How to Handle Guest User CRUD/FLS in Security Review?

Question

We are developing an app for the Salesforce AppExchange that integrates with external systems. During the Salesforce Security Review, we encountered an issue related to CRUD (Create, Read, Update, Delete) and Field-Level Security (FLS) checks in Apex code. Salesforce’s security guidelines require that all Apex code performing DML operations or SOQL queries explicitly check for CRUD and FLS permissions before executing.

However, guest users have restricted access to Salesforce metadata and cannot be assigned a permission set. This makes it challenging to perform standard CRUD and FLS checks. Additionally, our app includes error logging, which requires access to Salesforce metadata, but guest users do not have the necessary permissions. Given these constraints, we are unsure how to ensure compliance with Salesforce’s security review while maintaining the required functionality.

Answer

Salesforce mandates that all Apex code handling data must enforce CRUD and FLS checks. Since guest users have limited permissions, addressing this requirement requires alternative approaches.

One possible solution is to use a system-mode class with “without sharing” that runs the necessary CRUD/FLS checks before performing any operations. You can use the Schema.DescribeFieldResult methods to check permissions dynamically. Here’s an example:

public static Boolean hasReadAccess(String objectName, String fieldName) {
    Schema.DescribeFieldResult fieldResult = Schema.getGlobalDescribe()
        .get(objectName)
        .getDescribe()
        .fields.getMap()
        .get(fieldName)
        .getDescribe();
    return fieldResult.isAccessible();
}

To check object-level CRUD permissions:

public static Boolean hasCreateAccess(String objectName) {
    return Schema.getGlobalDescribe().get(objectName).getDescribe().isCreateable();
}

If the guest user lacks the necessary permissions, the operation should be skipped or executed through a service running under a system user with the appropriate permissions.

In cases where error logging requires metadata access but the guest user lacks the necessary permissions, you might consider storing logs in a custom object and ensuring that the required access is granted via a public record-sharing model. If this is not feasible, an external logging service (such as AWS CloudWatch or a remote logging API) could be an alternative.

Can This Be Marked as a False Positive?

If CRUD/FLS checks are not feasible due to guest user limitations, Salesforce allows marking these instances as a false positive in the security review documentation. While Salesforce does not enforce a strict format for false positive documentation, they recommend explaining:

1. Why the standard CRUD/FLS check cannot be applied
2. How the functionality is secured or mitigated through other means
3. Why the limitation does not pose a security risk

An example false positive explanation might look like this:

Issue: Guest users do not have metadata access, preventing standard CRUD/FLS checks.
Mitigation: We enforce CRUD/FLS checks using a system-user flow where possible and restrict guest user operations to only permitted actions.
Justification: Since guest users cannot modify records beyond permitted public data, there is no security risk.

If guest user restrictions prevent the recommended approach, a combination of system-mode Apex execution, external logging, and a well-documented false positive explanation should help pass the security review.

Enroll for Career-Building Salesforce Training with 100% Money Back Guarantee

Our Salesforce Course is thoughtfully designed to give you a comprehensive understanding of the Salesforce platform, equipping you with essential skills to excel in the CRM industry. The program covers key modules such as Salesforce Admin, Developer, and AI, blending theoretical knowledge with hands-on practice. Through real-world projects and practical exercises, you’ll gain the expertise needed to solve complex business challenges using Salesforce solutions. Our expert instructors ensure you develop both technical proficiency and industry insights to thrive in the Salesforce ecosystem.

Beyond technical skills, our Salesforce Training in Florida provides personalized mentorship, certification support, and interview coaching to boost your career prospects. You’ll have access to in-depth study materials, real-time project experience, and ongoing guidance throughout your learning journey. By the end of the course, you’ll be well-equipped for certification exams and possess the practical problem-solving skills that employers highly value. Start your Salesforce journey with us today and open the door to exciting career opportunities. Sign up for a Free Demo now!