Require Customize Application Permission for Direct Read Access to Custom Metadata Types (Critical Update, Enforced)

Access for users without the Customize Application permission to read unprotected custom metadata types is revoked as part of this critical update. Using different APIs that are provided by Salesforce, users without the Customize Application permission could read unprotected custom metadata types. Following the “secure by default” approach, this access is revoked.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, Developer, and editions. Professional Edition orgs can create, edit, and delete custom metadata records only from types in installed packages. This change also affects Visualforce pages and Lightning components that directly reference custom metadata types.

When: This critical update is scheduled to be enforced on sandbox instances on January 2, 2020 in the Spring ’20 release. It will not be rolled out to all instances on January 2, 2020. Sandbox instances are upgraded 4–6 weeks before a release goes into production. To find the exact activation date for your instance, refer to

How: When this critical update is enforced on the instance, users without the Customize Application permission can no longer access custom metadata types. To minimize the impact on your users, admins with the Customize Application permission can grant read access through profile or permission sets.

  1. Go to the profile or permission set that you want to grant access to.
  2. Under Enabled Custom Metadata Type Access, click Edit.
  3. Add the custom metadata type to the list of enabled custom metadata types.


This change doesn’t affect accessibility of custom metadata types from Apex or system mode contexts. Custom metadata types retrieved using your custom Apex code continue to work after this update.

While not recommended, you can disable this critical update by turning off the Schema Settings: “Restrict access to custom metadata types” permission. This Schema Settings permission corresponds to the security org-wide critical update.
  1. Go to Setup and search for Schema Settings.
  2. Turn off Restrict access to custom metadata types.