Dmytro

Published

2 months ago

Reading time

10 min read

Prepare for Upcoming Critical Update Enforcement: Restricting Access to @AuraEnabled Apex Methods

If you are a Salesforce admin, developer, support agent, or play any other role in managing a Salesforce org for your company or client, you need to be aware of an important critical update from Salesforce. This security change could impact your organization's Salesforce implementation and requires urgent attention to ensure business continuity.

Salesforce has been sending reminder emails to all org owners and managers about this major change coming in the Winter '21 release.

If you've received this notification, it means this feature will affect users in your org. Let's examine what's changing and how to properly prepare for this critical security enhancement.

Understanding the Critical Security Updates

1. Restrict Access to @AuraEnabled Apex Methods for Authenticated Users

With this new security feature, administrators gain enhanced control over authenticated users accessing Apex classes. Once activated in your org, all authenticated users will only be able to access @AuraEnabled Apex methods when explicitly granted that access through their user profile or via a permission set.

By default, users will not have access to these Apex methods. This change affects:

  • Aura components
  • Lightning web components
  • All communities (both Classic & Lightning)
  • Flows in Lightning Experience
  • All versions of the Salesforce mobile app

This update significantly impacts internal/authenticated users currently using any @AuraEnabled Apex methods across communities and other modules. Without careful review and preparation, this could disrupt business continuity.

From a security perspective, this update benefits administrators by enforcing user profile and permission set restrictions for Apex classes used by Lightning web components and Aura-based components. It provides greater flexibility to grant selective access on an as-needed basis. However, this additional security layer requires thorough review before rollout to prevent unexpected functionality issues for end users.

2. Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users

This parallel security feature focuses specifically on external users. Once activated, all guest, portal, or community users will only be able to access @AuraEnabled Apex methods when explicitly granted that access through their user profile or via a permission set.

This change affects:

  • Aura components
  • Lightning web components
  • All communities (both Classic & Lightning)
  • Flows in Lightning Experience
  • All portals and Salesforce sites

External and portal users will be most affected by this change, making careful review and preparation critical for maintaining business continuity.

Release Timeline and Implementation Strategy

This critical update is applied automatically when your Salesforce org upgrades to Winter '21. This applies to both sandbox and production instances that upgrade to Winter '21 after August 9, 2020.

If you're unsure about your Winter '21 upgrade dates, you can find this information by logging into https://status.salesforce.com.

Required Preparation for Administrators and Release Managers

Following Salesforce solutions best practices, we recommend thoroughly testing these features in a sandbox environment before they take effect in production. Since the auto-activation date has already passed (August 9th), administrators should follow these steps:

  1. Review the official Salesforce documentation:
  2. Analyze Impact and Create User Inventory: Identify all users who will be affected by this update, particularly those utilizing custom components.
  3. Update Access Controls: Modify user profiles and add/remove permission sets as needed to provide access to appropriate components, then thoroughly test these changes.
  4. Component Testing: Test all custom Aura components, Lightning web components, and flows developed for guests, portal, and community users to ensure they continue to function correctly. Repeat this testing for components used by authenticated internal users.
  5. User Training and Communication: Inform affected users about the upcoming changes before they are automatically applied to your production instance. Clear communication is essential for a smooth transition.
  6. Continuous Monitoring: Regularly check the Trust and maintenance calendars to stay informed of any changes to release plans, and monitor https://status.salesforce.com for your specific upgrade date.
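
An added example, not from the original article or from Salesforce: one way to do the impact analysis in steps 2 and 3 offline against retrieved metadata, listing the classes with @AuraEnabled members that a user's profile and permission sets do not grant. The class names, Apex sources and user labels are constructed; the `classAccesses`, `apexClass` and `enabled` elements follow the Metadata API layout of Profile and PermissionSet files.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
AURA_ENABLED = re.compile(r"@AuraEnabled\b", re.IGNORECASE)  # Apex is case-insensitive
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)  # stripped before scanning

def aura_enabled_classes(classes):
    """Names in {class name: Apex source} that have live @AuraEnabled members."""
    return {name for name, src in classes.items()
            if AURA_ENABLED.search(COMMENTS.sub("", src))}

def granted_classes(metadata_xml):
    """Apex classes enabled in one Profile or PermissionSet metadata file."""
    granted = set()
    for access in ET.fromstring(metadata_xml).findall("md:classAccesses", NS):
        name = access.findtext("md:apexClass", "", NS).strip()
        enabled = access.findtext("md:enabled", "false", NS).strip().lower()
        if name and enabled == "true":
            granted.add(name)
    return granted

def access_gaps(classes, grants_by_user):
    """grants_by_user: {label: [XML of the profile and each assigned permission set]}.
    Returns {label: sorted @AuraEnabled classes that none of those files grant}."""
    exposed = aura_enabled_classes(classes)
    return {label: sorted(exposed - set().union(*map(granted_classes, files)))
            for label, files in grants_by_user.items()}

def _meta(root_tag, *grants):  # builds a constructed sample metadata file
    rows = "".join(f"<classAccesses><apexClass>{c}</apexClass><enabled>{e}</enabled>"
                   "</classAccesses>" for c, e in grants)
    return f'<{root_tag} xmlns="{NS["md"]}">{rows}</{root_tag}>'

# Constructed sample input (class names, sources and user labels are made up).
CLASSES = {
    "CaseController": "public class CaseController {\n  @AuraEnabled(cacheable=true)\n"
                      "  public static List<Case> openCases() { return null; }\n}",
    "OrderService": "public class OrderService {\n  @auraenabled static void submit() {}\n}",
    "LegacyUtil": "public class LegacyUtil { /* @AuraEnabled removed */ static void run() {} }",
}
GUEST_PROFILE = _meta("Profile", ("CaseController", "false"))
CASE_PROFILE = _meta("Profile", ("CaseController", "true"))
ORDERS_PERMSET = _meta("PermissionSet", ("OrderService", "true"))
USERS = {"Guest user": [GUEST_PROFILE], "Portal user": [CASE_PROFILE],
         "Internal user": [CASE_PROFILE, ORDERS_PERMSET]}

if __name__ == "__main__":
    print(access_gaps(CLASSES, USERS))
```

A class listed for a user is one that user can no longer call once the update is enforced. Grant access only where that user is meant to reach the class; a gap for a guest profile is often the intended outcome.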

How Addax Can Help

At Addax, our certified Salesforce consultants specialize in guiding organizations through critical Salesforce updates like this one. Our Salesforce Solutions team can:

  • Perform a comprehensive audit of your existing Apex classes and Lightning components
  • Identify all affected users and functionality
  • Create and implement a detailed remediation plan
  • Configure profiles and permission sets correctly to maintain business continuity
  • Provide training for your administrators and end users

Our expertise in CRM implementation and customization ensures that security updates like this enhance rather than disrupt your operations.

Next Steps

Once you've reviewed the release notes and prepared for these changes, you can confidently embrace these additional security features from Salesforce, knowing your system will continue functioning smoothly for all users.

Ready to ensure your Salesforce org is properly prepared for this critical update? Contact Addax today for expert assistance with your Salesforce security configuration.
