Salesforce 2020 critical updates

Here's a list of Critical Updates released by Salesforce that could potentially impact your Frisbii configuration.
Please check whether this applies to you and follow the instructions if it does.
We'll be updating this article regularly.

Request "Customize application for direct read access to customized settings" authorization 

Scheduled for 03/01/2020

In Frisbii, automations (batch launches/scheduled tasks) and the administration panel are based on custom settings. 

If you use automations in Frisbii :

1. Please update a partial copy sandbox

2. Activate the update by going to Setup > Critical updates

3. Test the display of the admin panel (tab: Frisbii Administration)

4. Test your automations (invoice/quotation creation, reminders, etc.).

Here is what Salesforce has to say about this critical update:

Salesforce guidelines

Currently, users who do not have Customize Application permission can read custom settings using different Salesforce APIs.
To reinforce security, this update revokes Read access for users who do not have Customize application authorization.

You can grant Read access to these users using a specific profile or permission sets.

Profiles

1. In Setup, enter Profiles in the Quick Search bar, then select Profiles.

2. Choose a profile, then click on Modify.

3. In the Administrative authorizations section, select Show all custom settings.

4. Click on Save.

Permission Sets

1. In Setup, enter Permission sets in the Quick search box, then select Permission Sets.

2. Choose a permission set, then click on Modify.

3. In the Select columns to display section, find the View All Custom Settings permission and add it to the Selected parameters.

4. Click on Save.

You can also reactivate Read access to customized settings without Apex code or system mode, as follows.
This method is not recommended for safety reasons.

1. In Setup, enter Schema Settings in the Quick search box, then select Schema Settings.

2. Uncheck Restrict access to custom settings.

Test this Critical Update

To test this critical update, we recommend working in a sandbox organization. If you have any problems, please contact Salesforce Customer Support.

Note: This modification does not affect the accessibility of custom settings with an Apex code or in system mode. Custom settings retrieved using your custom Apex code remain operational after this update.

Restrict access to Apex @AuraEnabled methods for guest and portal users according to user profile

Scheduled for 07/02/2020

This update concerns those who have set up communities and automations at the same time.

• Salesforce limits access to Apex methods for community users.

• Please sandbox test the impact of this update by following Salesforce's instructions, if you are concerned.

Salesforce guidelines

When this critical update is enabled, a guest or portal user can access an Apex @AuraEnabled method only if the user's profile authorizes access to the Apex class. This critical update applies user profile restrictions to the Apex classes used by the Aura and Lightning Web components.

We recommend testing this update in a sandbox organization to verify its behavior, before activating it in your production organization.

Test this Critical Update

How: to test this critical update, we recommend working in a sandbox organization.

1. In Setup, enter Critical updates in the Quick search bar.

2. Select Critical updates.

3. See details of the critical update "Limit access to Apex @AuraEnabled methods for guest and portal users based on user profile".

4. Click on Activate.

5. Check that any custom Aura or Lightning components you've developed work properly for guest and portal users.

Update managed packages to reflect changes in the external sharing model

Scheduled for 07/02/2020
Make sure your managed packages are up to date with changes to the external sharing model. The external sharing model is automatically activated in organizations created with Spring '20 or higher. In addition, external access levels are initially set to Private for all objects in these organizations. These changes do not affect existing customers.

Where: this change applies to Lightning Experience and Salesforce Classic in Essentials, Group, Professional, Enterprise, Performance, Unlimited and Developer editions. The Dev Hub is available in Developer, Enterprise, Performance and Unlimited editions.

Why: packages that depend on an external access level of an object other than Private do not always work normally in organizations created with Spring '20 or higher.

How: update your packages to support these modifications, by changing the organization's default settings.

See also:
Enable organization default external access settings in all new organizations

Guest user: security policies applied

These two features :

• Protection of sharing settings and access to recordings by guest users

• Assign records created by guest users to a default owner in the organization

will be automatically activated from Summer '20, with deactivation and removal options available. The settings will be applied to Winter '21 without disable and exclude options.

Before the Summer '20 release, you can opt out of automatic activation via the critical update Unsubscribe from guest user security policies prior to Summer '20 (update already released) located in Configuration > Critical updates.
Customers will no longer be required to submit a case with support.

By activating this update, you unsubscribe from three policies that reinforce data security in the presence of guest or unauthenticated users. Activating this update unsubscribes your organization from the automatic activation of the following settings in Summer '20 : Secure access to records by guest users, Assign records created by guest users to the default owner and Assign records created by guest users to Salesforce sites. If your organization has already activated these settings, activating this update will not change your configuration.

Where: This change applies to all organizations with active communities in Enterprise, Essentials, Unlimited, Performance and Developer editions.

When: user settings :

• Secure access to recordings by guest users,

• Assign records created by guest users to the default owner and

• Assign records created by Salesforce site guest users,

are automatically activated with the Summer '20 version. This update gives you extra time to prepare. If you opt out of these settings for the Summer '20 release, you must comply with these new security strategies for guest users before the Winter '21 release, in which the settings apply to all organizations.  

How: to unsubscribe from automatic activation of these settings, activate the update. To check whether or not the settings are activated, you can access the settings in the user interface as follows :

• In Settings, enter Sharing Settings in the Quick search bar. Select Sharing Settings. The page displays the Secure access to recordings by guest users checkbox.

• In Setup, enter Experience Settings in the Quick Search bar, then select Experience Settings. The page displays the checkbox Assign records created by guest users to the default owner.

• In Setup, enter Sites in the Quick Search bar, then select Sites. The page displays the checkbox Assign records created by Salesforce site guest users.

Removing Aura components from the ui namespace

Scheduled for Summer '21

The retirement of ui components is planned for all Salesforce organizations in the Summer '21 release. Instead, use similar components in the lightning namespace. Removing our legacy components allows us to focus our efforts on components that comply with the latest Web standards in terms of performance, accessibility, user experience and internationalization.

Where: This change applies to organizations with Lightning components in Lightning Experience, to Salesforce Classic and to all versions of the Salesforce application.

When: Salesforce plans to discontinue support for Aura components in the namespace ui with the Summer '21 release. You can continue to use these components beyond Summer '21, but we will not be accepting support requests from this version onwards.

How: replace removed components with their equivalents in the lightning namespace. These components are faster, more efficient and implement the Lightning Design System style out-of-the-box.

Salesforce Release Note

Spring '20

• Request Customize application authorization for direct read access to custom settings (critical, deferred update)

• Control who gets read access to custom metadata types

• Restrict access to Apex @AuraEnabled methods for guest and portal users according to user profile (critical update)

• Update managed packages to reflect changes in the external sharing model

• Enable organization default external access settings in all new organizations

Summer '20

• Guest user: security policies applied

Winter '20

• Removing Aura components from the ui namespace