function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

FLS needed for Hosted / Composite / Mashup Apps?

We are submitting our composite ("mashup") application app for security review and have seen several references to FLS (Field Level Security) requirements.


Our integration is solely throught the API - there is no APEX code, native integration, etc.


I have seen in several places that Field Level Security (FLS) is enforced at the API level fro hosted applications. For example...

The API will enforce all Sharing, CRUD, and FLS settings of the current user.  Apex With Sharing mode will NOT enforce FLS by default.

At runtime, when an access token is negotiated for a consumer that belongs to a managed package, the access token is scoped to the user's Org, with the CRUD/FLS permissions of theuser as well as the package access permissions granted upon installation being enforced.


We are only working with common objects (Contacts, etc) – that would likely not be restricted on any given account. 


Do we need to take this into account? Or can we rely on the API layer to enforce this for us?







You don't need to bother. Salesforce will take care of this.