function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Object History values visible in API for fields restricted through field level security

Hi All,


I'm creating a custom object that will contain some sensitive employee data.  I've got it pretty well locked down except that I have found that my admin users can query the _History object through the API to see audited field value changes.  This has been tested through to Explorer (both of them).  On the other hand, admin users (or users with View All Data/Modify All Data) do not see the Audit history for fields they do not have access to when viewing the data through a page layout in Salesforce.


So my questions are:

1) is this intended behavior

2) is there any way to lock this down

3) or should I just build a custom object to replicate the audit trail?


Thanks for your input.






Page Layouts are not security controls.  Page Layouts only affect UI visibility.  If your admins have the View All Data permission, they can view all data in the org.  Hiding it in UI will not prevent an Admin from accessing data.  Using a custom object will not help, as the Admins will be able to view your custom object just as easily.


What are you trying to accomplish?  Is there a reason your Admins shouldn't see field history?