Grant Access to Custom Settings After Restricting Org-Wide Access (Critical Update)

Users without the Customize Application permission can read custom settings using APIs that are provided by Salesforce. This access will be revoked as part of a critical update that is scheduled to be rolled out with the Spring ’20 release on January 3, 2020. For the Winter ’20 release, new permissions allow read access to custom settings.

Where: This change applies to Lightning Experience and Salesforce Classic in Contact Manager, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

When: The critical update to revoke read access to custom settings using APIs from users without the Customize Application permission is enforced on January 3, 2020 in the Spring ’20 release. You can activate the critical update in the Summer ’19 release or later.

After the critical update, users without the Customize Application permission can no longer access custom settings. To minimize the impact on your users, admins with the Customize Application permission can grant read access to custom settings through profiles and permission sets. You can prepare the necessary changes to permission sets and profiles before enabling the critical update.

How: We recommend that you test this update in a sandbox before enabling it in your production org.

To test this update before the enforcement date:
  1. From Setup, enter Critical Updates in the Quick Find box, then select Critical Updates.
  2. Click Activate for the update: Require Customize Application permission for direct read access to custom settings.

    You can also enable or disable read access to custom settings using the Restrict access to custom settings permission available from Schema Settings. This permission corresponds to the critical update org-wide permission.

  3. Grant read access through profiles or permission sets.
    To grant a specific profile or permission set read access to custom settings:
    1. Search for Profiles or Permission Sets from Setup, then click the name of the profile or permission set.
    2. Click the Custom Setting Definitions permission.
    3. Click Edit, add the custom setting to the Enabled Custom Setting Definitions list, then click Save.
    To grant profiles or permission sets read access to all custom settings:
    1. Search for Profiles or Permission Sets from Setup, then click the name of the profile or permission set and click Edit.
    2. In the Administrative Permissions section, check View All Custom Settings.
    3. Click Save.
  4. Test this critical update. With the Restrict access to custom settings permission enabled, permissions are enforced as follows:
    • Customize Application permission—Read and write access to all custom settings.
    • Custom Setting Definitions—Read access to specific custom settings outside of System context. Users must be granted access through profiles and permission sets.
    • View All Custom Settings permission—Read access to all custom settings outside of System context.
    • View Setup and Configuration permission—Read access to custom settings in Setup. Users must be granted access to specific custom settings through profiles and permission sets, or be granted the View All Custom Settings permission.

Apex generally runs in system mode, so the current user's permissions and field-level security aren’t considered during code execution. The critical update doesn’t affect the accessibility of custom settings from system mode. Calling an Apex method such as isAccessible indicates whether the running user has access outside of system mode. After activating this critical update, if the user isn’t granted access to an object, calling isAccessible returns false. For example, if a user isn’t granted access through a profile to Contact, isAccessible returns false.
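
Because system-mode Apex still reads custom settings after the update, code that returns setting values to users has to make the isAccessible check itself. The following is an added example, not Salesforce's own code, of a controller that does so. It assumes a hypothetical hierarchy custom setting `Feature_Config__c` with a text field `Endpoint__c`; the class and method names are also hypothetical.

```apex
// Added example. Feature_Config__c and Endpoint__c are hypothetical names
// standing in for one of your org's hierarchy custom settings.
public with sharing class FeatureConfigController {

    // Returns the setting value that applies to the running user, but only
    // when that user has been granted read access to the custom setting
    // (through Custom Setting Definitions, View All Custom Settings, or
    // Customize Application).
    @AuraEnabled(cacheable=true)
    public static String getEndpointForCurrentUser() {
        // Describe results reflect the running user's access, not system mode.
        Boolean canReadSetting =
            Schema.sObjectType.Feature_Config__c.isAccessible();
        Boolean canReadField =
            Schema.sObjectType.Feature_Config__c.fields.Endpoint__c.isAccessible();

        if (!canReadSetting || !canReadField) {
            // Refuse instead of falling through to the system-mode read below,
            // which would succeed regardless of the user's permissions.
            throw new AuraHandledException(
                'You do not have read access to this custom setting.');
        }

        // This read runs in system mode and is not blocked by the critical
        // update, which is why the explicit check above is needed.
        Feature_Config__c cfg = Feature_Config__c.getInstance();
        return cfg == null ? null : cfg.Endpoint__c;
    }
}
```

Calling this method as a test user before and after adding the setting to the Enabled Custom Setting Definitions list on that user's profile or permission set shows whether the grant took effect.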