Synopsis
This document addresses a use case which may causes errors for some users when generating documents due to enabling a critical update that prevents such users from accessing Custom Settings through Salesforce APIs.
UPDATE Feb, 19, 2020: IMPORTANT - You will want to assess whether you are using the Permission Sets that are included with the Nintex Drawloop DocGen page before upgrading. In some cases your Salesforce Admin may be using custom profiles or permission sets, in this case you will want make the changes outlined below in the Create a Custom Setting Definition section. Additionally, you have DocGen Packages configured to stored documents to Box, you will want to also box.Folder Details, box.Lead Setting, and box.SSO Setting to your Custom Setting Definition.
UPDATE Jan, 16, 2020: We have released Nintex Drawloop DocGen v16.1.2 with the appropriate Custom Settings Definitions added to our packages permissions sets and profiles. You can upgrade your Salesforce Org using the link below, as always, testing in a Sandbox first:
https://appexchange.salesforce.com/listingDetail?listingId=a0N300000016Zn3EAE
Customize Application Permission Critical Update
- In the Summer ’19 release, Salesforce deployed a new optional Critical Update that can restrict which Salesforce Users have read access to Custom Settings through different Salesforce APIs
- The new Critical Update is scheduled to be rolled out and enabled in all Salesforce orgs on January 3rd, 2020.
- The Customize Application permission is an elevated permission that allows several privileges. Understandably, this permission is granted on an “as needed” basis, typically to System Administrator, or similar users.
- Nintex Drawloop Docgen for Salesforce utilizes Custom Settings to store configurations related to the document generation process. These custom settings are sometimes accessed via the Salesforce REST API, and only accessed in a read-only method.
Control Who Receives Read Access to Custom Settings
- In Winter ’20 Salesforce released option for control access to Custom Settings, even through the Salesforce APIs
- The permission can be applied to a Profile or Permission set.
View All Custom Settings permission
- In Winter ’20 Salesforce released a new permission “View All Custom Settings”, that when used will allow user accounts read only access to ALL custom settings through the APIs.
- The permission can be applied to a Profile or Permission set.
Who is Impacted
Nintex Drawloop DocGen customers with the following configurations may experience errors if action is not taken when enabling the Critical Update, or when the Update goes into permanent effect
- Storing generated documents to:
- Attachments back to the original record
- Veeva Vault
- CipherCloud
- Accessing the DocGen Queue Record details page if the user does not already have the DocGen Admin permission
Recommendations
The following option has been confirmed from Salesforce to essentially put your org and your user permissions into a state exactly as it would be found prior to the Summer ’19 release, which is to say all Users have read access to Custom Settings through the APIs.
Create a Custom Setting Definition
For the recommendation, you can add to already exiting Profiles or Permissions granular control to the Nintex DocGen Settings Custom Setting that can cause errors when generating documents if you users do not have access.
- In Salesforce Setup, navigate to Manage Users > Profiles or Permissions sets
- Click the name of your desired Profile or Permission Set
- Further down the page click on Custom Setting Definitions
- Click the Edit button
- Locate and add the Loop.Nintex DocGen option
- Click Save
- Users assigned the Profile or Permission Set should no longer experience errors when running DocGen Packages.
Customers using the Nintex LOOP Storage application will also want to add the LStore.Storage Settings setting to application Profiles and Permission Sets.
Enable the View All Custom Settings permission
One option is to add the View All Custom Settings permission to all necessary Profiles or Permission Sets to allow users access to the needed Custom Settings.
Additional Information
Potential Product Fix
Nintex is also currently investigating the possibility of including a Custom Setting Definition for the Loop.NintexDocGen option in the “DocGen Admin” and “DocGen User” permission sets the come bundled with Nintex Drawloop DocGen. We recommend that you subscribe/follow this for further updates regarding the status of a new package version.
Nintex has decided to not include the “View All Custom Settings” permission with the bundled DocGen Admin or DocGen User permissions because the permission allows access to all custom settings, not just those specifically for an Application’s namespace, which could lead to unintended security concerns.
Nintex has also learned from Salesforce that additional options for access to Custom Settings may be made available in upcoming releases, however details are not yet known. Until details are provided by Salesforce, the above options are our recommendations to prevent disruptions in service when the Critical Update goes into effect on January 3rd, 2020. As always, thoroughly test in a Sandbox first, and please reach out to us through the Nintex Customer Central portal if you require any assistance or have questions.
Testing
A simple use case to test whether your implementation of our recommendations are applied can be found below:
- Create or run a document package that has “Store as” option, set to store the documents as an Attachment
- With the Critical Update OFF -> no errors should appear
- With the Critical Update ON -> errors with messaging of “Missing access to LoopSettings__c” will be displayed.
- Enable the Critical Update
- Add the Custom Setting Definition to desired Profile/Perm Set
- Re-run document package -> no errors