Over the last few Salesforce releases, summer 21, we’ve seen incremental changes by Salesforce to make ongoing improvements to the security model. It is in reaction to public security breaches such as SolarWinds and the successful class action against Salesforce & Hanna Andersson. The goal is to protect the customers from attack through insecure development and–more often than not–simple use of default configurations. These steps ensure responsibility for any such future does not lie at Salesforce’s door.
With Provar, our customers can use their regression test packs to verify the impact of these updates months ahead of their automatic enforcement. Most changes we catch for customers allow them to avoid updating their test cases. However, some changes that Salesforce introduces affect the expected result–which means you need to decide whether to accept the new behavior by changing your customizations or your test case desired results.
With Salesforce’s Summer ‘21 release hitting Pre-Release environments, I wanted to highlight some enforced release updates to consider, including in your release regression planning that some teams have historically neglected until the Sandbox Preview or even until Production releases enforce the behavior! You don’t need to wait until Summer ‘21 hits your sandbox to test them.
History of Recent (Breaking) Changes
Spring ‘20 & Summer ‘20
Many of these changes were deferred to allow customers more time during the COVID-19 impact to prepare for the changes and avoid disrupting businesses.
- Change: Secure Guest User Record Access.
- Common Impacts: Community Cloud unauthenticated users, Site.com and Lightning Out page failures; external API calls into Salesforce failed to retrieve records; missing data records (no results found) on public Search; Changes to record owner for new documents created causing business logic failures.
- How Provar Helped: Regression tests run using Provar TestRunner flagged page and API failures on both Salesforce and non-Salesforce applications under test. Customer support teams were able to rectify the permissions and use Provar to automatically retest the changes that had restored the expected behavior, which helped identify any additional areas that were missed during impact assessment.
Winter ‘21
- Change: Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile. It sounds simple, but this change broke a lot of implementations.
- Common Impacts: Aura component Quick Actions, Lightning Page Customisations, and Experience (Community) Cloud pages using Apex methods failed if the user’s profile or permissions did not include security access to the supporting Apex class. Before Winter ‘21, these interactions would have worked.
- How Provar Helped: Permission changes to Profiles are notoriously challenging to deploy unless the related artifact is deployed at the same time. Permission sets can be deployed but need to be granted to users. Provar test cases were used to identify broken UI components in regression tests by development teams to test whether the deployment steps had been completed and to automate granting permissions to users via API or UI interactions.
Spring ‘21
- Change: Require explicit assignment of apex class security to profiles/permission sets.
- Common Impacts: Experience cloud and Site.com page errors, VisualForce page failures, and processes/flow using invocable Apex broke in production. We even saw losses on the Salesforce Partner Community when raising new Cases.
- How Provar Helped: Regression tests identified page failures with error pages being shown, components not rendering, and data values not appearing in custom components using Sandboxes. After rectifying the root cause, teams could rerun the same Provar tests and repeat the tests for different user profiles to check coverage across all profiles and user types. On production, release teams could run a test plan to smoke-test the production instance that had been updated correctly.
What’s next for Summer ‘21?
Here is a summary of upcoming security changes that could break your current Salesforce application customizations when enabled. We strongly recommend you allow these Releases to be Updated in a Sandbox and test the impact before the auto-activation deadlines.
| Release Update | Auto-activation | Potential Impact | How Provar can help |
|---|---|---|---|
| Enforce Access Modifiers on Apex Properties in Lightning Component Markup | Summer ‘21 | Before this change, apex attributes with private access modifiers were still visible to Lightning Components. This change may cause an error in the component’s javascript, or fields/text may not appear that were previously visible. | Ensure you have UI test coverage for your custom components, which will fail if fields & values cannot be located. |
| Disable Access to Non-global Controller Methods in Managed Packages | Summer ‘21 | Before this change, your local Aura development could access Apex methods in 3rd party packages that were not shared as global. After enabling this change, aura components may fail to display or display errors if they reference non-global methods. | Ensure you have UI test coverage for your custom components, which will fail if fields & values cannot be located. |
| Enforce Access Modifiers on Apex Properties in Lightning Component Markup | Summer ‘21 | Before this change, Aura and LWC customizations could reference personal attributes in Apex controllers. This change started hitting some sandboxes on April 4th, 2021. This may cause components to fail and errors or values not to appear as expected. | Ensure you have UI test coverage for your custom components which will fail if fields & values cannot be located. |
| Enforce Data Access in Flow Merge Fields | Summer ‘21 | Previously postponed, we’re expecting this to be enforced finally. If affected, Flows that reference fields that the running user does not have permission to access will fail and likely cause a failure email to the flow author. | Ensure you have at least API coverage for your record-triggered flows and UI coverage for screen flows and Quick Actions to verify expected behavior. |
| Require Verification When Experience Cloud Users, Partners, and Customers Change Their Email Address | Summer ‘21 | Experience (Community) Cloud users who change their email address will get a generic email notification instead of a company-branded one. | Customize your email template and use Provar to test the email received on the change of experience cloud user email address. Rerun the same test for a user after deploying the template to production to verify your deployment. |
This list is far from exhaustive, and we strongly recommend you review the Draft Release Notes for Summer ‘21 when they become available from April 20th, 2021, and stay up to date with amendments until Sandbox Preview starts on May 8th, 2021. There are a set of excellent Trailhead Modules on Release Readiness if you are unfamiliar with this activity:
- https://trailhead.salesforce.com/en/content/learn/modules/sf_releases
- https://trailhead.salesforce.com/en/content/learn/modules/advanced-salesforce-release-readiness-strategies
Future Roadmap Insights & Predictions
If we take out our crystal ball, we know the following changes are in the Salesforce pipeline, though where they may land, or if they go ahead, are the ultimate forward-looking statements. Proposed release versions are always subject to change:
- Dynamic Forms for Standard Objects (Deferred from Spring ‘21 and not in Summer ‘21 pre-release orgs at the time of writing). Provar handles conversion from Page Layouts to Dynamic Forms to ensure you don’t need to amend your test cases unexpectedly. Still, you may wish to amend your test to cater to customizations on the field and section visibility rules your Salesforce admins introduce.
- Incremental changes to the Lightning DOM to implement complete open shadow DOM. Provar tries to protect you from these changes on standard Salesforce elements. Still, where you have developed your Page Objects and Xpaths to test your custom web components, you may wish to edit your locators to use a ProvarX field mapping to insulate you from future DOM changes.
- Incremental changes (component by component) to Experience Cloud to render standard features as Lightning Web Components instead of Aura Components. You may use AuraBy or Xpath locators today to test Experience Cloud sites, which may need a simple remapping in the PageObject. We predict this will be made available as an optional Release Update before being enforced at a future date.
- Order Save Behaviour Update (Enforced in Summer 22). Already available to test, customers advised doing this as soon as possible as changes to any customizations may be required. This change will likely affect any record-triggered customizations and business logic on the Order and Order Line Item objects or cause actions to fire more than once.
- Dynamic Interaction is a new declarative solution due to enter Pilot soon for configuring reactive, active components declaratively. Based on previous pilot programs, we predict this will unlikely be GA before Spring ‘22. This could change the contents of one piece based on actions and values in another and would be good candidates to add to your test coverage, plus identify unnecessary page and component refreshes that may have previously been used in your solution.
