Salesforce Functions are finally GA in Winter ’22, and offer the ability to add more powerful coding capability to your Org. There are however some restrictions with respect to API access and record sharing you should know about beforehand:
- One Permission Set to Rule Them All:
All functions have the same permissions to your Org, and the Functions Permission Set is the only one that defines access, so you can’t for example have a Function that can only read Opportunities and a Function that can only write Leads.
2. You can’t execute code as the invoking User or ‘WITHOUT SHARING’:
The code will execute as per the “Cloud Integration User” along with the assigned Functions Permission Set. That means the sharing settings of the invoking User will not be used, nor the ability to run the function without restrictions (using WITHOUT SHARING).
3. Configuring the Functions Permission Set is extremely limited by the “Cloud Integration User” license:
This license really restricts what permissions you can enable in your Functions Permission Set. For example ‘View All Files’ or allowing the Tooling API is not possible. As far as I can tell you are limited to read/write access settings on main objects for the most part, with anything that gives you elevated access to the Org being forbidden.
4. Permissions in the Local Docker environment are NOT the same as the Compute Environment:
The restrictions in the Functions Permission Set above do not apply at all to code that you deploy to Docker, which is great until you actually want to deploy it to your Compute environment and find the code can’t actually run.
It is great that Salesforce is allowing all developers to build Functions locally in Docker today, however it is problematic that many will produce all kinds of great functions and demo those to their stakeholders, only to discover too late that they will not work after deployment. I would recommend creating a test user with minimum access and assign them the Functions Permission Set, just to ensure that your SOQL queries and other API functions are not limited (run in the Developer Console or whatever).
Functions are very new however, and hopefully some of these restrictions will be addressed in future releases.