Licensed profiles/permission sets can show custom objects that are children of standard objects that are not allowed
Last updated 2020-01-28 ·Reference W-6984077 ·Reported By 5 users
If a customer creates a custom object with a field that references another object, and that other object is restricted from some licenses then a customer is able to add that custom object to a profile/permission set when it should not be allowed. Additionally, this is also an issue with only part of the parent CRUD is not licensed for a profile/permission set.
When the parent object is not supported for the licensed profile.
1. Create a custom object
2. Create a field on the custom object, that is a master-detail to 'Opportunity'
3. Clone a profile that uses the 'salesforce platform' license. (which doesn't have access to opportunities)
4. In the cloned profile, modify the read/write values for the custom object.
5. Profile will now have access to the restricted parent object (Opportunity).
When the parent object is only partially supported (View All and Modify All are not allowed permissions).
1. Enable a community for the org
2. Create a custom object
3. Create a master-detail field on the custom object to 'Case'
4. Clone a profile of the customer community standard profile (which doesn't have View All/Modify All on case)
5. In the cloned profile allow Modify All on the custom object
6. View All/Modify All is is enabled for Case even though the profile is not licensed for it.
Ensure that the CRUD permissions are disabled for the child custom object for profiles that do not have access to the parent standard objects permissions (all or partial).
Is it Fixed?
Any unreleased services, features, statuses, or dates referenced in this or other public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make their purchase decisions based upon features that are currently available.