Security Review Communication 2020/2021 - ADvendio Version 2.137

As part of the regular Salesforce Security Review, we’ve undergone a number of enhancements in our product to ensure the high standard across the salesforce App exchange.

In doing so, we’ve made minor changes across the product, touching many of the core features and functions.

These changes or enhancements include:


Read Access

In order to carry out certain functions or trigger specific processes, it was necessary to ensure the user starting the process had read access to the fields required to carry out that function.

Action Required: There are no specific steps required from users or Admins to enable these changes, they are done as default in the latest version (starting with version number 2.137 which will be released in the mid of January).

We do however suggest, as with every new installation, that you test your core functions and processes in a sandbox environment before installing in production. They key thing to test here is that the users who will be carrying out the functions on a daily basis, have the relevant permissions to carry out those functions as normal. So for example that your Sales team can still create visit reports, create and edit Campaign Items and send proposals, the Product Manager / Sales Support can still define new products and their prices and the finance manager can still carry out invoicing or Publisher Payout. 

When upgrading to a new version of ADvendio, we always recommend you follow the steps highlighted in our wiki: How to upgrade ADvendio

What happens if a user doesn’t have the right access?

If a user is trying to carry out a function where they are missing relevant read permission, they will be shown an error similar to the one below

Access violation by field ADvendio__VatIdNumber__c in object Account

In this case you simply need to give the user read permission for the mentioned field on the relevant object.

Steps:

  • User reports issue and error message for process to the Admin (for example, the user is trying to verify that VAT ID of an account and hits the access violation above)

  • Depending on where you manage the ADvendio permissions the Admin navigates to the
    Setup > Permission Sets > [Select the relevant Permission] Set or Setup > Users > [User reporting the issue] > Permission Set Assignments > [Select the relevant Permission Set]
    or Setup > Users > [User reporting the issue] > check Profile > [Select the relevant Profile]

  • Select Object Settings and navigate to the reported object

  • Press Edit

  • Set Read Access to true for reported field

Sample video:

This is not something which we expect your users to encounter frequently, and if encountered it is merely due to a simple misconfiguration in the permissions. We simply wanted to draw your attention to it so it can be identified as quickly as possible, if relevant.

Trouble shooting

Question: My user has the relevant access and rights but is still getting an access violation error?

Answer: This has been reported by some users with regards to fields which have been deleted from the ADvendio package or custom fields where the API name is the same as a packaged field, without the ADvendio prefix. This is due to a bug in the Salesforce method Security.stripInaccessible which has been reported to Salesforce. In order to continue working in the meantime, the following solutions are available:

In the case of deleted packaged fields, there are two options available. 1) remove the access users have to these fields, they are no longer needed for the ADvendio features and functions or 2) delete the fields entirely from the org if you also no longer need them.

In the case of the API name being the same as a packaged field, without the ADvendio prefix, simply change the API name of the custom field so that it differs to the packaged field. If doing this, be sure to update references to this field in other places.

As always, we remain available to assist at support@advendio.com if you are having any issues with reconfiguring your permissions or identifying the relevant fields.


Confirming Certain Process

As part of the security updates, it is now necessary to confirm certain processes where these processes will alter or create certain data. For more information on which processes are impacted, please see the following link: https://advendio.atlassian.net/wiki/spaces/SO/pages/1564147721

Action required: no action is required to implement or activate these confirmation modals. They will be triggered where needed from version 2.130 onwards.


Updating Software Versions

In our code we are using libraries such as jquery that regularly receive their own security updates. We updated these versions in order to avoid vulnerabilities.

Action required: no action is required. This is simply a change in the code which will have no impact on end users.


View Setup Permissions

To carry out certain functions, users were required to have ‘View Setup' permissions in order to query certain information stored in a setup object. For example, to carry out a Billing Run users needed to query the Organisation Object to create the results of the different Phases and generate links in the results emails.

Action required: no action is required on behalf of the users or admin, queries regarding the Organisation Object and AsyncApexJobs have been redirected to get that information from another location. Meaning users should not experience any issues, this includes processes such as Accounting Record Generation, Invoice Billing Run, Merge PDFs, Sell Through Report and VAT matching.

If standards users do experience any issues in running processes or accessing features, which Admins or users with View Setup Permissions can carry out then please contact us at support@advendio.com