Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile (Update, Postponed)
Where: This change applies to Aura and Lightning web components in Lightning Experience, Salesforce Classic, Lightning communities, and all versions of the Salesforce app.
When: This update was created in Winter ’20 and is enforced when a sandbox or production org is upgraded to Winter ’21. Enforcement starts for some sandboxes on August 9, 2020. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.
Why: This update enforces user profile and permission set restrictions for Apex classes used by Aura and Lightning web components.
Note
To enable access to a public Apex controller that’s part of a managed package, a subscriber org must use a permission set. You can’t enable access to a public Apex controller from a managed package using a user profile.
How: To test this update, we recommend working in a sandbox. After August 12, you can continue to activate or deactivate the update from Release Updates in Setup until the update is automatically enforced when your org is upgraded to Winter ’21. After August 9, you can no longer activate or deactivate the update from Critical Updates in Setup.
- From Setup, enter Release Updates in the Quick Find box.
- Select Release Updates (Beta).
- Find “Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile” and click View Details or click Get Started.
- Test that custom Aura or Lightning web components that you’ve developed are working correctly
for authenticated users.
Note
The AuraEnabled Scanner open-source tool lists all the Apex classes in your org that contain one or more @AuraEnabled methods. The tool also identifies classes with no access granted to a profile or permission set. For more information, see this GitHub repo.