Gave Everyone 'Modify All' Because It Fixed the Bug
“Users couldn't edit records. I gave the profile 'Modify All Data' instead of fixing the actual sharing rules.”
What Happened
Support team at a client org couldn't edit certain Cases. Instead of diagnosing the sharing rules, org-wide defaults, and role hierarchy, I took the shortcut: gave their profile 'Modify All' on Cases. Problem 'fixed.' Except now every support rep could edit, delete, and transfer every Case in the org, including escalated Cases they were explicitly supposed to be locked out of. A junior rep accidentally mass-updated 200 escalated Cases. The escalation team lost their notes. I had to roll it all back and actually fix the sharing rules properly.
The Wrong Way
// User: "I can't edit this Case."
// Me: "I'll fix that."
//
// Setup → Profiles → Support Team
// Object Settings → Cases:
// ☑ Read ☑ Create
// ☑ Edit ☑ Delete
// ☑ View All ☑ Modify All ← "This'll fix it"
//
// Result: Every support rep can now modify
// EVERY Case in the org. Including escalated
// cases with restricted access. Oops.
The Right Way
// Step 1: Diagnose the actual issue
// Setup → Sharing Settings → Organization-Wide Defaults
// Case: Private (correct, intended)
//
// Step 2: Check sharing rules
// Does the user's role give them access? No.
// Is there a sharing rule for their team? No.
// → CREATE a Criteria-Based Sharing Rule:
// Share Cases where Status != "Escalated"
// with Support Team role
// Access Level: Read/Write
// (Sharing rules only open access up; the Private OWD is
// what keeps escalated Cases closed to reps who don't own them.)
//
// Step 3: Profile permissions (minimal)
// ☑ Read ☑ Create ☑ Edit
// ☐ Delete ☐ View All ☐ Modify All
//
// Users can edit their Cases but NOT escalated ones.
// Principle of least privilege. Always.
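The diagnosis in Steps 1 and 2 can be done from Execute Anonymous instead of clicking through Setup, and the same script verifies the result after the sharing rule is in place. The following is an added example, not code from the original post; the username and Case numbers are placeholders, and it assumes the running user is an admin who can query permission metadata and UserRecordAccess for other users.

```apex
// Added example (not from the original post): an Execute Anonymous script that
// does the diagnosis the post recommends before anyone touches a profile.
// Placeholders: 'rep@example.com' and the two Case numbers.

// 1. Who already holds the blunt instrument? Every profile or permission set
//    that grants View All / Modify All on Case is listed. ObjectPermissions rows
//    whose parent permission set is profile-owned represent the profile itself.
List<ObjectPermissions> broad = [
    SELECT Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name,
           PermissionsViewAllRecords, PermissionsModifyAllRecords
    FROM ObjectPermissions
    WHERE SobjectType = 'Case'
      AND (PermissionsViewAllRecords = true OR PermissionsModifyAllRecords = true)
];
for (ObjectPermissions op : broad) {
    String holder = op.Parent.IsOwnedByProfile
        ? 'Profile ' + op.Parent.Profile.Name
        : 'Permission set ' + op.Parent.Label;
    System.debug(holder + ' -> ViewAll=' + op.PermissionsViewAllRecords
        + ' ModifyAll=' + op.PermissionsModifyAllRecords);
}

// 2. The org-wide default for Case. If it is Private, a rep with no ownership,
//    role-hierarchy or sharing-rule path to a record gets nothing at all.
Organization org = [SELECT DefaultCaseAccess FROM Organization LIMIT 1];
System.debug('Case OWD: ' + org.DefaultCaseAccess);

// 3. Per-record truth: what the platform says this rep may do on the Cases they
//    complained about. UserRecordAccess evaluates ownership, the role hierarchy,
//    sharing rules and manual shares together. After the criteria-based rule is
//    deployed, edit should be true on a non-escalated Case and false on an
//    escalated one the rep does not own.
User rep = [SELECT Id, Name, Profile.Name, UserRole.Name
            FROM User WHERE Username = 'rep@example.com' LIMIT 1];   // placeholder
Map<Id, Case> cases = new Map<Id, Case>([
    SELECT Id, CaseNumber, Status, OwnerId
    FROM Case WHERE CaseNumber IN ('00001001', '00001002')]);       // placeholders
System.debug(rep.Name + ' (profile ' + rep.Profile.Name
    + ', role ' + rep.UserRole.Name + ')');
for (UserRecordAccess ura : [
        SELECT RecordId, HasReadAccess, HasEditAccess, HasDeleteAccess,
               HasTransferAccess, MaxAccessLevel
        FROM UserRecordAccess
        WHERE UserId = :rep.Id AND RecordId IN :cases.keySet()]) {
    Case c = cases.get(ura.RecordId);
    System.debug('Case ' + c.CaseNumber + ' [' + c.Status + '] owner=' + c.OwnerId
        + ': read=' + ura.HasReadAccess + ' edit=' + ura.HasEditAccess
        + ' delete=' + ura.HasDeleteAccess + ' transfer=' + ura.HasTransferAccess
        + ' max=' + ura.MaxAccessLevel);
}
```

Read the output in order. If section 1 lists the Support Team profile with ModifyAll=true, that is the shortcut from "The Wrong Way" and the first thing to revert. If section 2 shows Private and section 3 shows edit=false on every Case, the rep simply has no grant path and needs the sharing rule. Once the rule is active, section 3 is the regression check: edit=true on the non-escalated Case, edit=false (and delete=false, transfer=false) on the escalated one, with no change to the profile.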
The Lesson
'Modify All' is never the answer to a sharing problem. It is an object-level permission that bypasses record-level access entirely: every record of that object becomes readable, editable, deletable and transferable by everyone who holds it, whatever the OWD and sharing rules say. Diagnose the actual issue in order: OWD, role hierarchy, sharing rules, permission sets. Fix the root cause, not the symptom.