+ Start a Discussion
James George 00700James George 00700 

Why Cross-object formula fields are able to pull data even if the user have no access

Hi Friends,
Why Cross-object formula fields are able to pull the data even if the user have no access to it.

Is this a kind of security breach or a feature?

Let me know your comments.

Thanks
JG
Best Answer chosen by James George 00700
Bhimaraj BBhimaraj B
Hi James,

Could you please explain me your business scenario in brief? so that I can try to help you out.

FYI
Basically, formula fields are read only fields with values defined by the underlying formula. Even if the field is exposed on the page, user's will not be able to modify the field information but in case if you do not want to show field for particular user then you can remove read access in the profile. 

All Answers

Bhimaraj BBhimaraj B
Hi James,

If you create a formula that references a field on another object and display that formula in your page layout, users can see the field on the object even if they don’t have access to that object record. For example, if you create a formula field on the Case object that references an account field, and display that formula field in the case page layout, users can see this field even if they don’t have access to the account record.  
 
Yes it's a Salesforce feature.
 
Please find the below article for your reference.
https://help.salesforce.com/articleView?id=customize_cross_object.htm&type=5 (https://help.salesforce.com/articleView?id=customize_cross_object.htm&type=5)
James George 00700James George 00700
Hi Bhimaraj,
Thanks for your reply,
So Cross-object formula will become a developer's burden to implement the security, by hiding those fields.
Is there any alternative approach to avoid Cross-Object fields?

Thanks
JG
Bhimaraj BBhimaraj B
Hi James,

Could you please explain me your business scenario in brief? so that I can try to help you out.

FYI
Basically, formula fields are read only fields with values defined by the underlying formula. Even if the field is exposed on the page, user's will not be able to modify the field information but in case if you do not want to show field for particular user then you can remove read access in the profile. 
This was selected as the best answer
James George 00700James George 00700
Hi Bhimaraj,

Thanks for your detail reply.

No business reason behind my question, but thought about that possibility.

Thanks again buddy...

JG