbox org when the sandbox is upgraded to Winter '21.

By the time this upgrade happens, the admin needs to have reviewed the following documents:


  1. Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile critical update
  2. Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile critical update

Now that the admin is aware of the updates that will be applied, the following steps need to be followed to make this a seamless transition.

  1. The first step the admin needs to take is to analyze the changes and list the users who will be affected by the update.
  2. Next, the admin updates user profiles and adds or removes permission sets as needed to grant access to the selected components, and tests these changes.
  3. As a next step, the admin needs to test that all custom Aura components, Lightning web components, and flows developed for guest, portal, and community users are still working for those users. The same step needs to be followed for authenticated users and the components developed for them.
  4. Lastly, the admin needs to train the affected users and make them aware of the incoming changes before these changes are auto-applied to the production instance.
  5. Once all the above steps are done, the admin needs to continuously monitor the Trust and maintenance calendars in order to remain aware of any changes to the release plans, and https://status.salesforce.com for their upgrade date.
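To support steps 1 and 2, the Execute Anonymous script below is an added example (not Salesforce's own code and not part of the original post). It lists every Apex class in the org whose body contains @AuraEnabled and, for each, which profiles and permission sets currently grant access to it; classes with no grant are the ones whose callers will be blocked once the update is enforced. It assumes the org has few enough Apex classes that all class bodies can be read within governor limits in a single run.

```apex
// Added audit script: find @AuraEnabled classes and who is granted access to them.
// Run from Developer Console > Debug > Open Execute Anonymous Window.
// Assumption: the org is small enough to load all ApexClass bodies in one transaction.

// 1. ApexClass.Body is not filterable in SOQL, so match the annotation in Apex.
Map<Id, ApexClass> auraClasses = new Map<Id, ApexClass>();
for (ApexClass c : [SELECT Id, Name, NamespacePrefix, Body FROM ApexClass]) {
    if (c.Body != null && c.Body.containsIgnoreCase('@AuraEnabled')) {
        auraClasses.put(c.Id, c);
    }
}

// 2. SetupEntityAccess records the Apex class access granted by each PermissionSet.
//    A PermissionSet with IsOwnedByProfile = true is the profile's own permission set.
Map<Id, List<String>> grantsByClass = new Map<Id, List<String>>();
for (SetupEntityAccess sea : [
        SELECT SetupEntityId, Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name
        FROM SetupEntityAccess
        WHERE SetupEntityType = 'ApexClass'
          AND SetupEntityId IN :auraClasses.keySet()]) {
    String grantor = sea.Parent.IsOwnedByProfile
        ? 'Profile: ' + sea.Parent.Profile.Name
        : 'Permission Set: ' + sea.Parent.Label;
    if (!grantsByClass.containsKey(sea.SetupEntityId)) {
        grantsByClass.put(sea.SetupEntityId, new List<String>());
    }
    grantsByClass.get(sea.SetupEntityId).add(grantor);
}

// 3. Report one line per class. 'NO ACCESS GRANTED' means every caller of this
//    class's @AuraEnabled methods will fail once the critical update is active.
for (ApexClass c : auraClasses.values()) {
    List<String> grants = grantsByClass.get(c.Id);
    String status = (grants == null || grants.isEmpty())
        ? 'NO ACCESS GRANTED'
        : String.join(grants, ', ');
    String fullName = (c.NamespacePrefix == null ? '' : c.NamespacePrefix + '.') + c.Name;
    System.debug(fullName + ' -> ' + status);
}
```

Cross-check the output against the users listed in step 1: any profile or permission set they hold that is missing from a class they depend on is a grant to add in step 2 before the sandbox upgrade.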

Once you have reviewed the release notes and prepared for the changes, it's time to sit back and enjoy the additional security features from Salesforce.



Author: Yaroslav
08/26/2020