hardis:lint:access
Description
Command Behavior
Checks if specified Salesforce metadata elements (Apex classes and custom fields) have at least one permission defined in any Permission Set or Profile.
This command is crucial for maintaining proper access control and identifying potential security vulnerabilities or misconfigurations in your Salesforce project. It helps ensure that all custom elements are accessible to the intended users through appropriate permission assignments.
Key functionalities:
- Element Validation: Verifies that Apex classes and custom fields have
enabled(for Apex classes) orreadable/editable(for custom fields) access in at least one Permission Set or Profile. - Configurable Ignores: Allows you to ignore specific elements or entire types of elements (e.g., all Apex classes, a particular custom field) using the
--elementsignoredflag or project configuration. - Permission Set/Profile Filtering: You can specify Permission Sets or Profiles to ignore during the access check using the
--ignorerightsflag. - Reporting: Generates a CSV report of all missing access elements, which can be used for auditing or further analysis.
- Notifications: Integrates with notification providers (Grafana, Slack, MS Teams) to alert about missing access issues, making it suitable for CI/CD monitoring.
- Interactive Fix: In non-CI environments, it offers an interactive prompt to automatically add missing accesses to selected Permission Sets.
This command is part of sfdx-hardis Monitoring and can output Grafana, Slack and MsTeams Notifications.
Technical explanations
The command's technical implementation involves:
- File System Traversal: Uses
globto find all Apex class (.cls) and custom field (.field-meta.xml) files within the specified root folder. - XML Parsing: Parses the XML content of Permission Set (
.permissionset-meta.xml) and Profile (.profile-meta.xml) files to extract access configurations. - Element Filtering: Filters out elements that are explicitly ignored (via flags or configuration) or are not subject to access checks (e.g., Master-Detail fields, required fields, Custom Metadata Types, Custom Settings).
- Access Verification Logic: Iterates through each element to check and verifies if it has the necessary access enabled in any of the non-ignored Permission Sets or Profiles.
- Data Aggregation: Collects all elements with missing access into a
missingElementsarray andmissingElementsMapfor reporting and notification purposes.
Parameters
| Name | Type | Description | Default | Required | Options |
|---|---|---|---|---|---|
| debug -d |
boolean | Activate debug mode (more logs) | |||
| elementsignored -e |
option | Ignore specific elements separated by commas | |||
| flags-dir | option | undefined | |||
| folder -f |
option | Root folder | force-app | ||
| ignorerights -i |
option | Ignore permission sets or profiles | |||
| json | boolean | Format output as json. | |||
| outputfile -x |
option | Force the path and name of output report file. Must end with .csv | |||
| skipauth | boolean | Skip authentication check when a default username is required | |||
| target-org -o |
option | undefined | |||
| websocket | option | Websocket host:port for VsCode SFDX Hardis UI integration |
Examples
$ sf hardis:lint:access
$ sf hardis:lint:access -e "ApexClass:ClassA, CustomField:Account.CustomField"
$ sf hardis:lint:access -i "PermissionSet:permissionSetA, Profile"