Experience Cloud Developer Guide

Get Up to Speed with Experience Builder Sites
Develop Experience Builder Sites: The Basics
Brand Your Aura Site
Develop Secure Sites: Authenticated and Guest Users
Limit Declarative Access
Determine a Security Model
Limit Access to Apex Classes
Flow Security
SOQL Injection
Develop Secure Sites: CSP, LWS, and Lightning Locker
Analyze and Improve Experience Builder Site Performance
Add Pardot Tracking to Your Experience Builder Site
Use a CMS with Your Experience Builder Site
Report on Deflections: The Deflection Signals Framework
Deploy an Experience Cloud Site from Sandbox to Production
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Limit Declarative Access

Granting permission to view an object allows external users to view that object using standard controllers. Standard controllers are available in Experience Builder sites and Salesforce Tabs + Visualforce sites that have Lightning features enabled. These controllers grant access based solely on the platform declarative permissions.

Grant declarative access to create, view, modify, or delete only those objects for which external users are allowed to access without mediation via your controller. The Salesforce platform includes standard controllers that can be used to create, read, update, or delete data. Standard UI controllers enforce the declarative access policies encoded in the platform’s sharing rules, in the create, read, update, and delete (CRUD) permissions, and in field-level security (FLS). If you grant permissions to an external user to view or update an object, they’re able to perform the operation. Don’t grant excessive permissions to any object if you don’t want those permissions exercised.