+ Start a Discussion
rsweetlandrsweetland 

FLS needed for Hosted / Composite / Mashup Apps?

We are submitting our composite ("mashup") application app for security review and have seen several references to FLS (Field Level Security) requirements.

 

Our integration is solely throught the API - there is no APEX code, native integration, etc.

 

I have seen in several places that Field Level Security (FLS) is enforced at the API level fro hosted applications. For example...

 

http://boards.developerforce.com/t5/Security/Field-level-security/m-p/184716/highlight/true#M164

The API will enforce all Sharing, CRUD, and FLS settings of the current user.  Apex With Sharing mode will NOT enforce FLS by default.

 

http://boards.developerforce.com/t5/Security/Integrating-Web-Applications-with-SFDC-using-OAuth/m-p/172660/highlight/true#M10

At runtime, when an access token is negotiated for a consumer that belongs to a managed package, the access token is scoped to the user's Org, with the CRUD/FLS permissions of theuser as well as the package access permissions granted upon installation being enforced.

 

We are only working with common objects (Contacts, etc) – that would likely not be restricted on any given account. 

 

Do we need to take this into account? Or can we rely on the API layer to enforce this for us?

 

Thanks,

Reilly

digamber.prasaddigamber.prasad

Hi,

 

You don't need to bother. Salesforce will take care of this.