We are trying to expose a service in Salesforce using Apex that external systems can call. This service is pretty simple. We will run a query against an object and create a response that returns an array of "coupon codes" stored on each account of a certain record type that has a coupon code.
basically it's just [SELECT Id, Coupon__c FROM Account WHERE Coupon__c != null]
We then will loop through the list and formulate a JSON array and return the coupon codes.
The issue here is we have more than 50,000 rows needing to be returned. So SOQL 101 is an issue. Also heap size could be an issue. We are expecting possibly up to 500,000+ accounts with coupons to be returned.
What are our options here? Should we tell our consumers to call a standard Salesforce API, similar to how you can execute queries in workbench? This would require subsequent calls to retrieve all 500,000 accounts/coupons though, right? Like a query more type of thing?
Also now that we are exposing APIs from Salesforce, I know we have a 24 hour API call limit. Is there a concurrent limit? If we are allowed say, 5,000,000 calls over a 24 hour period, what happens in 4,000,000 all come at the same time? How will the system respond?
Any help would be appreciated. Thanks!

Hello

I am working to build a POC for embedded login for our community. I am using the example repo:

salesforceidentity/embedded-login-example

I am getting an error saying "...an ancestor value violates the following Content Security Policy directive".

The Salesforce documentation (https://developer.salesforce.com/docs/atlas.en-us.externalidentityImplGuide.meta/externalidentityImplGuide/external_identity_login_considerations.htm) states that this is because the site is not listed under CORS. I do in fact have the site listen under CORS and it still isn't working.

Anyone have a similar issue? The entry into CORS is 
https://ryanwerner7052888.herokuapp.com which is the URL to the Heroku app I deployed this example code in. The "salesforce-allowed-domains" meta tag is also present on the page with the value "ryanwerner7052888.herokuapp.com"

What could I be missing? Thanks

We have a security requirement where certain accounts should only be visible to a certain public group. To enable this we have a checkbox on the account and set our OWD to private. Any account with this checkbox unchecked is shared to all internal users via a sharing rule. Any account with this checkbox checked is shared only to the public group.

We have a lightning experience implementation and have set the owners' role of these private accounts to their own role so horizontal sharing is not opened to everyone in the role, since an account owner has access to all access a community user has access to, and everyone in that account owner's role is given access as well.
We are seeing call center agents sometimes opening Cases linking a community user contact from a non-private account to a private account. This linkage appears to be opening access to that community user to the private account through this case, therefore opening up access to the private account for everyone in the role of the owner of the account belonging to that community user. This is breaking the private account access functionality.

There is a checkbox setting in Salesforce's sharing settings page called "Grant site users access to related cases" that can cut off access to a community user who is linked to a case. Although this removes access for the community user to that case, it does not remove access to the role of the account owner of that community user to the account linked in that case.

Is there anything we can do here to remedy this situation? Linking non-private account contacts to a private account via a case has legitimate use in our org, we just don't want this to open up security to the role of the non-private contact's account owner's role.

Thanks

Our security team has found an issue in our lightning experience site where a link to an external system is adding the account # in the URL. This means any user who can access this link can modify the account # in the URL and see other people's data in the external system (big oops to whoever esigned that).

I was thinking the easiest way to fix this is to encrypt the account # so the external system can still grab the encrypted # from the URL, decrypt it, and show the correct information.

Below is the code I created to encrypt this account # in Apex (This is just a sample key):

private static final Blob KEY = EncodingUtil.base64Decode('ZZZB0LSDWRlPSpOR3LgqSpZdN0DCJYcxohJ/K3oPsA=');

private static String encryptString(String clearText) {
    Blob encryptedBlob = Crypto.encryptWithManagedIV('AES256', KEY, Blob.valueOf(clearText));
    String encryptedText = EncodingUtil.base64Encode(encryptedBlob);
    return encryptedText;
}

I told the external systems developer to use the key provided above as well as AES256 to decrypt the value and he says this isn't enough info.

How can I encrypt a value in a way where another system can decrypt it?

Thanks

In our implementation we originally had security on an object set to Public Read/Write. Along with this we have Apex functionality to submit a record for approval where the person submitting is not the record owner, but the Apex they are invoking is setting the setSubmitterId to the record owner's Id.

Now we want to tighten security on this object to Private and it is breaking our Apex code. I am having trouble debugging and truly identifying the issue, but my assumption is even though the Apex code being invoked is setting the submitter Id as the record owner, since the Apex itself is being run by a different user, the approval process is failing to run since the person running the Apex itself isn't the record owner and sharing is private.

Is it correct to assume an approval process runs in the context of who invokes it, and not who is set as the submitter Id?

Hello-

We have a junior developer who wrote a very large lightning component that has over 1,000 references to:

<aura:if isTrue="{!v.profileName =='System Administrator'}"

The issue we have is now we need additional profiles, all containing "Admin" in the name to this. Is there a way to copy/replace all so I don't have to go through each individual reference and add || or && conditions to it? Is something like this doable:

<aura:if isTrue="{!CONTAINS(v.profileName, 'Admin'}"

or

<aura:if isTrue="{!v.profileName == '%Admin'}"

In some cases we may need an || condition in some cases we may need an && condition. So i cannot just to a global replace to add the additional profile names here.

Thanks

Hello-

We have a requirement where community users will need to see different accounts within the account hierarchy based on their user profile. Below is an example of an account hierarchy:

• Global Account 1
  • USA 1
    • USA 1 Branch 1
      • USA 1 Branch 1 Sub-Account 1
    • USA 1 Branch 2
      • USA 1 Branch 2 Sub-Account 1
      • USA 1 Branch 2 Sub-Account 2
  • Canada 1
    • Canada 1 Branch 1
      • Canada 1 Branch 1 Sub-Account 1
      • Canada 1 Branch 1 Sub-Account 2
    • Canada 1 Branch 2
      • Canada 1 Branch 2 Sub-Account 1

The hierarchy will never go deeper than the sub-account level. Our community users will be added to each Branch level account - there will be no users on the Global, Country, or Sub-Account accounts.

