Salesforce Developer Security API Considerations
Salesforce - Developer - Security - API Considerations

1. API access to an org lets a user bypass presentation-layer controls (Visualforce pages, standard page layouts), which introduces some situations that are unique to the API and worth being aware of.
2. API queries rely completely on the pre-configured FLS/CRUD/Sharing settings. If these are not configured correctly, data may be unintentionally exposed. This is a common problem for portal users, where data access is often decided in Visualforce and Apex rather than in the security model.
3. Some objects do not allow FLS/CRUD/Sharing to be configured at all. Examples include custom settings in the local namespace and Work.com objects such as Thanks.
4. API access makes mass extraction of data easy. Some kinds of data are not very sensitive individually but become increasingly sensitive in large numbers.
5. It may sound like API access is something to avoid, but many mobile apps currently require users to have API access. The best approach is to make sure CRUD/FLS/Sharing are scoped correctly, so that a user is legitimately allowed to see everything the API exposes to them.
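One way to check point 5 in practice is to audit what a given user can actually read through the API, since that is decided by CRUD/FLS alone and not by any Visualforce or Apex controller logic. The anonymous Apex below is an added example, not code from the original page: run it while logged in as the user under test (for example via Login As), and it lists every object that user can query plus the fields readable on it, calling out custom settings separately because they carry no FLS. It does not evaluate record-level sharing, and the `maxObjects` cap is an assumption made only to keep the debug log readable.

```apex
// Added example (not from the original page): report what the running user can read
// through the API, based purely on CRUD/FLS as returned by the describe calls.
// Assumption: maxObjects only limits log volume; raise it for a full audit.
Integer maxObjects = 100;
Integer reported = 0;
Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
List<String> names = new List<String>(gd.keySet());
names.sort();
for (String name : names) {
    if (reported >= maxObjects) break;
    Schema.DescribeSObjectResult obj = gd.get(name).getDescribe();
    // Only objects the user can both read and query are reachable via API SOQL.
    if (!obj.isAccessible() || !obj.isQueryable()) continue;
    reported++;
    if (obj.isCustomSetting()) {
        // Custom settings have no per-field security; if the object is readable, all of it is.
        System.debug('CUSTOM SETTING (no FLS): ' + obj.getName());
        continue;
    }
    List<String> readable = new List<String>();
    for (Schema.SObjectField f : obj.fields.getMap().values()) {
        Schema.DescribeFieldResult fd = f.getDescribe();
        // isAccessible() reflects the running user's field-level security.
        if (fd.isAccessible()) readable.add(fd.getName());
    }
    System.debug(obj.getName() + ': ' + readable.size() + ' readable field(s) -> '
                 + String.join(readable, ', '));
}
System.debug('Audited ' + reported + ' queryable object(s) for ' + UserInfo.getUserName());
```

Compare the output with what the user is supposed to see; any object or field that appears here but is only "hidden" by a page layout or controller check is exposed to that user through the API.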
page revision: 0, last edited: 01 Jan 2017 23:50