Borobudur Security Extensions

The Borobudur release has additional security enforced in the Kaptio APEX services. Security checks are performed on the objects and their fields that are being queried or inserted / updated or deleted.

The security checks are for CRUD (Create, Read, Update and Delete) on the object and FLS (Field Level Security) on the object’s fields.

A new security model has been implemented using custom permissions in the package. Each custom permission has two lists of objects associated with it;

The READ list is a list of the objects that a user with the custom permission may query without CrUD and FLS checks being applied.
The WRITE list is a list of the objects that a user with the custom permission may insert / update or delete without CrUD and FLS checks being applied.

If the user does not have a custom permission granting permission to an object then the CrUD and FLS permissions are enforced using the permissions granted by the user’s profile and permission sets.

Custom Permissions

The following custom permissions are available in the Borobudur package;

(Kaptio) Create Trips & Itineraries — grants access to the objects used when working with Trips and Itineraries.
(Kaptio) Customer Payments — grants access to the objects used when processing a customer payment.
(Kaptio) Inventory Management — grants access to save inventory through a global method call.
(Kaptio) View Proposals — grants access to view a proposal document. The permission is intended for use by the user for the Salesforce read only site used by customers to view proposals.
(Kaptio) Supplier Actions — grants access for a supplier to confirm bookings. The permission is intended for use by the user for the Salesforce read only site used by suppliers to confirm bookings.
(Kaptio) Itinerary Comments — grants access for a customer to make comments on a proposal. The permission is intended for use by the user for the Salesforce read only site used by customers to view proposals.
(Kaptio) Privileged Access — grants access to the user with the privilege to bypass sharing rules when viewing a proposal, making a comment on an itinerary, making a payment or confirming supplier bookings. The permission is intended for use by the user for the Salesforce read only site to allow objects not owned by the user to be modified
(Kaptio) Use Security Metadata — grants access to the custom meta data overrides for the READ and WRITE list associated with a custom permission. This custom permission is for use by Kaptio and must not be added to user without guidance from Kaptio.

All (Kaptio) custom permissions must be granted to users using a permission set. If the custom permission is added to a profile, it will not be granted to the user.