Require Customize Application Permission for Direct Read Access to Custom Settings (Critical Update)

Currently users without Customize Application permission can read custom settings using different APIs that are provided by Salesforce. Following the “secure by default” approach, read access for users without Customize Application permission will be revoked with this update. This change affects Visualforce pages and Lightning components that directly reference custom settings.

Where: This change applies to Lightning Experience and Salesforce Classic in Contact Manager, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

When: This critical update will be enforced starting January 3, 2020, as part of the Spring ’20 release (originally planned for September 6, 2019, then postponed).

How: This update enables Restrict access to custom settings for your org’s Schema Settings in Setup. We recommend that you test this update in a sandbox before enabling it in your production org.

To activate this critical update before the enforcement date, from Setup, enter Critical Updates in the Quick Find box, then select Critical Updates. For Require Customize Application permission for direct read access to custom settings, click Activate.

This change doesn’t affect accessibility of custom settings from Apex or system mode contexts. Custom settings retrieved using Apex code will continue to work after this update.

Note

Note

With the org-wide setting Restrict access to custom settings enabled, use the ViewAllCustomSettings permission in a profile or permission set to allow users read access to custom settings outside of Apex code or system mode contexts. We do not recommend disabling the org-wide setting.