[Salesforce] How to limit access to a specific REST endpoint

Let's assume I have a REST endpoint created:

```apex
@RestResource(urlMapping='/CUSTOM_DATA/*')
global with sharing class MY_CUSTOM_DATA
```

Now I am going to create a Connected App with Full Access scope. I will get credentials, then I choose the basic
OAuth 2.0 Username-Password Flow.

So I will provide the external user with credentials, password and username.

My question is, how can I restrict access just to the MY_CUSTOM_DATA class? Is it enough to create a profile with restricted access to this class/objects?

I want to be sure that the external user will not have access to the sf database and objects.

Best Answer

I can see 2 solutions:

  1. I would go for a profile. You would have multiple profiles for your external users that would have access to your REST API. Then on each profile, you can enable or disable which (REST) Apex classes you want them to have access to (Enabled Apex Class Access section). For objects, you also need to review the CRUD matrix for all the objects on the profiles.

  2. If you can't really use profiles for any reason, you will need to review all your REST Apex classes, add some validation based on some criteria, and throw an error to the user who is trying to access the REST class.
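
The second approach, sketched as an added example (not code from the original question or answer): the endpoint itself refuses callers who lack a custom permission, and the query enforces the caller's object and field permissions. The custom permission name `Custom_Data_API_Access`, the `deny` helper and the `Account` query are assumptions made for illustration.

```apex
@RestResource(urlMapping='/CUSTOM_DATA/*')
global with sharing class MY_CUSTOM_DATA {

    // Assumption: a custom permission with this API name exists and is
    // assigned (via permission set) only to the approved integration users.
    private static final String REQUIRED_PERMISSION = 'Custom_Data_API_Access';

    @HttpGet
    global static void doGet() {
        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');

        // Gate 1: reject any authenticated user who lacks the custom permission,
        // even if their profile happens to have the class enabled.
        if (!FeatureManagement.checkPermission(REQUIRED_PERMISSION)) {
            deny(res);
            return;
        }

        try {
            // Gate 2: WITH SECURITY_ENFORCED makes the query fail if the running
            // user lacks read access to the object or any selected field;
            // "with sharing" on the class applies record-level sharing rules.
            // Account is a placeholder for whatever the endpoint really returns.
            List<Account> rows = [
                SELECT Id, Name FROM Account
                WITH SECURITY_ENFORCED
                LIMIT 50
            ];
            res.statusCode = 200;
            res.responseBody = Blob.valueOf(JSON.serialize(rows));
        } catch (System.QueryException e) {
            // Treat a permission failure as forbidden; do not echo the
            // exception text, which names inaccessible fields.
            deny(res);
        }
    }

    // Hypothetical helper: uniform 403 body with no internal detail.
    private static void deny(RestResponse res) {
        res.statusCode = 403;
        res.responseBody = Blob.valueOf('{"error":"forbidden"}');
    }
}
```

This guard only protects this one class: a user authenticated through a Full Access connected app can still call the standard REST API, so the profile's object permissions from the first approach still need to be locked down.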