function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Granting access to particular functionality of a composite applications

Hi guys,

We have a composite application developed in ASP.Net.

We are showing the application within a salesforce tab and our application consists of a number of subtabs(3 altogether).

What we would like to achieve is to give the users the ability to control access to the tabs from within SalesForce.


The only way that I can come up with of achieving the desired functionality is to install two groups along with our application.

1- Our app users

2- Our app admins

When the user accesses our application we use the SalesForce API to check to which group the user is a member of. If the user is a member to "Our app users" group we do not show the admin section.

I am not sure if the above would work it is just theoretical for the moment.


Could you please let me know what the recommended way of doing that is?

It is very important that our solution does not look like a hack.






Using the API UserInfo methods is a good and secure solution.  When your composite app gets an API SID for a user, you can call getUserInfo to grab that user's User ID and Profile ID. 


If you want to use Public Groups for access control, you can call GroupMember via the API to see if the User is a member of that particular group.

See here for info on GroupMember:


You could also restrict access by Profile as well.


It is also important that you handle unauthorized attempts properly.  If Bob is not an authorized user of your app, he still may have access to click your custom tab and attempt to use the application.  If Bob fails your Group Member security check, you should not give him a Session ID to your application.  It would also be a good thing to write the event to a security log for the Admins to review.


Hope that helps!




Hi BrendanOC,

Thank you for you answer it indeed helps.

I just need a little more to be able to decide what to do.

Idially I would want to use profile settings to control access. The problem I am having is that my application is one SalesForce tab but multiple (3) ASP.Net subtabs.

What I would like to do is to control access to the 3 subtabs but they do not appear in the profile settings it is only the SalesForce tab that is there.


How can I achieve this.

If this is not possible do you think that using a group access is a good way to handle this.

Basically when users install my app I will make them install 2 public groups.

Then when somebody clicks on the SalesForce tab I will query to see to which group that user is a member of. If the user is a member of the Admin group that user see all subtabs else if the user is a member of the user group that user sees only one of the ASP.Net subtabs and finally if the user is not a member of either of the two groups I display not authorized message.


What do you think?