In recent Salesforce releases, including Summer ’21, we’ve noticed gradual changes. These changes are part of Salesforce’s ongoing efforts to improve its security model. They are in reaction to public security breaches such as SolarWinds and the successful class action against Salesforce and Hanna Andersson. The goal is to protect customers from attack through insecure development and, more often than not, simple use of default configurations. These steps ensure responsibility for any such future breach does not lie at Salesforce’s door.

With Provar, customers can use regression test packs to check updates months in advance. Most changes we catch help them avoid updating test cases. However, some Salesforce changes affect expected results, requiring a decision to either update customizations or test case outcomes.

With Salesforce’s Summer ’21 release in Pre-Release environments, I want to highlight important updates. These updates should be included in your regression planning. Some teams have neglected them until the Sandbox Preview or even Production releases! You don’t need to wait until Summer ‘21 hits your sandbox to test them.

History of Recent (Breaking) Changes

Spring ‘20 & Summer ‘20

Many of these changes were deferred during the COVID-19 impact to give customers more time to prepare and to avoid disrupting businesses.

  • Change: Secure Guest User Record Access.
  • Common Impacts: Community Cloud, Site.com, and Lightning Out pages failed for unauthenticated users. External API calls to Salesforce couldn’t retrieve records. Public Search showed missing data records with no results. Changes to record owners for new documents caused business logic failures.
  • How Provar Helped: Provar TestRunner flagged page and API failures in both Salesforce and non-Salesforce applications. Customer support teams fixed the permissions and used Provar to retest automatically. This restored expected behavior and helped find any missed areas during the impact assessment.

Winter ‘21

  • Change: Restrict Access to @AuraEnabled Apex Methods for Authenticated Users Based on User Profile. It sounds simple, but this change broke many implementations.
  • Common Impacts: Aura component Quick Actions, Lightning Page Customisations, and Experience (Community) Cloud pages using Apex methods failed if the user’s profile or permissions did not include security access to the supporting Apex class. Before Winter ‘21, these interactions would have worked.
  • How Provar Helped: Deploying permission changes to Profiles becomes challenging unless you deploy the related artifacts together. You can deploy Permission sets, but you must grant them to users. Development teams used Provar test cases to identify broken UI components in regression tests. They tested whether deployment steps were complete and automated the process of granting permissions to users through API or UI interactions.

Spring ‘21

  • Change: The explicit assignment of Apex class security is required for profiles/permission sets.
  • Common Impacts: Experience Cloud and Site.com page errors, Visualforce page failures, and processes/flows using invocable Apex broke in production. We even saw losses in the Salesforce Partner Community when raising new cases.
  • How Provar Helped: Regression tests in sandboxes identified page failures: error pages shown, components that failed to render, and data values that did not appear in custom components. After rectifying the root cause, teams could rerun the same Provar tests and repeat the tests for different user profiles to check coverage across all profiles and user types. On production, release teams could run a test plan to smoke-test that the production instance had been updated correctly.
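The Winter ‘21 and Spring ‘21 changes above both come down to the same question: which profiles and permission sets lack explicit access to the Apex classes your components call? The following is an added example, not Provar or Salesforce code, that answers it from retrieved source metadata before a UI test ever fails. The class names, file labels, and sample metadata are constructed for illustration, and the `@AuraEnabled` detection is a simple text heuristic.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
AURA_RE = re.compile(r"@AuraEnabled\b", re.IGNORECASE)
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)

def granted_classes(metadata_xml):
    """Apex classes explicitly enabled in one Profile or PermissionSet file."""
    granted = set()
    for access in ET.fromstring(metadata_xml).findall("md:classAccesses", NS):
        name = access.findtext("md:apexClass", default="", namespaces=NS).strip()
        enabled = access.findtext("md:enabled", default="false", namespaces=NS)
        if name and enabled.strip().lower() == "true":
            granted.add(name)
    return granted

def missing_class_access(apex_sources, access_files):
    """Map each profile/permission set to the @AuraEnabled classes it cannot call."""
    aura = {name for name, body in apex_sources.items()
            if AURA_RE.search(COMMENT_RE.sub("", body))}  # ignore commented-out use
    return {label: sorted(aura - granted_classes(xml))
            for label, xml in access_files.items()}

# Constructed sample input (hypothetical class and file names).
APEX = {
    "CaseController": "public class CaseController {\n"
                      "  @AuraEnabled public static String open() { return 'x'; } }",
    "QuoteController": "public class QuoteController {\n"
                       "  @AuraEnabled(cacheable=true) public static Integer n() { return 1; } }",
    "LegacyHelper": "// @AuraEnabled was removed here\npublic class LegacyHelper {}",
}
PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <classAccesses><apexClass>CaseController</apexClass><enabled>true</enabled></classAccesses>
  <classAccesses><apexClass>QuoteController</apexClass><enabled>false</enabled></classAccesses>
</Profile>"""
PERMSET_XML = """<PermissionSet xmlns="http://soap.sforce.com/2006/04/metadata">
  <classAccesses><apexClass>CaseController</apexClass><enabled>true</enabled></classAccesses>
  <classAccesses><apexClass>QuoteController</apexClass><enabled>true</enabled></classAccesses>
</PermissionSet>"""

def run_sample():
    files = {"Community User.profile": PROFILE_XML, "Sales_Aura.permissionset": PERMSET_XML}
    return missing_class_access(APEX, files)

if __name__ == "__main__":
    for label, classes in run_sample().items():
        print(label, "->", classes or "ok")
```

A non-empty list for a profile only matters if users on that profile reach the component and have no permission set covering the class, so treat the output as a worklist for the regression tests rather than a verdict.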

What’s next for Summer ‘21?

Here is a summary of upcoming security changes that could break your current Salesforce application customizations when enabled. We strongly recommend you enable these Release Updates in a sandbox and test the impact before the auto-activation deadlines.

| Release Update | Auto-activation | Potential Impact | How Provar can help |
| --- | --- | --- | --- |
| Enforce Access Modifiers on Apex Properties in Lightning Component Markup | Summer ‘21 | Before this change, Apex attributes with private access modifiers were still visible to Lightning Components. This change may cause an error in the component’s JavaScript, or fields/text may not appear that were previously visible. | Ensure you have UI test coverage for your custom components, which will fail if fields & values cannot be located. |
| Disable Access to Non-global Controller Methods in Managed Packages | Summer ‘21 | Before this change, your local Aura development could access Apex methods in 3rd party packages that were not shared as global. After enabling this change, Aura components may fail to display or display errors if they reference non-global methods. | Ensure you have UI test coverage for your custom components. The test will fail if fields and values cannot be located. |
| Enforce Access Modifiers on Apex Properties in Lightning Component Markup | Summer ‘21 | Before this change, Aura and LWC customizations could reference personal attributes in Apex controllers. This change started hitting some sandboxes on April 4th, 2021. This may cause components to fail and errors or values not to appear as expected. | Ensure you have UI test coverage for your custom components, which will fail if fields & values cannot be located. |
| Enforce Data Access in Flow Merge Fields | Summer ‘21 | Previously postponed, we’re expecting this to be enforced finally. If affected, Flows that reference fields that the running user does not have permission to access will fail and likely cause a failure email to the flow author. | Ensure you have at least API coverage for your record-triggered flows and UI coverage for screen flows and Quick Actions to verify expected behavior. |
| Require Verification When Experience Cloud Users, Partners, and Customers Change Their Email Address | Summer ‘21 | Experience (Community) Cloud users who change their email address will get a generic email notification instead of a company-branded one. | Customize your email template and use Provar to test the email received on the change of Experience Cloud user email address. Rerun the same test for a user after deploying the template to production to verify your deployment. |

This list is not exhaustive. We strongly recommend reviewing the Draft Release Notes for Summer ’21, available from April 20, 2021. Stay updated on changes until the Sandbox Preview starts on May 8, 2021. There is a set of excellent Trailhead Modules on Release Readiness if you are unfamiliar with this activity.

Future Roadmap Insights & Predictions

If we take out our crystal ball, we know the following changes are in the Salesforce pipeline, though where they may land, or if they go ahead, are the ultimate forward-looking statements. Proposed release versions are always subject to change:

  • Dynamic Forms for Standard Objects (Deferred from Spring ‘21 and not in Summer ‘21 pre-release orgs at the time of writing). Provar handles conversion from Page Layouts to Dynamic Forms to ensure you don’t need to amend your test cases unexpectedly. Still, you may wish to amend your test to cater to customizations on the field and section visibility rules your Salesforce admins introduce.
  • Incremental changes to the Lightning DOM to implement complete open shadow DOM. Provar tries to protect you from these changes on standard Salesforce elements. Still, where you have developed your Page Objects and XPaths to test your custom web components, you may wish to edit your locators to use a ProvarX field mapping to insulate you from future DOM changes.
  • Incremental changes (component by component) to Experience Cloud to render standard features as Lightning Web Components instead of Aura Components. You may use AuraBy or XPath locators today to test Experience Cloud sites, which may need a simple remapping in the PageObject. We predict this will be made available as an optional Release Update before being enforced at a future date.
  • Order Save Behaviour Update (Enforced in Summer ‘22). It is already available to test, and customers are advised to do so as soon as possible, as changes to any customizations may be required. This change will likely affect any record-triggered customizations and business logic on the Order and Order Line Item objects or cause actions to fire more than once.
  • Dynamic Interaction is a new declarative solution, due to enter Pilot soon, for configuring reactive, active components, where one piece may change based on actions and values in another. Based on previous pilot programs, we predict this is unlikely to be GA before Spring ‘22. These are good candidates to add to your test coverage. It can also help identify unnecessary page and component refreshes previously used in your solution.