Require Customize Application Permission for Direct Read Access to Custom Metadata Types (Critical Update)

Users without the Customize Application permission can read unprotected custom metadata types using different APIs that are provided by Salesforce. Following the “secure by default” approach, read access for users who don’t have the Customize Application permission is revoked with this update. This change affects Visualforce pages and Lightning components that directly reference custom metadata types. For custom metadata types, an admin can explicitly grant access to a specific profile or permission set.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, Developer, and Database.com editions. Professional Edition orgs can create, edit, and delete custom metadata records only from types in installed packages.

When: This critical update is enforced in the Spring ’20 release.

How: To grant a profile or permission set read access to a custom metadata type:
  1. Go to the profile or permission set that you want to grant access to.
  2. Under Enabled Custom Metadata Type Access, click Edit.
  3. Add the custom metadata type to the list of enabled custom metadata types.
To re-enable read access to custom metadata outside of Apex code or system mode contexts:
  1. In Setup, navigate to Schema Settings.
  2. Deselect Restrict access to custom metadata.
To test this critical update, we recommend working in a sandbox. If you experience issues, contact Salesforce Customer Support.
Note

Note

This change doesn’t affect accessibility of custom metadata types from Apex or system mode contexts. Custom metadata types retrieved using your custom Apex code continue to work after this update.