Apex Code Development You need to sign in to do that
Don't have an account?
jhart Global search ignores field-level permissions
Global search does not respect field-level security for Profiles.
In other words, I can completely hide a field from a given profile. But, a user in that profile can search through that field using Global Search. All objects whose hidden field matches that search text will be displayed in the Global Search results.
This seems like a serious bug.
Consider salesforce's classic "HR/Recruiting app" example. A user from whom a "Salary" field is hidden can nonetheless simply enter dollar amounts into Global Search to figure out the field value for every record.
I'm a bit shocked that such a large security hole is present in Global Search, and I think it can't possibly be by design. I'm so surprised by this behavior that I keep double-checking it, but each time I'm able to search for values in fields that are hidden from my profile.
Salesforce support- I have created case 09471736 to track this issue.
Apparently this is by design. Per http://na3.salesforce.com/help/doc/en/search_fields.htm:
Users can search for information in fields that are hidden from them by field-level security. When users search for a value in a field hidden from them, search results include the record that contains the field, even though users can't see the field.
So spear-phishing for salary information is the expected behavior of the Global Search feature.
This seems like a big sign saying "do not store sensitive data in salesforce".
Salesforce support replies that (a) yes, it's by design, and (b) if you aren't happy with that, you should promote this Idea:
https://success.salesforce.com/ideaView?id=08730000000Kj7hAAC
So I suppose that's that, for now.