There are 3 levels of access we will determine by the community users profile:
- Global
- Country
- Branch

A Global community user needs access to Global Account 1 and everything below in the hierarchy.

A Country community user needs access to the parent Country account and everything below in the hierarchy.

A Branch community user needs access only the the branch they belong to and the Sub-Accounts below that branch.


For example, John Smith is a community user with the Global profile. His contact is attached to USA 1 Branch 1 account. Therefore he needs access to every account listed.


Kevin Doe is a community user with the Country profile. He is attached to USA 1 Branch 1 account as well. He needs access to USA 1 account and every account below in the hierarchy.


Jane Johnson is a community user with the Branch profile. She is also attached to USA 1 Branch 1. She needs access to only USA 1 Branch 1 as well as the sub-accounts below this account in the hierarchy.


This is kind of a complicated requirement and we are not certain how to implement this without writing custom Apex Sharing Rule logic. Is there anyway using out of the box features we can implement this requirement?

Would attaching the users to the Account they need highest access to be an option? Combined with using something like an external account hierarchy? So a Global user would be attached to the Global Account 1 and have access to everything underneath, a Country user would be attached to the country account (say, USA 1) and have access to everything underneath?


Any ideas would be greatly appreciated. Thanks

We have a Salesforce community implementation and at the same time do not have a concept of role hierarchy in our org. Right now all internal users have the same role, "Sales User". Up until now, allowing all accounts to be viewed by all internal users was part of the requirements. Now, we want certain accounts hidden while having all other accounts remain open.

Our OWD for Account is set to "Private".

We created a sharing rule to open access of all Accounts with IsPrivate__c = false to the "Sales User" role.

What we are finding is every internal user is still allowed to view private accounts because of the sharing reason "Associated Portal User or Role" and sharing relationship of "Manager of Role Member". This is because the owners of the community Account are "Sales User" roles and therefore it is horizontally opening all sharing with all Sales Users. All community users assigned to that Account have the "AccountNameHere Customer User" role which reports to the "Sales User" role (because the Account owner is a Sales User).
How can we disable this horizontal role sharing? If I change an Account owner to a role above "Sales User", then the horizontal sharing with "Sales User" is removed (and instead shared with any of the new role or higher). We could introduce more roles, however this wouldn't accomplish anything because whatever role the owner is still we be shared with other users in that role and above.
Any ideas? Are there any settings under Sharing Settings or anything in the community settings that need to be tweaked?

Thanks

Hello-

I have created a structure to change our syncrhonous callouts to asyncrhonous using a continuation. We also are using Apex remoting. I have an abstract class which contains a method called "callbackCheck". The class which extends from this contains the remote methods that return the continuation. The callback always first goes to the callback check on the abstract class, and then once it verifies a valid response, it then invokes the proper callback for that specific service.

The issue I'm having is with writing the test class. When this runs, it cannot find the "callbackCheck" method. The "ctrl" is the controller which is abstracted from the abstract class, so the test is complaining it can't find "callbackCheck" on the controller:

Object result = Test.invokeContinuationMethod(ctrl, conti);

I cannot construct an abstract class so I cannot pass it instead of ctrl.

Is there anyway the continuation can view the callbackCheck on the abstract class?

Thanks!
 

We have a Salesforce community implementation and at the same time do not have a concept of role hierarchy in our org. Right now all internal users have the same role, "Sales User". Up until now, allowing all accounts to be viewed by all internal users was part of the requirements. Now, we want certain accounts hidden while having all other accounts remain open.

Our OWD for Account is set to "Private".

We created a sharing rule to open access of all Accounts with IsPrivate__c = false to the "Sales User" role.

What we are finding is every internal user is still allowed to view private accounts because of the sharing reason "Associated Portal User or Role" and sharing relationship of "Manager of Role Member". This is because the owners of the community Account are "Sales User" roles and therefore it is horizontally opening all sharing with all Sales Users. All community users assigned to that Account have the "AccountNameHere Customer User" role which reports to the "Sales User" role (because the Account owner is a Sales User).
How can we disable this horizontal role sharing? If I change an Account owner to a role above "Sales User", then the horizontal sharing with "Sales User" is removed (and instead shared with any of the new role or higher). We could introduce more roles, however this wouldn't accomplish anything because whatever role the owner is still we be shared with other users in that role and above.
Any ideas? Are there any settings under Sharing Settings or anything in the community settings that need to be tweaked?

Thanks

We are trying to expose a service in Salesforce using Apex that external systems can call. This service is pretty simple. We will run a query against an object and create a response that returns an array of "coupon codes" stored on each account of a certain record type that has a coupon code.
basically it's just [SELECT Id, Coupon__c FROM Account WHERE Coupon__c != null]
We then will loop through the list and formulate a JSON array and return the coupon codes.
The issue here is we have more than 50,000 rows needing to be returned. So SOQL 101 is an issue. Also heap size could be an issue. We are expecting possibly up to 500,000+ accounts with coupons to be returned.
What are our options here? Should we tell our consumers to call a standard Salesforce API, similar to how you can execute queries in workbench? This would require subsequent calls to retrieve all 500,000 accounts/coupons though, right? Like a query more type of thing?
Also now that we are exposing APIs from Salesforce, I know we have a 24 hour API call limit. Is there a concurrent limit? If we are allowed say, 5,000,000 calls over a 24 hour period, what happens in 4,000,000 all come at the same time? How will the system respond?
Any help would be appreciated. Thanks!