duub

Cloudswarm Breaks the security model

Hi.

 

I have installed Cloudswarm and I am looking at Opportunity Swarm. Why is it that an opportunity that a user is not meant to see through normal search can still be "swarmed" on?

 

This is a security bug; swarm should only follow records that the user can see. Why is this being broken? So when the user clicks on the swarm post they get a security error, since they are not allowed to view the opportunity.

 

Also, why not include Record Type so that at least the Opportunities, as an example, can be reduced? Type doesn't cut it, and the only true data segmentation within Salesforce is record type...

 

Can this be addressed? I would love to roll out this product, but in its current form it is impossible.

The Cloud Swarm Team

Hi duub,

 

The swarming should still respect the security model, but probably not in the way you are expecting.  The trigger to do the swarm is run in the context of the user who makes the update on the record.  So that user doesn't know anything about what records the other users can and cannot see (that would be a bigger security hole if they could!)  If your users are following records that they can't see, that might be a platform feature that may be changed at some point in the future.

 

Cloud Swarm runs not only on Enterprise Edition, but also on lower editions that don't have the Record Types feature, which is why record types aren't used in the native app. You can always just mirror Record Type and Type picklist values and create a workflow rule to keep them synched when they change, with a swarm rule on Type to do the same thing as having Record Type swarm rules.

 

That all being said, keep in mind that Cloud Force is an Unmanaged Package, so you can take the code, use the current code as a framework, and change it however you like (or hire a developer to change it for you.)

 

 

~ The Cloud Swarm Team

duub

Thanks for the reply on this. I understand where you are coming from, this was the easiest way to code this solution and yes it is free to all Salesforce users, but it is useless if it doesn't follow the rules that we follow and that Salesforce follows, security.

 

Currently, if you cannot see a record, you cannot follow it. So in the case of Cloudswarm, if it does not follow the security model which is set in place by Salesforce, then I consider that this product is breaking the Salesforce security model, i.e. a user cannot see an opportunity, but as soon as the Opportunity amount hits $1M, they will know this through the Chatter feed they receive, even though they are not privy to that info usually...

 

If record types were provided as an AND option, then at least we could limit global record swarming. And so what if some licenses don't have record types, they just won't be able to choose that option. This has never stopped other products using record types!

 

Also, Cloudswarm has two versions, managed and unmanaged; I downloaded the managed version.

 

PLEASE NOTE: with any product, you create based on a concept, you prototype and then get feedback, so the feedback is this needs security and at best record type options so that the ORGS which are global and use unlimited can deploy this solution (our ORG is global in 11 countries with over 800 users).
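
The team's reply in this thread explains that the swarm trigger runs as the user who updated the record, so it never checks what each follower can see. One way to add that check before creating the follow, as an added example that is not part of the thread and not Cloud Swarm's own code: the class and method names are hypothetical, and it assumes an API version in which the standard UserRecordAccess object is available.

```apex
// Hypothetical helper (not Cloud Swarm code): build Chatter follows only for
// records the follower can already read, and fail closed when unsure.
public class SwarmAccessFilter {

    // UserRecordAccess must be filtered on a single UserId and accepts at
    // most 200 RecordIds per query, so records are checked in chunks per user.
    private static final Integer MAX_IDS_PER_QUERY = 200;

    // candidates: user Id -> record Ids a swarm rule wants that user to follow
    public static List<EntitySubscription> buildSubscriptions(Map<Id, Set<Id>> candidates) {
        List<EntitySubscription> subs = new List<EntitySubscription>();
        for (Id userId : candidates.keySet()) {
            List<Id> chunk = new List<Id>();
            for (Id recordId : candidates.get(userId)) {
                chunk.add(recordId);
                if (chunk.size() == MAX_IDS_PER_QUERY) {
                    subs.addAll(readableOnly(userId, chunk));
                    chunk = new List<Id>();
                }
            }
            if (!chunk.isEmpty()) {
                subs.addAll(readableOnly(userId, chunk));
            }
        }
        return subs; // caller inserts these instead of unfiltered follows
    }

    private static List<EntitySubscription> readableOnly(Id userId, List<Id> recordIds) {
        List<EntitySubscription> subs = new List<EntitySubscription>();
        // One SOQL query per call: if the transaction's query budget is spent,
        // create no follow rather than one that was never access-checked.
        if (Limits.getQueries() >= Limits.getLimitQueries()) {
            return subs;
        }
        for (UserRecordAccess ura : [
                SELECT RecordId, HasReadAccess
                FROM UserRecordAccess
                WHERE UserId = :userId AND RecordId IN :recordIds]) {
            if (ura.HasReadAccess) {
                subs.add(new EntitySubscription(
                    SubscriberId = userId, ParentId = (Id) ura.RecordId));
            }
        }
        return subs;
    }
}
```

Because each user costs at least one query, a rule that swarms many users onto one update is better handed to asynchronous Apex than run inside the trigger itself.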